Law No. 81/2018 relating to Electronic Transactions and Personal Data Law (the “Law”).
Definition of Personal Data
Personal Data is defined as any information relating to an individual which helps to identify that individual, either directly or indirectly, including by comparing or combining information from multiple sources.
Definition of Sensitive Personal Data
The Law does not define sensitive personal data per se. However, it states that personal data falling within specific categories shall only be processed under a license from the Ministry of Economy and Trade (exceptions apply).
The Law does not give this category of data a particular name; it simply lists the data elements falling within it, as follows:
- those related to the external and internal security of the State, under the terms of a joint decision of the Ministers of National Defence and Interior and Municipalities;
- those related to criminal offences and judicial proceedings of various natures, under the terms of a decision by the Minister of Justice;
- those related to health, genetic identity, sexual life of individuals, under the terms of a decision of the Minister of Public Health.
There is no National Data Protection Authority in Lebanon.
The Ministry of Economy and Trade is responsible for issuing permits and licenses for the processing of personal data when required under the Law.
Any person or entity wishing to process personal data must file a declaration with the Ministry of Economy and Trade and obtain a permit, issued against receipt of that declaration, except in the following cases:
- when the data subject has agreed in advance to the processing of their personal data;
- when processed by public authorities, within their prerogatives;
- when processed by Non-Profit Organizations in relation to the members and clients thereof, within the scope of the normal and legal exercise of their functions;
- when processed for the purpose of keeping dedicated records required under the provisions of applicable laws and regulations, for the purpose of informing the public and which data can be accessed by any person having a legitimate interest;
- when processed by educational institutions in relation to their students and pupils, for educational or administrative purposes;
- when processed by institutions, commercial companies, trade unions, associations and liberal professionals in relation to their employees and members, within limits and for the needs of exercising their activities in a legal manner;
- when processed by commercial entities, associations, organizations, trade unions and liberal professionals in relation to their clients and customers, within limits and for the needs of exercising their activities in a legal manner.
The Law does not define a data protection officer.
Processing of Personal Data is defined as any action or set of actions performed on the data regardless of the medium used, including data collection, recording, organization, storage, adaptation, modification, extraction, reading, use, transmission, copy, dissemination, deletion, destruction or otherwise disposing of it.
The Law states that personal data shall be collected faithfully and for legitimate, specific, and explicit purposes. In addition, the data must: be appropriate; not exceed the set purposes; be correct and complete; and remain on a daily basis as relevant as possible.
Data controllers, or their representatives, have an obligation to inform data subjects of the following:
- the identity of the data controller or the identity of its representative;
- the purposes of the processing;
- the mandatory or optional nature of the raised questions;
- the consequences of non-response;
- the persons to whom the data is to be sent; and
- the right to access and correct information, as well as the means provided for the same.
The Law is silent on cross-border data transfers.
The Law does not mandate specific technical security measures. An appropriate security standard applies.
The Law requires the data processor to take all measures, in light of the nature of the data and the risks resulting from processing thereof, in order to ensure the integrity and security of the data and to protect the same against being distorted, damaged or accessed by unauthorized persons.
Data subjects are entitled to resort to the competent courts, especially to the Judge of Expedite Matters, for matters related to enforcement of their rights under the Law.
There are no administrative enforcement actions.
The public prosecutor and/or data subjects can start legal proceedings to enforce the Law.
It is forbidden to communicate unsolicited marketing and advertising emails (SPAM) using a real person's name and address, unless that person has consented to such type of advertising, except for cases where the sender of the unsolicited advertisement has legally obtained the address of such individuals through a previous engagement with them.
The Law provides that any individual shall have the right to object to the processing of their personal data for legitimate reasons, including to the collection and processing of personal data for marketing/promotion purposes (exceptions apply).
The Law does not identify classes or types of personal data, and makes no specific mention of cookies/cookie identifiers or location data. Qualification of online identifiers as personal data shall be assessed by local courts.