Data Protection Laws of the World

Data Protection

“Privacy and Publication generally never go together. But this publication is a must for every privacy lover. Meticulous compilation of data privacy laws by the DLA Piper team.”
Raghu Raman Lakshmanan, General Counsel,
HCL America, Inc.
“This compilation does what every brilliant lawyer should do: it makes it easy for clients to understand and apply technical and difficult regulations. Touché to DLA Piper Data Protection Team.”
Dr Katarzyna Lasota Heller, Group Legal Compliance Officer,
“DLA Piper has done great work, as the handbook is incredibly well structured and extremely valuable for anyone handling data protection issues.”
Desislava Avramova, Senior Legal Counsel EMEA,
Newell Rubbermaid Inc.
“DLA’s handbook is a very helpful tool when looking up and comparing privacy requirements across various countries. And by putting it online they made it available to me anytime and anywhere I need it.”
René Keiser, Senior Counsel,
Mondelēz International
“DLA Piper’s Data Protection Laws of the World Handbook is an extremely useful resource. It enables us to find an answer to complex multi-jurisdictional privacy law questions very quickly.”
Lieven van Parys, European Privacy Counsel,
“I’ve never seen anything like it before in terms of law firm guidance/publications. Fantastic job and an excellent tool! I and my team will certainly use it and I know that it is already being circulated to others within the Volvo Group.”
Alexia Henriksen, VP General Counsel
Volvo Financial Services (EMEA)

New Features

  • This year is shaping up to be particularly important for data protection and to reflect this we have included a new chapter which summarises the substantial material changes between the existing European Directive and the proposed EU Regulation as it currently stands.

  • We also now have chapters covering Bosnia and Herzegovina, Croatia, Macedonia, Montenegro and Venezuela, to bring the total number of jurisdictions to 77. We plan to add additional African jurisdictions over the course of 2015.


More than ever it is crucial that organisations manage and safeguard personal information, and address the risks and legal responsibilities that arise from processing personal data, given the growing thicket of applicable data protection legislation.

A well‑constructed and comprehensive compliance program can reconcile these competing interests and is an important risk‑management tool.

This handbook sets out an overview of the key privacy and data protection laws and regulations across 77 different jurisdictions and offers a primer to businesses as they consider this complex and increasingly important area of compliance.

DLA Piper's global data protection and privacy team has the deep experience and international reach to help global businesses develop and implement practical compliance solutions to the myriad data protection laws that apply to global businesses.


Welcome to DLA Piper's Data Protection Laws of the World Handbook. We launched the first edition of the handbook in 2012, and following such a positive response have been updating it to include additional chapters from Bosnia and Herzegovina, Croatia, Macedonia, Montenegro and Venezuela, to bring the total number of jurisdictions to 77. We also plan to add additional African jurisdictions during the course of 2015.

We continue to witness a period of unprecedented activity in the development of data protection regulation around the world which will have a profound impact on the way in which global businesses are required to approach the collection and management of personal information.

These changes are being driven largely by cultural and trade considerations and by a struggle to keep pace with emerging technology and online business methods. The proposal for a new EU data protection regulation, which is wending its way through the European legislative process as of this writing, is almost certain to effect a fundamental change in the existing EU framework. Of equal significance is the toughening of legal requirements and of enforcement in countries such as Korea, Hong Kong and Singapore. Furthermore, the emergence of laws in countries which previously had no data protection law in place, including a large number of countries in Asia, Latin America and the Middle East, continues and could create considerable enforcement risk in the future.

Should you require further guidance, please do not hesitate to contact us at


We are pleased to introduce CyberTrak, an innovative online cybersecurity tool featuring information on cybersecurity-related mandates in 23 key markets around the world. CyberTrak is the inaugural product of a partnership between Blue Edge Lab℠* and the Internet Security Alliance (ISA).

CyberTrak provides multinational companies instant online access to critical information about cybersecurity-related laws, regulations and generally accepted standards in 23 key markets in the Americas, Asia-Pacific, Europe and the Middle East and in four highly regulated sectors in the US. It also provides brief summaries of requirements, as well as an assessment on enforcement risk and the degree of activity triggering the requirement.

Cybersecurity laws and regulations are evolving rapidly around the world. Companies battling ever more sophisticated cyberattacks face mounting compliance costs and higher risks if they do not keep up with new requirements in all markets where they operate.

CyberTrak is designed to help GCs, CIOs, CISOs, risk officers and legal, technology, IT and procurement departments of multinational companies make better, faster risk management decisions and reduce the costs associated with keeping up with these changing regulatory requirements.

CyberTrak content will be regularly updated three times per year by a global group of more than 50 carefully selected contributors in key jurisdictions (many of them contributors to Data Protection Laws of the World), along with interim updates when major changes occur.

Understanding cybersecurity mandates on a global scale is critical to any multinational company that collects and retains customer data, trade secrets, and other confidential data or operates in a critical infrastructure sector, such as energy, financial services, healthcare and defense/government contractors.

Company-wide CyberTrak access is offered on an annual subscription basis. To register for a free trial or to learn more about CyberTrak, please visit

*Blue Edge Lab, LLC is a wholly owned subsidiary of DLA Piper LLP (US). Blue Edge Lab is not a law firm and does not provide legal services.


If you find this Handbook useful, you may also be interested in DLA Piper's Data Protection, Privacy and Security group's Privacy Matters Blog − a blog featuring regular data protection, privacy and security legal updates to help you remain aware of the most important legal and regulatory developments.

We have over 130 experienced privacy and security lawyers across the globe who are close to the regulations in each of their respective jurisdictions and who regularly post summary articles on their local issues.

To access the blog, please visit

To ensure you receive an automatic email when a new article is posted, please enter your details in the 'subscribe' section found on the blog’s right‑hand sidebar.


This handbook is not a substitute for legal advice. Nor does it cover all aspects of the legal regimes surveyed, such as specific sectorial requirements. Furthermore, enforcement climates and legal requirements in this area continue to evolve. Most fundamentally, knowing high-level principles of law is just one of the components required to shape and to implement a successful global data protection compliance program.

Data Protection and Privacy Group Key Contacts


Jim Halpert
Partner & Chair of US Data Protection and Privacy Group
T +1 202 799 4441

Europe, Middle East and Africa

Andrew Dyson
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +44 (0)113 369 2403
Prof. Patrick Van Eecke
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +32 2 500 1630
Carol Umhoefer
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +33 1 40 15 24 34
Thomas Jansen
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +49 89 2323 72 110
Diego Ramos
T +349 17901658
Richard van Schaik
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +31 20 541 9828

Asia Pacific

Peter Jones
Partner & Co-Chair of Asia-Pac Data Protection and Privacy Group
T +61292868356
Scott Thiel
Partner & Co-Chair of Asia-Pac Data Protection and Privacy Group
T +852 2103 0519


Kate Lucente
Associate and Co-Editor, Data Protection Laws of the World Handbook
T +1 813 222 5927

The EU Legal Framework On Data Protection


Current Legal Framework

Personal data processing in the European Union is governed by the European Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The principles of this directive have been implemented in the national laws of each of the European Union Member States, as further explained in the country chapters.

Future Legal Framework

Technological progress and growth, as well as globalisation, have significantly changed the way personal data is collected, accessed and processed. Furthermore, the current European legal framework regarding data protection is regulated by a Directive, which results in diverging national interpretations as well as different local enforcement of the provisions.

The technical developments as well as the diverging national implementations have resulted in the European legislators reconsidering the current data protection framework in Europe. A first step towards a new legal framework was taken when the European Commission presented its draft proposal to a new Data Protection Regulation on 25 January 2012. The proposal was presented as a comprehensive reform of the current data protection rules and aims to 'strengthen online privacy rights and boost Europe's digital economy'.

The Commission opted for a Regulation instead of a Directive because a Regulation requires no transposition into national law and will apply directly and equally in all Member States. This should abolish the current fragmentation and remove costly administrative burdens, especially for companies active in multiple EU Member States.

Time frame

The exact wording of the draft Regulation is currently being negotiated by the members of the European Parliament and the member state delegations, assembled in the European Council. A common position on the final text is expected in summer 2015.

After formal approval and official publication of the Regulation, a 2 year transitional period is expected to apply. Following the end of this transitional period, the Regulation will be directly applicable throughout the EU, without requiring implementation by the Member States through national law.

Key changes

Key changes to the current data protection framework include:

  1. A single set of rules on data protection, directly applicable in all EU Member States

  2. Increased responsibility and accountability for those processing personal data, for example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours)

  3. Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU

  4. Wherever consent is required for data to be processed, consent must be given explicitly, rather than assumed

  5. Users will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). It is believed that this will improve competition among services

  6. A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to require third parties to delete their data if there are no legitimate grounds for retaining it

  7. EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens

  8. Independent national data protection authorities will be strengthened so they can better enforce the EU rules in their local jurisdiction. They will be empowered to fine companies that violate EU data protection rules, and

  9. Non-compliance could lead to heavier sanctions (compared to the current framework), such as fines up to 2% of the annual worldwide turnover of the enterprise, depending on the obligation that was breached.

Summary of The Substantial Material Changes

The sections below summarise the substantial material changes imposed by the Regulation, compared to the current framework under the Directive.


The material scope as foreseen in the Proposal for a General Data Protection Regulation has not substantially changed compared to the current Directive 95/46/EC. As to the territorial scope, the new rules are expected to have a major impact on non-EU established companies targeting the EU market.

Controllers or processors established in the EU

The draft Regulation applies to the processing of personal data "in the context of the activities of an establishment of a controller or a processor in the EU".

The determining factor is the location of the establishment whose activities entail personal data processing. An establishment will be deemed to exist where there is an effective and real exercise of activities through stable arrangements in the EU (whether through a branch or a subsidiary with legal personality). Whether the actual processing takes place within or outside the EU is irrelevant in determining the applicability of the Regulation.

It should be noted that it is no longer just the location of the controller that is relevant for determining the applicability of EU data protection law. Indeed, the draft Regulation (in contrast to the current Directive) refers not only to the establishment of a controller in the EU, but also to the establishment of the processor in the EU.

Controllers not established in the EU

A controller with no establishments in the EU may still be required to comply with the Regulation, when the controller:

  • processes personal data of data subjects residing in the EU; and
  • such processing activities relate to offering EU data subjects goods or services or monitoring their behaviour.

Monitoring occurs when individuals are tracked on the internet with data processing techniques which consist of applying a 'profile' to an individual, particularly in order to take decisions concerning the individual or for analyzing or predicting his/her personal preferences, behaviours and attitudes.

The current rules regarding use of EU based equipment would no longer apply.

General Processing Requirements


The draft Regulation clarifies the conditions for invoking a data subject's consent as a legal basis for processing. Consent requires an explicit, freely given, specific and informed indication of wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him being processed (e.g. by ticking a box when visiting a website, or by any other statement or conduct which clearly indicates the data subject's acceptance of the proposed processing). This appears to remove the possibility of implied consent being effective.

If consent is given in the context of a written declaration that also concerns another matter (e.g. general terms and conditions), the request for consent must be distinguishable in its appearance from that other matter. The data subject has, at all times, the right to withdraw his or her consent.


The draft Regulation provides a strict framework for processing the personal data of children.

In particular, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years will only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller must in this respect make reasonable efforts to obtain verifiable consent.

Data Subjects' Rights


The draft Regulation introduces a new obligation imposed on the controller, whereby the controller must have "transparent and easily accessible" policies with regard to the processing of personal data and for data subjects to exercise their rights. It must provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.

Where personal data are collected, the controller must provide the data subject with information. Compared to the current Directive, the types of information to be provided to the data subject have been expanded by the draft Regulation.

Procedures and mechanisms

The controller must establish procedures for responding to data subjects' access, rectification, erasure, portability and objection requests, and mechanisms to facilitate such requests. Where personal data are being processed by automated means, the controller must also provide means for requests to be made electronically.

Except in cases of excessive requests (in particular due to their repetitive character), the controller may not charge fees in this respect.

Whereas the Directive simply provides that data subject requests must be answered without excessive delay, the draft Regulation imposes specific requirements regarding the content, the time limit and the format of the response to be given by the controller.

If the data controller rectifies or erases any data as a result of the data subject exercising his right to rectification and right to be forgotten, the controller must inform any recipient, to whom the data has been disclosed, of the change, unless this proves to be impossible or involves disproportionate effort.

Access and rectification

The draft Regulation extends the right of access to personal data. The key changes are as follows:

  • The data subject would have the right to make requests to the controller at any time rather than at reasonable intervals.
  • The following additional information must be provided to a data subject who makes a request:
    • details of recipients in third countries to whom the personal data is disclosed
    • the period for which the personal data will be stored
    • the existence of the data subject's right to request rectification or erasure and to object to processing
    • details of the data subject's right to complain to the supervisory authority and the authority's contact details, and
    • the significance and consequences of processing, at least in relation to measures based on profiling.

As with the Directive, the data subject has a right to obtain a copy of the data.

The right to rectification gives data subjects the right to have any inaccurate data about them rectified, and any incomplete data completed.

Right to be forgotten and to erasure

Whereas the principles underlying the right to be forgotten under the current Directive have been recognised by the European Court of Justice in its landmark Google Spain ruling, the scope of this right has been further clarified and extended in the draft Regulation.

A data subject may require the controller to erase his personal data, and to refrain from further disseminating such data, especially in relation to data made available by the data subject when he was a child, in the following cases:

  • the data are no longer necessary for the purposes for which they were collected or otherwise processed
  • the data subject withdraws his consent or when the storage period consented to has expired, and where there is no other legal ground for processing the data
  • the data subject objects to his personal data being processed (see below), or
  • the processing of the data does not comply with the Regulation for other reasons.

Where the data were made public by the controller, it must take all reasonable steps to inform third parties that are processing such data that the data subject requests them to erase any links to, or copy or replication of, that data. Where the data controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

Several exceptions exist to the obligation to erase the data without delay, including e.g. compliance with a legal obligation. In some cases, the controller may restrict the processing of the data rather than erasing them, notably:

  • if the data's accuracy is contested, for a period enabling the controller to verify the accuracy
  • if the controller no longer needs the data for the accomplishment of its task but they have to be maintained for evidence purposes
  • if the processing is unlawful but the data subject opposes their erasure and requests the restriction of their use instead, or
  • if the data subject exercises its right to data portability (see below).

In case of such restricted processing, the data may, apart from being stored, only be processed for evidence purposes, with the data subject's consent, or for the protection of another person's rights or an objective of public interest. The controller must inform the data subject before lifting the restriction on processing.

Data portability

The draft Regulation introduces a new right to data portability, which grants data subjects the right, where data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. This right is similar to the existing data subject access right, but in addition, it requires that the data is made available in a specific format.

Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.

The right to data portability is primarily aimed at social media platforms but would apply to all controllers and is likely to place a significant burden on data controllers.

Right to object

The general right to object, applicable in cases where personal data is used for purposes of direct marketing, has been extended to cover the situation where processing is based on the necessity to protect the data subject's vital interest.

In addition, it is now the data controller that bears the burden of proof to demonstrate that there are compelling legitimate grounds for its processing activities.


Principle – The draft Regulation restricts the possibility of taking automated individual decisions regarding natural persons. Natural persons have the right not to be subject to measures which may have legal effects or which significantly affect them where such measures are solely based on profiling. A measure will be deemed to be solely based on profiling where it is solely based on automated processing intended to evaluate certain personal aspects relating to a natural person or to analyse or predict, in particular, a natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

Exceptions – A person may nevertheless be subjected to such a measure based on profiling in exceptional cases, namely if the processing is:

  • carried out in the course of entering into or performance of a contract (where the request for entering into / performance of the contract was lodged by the data subject and was satisfied or suitable safeguarding measures were adduced)
  • expressly authorised by (EU or national Member State) law, or
  • based on the data subject's consent.

In such cases, the controller has an extended information obligation towards the data subject. The data subject must be informed of the existence of processing for such measure based on profiling, and the envisaged effects on the data subject.

In any case, automated processing intended to evaluate certain personal aspects of a natural person may not be based solely on the so-called "special categories of data", i.e. data revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, genetic data, data concerning health or sex life or criminal convictions or related security measures.

Previous draft versions of the Regulation provided that measures based on profiling could never be taken with respect to children. Whereas this prohibition has been deleted in the draft Regulation, the explanatory recitals still refer to this principle.

Internal Compliance Requirements

The controller has an obligation to ensure that all processing of personal data is performed in compliance with the Regulation. Moreover, the controller must be able to demonstrate such compliance.

To this end, the controller must adopt specific policies and measures, and verify the effectiveness of those measures. If proportionate, this verification will be carried out by independent internal or external auditors.

The minimum measures to be taken by the controller are listed and further elaborated in the draft Regulation:

  • keep extensive documentation of the processing operations
  • implement data security requirements
  • perform a data protection impact assessment (only required in specific cases)
  • obtain prior authorisation or prior consultation from the supervisory authority (only required in specific cases), and
  • designate a data protection officer (only required in specific cases).

System and Operating Requirements

Privacy by design

The draft Regulation introduces the concept of "privacy by design". Although this idea is already reflected in the current Directive, it is now introduced as a specific, stand-alone concept. The controller must implement appropriate technical and organisational measures and procedures which should ensure that the processing complies with the Regulation, and protects the rights of the data subjects.

Privacy by default

The draft Regulation also introduces the concept of "privacy by default", which can generally be considered the practical implementation of the existing data minimisation principle. It implies that the controller must implement mechanisms to ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing, and that data are not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of data and the duration of their storage.

Security breach notification

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The draft Regulation introduces a notification obligation for controllers and processors in the case of personal data breaches. A processor must alert and inform the controller immediately after establishment of a personal data breach. A controller must notify the supervisory authority without undue delay, and where feasible within 24 hours, after having become aware of a personal data breach.

The draft Regulation also imposes a documentation obligation on controllers which should enable the supervisory authority to verify compliance with the notification obligation, and should only include the information necessary for that purpose.

Furthermore, the controller has a notification obligation towards data subjects. Such notification obligation applies where the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject.

Transfers to Third Countries Or International Organisations

The main changes compared to the current regime relate to enabling controllers and processors to make certain transfers of personal data outside of the European Economic Area (EEA) where it is in the legitimate interests of the controller or the processor. This would only apply where the transfer is not "frequent, massive or structural" but this relaxation of the data transfer restrictions is nevertheless a welcome change for businesses operating in an international environment.

In addition, the draft Regulation envisions binding corporate rules for processors, approval of additional standard data transfer clauses beyond the model clauses, and flexibility for the European Commission to determine a jurisdiction's "adequacy" to receive international data transfers for particular industry sectors or territories within a country.

(Joint) Controllers and Processors

In line with the Directive, the draft Regulation recognises the principle of "joint controllers", i.e. two or more companies determining the purposes, conditions and means of the processing together. The draft Regulation does, however, additionally impose the requirement to ensure an arrangement is in place between such joint controllers.

Such an arrangement must determine, in particular, the parties' respective responsibilities with respect to the procedures and mechanisms for data subjects exercising their rights.

Liability allocation

The draft Regulation grants, to any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with the draft Regulation, the right to compensation from the controller or the processor responsible for the damage suffered.

Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.

Enforcement and Liability


Contrary to the Directive, the draft Regulation introduces the principle of a "one-stop-shop", whereby one supervisory authority (in the country of the controller's main establishment) is responsible for decisions relating to the controller across its EU operations. This principle is expected to reduce the administrative burden for international organisations.

The draft Regulation requires controllers and processors to cooperate with the supervisory authority, e.g. by providing information and/or access.

For certain specific processing activities, prior consultation with or authorisation from the supervisory authority is required.

Penalties and administrative sanctions

The draft Regulation requires the Member States to lay down rules on penalties applicable to infringements of the Regulation.

Additionally, the draft Regulation foresees an extensive regime of administrative sanctions, empowering each supervisory authority to impose sanctions in cases where a controller intentionally or negligently infringes the Regulation.

Depending on the nature of the breach, supervisory authorities may impose fines varying from 250,000 EUR or 0.5% of the annual worldwide turnover of an enterprise, up to 1,000,000 EUR or 2% of the annual worldwide turnover of an enterprise.

In this context, we note that an "enterprise" is any entity engaged in an economic activity, irrespective of its legal form, so includes natural and legal persons, partnerships or associations regularly engaged in an economic activity.

For enterprises or organisations employing fewer than 250 employees which process personal data only as an ancillary activity, a warning may be given (rather than a sanction imposed) in case of a first and non-intentional case of non-compliance with the draft Regulation.

The draft Regulation also takes into account the degree of cooperation to remedy the violation when determining the fine.

Current Status of the Draft Regulation

The provisions of the draft Regulation are not to be considered as final and are still subject to extensive debate by the European legislative bodies.

For any updates on the legislative process, and other data protection and privacy related news, we invite you to consult our data protection and privacy blog

Key Contacts

Prof. Patrick Van Eecke
T +32 2 500 1630
