Argentina
Law/Regulation Name:
Personal Data Protection Law
Ley de Protección de Datos Personales
Provides broader protection of personal data closely following Spain’s data protection law. Provides “adequacy” standards for data flows outside of Argentina. The European Union has determined that Argentina’s law meets the EU’s “adequacy” standard.
Australia
Law/Regulation Name:
Privacy Amendment Act of 2012. Australian Prudential Regulatory Authority (APRA)
Data privacy/protection in Australia is currently made up of a mix of Federal and State/Territory legislation. The Federal Privacy Act 1988 (Cth) (Privacy Act) and its Australian Privacy Principles (APPs) apply to private sector entities with an annual turnover of at least $3 million and all Commonwealth Government and Australian Capital Territory Government agencies.
The Privacy Act was last amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. The amendments significantly strengthened the powers of the Privacy Commissioner to conduct investigations (including own motion investigations), ensure compliance with the amended Privacy Act, and introduced fines for a serious breach or repeated breaches of the APPs.
Australian States and Territories (except for Western Australia and South Australia) each also have their own data protection legislation applying to State Government agencies (and private businesses' interaction with them).
Financial institutions also need to adhere to specific requirements defined by APRA on the treatment and protection of financial data.
Austria
Law/Regulation Name:
General Data Protection Regulation (GDPR)
See “European Union” for information on principles established under the GDPR. Law is fully applicable by May, 2018, replacing the EU Data Protection Directive.
Belarus
Law/Regulation Name:
Law on Information, Informatisation and Information Protection and Law on Population Register
Legal entities and/or individuals using personal data must, in accordance with Belarus law, carry out appropriate legal, organisational and technical information protection measures in order to protect personal data from illegal distribution. The acts implemented within the framework of the Eurasian Economic Union should also be taken into consideration. Law enforced by the Ministry and the Centre.
Belgium
Law/Regulation Name:
General Data Protection Regulation (GDPR)
See “European Union” for information on principles established under the GDPR. Law is fully applicable by May, 2018, replacing the EU Data Protection Directive.
Bosnia and Herzegovina
Law/Regulation Name:
Law on Protection of Personal Data
Law enforced by The Personal Data Protection Agency ('DPA').
Brazil
Law/Regulation Name:
General Data Protection Law - Draft Bill on Personal Data Protection sent to congress in 2016
Lei geral de proteção de dados pessoais: projeto de lei sobre a proteção de dados pessoais enviado ao congresso em 2016
In June 2014 the Brazilian Internet Act set out principles for the use of the Internet, as well as the rights of Internet users and the duties of (a) Internet connection providers and (b) Internet application providers. The act establishes standards for Internet use in Brazil, including general principles for the protection of privacy and personal data and certain specific duties in relation to the collection, processing, storage and sharing of personal data to be followed by the entities deemed Internet application providers and Internet connection providers.
There is also a draft bill in congress which addresses the protection of personal data of individuals (the Data Protection Bill). The focus of the bill is the protection of personal data of individuals. In addition, the Data Protection Bill sets out the rights of the owners of personal data.
British Virgin Islands
Law/Regulation Name:
English Common Law
There is currently no formal legislation regulating data protection in the British Virgin Islands (BVI); however, the BVI Government has pledged the promulgation of suitable data protection legislation, based on internationally recognized standards, to be enacted in the near future.
English Common law is persuasive (although not binding) in the BVI and accordingly, a BVI Court will recognise and subscribe to the Common law duties of confidentiality and privacy. In essence, a person's details will need to be kept confidential provided an appropriate and satisfactory exception applies. The Financial Services Commission (the 'Commission') regulates the fiduciary and trust business sectors, pursuant to the Banks and Trust Companies Act, 1990 (as amended), to regulate all banking and trust/fiduciary related activities in the BVI. There is no specific data protection authority at present, pending promulgation of data protection legislation in the near future.
Bulgaria
Law/Regulation Name:
Personal Data Protection Act
Resembles EU Directive on Data Protection. Personal information is defined as data relating to natural persons, legal entities, and even government personnel and agencies. Opt-in consent required for sensitive data. Law creates a Commission on Protection of Personal Data to supervise compliance and implementation.
Canada
Law/Regulation Name:
Personal Information Protection Acts
In Canada there are 28 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, identity theft/criminal code, etc.) that govern the protection of personal information in the private, public and health sectors. Although each statute varies in scope, substantive requirements, and remedies and enforcement provisions, they all set out a comprehensive regime for the collection, use and disclosure of personal information. Law is enforced by Canadian Privacy Statutes.
Cayman Islands
Law/Regulation Name:
Confidential Relationships Preservation Law
The Cayman Islands has not implemented a legislative framework that specifically addresses issues of data protection. There are, however, proposals to introduce a data protection regime in the Cayman Islands, potentially during the course of 2015, but the precise details and scope of any such regime are still to be finalised.
Notwithstanding the lack of specific data protection legislation, the Cayman Islands does recognise a duty of confidentiality in certain circumstances, under both the common law and the provisions of the Confidential Relationships Preservation Law (as revised) of the Cayman Islands (the 'CRPL'). The CRPL provides a statutory framework which regulates disclosures of confidential information by professional persons, providing among other things for criminal sanctions for certain breaches of confidentiality obligations, in parallel to the civil remedies available at common law.
Chile
Law/Regulation Name:
Personal Data Protection
Protección de Datos Personales
Personal Data Protection is addressed in several specific laws, as well as scattered provisions in related or complementary laws and other legal authority. Overall, laws aim to establish the 'respect and protection of the public and private life, and the honour of the person and its family', define the treatment of personal information in public and private databases, rules when treating economic and debt-related personal data, and establish sanctions for those who breach and unlawfully access and/or use the information available in electronic databases.
Law does not establish a data protection enforcement body. Enforcement occurs via court system.
China
Law/Regulation Name:
“Several Provisions on Regulating Market Orders of Internet Information Services” (the “New Regulations”)
Although China does not have a comprehensive national law focusing exclusively upon the regulation of data privacy, the New Regulations, which took effect on March 15, 2012, include significant new data protection requirements applicable to Internet information service providers (“IISPs”). IISP is defined quite broadly, so the law impacts many businesses.
Consistent with data protection regimes currently in place elsewhere in the world, IISPs will be required to provide much stronger protection for the personal data they collect from users in China, and will be subject to notice and consent requirements, collection limitations and use limitations.
Colombia
Law/Regulation Name:
Data Protection Law
Ley de Protección de Datos
In addition to the law, the constitution provides any person the right to update their personal information.
Costa Rica
Law/Regulation Name:
Undisclosed Information Law And Protection in the Handling of the Personal Data of Individuals
Ley de Información No Divulgada y Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales
The development of data privacy regulation in Costa Rica is divided between two laws (the Laws). The first law is Law No. 7975, Undisclosed Information Law, which makes it a crime to disclose confidential/personal information without authorization. The second law is Law No. 8968, Protection in the Handling of the Personal Data of Individuals; it and its by-laws were enacted to regulate the activities of companies that administer databases containing personal information. Therefore, its scope is limited. The Agency for the Protection of Individual's Data is the entity charged with enforcing compliance with the applicable regulation.
Croatia
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Cyprus
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Czech Republic
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Denmark
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Egypt
Law/Regulation Name:
Several provisions on data protection
In addition to several piecemeal provisions in connection with data protection in different laws and regulations in Egypt, the constitution provides any person the right to update their personal information. There is no national authority responsible for data protection in Egypt.
Estonia
Law/Regulation Name:
Law on the Protection of Personal Data
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
European Union
Law/Regulation Name:
European Union General Data Protection Regulation (EU GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Finland
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
France
Law/Regulation Name:
Information Technology, Data Files and Civil Liberty Law General Data Protection Regulation (GDPR)
Loi informatique et libertés Règlement général sur la protection des données (RGPD)
‘Information Technology, Data Files and Civil Liberty’ is the principal law regulating data protection in France. Also see “European Union” for information on principles established by the GDPR which will also be enforced in France. Law enforced by the French Data Protection Authority (CNIL).
Germany
Law/Regulation Name:
General Data Protection Regulation (GDPR)
See “European Union” for information on principles established by the GDPR.
Each German state also has a data protection law of its own, which is enforced by that state.
Ghana
Law/Regulation Name:
Data Protection Act, 2012
Law enforced by Data Protection Commission.
Gibraltar
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Greece
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Guernsey
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Honduras
Law/Regulation Name:
Personal Data Protection Laws
Leyes de Protección de Datos Personales
Personal Data Protection is regulated mainly in: National Constitution, Law of the Civil Registry, Law for Transparency and for Access to Public Information, which also extends the Constitutional Protection of Habeas Data and forbids the transmission of personal information that may cause any kind of discrimination or any moral or economic damage to people, and Rulings on the Law for Transparency and for Access to Public Information.
Hong Kong
Law/Regulation Name:
Personal Data (Privacy) Ordinance
Resembles EU Directive on Data Protection. Applies to both the public and private sectors. The law expressly prohibits the use of all-purpose identification numbers or codes. Enforcement occurs via the Parliamentary Commissioner for Data Protection and Freedom of Information. Law has not received “adequacy” from the EU.
Hungary
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Iceland
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
India
Law/Regulation Name:
Information Technology Rules, 2011
There is no specific legislation on privacy and data protection in India. However, the courts have interpreted data protection within the Right to Privacy as implicit in Articles 19 and 21 of the Constitution of India. The Information Technology Act, 2000 (the ‘Act’) contains specific provisions intended to protect electronic data (including non-electronic records or information that have been, are currently or are intended to be processed electronically). India’s IT Ministry adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules). The Privacy Rules, which took effect in 2011, require corporate entities collecting, processing and storing personal data, including sensitive personal information, to comply with certain procedures.
Indonesia
Law/Regulation Name:
Electronic Information and Transactions Law
In Indonesia, as of the date of this publication there is no general law on data protection. However, there are certain regulations concerning the use of electronic data. The primary sources of the management of electronic information and transactions are Law No. 11 of 2008 regarding Electronic Information and Transactions (“EIT Law”) and its main implementing regulation, Government Regulation No. 82 of 2012 regarding Provisions of Electronic Systems and Transactions (“Reg. 82”).
However, a new draft Bill on the Protection of Private Personal Data (the Bill) is currently being discussed and there is reason to believe that this Bill may come into law in 2016, although the exact date remains uncertain and the Bill is still to be considered by the House of Representatives. If passed, this will become Indonesia’s first comprehensive law to specifically deal with the issue of data privacy. In addition to the provisions under EIT Law and Reg. 82, there are also a series of regulations which also cover certain provisions which may relate to data protection.
Ireland
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authority of various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Israel
Law/Regulation Name:
Protection of Privacy Law
Regulates data processing and computer databases. Imposes limitations on data controllers/processors concerning use of information (11 activities prohibited by law). Data subjects have right to inspect, correct and erase information. Databases with over 10,000 names must register with Ministry of Justice’s Registrar of Databases.
Italy
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Japan
Law/Regulation Name:
Act on the Protection of Personal Information
Requires business operators who use, for their business in Japan, a personal information database covering more than 5,000 individuals in total (identified by personal information) on any day in the past six months to protect personal information. Amendments to the APPI apply the APPI to all businesses in Japan, regardless of whether the business operator maintains a database of more than 5,000 individuals.
Further, the Amendments clarify the definition of personal information, add two new classes of information, and introduce new requirements for opt out choice for business operators to disclose personal information to third parties. Finally, as of January 1, 2016, the Amendments created a Privacy Protection Commission (the Commission), a central agency, which will act as a supervisory governmental organization on issues of privacy protection.
Jersey
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Latvia
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Lesotho
Law/Regulation Name:
Data Protection Act of 2011
The Constitution of the Kingdom of Lesotho guarantees a right to privacy on top of the Data Protection Act, which provides for the principles for regulation of the processing of personal information in order to protect and reconcile the fundamental and competing values of personal information. Law enforced by an independent supervisory authority, the Data Protection Commission.
Lithuania
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Luxembourg
Law/Regulation Name:
The Law. General Data Protection Regulation (GDPR)
The law dated 2 August 2002 on the protection of persons with regard to the processing of personal data as amended from time to time ('Law').
The law dated 30 May 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector as amended from time to time ('Law of 30 May 2005').
Law enforced by the Commission Nationale pour la Protection des Données.
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Macau
Law/Regulation Name:
Macau Personal Data Protection Law
Law enforced to protect personal data by Office for Personal Data Protection.
Macedonia
Law/Regulation Name:
Law on Personal Data Protection
The DP Law is entirely harmonized with EC Directive 95/46/EC ('Data Protection Directive'). Law is enforced by the Directorate for Personal Data Protection.
Madagascar
Law/Regulation Name:
Data Protection Law
The main regulatory framework in Madagascar for the protection of personal data. Law provides for the creation of the Commission of Malagasy sur l’informatique et des Libertés.
Malaysia
Law/Regulation Name:
Personal Data Protection Act of 2010
Malaysia’s first comprehensive personal data protection legislation. Law enforced by Personal Data Protection Commissioner.
Malta
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Mauritius
Law/Regulation Name:
Data Protection Act 2004 (the “MU DPA”)
Aims to protect the fundamental privacy rights of individuals against the use of data concerning them without their informed consent. The Act came into operation in February 2009. Law enforced by Data Protection Office.
Mexico
México
Law/Regulation Name:
Federal Law on the Protection of Personal Data held by Private Parties
Ley Federal de Protección de Datos Personales en Posesión de los Particulares
The Federal Law on the Protection of Personal Data held by Private Parties was enacted on July 5, 2010 and entered into force on July 6, 2010.
The Executive Branch has also issued:
- the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties
- the Privacy Notice Guidelines
- the Parameters for Self Regulation regarding personal data
The Law only applies to private individuals or legal entities which process personal data, and not to the government, credit reporting companies governed by the Law Regulating Credit Reporting Companies, or persons carrying out the collection and storage of personal data exclusively for personal use and without the purposes of disclosure or commercial use.
Monaco
Law/Regulation Name:
Data Protection Law
Data protection in Monaco is regulated by Data Protection Law n° 1.165 of 23 December 1993, modified by Law n°1.353 of 4 December 2008 ('DPL').
Furthermore, the Principality of Monaco is part of the Council of Europe and entered into Convention n° 108 of the European Council.
The Principality of Monaco is not part of the EU and as a consequence did not transpose Data Protection Directive 95/46/EC.
Law enforced by Commission for Control of Personal Data.
Montenegro
Law/Regulation Name:
Law on Protection of Personal Data
The Montenegrin law governing data protection issues is the Law on Protection of Personal Data. It originates from December 2008 and its latest amendments were made in August 2012. Law enforced by Agency for Protection of Personal Data and Free Access to Information.
Morocco
Law/Regulation Name:
Personal Data Protection Law
Personal data protection is governed in Morocco by the Law n° 9-08 relating to the protection of individuals with respect to the processing of personal data and by its implementation Decree n° 2-09-165. Law enforced by National Control Commission for the Protection of Personal Data.
Netherlands
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
New Zealand
Law/Regulation Name:
The Privacy Act of 1993
The Privacy Act 1993 governs how agencies collect, use, disclose, store, retain and give access to personal information. The Act gives the Privacy Commissioner the power to issue codes of practice that modify the operation of the Act in relation to specific industries, agencies, activities or types of personal information. Codes currently in place are:
- Credit Reporting Privacy Code
- Health Information Privacy Code
- Justice Sector Unique Identifier Code
- Superannuation Schemes Unique Identifier Code
- Telecommunications Information Privacy Code
- Civil Defence National Emergencies (Information Sharing) Code.
Enforcement is through the Privacy Commissioner.
Nigeria
Law/Regulation Name:
Industry-specific and Targeted Laws
Nigeria does not have a comprehensive legislative framework on the protection of personal data. However, there are a few industry-specific and targeted laws and regulations that provide some privacy-related protections, which include:
- The Constitution of the Federal Republic of Nigeria, 1999
- The Freedom of Information Act, 2011
- The Child Rights Act No. 26 of 2003
- The Consumer Code of Practice Regulations 2007
- The National Information Technology Development Agency
- The Cybercrimes Act 2015
No specific authority is charged with responsibility for the protection of data; however, sector-specific regulatory agencies, including NITDA, NCC, etc., provide services relating to the protection of data.
Norway
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Panama
Panamá
Law/Regulation Name:
Laws and Regulations to protect personal data
Leyes y reglamentaciones para proteger los datos personales
In recent years, Panama has taken significant legislative steps to regulate electronic data protection and internet commerce. However, this regime remains a work in progress.
The primary laws and regulations thus far enacted are Law 51 of 22 July 2008, as amended by Law 82 of 9 November 2012, and Executive Decree No. 40 of 19 May 2009. The central purpose of both is to regulate the creation, utilization and storage of electronic documents and signatures in Panama, through a registration process and the supervision of providers of data storage services. Law 51 and Decree 40 provide for enforcement through the General Directorate of Electronic Commerce.
Peru
Perú
Law/Regulation Name:
Personal Data Protection Law
Ley de Protección de Datos Personales
Personal data protection is governed in Peru by: the Personal Data Protection Law No. 29733 ('PDPL') published on July 3, 2011; its regulations enacted by Supreme Decree 003-2013-JUS and published on March 22, 2013 (the 'Regulations'); and the Security Policy on Information Managed by Databanks of Personal Data enacted by Directorial Resolution N° 019-2013-JUS/DGPDP on October 11, 2013. Law enforced by the General Agency on Data Protection, part of the Ministry of Justice and Human Rights.
Philippines
Law/Regulation Name:
Data Privacy Act of 2012
The Act provides for the creation of a National Privacy Commission. As of 21 January 2015, the National Privacy Commission has not been constituted.
Poland
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Portugal
Law/Regulation Name:
General Data Protection Regulation (GDPR)
Regulamentação geral sobre a proteção de dados
(GDPR, General Data Protection Regulation)
See “European Union” for information on principles established under the GDPR. Law is fully applicable by May, 2018, replacing the EU Data Protection Directive.
Romania
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Russia
Law/Regulation Name:
Law on Personal Data
Personal data is regulated by the Law on Personal Data (152-FZ). Recent amendments have been added stipulating that personal data of Russian citizens must be stored in data centers/databases located in the Russian Federation.
Law enforced by Federal Service for Supervision of Communications, Information Technologies and Mass Media, in short, Roscomnadzor.
Saudi Arabia
Law/Regulation Name:
Shari'a Principles
Shari'a principles (that is, Islamic principles derived from the Holy Quran and the Sunnah, the latter being the witnesses' sayings of the Prophet Mohammed), which although not codified, are the primary source of law in the KSA. In addition to Shari'a principles, the law in the KSA consists of secular regulations passed by government, which is secondary if it conflicts with Shari'a principles.
There are certain secular regulations passed by government, which although not dedicated as a whole to data privacy/protection, contain specific provisions governing the right to privacy and data protection in certain contexts. Examples of such regulations include:
- the Basic Law of Governance
- the Anti-Cyber Crime Law (8 Rabi 1, 1428
- the Telecoms Act
- the Regulations for the Protection of Confidential Commercial Information
There may also be specific regulations applicable to certain industries, for example, in banking, the Saudi Arabian Monetary Agency (or ‘SAMA’) imposes a general duty of confidentiality on banks, and requires banks to provide a safe and confidential environment to ensure confidentiality and privacy of customer data. Similarly, in the healthcare sector, confidentiality requirements will apply in terms of protecting medical data of patients.
There is no national data protection authority in the KSA. In respect of telecommunications services, the Communications and Information Technology Commission is responsible for overseeing the relevant telecoms laws and policies. SAMA is responsible for, amongst other things, overseeing commercial banks in the KSA.
Serbia
Law/Regulation Name:
Law on Protection of Personal Data
It became applicable in. At the beginning of November 2015 the Ministry of Justice published a draft of a new Law on Protection of Personal Data, which has entered the legislative process. Under the DP Law, personal data is any information on a natural person based on which the respective person is identified or identifiable (for example, name, address, e-mail address, photo etc). The DPA is responsible for the enforcement of the DP Law.
Seychelles
Law/Regulation Name:
Data Protection Act
Aims to protect the fundamental privacy rights of individuals against the use of data concerning them without their informed consent. The Act will come into operation on such date as the Minister notifies in the official Gazette.
The creation of the Office of the Data Protection Commissioner is envisaged by the Act but has not yet taken place.
Singapore
Law/Regulation Name:
Personal Data Protection Act. Regulations from Monetary Authority of Singapore (MAS)
Singapore enacted a new Personal Data Protection Act 2012. The Act took effect in 3 phases:
- Provisions relating to the formation of the Personal Data
- Provisions relating to the National Do-Not-Call Registry
- The main data protection provisions took effect on 2 July 2014
Law enforced by Personal Data Protection Commission.
Financial institutions also need to adhere to specific requirements defined by MAS on the treatment and protection of financial data.
Slovak Republic
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
South Africa
Law/Regulation Name:
The Constitution
The Constitution of the Republic of South Africa guarantees the right to privacy.
Certain provisions within the Electronic Communications and Transactions Act regulate the electronic collection of personal information, although compliance with these provisions is voluntary.
The Protection of Personal Information Act was promulgated into law following the President's signature. The PPI Act is wide in application and will, subject to certain exclusions detailed therein, impact all persons processing personal information. The Act will commence on a date to be determined by the President by proclamation in the Government Gazette. Different dates of commencement may be determined in respect of different provisions of the PPI Act. Certain sections of the PPI Act have, on proclamation by the President of the Republic of South Africa, come into effect as of 11 April 2014. The provisions of the PPI Act which came into effect relate to the definitions section under the PPI Act and the provisions dealing with the establishment of the office of the Regulator (as well as its powers, duties and functions).
The PPI Act introduces and provides for the establishment of an independent supervisory authority, namely the Information Protection Regulator specifically established for the purpose of data protection.
South Korea
Law/Regulation Name:
Personal Information Protection Act
In addition to the PIPA, there is sector-specific legislation, such as:
- the Act on Promotion of Information and Communication Network Utilisation and Information Protection
- the Use and Protection of Credit Information Act
- the Act on Real Name Financial Transactions and Guarantee of Secrecy
Under PIPA, except as otherwise provided for in any other Act, the protection of personal information shall be governed by the provisions of PIPA.
Law enforced by the Ministry of the Interior.
Spain
España
Law/Regulation Name:
General Data Protection Regulation (GDPR)
Reglamento general de protección de datos
See “European Union” for information on principles established under the GDPR. Law is fully applicable by May, 2018, replacing the EU Data Protection Directive.
Sweden
Law/Regulation Name:
General Data Protection Regulation (GDPR)
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own countries. Responsibilities are defined for sharing data with 3rd party processors as well as data transfers across borders.
Switzerland
Law/Regulation Name:
Federal Act on Data Protection
The Federal Act on Data Protection and its ordinances, i.e. the Ordinance to the Federal Act on Data Protection and the Ordinance on Data Protection Certification, mainly regulate the processing of personal data.
In addition, provisions further restrict the processing of personal data in other laws, mainly with regard to the public sector and regulated markets.
Law enforced by the Federal Data Protection and Information Commissioner.
Taiwan
Law/Regulation Name:
Personal Data Protection Law
The provisions relating to sensitive personal data and the notification obligation for personal data indirectly collected before the effectiveness of the PDPL remain ineffective. The government has proposed further amendment to these provisions, which is pending legislative review. The information hereunder is based upon the effective PDPL only.
In Taiwan, there is no single national data protection authority. The various ministries and city/county governments serve as the competent authorities.
Thailand
Law/Regulation Name:
Constitution of the Kingdom of Thailand
At present, Thailand does not have any general statutory law governing data protection or privacy.
However, the Constitution of the Kingdom of Thailand does recognize the protection of privacy rights. In addition, statutory laws in some specific areas, such as telecommunications, banking and financial businesses (Specific Businesses), as well as other non-business related laws, such as certain provisions under the Thai Penal Code and the Child Protection Act B.E. 2543 (2003), do provide a certain level of protection against any unauthorised collection, processing, disclosure and transfer of personal data.
Recently, the draft Personal Information Protection Act (‘Draft’), which has been reviewed by the Council of State, was given to the Committee for House of Representative Coordination to review and analyse if there are any practical issues on applying the law and how the Data Protection Committee should be formed.
The Draft is being reviewed by the Office of the Public Sector Development Commission and will be submitted to the Cabinet for approval later. The current Draft provides protection of personal data by restricting the gathering, using, disclosing and altering of any personal data without the consent of the data owner. The Draft also imposes both criminal penalties and civil liability for any violation of the Draft and calls for the establishment of a Protection of Personal Data Commission to regulate compliance with the Draft.
Notwithstanding the above, at present, no clear indication exists as to when the Draft will be final, or whether it will ultimately be enacted into binding law.
Trinidad and Tobago
Law/Regulation Name:
Data Protection Act of 2011
The Data Protection Act ('DPA') provides for the protection of personal privacy and information processed and collected by public bodies and private organisations. No timetable has been set for the proclamation of the remainder of the DPA, and it is possible that there may be changes to the remainder of the legislation before it is proclaimed. The entity responsible for the oversight, interpretation and enforcement of the DPA is the Office of the Information Commissioner. It has broad authority, including to authorise the collection of personal information about an individual from third parties and to publish guidelines regarding compliance with the Act.
Turkey
Law/Regulation Name:
Law on Protection of Personal Data
The Law defines personal data as “Any information relating to an identified or identifiable natural person”. Currently there is no independent body governing data protection in Turkey. The new Law introduces two bodies to watch over and regulate data processing and transfer activities:
a) the Data Protection Board and b) the Data Protection Authority. Neither body had been established as of mid-2016; however, the Law stipulates that these bodies will be established as of October 7, 2016. The Data Protection Board will be an independent decision-making body, whereas the Data Protection Authority will operate under the Prime Ministry.
UAE – Dubai (DIFC)
Law/Regulation Name:
Data Protection Law
In addition to the law, there are additional powers granted to the Commissioner of Data Protection, who has issued the Data Protection Regulations.
UAE - General
The purpose of the Dubai Data Law is to collate and manage data that relates to the emirate of Dubai and, where appropriate, to publish it as Open Data or at least ensure that it is shared between authorised persons. This law is considered unique as it is the only one in the world we are aware of that gives a government the power to require designated private sector entities to provide the government with information they hold in relation to a city, for the purposes of making that information Open Data.
In addition, there are several UAE Federal Laws that contain various provisions in relation to privacy and the protection of personal data:
- Constitution of the UAE (Federal Law 1 of 1971)
- Penal Code (Federal Law 3 of 1987 as amended)
- Cyber Crime Law (Federal Law 5 of 2012 regarding Information Technology Crime Control), and
- Regulating Telecommunications (Federal Law by Decree 3 of 2003 as amended), which includes several implementing regulations/policies enacted by the Telecoms Regulatory Authority ('TRA') in respect of data protection of telecoms consumers in the UAE.
Ukraine
Law/Regulation Name:
Data Protection Law
In addition to the Data Protection Law, certain data protection issues are regulated by subordinate legislation specifically developed to implement the Data Protection Law, in particular:
- Procedure of notification of the Ukrainian Parliament's Commissioner for Human Rights on the processing of personal data, which is of particular risk to the rights and freedoms of personal data subjects, on the structural unit or responsible person that organizes the work related to protection of personal data during processing thereof (Notification Procedure)
- Model Procedure of processing of personal data (Model Procedure)
- Procedure of control by the Ukrainian Parliament's Commissioner for Human Rights over the adherence of personal data protection legislation.
The Data Protection Law essentially complies with the EU Data Protection Directive.
In addition, general data protection issues are regulated by:
- the Constitution of Ukraine dated 28 June 1996
- the Civil Code of Ukraine dated 16 January 2003 No 435 IV
- the Law of Ukraine 'On Information' dated 2 October 1992 No 2657 XII
- Law of Ukraine 'On Protection of Information in the Information and Telecommunication Systems' da
- some other legislative acts.
Law enforced by the Ukrainian Parliament’s Commissioner for Human Rights.
United Kingdom
Law/Regulation Name:
Data Protection Act. General Data Protection Regulation (GDPR)
The United Kingdom is expected to enact the principles of the GDPR that it had agreed to prior to its recent vote to leave the European Union, thereby updating/aligning the Data Protection Act to be consistent with mainland Europe.
The GDPR harmonizes the 28 separate state-level data protection regulations that came out of the 1995 EU Data Protection Directive and extends to any organization (including foreign) that handles over 5000 personal data records of EU customers, employees, members and citizens. Organizations are required to implement a robust data protection policy overseen by a Data Protection Officer and conduct regular audits and privacy impact assessments. Data protection must be embedded into all processes and state-of-the-art technologies deployed to secure data. Should a breach occur, authorities and affected individuals must be notified and requests for data erasure implemented. The Data Protection Authorities of the various EU Member States have the ability to interpret provisions of the law within their own country. Responsibilities are defined for sharing data with third-party processors as well as for data transfers across borders.
Law enforced by the Information Commissioner’s Office.
United States
Law/Regulation Name:
Variety of state and medium-specific laws
The United States has about 20 sector-specific or medium-specific national privacy or data security laws, and hundreds of such laws among its 50 states and its territories (California alone has more than 25 state privacy and data security laws). These laws, which address particular issues or industries, are too diverse to summarize fully in this volume.
In addition, the large range of companies regulated by the Federal Trade Commission (‘FTC’) are subject to enforcement if they engage in materially unfair or deceptive trade practices. The FTC has used this authority to pursue companies that fail to implement reasonable minimal data security measures, fail to live up to promises in privacy policies, or frustrate consumer choices about processing or disclosure of personal data.
There is no official national authority. However, the FTC has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas (eg for telemarketing, commercial email, and children's privacy). The FTC uses its general authority to prevent unfair and deceptive trade practices to bring enforcement actions against inadequate data security measures, and inadequately disclosed information collection, use and disclosure practices. State attorneys general typically have similar authority and bring some enforcement actions, particularly in the case of high profile data security breaches.
In addition, a wide range of sector regulators, particularly those in the health care, financial services, communications, and insurance sectors, have authority to issue and enforce privacy regulations.
International data transfer between the EU and the USA is governed by the principles defined in the recent Privacy Shield agreement, which replaced the Safe Harbor agreement after the European Court of Justice deemed Safe Harbor inadequate to protect the privacy rights of EU citizens. Privacy advocates have raised concerns that the Privacy Shield agreement does not go far enough and have promised to challenge it in the courts.
Uruguay
Law/Regulation Name:
Data Protection Act
Ley de Protección de Datos
Law enforced by Data Protection Authority.
Venezuela
Law/Regulation Name:
Constitution of the Bolivarian Republic of Venezuela
Constitución de la República Bolivariana de Venezuela
Venezuela does not have any general legislation regulating data protection. However, there are general principles established in the Constitution of the Bolivarian Republic of Venezuela and developed by Supreme Court decisions.
There are also specific provisions concerning data protection with limited scope of application, contained in the Banking Institutions Law and the Special Law against Cybercrime.
Venezuela does not have a national data protection authority. Some agencies have data protection authority within their specific jurisdiction, for instance, the Superintendence of Banks and the National Telecommunications Commission.
Zimbabwe
Law/Regulation Name:
Zimbabwean Constitution
The protection of privacy is a principle enshrined in Zimbabwe's Constitution. Whilst there is no designated national legislation dealing with data protection for private persons in Zimbabwe, there are laws that have a bearing on the right to privacy and protection of personal information for specific types of data, or in relation to specific activities.
The Access to Information and Protection of Privacy Act (Chapter 10:247) is the law which contains the most provisions on data protection. However, this generally only regulates the use of personal data by public bodies. Other laws refer to the protection of information as a function of other activities or the protection of specific types of data such as the Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04), the Census and Statistics Act (Chapter 10:29), Banking Act (Chapter 24:20), National Registration Act (Chapter 10:17) and the Interception of Communications Act (Chapter 11:20).
The Ministry of Information Communication Technology and Postal Services is currently formulating the policy principles for a data protection law.
There is no data protection authority. However, the Zimbabwe Media Commission's mandate does include the following:
- ensuring that the people of Zimbabwe have equitable and wide access to information
- commenting on the implications of proposed legislation or programs of public bodies on access to information and protection of privacy
- commenting on the implications of automated systems for collection, storage, analysis or transfer of information or for the access to information or protection of privacy
- amongst other functions.