Is there a National Data Protection Law?

Africa
Egypt

Resolution No. 151 of 2020 approving the Law on the Protection of Personal Data was published, on 15 July 2020, in the Official Gazette.

Ghana

Yes – Data Protection Act 2012 (the "DPA").

Morocco

Yes – Law No. 09-08 relating to the protection of individuals with regard to the processing of personal data.

Nigeria

Yes – the Nigeria Data Protection Regulation 2019 (the "NDPR").

South Africa

Yes – the Protection of Personal Information Act 4 of 2013 (Act) (the "POPIA").

Tunisia

Yes – No. 2004-63, 27 July 2004 on the Protection of Personal Data (the Law).

Zimbabwe

Yes – the Data Protection Act [Chapter 11:12] (originally referred to as the Cyber Security and Data Protection Bill).

Asia
Cambodia

No. However, Cambodia's constitution provides for citizens' rights to privacy. The Civil Code recognises the personal right to identity, dignity, privacy and other personal interests of an individual. Under the Penal Code, the disclosure of secrets and the interception of private communication or mishandling of data are criminal offences.

China

Yes – the Personal Information Protection Law (the "PIPL"). The Cybersecurity Law (the "CSL") and the Data Security Law (the "DSL") also contribute towards China's overall data protection regime.

Hong Kong

Yes – the Personal Data (Privacy) Ordinance 1996 as amended in 2013 (the "PDPO"). Most recently the Personal Data (Privacy) (Amendment) Ordinance (the "Amendment Ordinance") came into force in October 2021, introducing new offences.

India

No - currently Indian data protection requirements are located across multiple sources. However the draft Personal Data Protection Bill 2019 is currently being considered.

Indonesia

No - there is currently no general personal data protection law. However, the draft of the Personal Data Protection Act (the "PDP Bill") has been officially submitted to the House of Representatives.

Iran

No

Israel

Yes – the Protection of Privacy Law (the "PPL") and the Data Security Regulations.

Japan

Yes – the Act on the Protection of Personal Information (as amended) (the "APPI").

Malaysia

Yes – the Personal Data Protection Act 2010 (the "PDPA"). The Ministry of Communications and Multimedia carried out a public consultation in relation to proposed PDPA amendments in February 2020.

Myanmar

No

Pakistan

No – there is no general personal data protection law. However, the Personal Data Protection Bill 2021 (the "Bill") has been released on the Ministry of Information Technology & Telecommunication's website for public comment.

Philippines

Yes - Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “Data Privacy Act”).

Qatar

Yes – Law No. 13 of 2016 Concerning Personal Data Protection (the "Data Protection Law") was passed in November 2016. A separate legal regime applies to entities licensed in the Qatar Financial Centre (the "QFC").

Russia

Yes – the Federal Law of 27 July 2006 152-FZ on Personal Data.

Saudi Arabia

Yes – the Personal Data Protection Law (the "PDPL") and the Personal Data Protection Interim Regulations (the "PDPIR").

Note: the PDPL was to become effective on 23 March 2022 but has been

Singapore

Yes – the Personal Data Protection Act 2012 (the "PDPA").

Taiwan

Yes – the Personal Data Protection Act 2010 (as amended in 2015) (the "PDPA").

Thailand

Yes – the Personal Data Protection Act 2019 (the "PDPA").

Turkey

Yes - the Law on Personal Data Protection No.6698.

United Arab Emirates

Yes – the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL"). The PDPL keeps intact existing data protection and privacy laws within the UAE's financial free zones which include:

Abu Dhabi Global Market ("ADGM") – the Data Protection Regulations 2015. This was amended by the Data Protection (Amendment) Regulation 2018.

Dubai International Financial Centre ("DIFC") – the Data Protection Law 2007.

Vietnam

No – only in draft. The most comprehensive legal framework on data protection is the Law on Cyber Information Security (the "LCIS").

Europe
Austria

Yes – the Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBI. I No. 165/1999) (last amended in 2019) and the GDPR.

Belgium

Yes - The Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data (the "Act"), and the GDPR.

Bulgaria

Yes – the Bulgarian Personal Data Protection Act (the "PPDA") and the GDPR.

Czech Republic

Yes – the Personal Data Processing ("PDPA") Act No. 110/2019 Coll. came into force on 24 April 2019, implementing the GDPR and Act No. 111/2019 amending certain laws in connection with the adoption of the PDPA.

Denmark

Yes – the Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the "Data Protection Act"), which implemented the GDPR.

England & Wales

Yes – the Data Protection Act 2018 and the UK GDPR.

France

Yes – Information Technology, Data Files and Civil Liberty No.78-17 dated 6 January 1978 - An updated version of the law incorporating the GDPR provisions was enacted 20 June 2018 as law No. 2018-493 regarding the protection of personal data and the GDPR.

Germany

Yes – the Federal Data Protection Act of 30 June 2017 (the "BDSG") (implementing the GDPR) (as amended) and the GDPR.

Greece

Yes – Law No. 4624/2019 on the Personal Data Protection Authority, implementing the GDPR and transposing into national law Data Protection Directive with respect to law enforcement and other provisions.

Hungary

Yes – on 17 July 2018, the Hungarian Parliament adopted Act XXXVIII of 2018, the Hungarian national law supplementing the General Data Protection Regulation, amending Act No. CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (the "Amendment").

Iceland

Yes – Act 90/2018 on Privacy and Processing of Personal Data, substituting Act no. 77/2000 and implementing the GDPR.

Ireland

Yes – the Irish Data Protection Act 2018 (the "DP Act") and the GDPR.

Italy

Yes – the Italian Council of Ministers approved the Legislative Decree n.101/2018 harmonising the Italian Privacy Code, other national laws and the GDPR.

Luxembourg

Yes – Act of 1 August 2018 concerning the organisation of the CNPD and the General Data Protection Regulation.

Malta

Yes – the GDPR has been implemented through the Maltese Data Protection Act 2018 (Chapter 586 of the Laws of Malta) (the "DPA").

Netherlands

Yes – the GDPR implemented through the Dutch Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming - the “UAVG”). The UAVG is to a large extent identical to the old Dutch Personal Data Protection Act.

Poland

Yes – the Personal Data Protection Act (the "PDPA") came into force on 25 May 2018, implementing the GDPR.

Romania

Yes – Law no. 190/2018 and the GDPR.

Scotland

Yes – the Data Protection Act 2018 and the UK GDPR.

Slovakia

Yes – Act No. 18/2018 Coll on the Protection of Personal Data and the GDPR.

Slovenia

Yes – the Personal Data Protection Act 2004 (the "Act") and the GDPR. Slovenia has not yet adopted the new Personal Data Protection Act.

Spain

Yes – Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (the "NLOPD") and the GDPR.

Sweden

Yes – the Data Protection Act (2018:218) (the "DPA") with its complementary provisions (2018:19) and the GDPR.

Switzerland

Yes – the Federal Act on Data Protection (the "FADP").
Note: the revised FADP, which is expected to enter into force between mid-2022 and the beginning of 2023, aims to align the current law with the GDPR.

Ukraine

Yes – the Law of 1 June 2010 No. 2997-VI on Personal Data Protection, as amended (the "PDPL").

North America
Canada

Yes – the Canadian Federal Personal Information Protection and Electronic Documents Act 2000 ("PIPEDA") and Privacy Act 1985.

Costa Rica

Yes – Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 (the "Data Protection Law") and Executive Decree No. 37554-JP of 30 October 2012 Regulating Law No. 8968

Cuba

No – Cuba regulates data privacy and protection issues through the constitution as well as various decrees and regulations.

Mexico

Yes – the Federal Law on the Protection of Personal Data held by Private Parties (the "LFPDPPP") and the Regulation of the Federal Law on Protection of Personal Data Held by Private Parties (the "Regulation").

Panama

Yes – Law No. 81 on Personal Data Protection 2019 supplemented by Executive Decree No. 285 of May 28 2021 (together the "Data Protection Law").

United States

There is no general, federal data protection law in place. Instead, there are a number of sectoral, federal and state laws.

Oceania
Australia

Yes - the Privacy Act 1988 as amended in 2012 and supported by the Australian Privacy Principles (the "APPs"). There is different legislation at State and Territory level too, as well as sector-specific legislation.

New Zealand

Yes – the Privacy Act 2020 (the "Act").

South America
Argentina

Yes – the Personal Data Protection Act, Act No. 25.326 of 2000 (the "Act") and Decree No. 25.326.

Brazil

Yes – the Brazilian General Data Protection Law (the "LGPD"), Federal Law no. 13,709/2018, has been in force since September 18, 2020. The LGPD is Brazil’s first comprehensive data protection regulation and it is largely aligned to the EU GDPR.

Chile

Yes – the Protection of Private Life Act (Law 19,628) (1999) (the "PDPL").

Note – Draft Bill No. 11144-07 Regulating the Protection and Processing of Personal Data and Creating the Data Privacy Authority ("the Bill") aims to modernise the PDPL based on the EU GDPR but has yet to successfully pass through the legislative process.

Colombia

Yes – the General Provisions for the Protection of Personal Data (Law 1581 of 2012) (the "Data Protection Law").

Peru

Yes – the Personal Data Protection Law (29.733) (2011) (the "PDPL") together with Supreme Decree 003-2013 Regulation of the PDPL which expanded, developed and clarified the requirements of the PDPL.

Uruguay

Yes – the Protection of Personal Data and Habeas Data Action (Law 18,331) (2008) and Decree No. 414/009 Regulating Law 18.331 Relating to the Protection of Personal Data.


Is there a specific National Data Protection regulator/authority?

Africa
Egypt

No - under the Protection of Personal Data Law it will be the Personal Data Protection Centre (the "DPC"); however, it is not yet operational.

Ghana

Yes – Data Protection Commission (the "DPC").

Morocco

Yes – National Commission for the Protection of Personal Data (the "CNDP").

Nigeria

Yes – the National Information Technology Development Agency (the "NITDA")

South Africa

Yes – the Information Regulator. This has been established but is not yet fully operational.

Tunisia

Yes – the National Authority for Protection of Personal Data (the "INPDP").

Zimbabwe

Yes – the Postal and Telecommunication Regulatory Authority of Zimbabwe (the "POTRAZ").

Asia
Cambodia

No

China

Yes – the Cyberspace Administration of China (the "CAC").

Hong Kong

Yes – the Office of the Privacy Commissioner for Personal Data (the "PCPD").

India

No

Indonesia

No

Iran

No

Israel

Yes – the Privacy Protection Authority (the "PPA")

Japan

Yes – the Personal Information Protection Commission (the "PPC").

Malaysia

Yes – the Personal Data Protection Commissioner (the "PDP Commissioner") under the Ministry of Communications and Multimedia.

Myanmar

No

Pakistan

No

Philippines

Yes – the National Privacy Commission ("NPC").

Qatar

Yes – the QFC Authority for entities licensed in the QFC. The Compliance and Data Protection Department (the "CDP") oversees data protection otherwise.

Russia

Yes – the Federal Service for Supervision of Communications, Information Technologies and Mass Media (the "Roskomnadzor").

Saudi Arabia

Yes – the Saudi Data & Artificial Intelligence Authority (the "SDAIA").

Singapore

Yes – the Personal Data Protection Commission.

Taiwan

Yes – the National Development Council (the "NDC").

Thailand

Yes – the Personal Data Protection Committee (the "PDPC").

Turkey

Yes – the Personal Data Protection Authority (the "KVKK").

United Arab Emirates

The UAE Data Office. However, this is not yet operational.

Vietnam

Yes – the Ministry of Information and Communications and the Ministry of Public Security.

Europe
Austria

Yes – the Austrian Data Protection Authority (the "DSB").

Belgium

Yes – the Data Protection Authority (the "Belgian DPA").

Bulgaria

Yes – the Commission for Personal Data Protection (the "CPDP").

Czech Republic

Yes – the Office for Personal Data Protection (the "UOOU").

Denmark

Yes – Danish data protection agency ("Datatilsynet").

England & Wales

Yes – the UK Information Commissioner's Office (the "ICO").

France

Yes – the Commission Nationale Informatique et Liberté (the "CNIL").

Germany

Yes – the Federal Commissioner for Data Protection and Freedom of Information (the "BfDI"). Please note that there are also regional laws and regulators.

Greece

Yes – the Hellenic data protection authority (the "HDPA").

Hungary

Yes – the National Authority for Data Protection and Freedom of Information (the "NAIH").

Iceland

Yes – the Icelandic data protection authority (the "Persónuvernd").

Ireland

Yes – the Irish Data Protection Commissioner (the "DPC").

Italy

Yes – the Italian data protection authority (the "Garante").

Luxembourg

Yes - National Commission for Data Protection (the "CNPD").

Malta

Yes – the Maltese Office of the Information and Data Protection Commissioner (the "IDPC").

Netherlands

Yes, Dutch data protection authority (the "AP").

Poland

Yes – Polish data protection authority (the "UODO").

Romania

Yes – the National Supervisory Authority for Personal Data Processing (the "ANSPDCP").

Scotland

Yes – the UK Information Commissioner's Office (the "ICO").

Slovakia

Yes – the Office for Personal Data Protection of the Slovak Republic (the "ÚOOÚ").

Slovenia

Yes – the Information Commissioner.

Spain

Yes – the Spanish Data Protection Agency (the "AEPD").

Sweden

Yes – the Swedish Authority for Privacy Protection.

Switzerland

Yes – the Federal Data Protection and Information Commissioner (the "FDPIC").

Ukraine

Yes – the Ukrainian Parliament's Commissioner for Human Rights.

North America
Canada

Yes – the Office of the Privacy Commissioner of Canada (the "OPC").

Costa Rica

Yes – the Agency for the Protection of Individual's Data (the "PRODHAB").

Cuba

Yes - the Ministry of Communications.

Mexico

Yes – the National Institute of Transparency for Access to Information and Personal Data Protection (the "INAI").

Panama

Yes – the National Authority for Transparency and Access to Information (the "ANTAI").

United States

Yes – the Federal Trade Commission (the "FTC") takes enforcement action against organisations for violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts in or affecting commerce.

Oceania
Australia

Yes – the Office of the Australian Information Commissioner (the "OAIC").

New Zealand

Yes – the Office of the Privacy Commissioner of New Zealand.

South America
Argentina

Yes – the Argentinian Data Protection Authority (the "AAIP").

Brazil

Yes – the National Data Protection Authority (the "ANPD").

Chile

No – there is no specific authority; however, other Chilean authorities have claimed jurisdiction to regulate data protection, including the National Consumer Service ("SERNAC"), the Commission for the Financial Market (the "CMF") and the Chilean Transparency Council (the "CPLT").

Colombia

Yes – the Colombian Data Protection Authority, a branch of The Superintendency of Industry and Commerce (the "SIC").

Peru

Yes – the National Authority for the Protection of Personal Data (the "APDP").

Uruguay

Yes – the Uruguayan data protection authority (the "URCDP").


Is there a data processing notification requirement to the Regulator?

Africa
Egypt

Yes – the processor of personal data is obligated to obtain a license from the DPC.

Ghana

No - however, the DPA requires data controllers that control or process and use personal data to register with the DPC. It is recommended that data processors do so too.

Morocco

Yes – the processing of personal data requires prior notification to the CNDP.

Nigeria

Yes – a data controller who processes the personal data of more than 1,000 data subjects in a period of 6 months or 2,000 subjects in a period of 12 months must submit the summary of a required audit to the NITDA.

South Africa

No – however, prior authorisation must be obtained from the Information Regulator before processing of personal information in certain circumstances, as prescribed by section 57 of POPI.

Tunisia

Yes – at least a month before processing to allow the INPDP to make a decision.

Zimbabwe

Yes

Asia
Cambodia

N/A

China

No

Hong Kong

No

India

No

Indonesia

No – however, an electronic system provider for public services must conduct registration.
Though it is not a requirement for electronic system providers for non-public services, they may conduct registration.

Iran

No

Israel

Yes – databases must be registered with the Database Registrar beyond a certain volume and type of data processing.

Japan

No

Malaysia

Yes – for data controllers in stipulated sectors which currently include communications, banking and financial institutions, insurance, health, tourism and hospitality, transportation, education, direct selling, services (including legal, audit, accountancy, engineering, architecture, retail or wholesale dealing, private employment agencies), real estate, utilities, pawnbrokers and moneylenders to be renewed every 12 months.

Myanmar

No

Pakistan

No

Philippines

Yes – controllers and processors must notify the NPC if they are processing the data of at least 1000 individuals or employing at least 250 employees, or if the processing is likely to pose a risk to rights and freedoms, or if the processing is not occasional.

Qatar

Yes – the processing of sensitive personal data is prohibited in the absence of having obtained advance approval from the CDP, pursuant to more detailed rules and regulations that did not accompany the law upon its issuance.

Russia

Yes – operators are to notify the Roskomnadzor prior to commencing the processing of personal data. There are exceptions where personal data is processed under employment law, made publicly available by the data subject and where data only consists of the surname, first name and patronymic of the data subject.

Saudi Arabia

No

Singapore

No

Taiwan

No

Thailand

No

Turkey

Yes - data controllers processing personal information will be required to enrol in the Registry of Data Controllers.

United Arab Emirates

There are no requirements under the PDPL.
ADGM – controllers must register with the Registrar, updated annually.

DIFC – controllers must notify the Commissioner of processing operations, updated annually.

Vietnam

No

Europe
Austria

No.

Belgium

No.

Bulgaria

No

Czech Republic

No

Denmark

The permission of Datatilsynet must be obtained where the processing of personal data is carried out for a private data controller and in a very limited number of circumstances (i.e. to assess creditworthiness or keep a legal information system).

England & Wales

No

France

No – although some processing must still be notified to the CNIL for authorisation or request for an opinion (e.g. Processing of health data for research purposes and for public interest purposes).

Germany

No

Greece

No

Hungary

No (but the prior consultation obligation under Article 36(1) of the GDPR applies).

Iceland

No (but the prior consultation obligation under Article 36(1) of the GDPR applies).

Ireland

No

Italy

No

Luxembourg

No

Malta

No – however consultation with the IDPC is required in certain instances

Netherlands

No

Poland

No

Romania

No

Scotland

No

Slovakia

No

Slovenia

No

Spain

No

Sweden

No

Switzerland

No – generally there is no requirement under the current FADP unless the organisation regularly processes sensitive personal data or regularly discloses personal data to third parties. The exception to this is where a DPO has been appointed and the FDPIC has been notified of such appointment.

Ukraine

Yes, if the data owner processes "Special Risk Data" which relates to particular rights and freedoms.

North America
Canada

No – however, where an organisation wishes to make use of personal information without the individual's knowledge or consent for statistical or scholarly study or research they must notify the Privacy Commissioner of Canada before using such information.

Costa Rica

Yes – any database, public or private, managed for distribution, dissemination or marketing purposes, must be registered with PRODHAB.

Cuba

No

Mexico

No

Panama

No

United States

No

Oceania
Australia

No

New Zealand

No – however the Privacy Commissioner may require an agency to supply information for the purpose of publishing or supplementing a directory or to enable the Privacy Commissioner to respond to public enquiries.

South America
Argentina

Yes – any private or public data file, register, base or bank intended to provide reports as well as any private person forming data files, registers, databases or databanks, which are not intended for an exclusively personal use, must register with the AAIP's registry.

Brazil

No.

Chile

No.

Colombia

Yes – companies and non-profits with assets valued higher than 100,00 tax value units and public legal entities are required to register with the National Register of Databases (the "RNBD") for each database containing personal information processed either by automatic or manual means. There are also various other rules governing deadlines to register and updates.

Peru

Yes – registration in the National Registry for the Protection of Personal Data is required and cross-border transfers of personal data must be notified to the APDP.

Uruguay

Yes – processed data should be registered.


Is there a data transfer notification requirement to the Regulator?

Africa
Egypt

Yes – it is prohibited to transfer to a foreign country any personal data that was collected or prepared for processing unless certain requirements are met, including obtaining a licence from the DPC; however, there are some exceptions.

Ghana

No

Morocco

Yes – any transfer of personal data to a foreign state must be subject to prior authorisation from the National Commission.

Nigeria

Yes

South Africa

No

Tunisia

Yes – authorisation is required for every transfer but for a few limited exceptions.

Zimbabwe

No

Asia
Cambodia

N/A

China

No.

Hong Kong

No

India

No

Indonesia

No

Iran

No

Israel

No

Japan

No, unless the business uses the "opt out" method (permitted by the APPI), where they can – as a default – disclose personal information to third parties.

Malaysia

No

Myanmar

No

Pakistan

No

Philippines

No

Qatar

No

Russia

No

Saudi Arabia

Yes – data controllers may only store and process personal data outside Saudi Arabia after obtaining written approval from the relevant regulatory authority.

Singapore

No

Taiwan

No - but certain government authorities may restrict transfers.

Thailand

No

Turkey

Yes – each controller requires a register and changes to this register must be notified to the Personal Data Protection Board for transfers to parties in third countries.

United Arab Emirates

DIFC – transfers outside the DIFC require notification.

Vietnam

No

Europe
Austria

No.

Belgium

No.

Bulgaria

No

Czech Republic

No

Denmark

Yes – the transfer of Special Categories of Personal Data, originally processed for scientific and statistic purposes, requires the DPA's preapproval if i) such data is to be processed outside the geographical scope of the GDPR, ii) the data constitutes biometric data or iii) if the data is to be published in a well-known paper.

England & Wales

No

France

No

Germany

No

Greece

No

Hungary

No

Iceland

No

Ireland

No

Italy

No

Luxembourg

No

Malta

No – except in the absence of an adequacy decision, the Minister may, following consultation with the commissioner, by regulations set limits to the transfer of specific categories of personal data to a third country or international organisation for important reasons of public interest.

Netherlands

No

Poland

No

Romania

No

Scotland

No

Slovakia

No

Slovenia

No

Spain

No

Sweden

No

Switzerland

Yes

Ukraine

No – however the notification procedure requires the owners of personal data to notify the regulator about the termination of processing which is of particular risk to the rights and freedoms of data subjects.

North America
Canada

No.

Costa Rica

No

Cuba

Yes - generally entities must provide notice to lawfully collect and process personal data.

Mexico

No

Panama

No – However, under the new law the database custodians that transfer personal data stored in a database to third parties must keep a record of them, which must be available to ANTAI, if requested to do so.

United States

No

Oceania
Australia

No

New Zealand

No

South America
Argentina

No

Brazil

The transfer of personal data to other jurisdictions is allowed only subject to compliance with the requirements of the LGPD. Also, prior specific and informed consent is needed for such transfer except for limited circumstances.

Chile

No

Colombia

No

Peru

No

Uruguay

No


Is there a requirement to have a Data Protection Officer (DPO)?

Africa
Egypt

Yes

Ghana

There is no requirement for data controllers or processors to appoint a DPO under the Act.

Morocco

No

Nigeria

Yes – The NDPR requires Data Controllers to designate a Data Protection Officer responsible for ensuring compliance with the NDPR and other applicable data protection directives. The data controller may outsource this responsibility to a verifiably competent firm or person.

South Africa

Yes.

Tunisia

No.

Zimbabwe

No – however if a DPO is appointed, POTRAZ allows for an exemption from the processing notification requirement for certain categories of data.

Asia
Cambodia

N/A

China

Yes – If an organisation handles quantities of personal information within certain thresholds (as yet unspecified by the CAC). Currently, the National Standards guideline requires a DPO and department if the primary business of an organisation is related to data processing and there are more than 200 employees, or personal data of more than 1,000,000 individuals are processed, or is expected to be processed within 12 months, or if it processes the sensitive information of more than 100,000 individuals.

Hong Kong

No, but recommended by guidelines.

India

No – but "Grievance Officers" must be appointed where sensitive personal data is collected, used, retained or transferred.

Indonesia

No

Iran

No

Israel

No – unless the entity is a possessor of five databases that require registration, a public body as defined in section 23 to the PPL, or a bank, insurance company or a company engaging in rating or evaluating credit.

Japan

No, but guidelines recommend that specific employees be assigned to control personal data (e.g. Chief Privacy Officer).

Malaysia

No. However, pursuant to PC01/2020, the PDP Commissioner is considering introducing an obligation in the PDPA for a data user to appoint a data protection officer and to introduce a guideline pertaining to such appointments.

Myanmar

No

Pakistan

No

Philippines

Yes – both data controllers and processors are required to appoint a DPO.

Qatar

No – however, there is an obligation on the data controller to specify the processors responsible for protecting personal data, to train them appropriately on the protection of personal data and to raise their awareness in relation to protecting personal data.

Russia

Yes – DPO appointment is compulsory in Russia. The DPO must be appointed by data controllers which are legal entities and must be reported to the Roskomnadzor. Any data operator being a legal entity is obliged to appoint a manager responsible for compliance of personal data. An operator which is a legal entity shall appoint a person responsible for organising the processing of personal data.

Saudi Arabia

No – under the PDPIR there is no requirement for a DPO. However, the PDPL will introduce such a requirement.

Singapore

Yes.

Taiwan

No – however there are industry specific regulations. For example, if the data controller is a government agency, a specific person should be appointed to be in charge of the security maintenance measures.

Thailand

Yes – appointment is mandatory under the PDPA where the data controller or processor is a public authority, the activities of the data controller or processor in the collection, use or disclosure of the personal data require a regular monitoring of the personal data or the system, by the reason of having a large number of personal data and the core activity of the data controller or processor is the collection, use or disclosure of the personal data.

Turkey

No.

United Arab Emirates

Yes – if conducting data processing which would cause a high risk to the confidentiality and privacy of the data subject's personal data, if conducting data processing will involve a systematic and comprehensive assessment of sensitive personal data including profiling and automated processing or if processing large volumes of sensitive personal data.

Vietnam

No – however, certain types of organisations (e.g. information system owners, telecoms enterprises, banks, state bodies, etc.) are required to appoint specialised information security focal points and contact persons to supervise and warn on cyber-information security.

Europe
Austria

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Belgium

Yes, if they are a public authority, their core activities consist of regular and systematic monitoring of data subjects on a large scale or their core activities consist of processing sensitive personal data on a large scale.

Under the national data protection law, a private body is required to have a DPO if:

- they process personal data for the account of a federal public authority, or a federal public authority has transferred personal data to them the processing of the data is likely to result in a high risk as defined in the GDPR; or

- their processing of personal data is likely to result in a high risk as defined in the GDPR.

Bulgaria

Yes, if they are a public authority, their core activities consist of regular and systematic monitoring of data subjects on a large scale or their core activities consist of processing sensitive personal data on a large scale.

Czech Republic

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale. Additionally, DPOs must be appointed by bodies established by law which carry out statutory tasks in the public interest.

Denmark

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

England & Wales

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

France

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Germany

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Greece

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Hungary

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale (Article 37(1) GDPR requirement).

Iceland

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Ireland

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Italy

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Luxembourg

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale. Article 65 of the Act of 1 August 2018 provides for a specific obligation to appoint a DPO in the context of processing of personal data for scientific or historical research purposes or statistical purposes.

Malta

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Netherlands

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Poland

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Romania

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Scotland

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Slovakia

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Slovenia

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Spain

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale. Additionally, the NLOPD specifies that specific organisations, such as professional associations and teaching centres, must appoint a DPO.

Sweden

Yes – if the controller/processor is a public authority, its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale or its core activities consist of processing sensitive personal data on a large scale.

Switzerland

No – however, data controllers can be dispensed from registering data files if there is a DPO who meets certain criteria.

Ukraine

No – there is no obligation to appoint a DPO except for the cases where a data controller processes Special Risk Data. However, data controllers and data processors shall establish a special department or appoint a responsible person to organise the work related to the protection of personal data during processing.

North America
Canada

Yes – PIPEDA, PIPA Alberta, and PIPA BC expressly require organisations to appoint an individual responsible for compliance with the obligations under the respective statutes.

Costa Rica

No

Cuba

No

Mexico

Yes – a specific person or department must be responsible for data protection.

Panama

No

United States

No – with the exception of entities regulated by HIPAA.

Oceania
Australia

No legal requirement but appointment of a DPO is recommended in the Privacy Management Framework and the APP Guidelines.

New Zealand

Yes – the Act requires each agency to appoint one or more individuals to be a privacy officer. The privacy officer may be within or external to the agency (i.e. the privacy officer role may be outsourced to a third party) and does not need to be a New Zealand citizen or reside in New Zealand.

South America
Argentina

Generally, there is no specific requirement to appoint a data protection officer. Under certain circumstances, in which special security standards apply, it may be necessary to appoint an officer in charge of data security.

Brazil

Yes – it is assumed all organisations (public and private) should appoint a DPO irrespective of their activities and volumes of data processing until further guidance is provided by the ANPD.

Chile

The PDPL does not require the appointment of a Data Protection Officer.

Colombia

There is no requirement to appoint a data protection officer in Colombia. Nevertheless, it is required for a specific person in the company or a designated group within the company to be in charge of personal data matters, specifically any request made by the Data Subjects.

Peru

No – however, when a company is registering its personal data bank before the authority, it can, if applicable, report that it has a Security Manager of that data bank.

Uruguay

Yes - for public entities, private entities owned by the government and private entities whose core activity is the processing of sensitive data or large amounts.


Are there Breach Notification Requirements?

To the Regulators?

Africa
Egypt

Yes.

Ghana

Yes – such as where there are reasonable grounds to believe that the personal data of data subjects has been accessed or acquired by an unauthorised person.

Morocco

No

Nigeria

Yes – NIDTA must be notified in the event of a personal data breach.

South Africa

Yes – where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorised person.

Tunisia

No

Zimbabwe

Yes

Asia
Cambodia

N/A

China

Yes

Hong Kong

There is no mandatory requirement to notify the PCPD but as a matter of best practice, it is advisable to notify the PCPD and the data subjects where there would be a risk of harm if they were not notified.

India

Yes – certain types of cybersecurity breaches must be notified to the Computer Emergency Response Team (CERT-In) (Information Technology Act 2000 section 2(1)(w)).

Indonesia

No

Iran

No

Israel

Yes – to the PPA.

Japan

Yes – if the data breach incidents could harm the rights and interests of individuals.

Malaysia

No, a data breach notification regime is under consultation.

Myanmar

No

Pakistan

No

Philippines

Yes – there is a requirement to notify the NPC within 72 hours from knowledge of personal data breach.

Qatar

Yes – the controller must notify the CDP if the breach is likely to cause damage to the data subject.

Russia

No

Saudi Arabia

Yes – under the PDPIR, data controllers must notify the Regulatory Authorities immediately, and no later than 72 hours, in the event of any data breach or leak impacting personal data in accordance with the mechanisms and procedures determined by the regulatory authorities.

Singapore

Yes – if it constitutes a "notifiable breach".

Taiwan

No – however, in certain industries the data collector is required to report to their respective industry regulator. There are also now steps being taken to require such regulators to report breaches to the NDC, though this has not been implemented yet.

Thailand

Yes – the personal data controller is required to notify the PDPC when the conditions under the PDPA are met.

Turkey

Yes – in the event personal data is unlawfully obtained by others, the data controller must notify the Personal Data Protection Board and the data subject as soon as possible.

United Arab Emirates

Yes - under the PDPL.

ADGM – controllers must notify the Registrar as soon as reasonably practicable after an "unauthorised intrusion".

DIFC – the Commissioner of Data Protection should be notified as soon as reasonably practicable.

Vietnam

Yes, under certain circumstances – where there is a data security incident, organisations must promptly take relevant measures to mitigate and notify the relevant data subjects and relevant competent state authorities in a timely manner.

Europe
Austria

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Belgium

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Bulgaria

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Czech Republic

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Denmark

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

England & Wales

Yes – the UK GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

France

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Germany

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Greece

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Hungary

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Iceland

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Ireland

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Italy

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Luxembourg

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Malta

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Netherlands

Yes – the GDPR contains a general requirement for a personal data breach to be notified to the supervisory authority.

Poland

Yes – a personal data breach must be notified to the relevant supervisory authority unless it is unlikely to result in a risk to data subjects. The notification must, where feasible, be made within 72 hours.

Romania

Yes – the GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority.

Scotland

Yes – the UK GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority and the ICO.

Slovakia

Yes – the GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority.

Slovenia

Yes – the GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority.

Spain

Yes – the GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority.

Sweden

Yes – the GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority. Where personal data breaches fall within the Swedish Criminal Data Act (2018:1177) they shall be reported separately in accordance with the provisions of that Act.

Switzerland

No – however, the revised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe contains a duty to notify the supervisory authority of data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects.

Ukraine

Yes

North America
Canada

Yes – under PIPEDA where it is reasonable to believe the breach creates a "real risk of significant harm" to an affected individual.

Costa Rica

Yes – according to Article 39 of the Decree, the data controller must inform the PRODHAB of any security vulnerabilities that have arisen. PRODHAB must be informed within 5 business days after the time of the breach.

Cuba

Yes – where personal information is leaked, lost or distorted.

Mexico

No

Panama

No

United States

Under many state laws, where more than 500 individuals are impacted, notice must also be provided to credit bureaus.

Oceania
Australia

Yes – provisions under the Privacy Act impose an obligation to notify the OAIC if there has been an "eligible data breach" which may include in relation to personal information, credit reporting information, credit eligibility information and tax file numbers, or if there are reasonable grounds to believe one has occurred.

New Zealand

Yes – if there has been any 'privacy breach' which it is reasonable to believe has caused or is likely to cause serious harm to an individual.

South America
Argentina

Not strictly. However, the AAIP's Regulation No. 47/2018 contains a non-mandatory requirement for controllers and processors to notify the AAIP of the incident accompanying a report of the security incident that contains, at a minimum:
• the nature of the violation;
• the category of affected personal data;
• an identification of affected users; and
• the measures taken by the person responsible to mitigate the incident and measures applied to avoid future incidents.

Brazil

Yes – the controller must notify where the security incident may create risk or relevant damage to the data subjects.

Chile

No

Colombia

Yes – regardless of the nature and scope of the breach.

Peru

No

Uruguay

Yes – if it significantly affects the subjects' rights.


To the Data Subjects?

Africa
Egypt

Yes.

Ghana

Yes – such as where there are reasonable grounds to believe personal data of data subjects has been accessed or acquired by an unauthorised person.

Morocco

No

Nigeria

Yes – the framework requires data controllers to notify a data subject of a personal data breach where the breach will likely result in high risks to the freedoms and rights of the data subject.

South Africa

Yes – where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorised person, unless the identity of the data subject cannot be established.

Tunisia

No

Zimbabwe

No

Asia
Cambodia

N/A

China

Yes – unless the data controller can effectively avoid the disclosure, loss or tampering of the data.

Hong Kong

No, but see above.

India

No

Indonesia

Yes – must provide written notification to the owner of personal data, upon its failure to protect the personal data.

Iran

No

Israel

No – but the PPA may request that subjects be notified.

Japan

Yes – if the data breach incidents could harm the rights and interests of individuals.

Malaysia

No, a data breach notification regime is under consultation.

Myanmar

No

Pakistan

No

Philippines

Yes – there is a requirement to notify within 72 hours from knowledge of personal data breach.

Qatar

Yes – the controller must notify the data subjects if the processing is unlawful or if it is likely to cause serious damage to the personal data or the privacy of individuals.

Russia

No - however, Russia adopted a requirement to notify the individuals and the data protection authority that breaches reported by an individual or the data protection authority have been cured.

Saudi Arabia

Yes.

Singapore

Yes – if it constitutes a "notifiable breach".

Taiwan

Yes – where personal data is stolen, disclosed, altered or infringed in other ways due to the violation of the PDPL, the data controller should notify the data subject after due enquiry.

Thailand

Yes – the personal data controller is required to notify the data subject when the conditions under the PDPA are met.

Turkey

Yes – see above.

United Arab Emirates

No

Vietnam

Yes, under certain circumstances – where there is a data security incident, organisations must promptly take relevant measures to mitigate and notify relevant data subjects and relevant competent state authorities in a timely manner.

Europe
Austria

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Belgium

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Bulgaria

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Czech Republic

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Denmark

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

England & Wales

Yes – the UK GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

France

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Germany

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Greece

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Hungary

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Iceland

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Ireland

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Italy

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Luxembourg

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Malta

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Netherlands

Yes – the GDPR contains a general requirement for more serious breaches to be notified to affected data subjects.

Poland

Yes – if the personal data breach is a high risk for data subjects.

Romania

Yes – the GDPR contains a general requirement for a personal data breach to be notified to affected data subjects.

Scotland

Yes – the UK GDPR contains a general requirement for a personal data breach to be notified to affected data subjects and the ICO.

Slovakia

Yes – the GDPR contains a general requirement for a personal data breach to be notified to affected data subjects.

Slovenia

Yes – the GDPR contains a general requirement for a personal data breach to be notified to affected data subjects.

Spain

Yes – the GDPR contains a general requirement for a personal data breach to be notified to affected data subjects.

Sweden

Yes – the GDPR contains a general requirement for a personal data breach to be notified to affected data subjects. Where personal data breaches fall within the Swedish Criminal Data Act (2018:1177) they shall be reported separately in accordance with the provisions of that Act.

Switzerland

No – depending on scale and severity of the breach, data subjects may need to be notified based on the data controller's and processor's obligation to ensure data security, principle of good faith or pursuant to contractual obligations.

Ukraine

No

North America
Canada

Yes - under PIPEDA if there is a "real risk of significant harm" as a result of the breach of security safeguards.

Costa Rica

Yes – according to Article 38 of the Decree, a data breach must be notified to the data subject within 5 business days after the breach.

Cuba

Yes – where personal information is leaked, lost or distorted.

Mexico

Yes – breaches that materially affect the property or moral rights of the data subject.

Panama

Yes

United States

All 50 US states have passed breach notification laws that require notifying state residents of a security breach involving more sensitive categories of information.

Oceania
Australia

Yes – new provisions under the Privacy Act also impose an obligation to notify relevant affected individuals where there has been an "eligible data breach" or reasonable grounds to believe one has occurred.

New Zealand

Yes – if there has been any 'privacy breach' which it is reasonable to believe has caused or is likely to cause serious harm to an individual.

South America
Argentina

No

Brazil

Yes – the controller must notify where the security incident may create risk or relevant damage to the data subjects.

Chile

No

Colombia

No – but it is an advisable practice according to the SIC.

Peru

Yes – notification is required of 'any incident that significantly affects their property or their moral rights' as soon as the occurrence of the incident is confirmed.

Uruguay

Yes – if it significantly affects the subjects' rights.


Are there rules on direct marketing?

Africa
Egypt

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Ghana

Yes – prior written consent is required.

Morocco

Yes – prior consent is required, however direct marketing via e-mails may be authorised if the recipient's details have been received directly from the data subject. In the absence of consent, unwanted emails can still be sent in certain limited conditions.

Nigeria

Yes

South Africa

Yes – it is prohibited unless prior consent is given by the data subject or if the email recipient is a customer of the responsible party.

Tunisia

Yes

Zimbabwe

No – there are no specific rules regarding direct marketing. However, the Consumer Protection Act does provide certain guidelines around electronic transactions.

Asia
Cambodia

N/A

China

Yes - it is only possible if the targeted consumers have explicitly consented to receiving such messages either at the time their electronic address/mobile phone number was collected or at a later time.

Hong Kong

Yes

India

No – however, the Information Technology Rules (the "Privacy Rules") do provide the right to "opt out" of email marketing, and a company's privacy policy must address marketing. Telecom service providers are also required to set up a mechanism to register requests of subscribers not to receive unsolicited commercial calls.

Indonesia

No

Iran

Under the Charter of Citizens' Rights, operators must obtain addressee consent before sending any advertisement. Personal cell phones are considered as a private zone. Sending any unwanted advertisements, or spam, is against the law.

Israel

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Japan

Yes – prior consent is required and evidence of said consent must be kept for 3 years for email advertisements and 1 year for fax advertisements after the last transmission date of an email or fax advertisement to the consumer.

Malaysia

No, however the PDPA does apply to electronic marketing activities that involve the processing of personal data for the purposes of commercial transactions. Explicit consent is also required when sending unsolicited advertisements.

Myanmar

No – there is no specific law, however it would generally be covered by the Competition Law and Consumer Protection Law.

Pakistan

No

Philippines

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Qatar

Yes – it is only permitted with the consent of the recipient and must include the identity of the sender and an indication that it is for the purpose of direct marketing with an address that can easily be reached and enable the recipient to send a message requesting the sender to cease electronic communication and enable withdrawal of consent at any time.

Russia

Yes – prior consent is required for distribution of advertising through telecommunications networks, in particular, through use of phone, fax and mobile telephone communications to data subjects.

Saudi Arabia

Yes – opt-in consent is required from data subjects to receive electronic messages.

Singapore

Yes – any organisation engaging in telemarketing activities must comply with the "Do Not Call" provisions under the act. They must first obtain explicit consent which must be evidenced in written or other form so as to be accessible for subsequent reference, must not be a condition for sale of goods, services, land, interest or opportunity and cannot be obtained through provision of false or misleading information or through deceptive or misleading practices.

Taiwan

Yes – the data controller may use personal data for marketing, but when the data subject refuses marketing (right to opt-out) the data controller must cease using such data for marketing. When first marketing, the data controller should bear the costs to provide the data subject with the means to refuse marketing.

Thailand

Yes – data subjects have the right to object to direct marketing so data controllers must ensure there is an opt-out function throughout the entire processing period.

Turkey

E-marketing: Yes; Telemarketing: Yes – for both, commercial electronic communications can only be sent if prior consent (opt-in) has been obtained from recipients.

United Arab Emirates

Yes

Vietnam

Yes – any service provider sending advertising emails must satisfy all conditions set out in Decree 90 on Anti-Spam. Email and text message advertisements may only be sent after obtaining prior explicit consent from the recipient.

Europe
Austria

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Belgium

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Bulgaria

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Czech Republic

Yes

Denmark

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

England & Wales

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

France

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Germany

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes.

Greece

Yes

Hungary

Yes - the related regulation is the Act XLVIII of 2008.

Iceland

Yes – only if prior consent is given, or if the email address has been obtained in the context of sale of goods/services. It may be used without prior consent provided customers are given the opportunity, free of charge, to object to such use of their email address when it is collected and each time a message is sent (Electronic Communication Act No. 81/2003).

Ireland

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Italy

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Luxembourg

Yes – E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes.

Malta

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Netherlands

Yes – the ePrivacy Directive applies.

Poland

Yes – processing based on legitimate interests does not require separate consent. However the data subject may always object to such processing. If marketing activities relate to products and services of third parties, prior consent for such processing is necessary.

Romania

Yes – it is forbidden to send commercial communications by using automatic systems that do not require the intervention of a human operator, by fax or electronic mail or any other similar method, except where data subjects have expressly consented in advance. It may be considered that SMS marketing falls under the same restrictions.
In cases where a natural or legal person has directly obtained the email address of a client upon the sale of a product/service, they may use the address for the purpose of sending commercial communications regarding similar products/services, provided that clients are clearly and expressly offered the possibility to oppose by way of an easily accessible and free-of-charge method with each commercial communication received, in a case where the customer has not initially objected.

Scotland

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Slovakia

Yes – direct marketing is authorised if the data subjects have provided prior consent, which can be withdrawn at any time.

Slovenia

Yes – the consent of an individual is required for the purposes of electronic marketing. Direct marketing is allowed where the "similar service/product" exemption applies; however, customers must be given a clear and distinct opportunity to refuse the use of their electronic mail address at the time of the collection of these contact details, and on the occasion of every message in the event that the customer has not initially refused such use.

Spain

Yes – there is a requirement for a legal basis for electronic marketing and where consent is relied upon, GDPR standards are to be noted along with the need for marketing forms to incorporate clearly worded opt-out mechanisms.

Sweden

Yes – there is a requirement for a legal basis for electronic marketing and where consent is relied upon, GDPR standards are to be noted along with the need for marketing forms to incorporate clearly worded opt-in mechanisms.

Switzerland

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes
Mass advertising emails must contain the sender’s correct name, address and email contact and must provide for an easy-access and free of charge 'opt-out' from receiving future advertisements. There are also Swiss-specific rules for phone marketing.

Ukraine

Yes – E-commerce Law: regulations around the distribution of marketing messages. Distribution to individuals and marketing by telephone and fax without consent is prohibited.

North America
Canada

Canada's Anti-Spam Law ("CASL") states that prior express or implicit consent is required for a commercial electronic message to be sent and the message must comply with the prescribed content and unsubscribe requirements (subject to limited exceptions).

Costa Rica

Yes – the Telecommunications Act states that marketing companies may not advertise via phone nor email unless they obtain prior and express written consent from the data subject.

Cuba

No

Mexico

Yes – consumers have the right to object to direct marketing, and may prohibit companies from disclosing their information to third parties.

Panama

Yes – there is a requirement that commercial communication emails must state they are such, include the name of the sender and set out the mechanism through which the recipient may choose not to receive any further communications from the particular sender. The client's opt-in consent is required if an entity wishes to use a client's email for

United States

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes.

Oceania
Australia

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes.

New Zealand

Yes – the Unsolicited Electronic Messages Act 2007 prohibits unsolicited commercial electronic messages (excluding internet pop-ups or voice telemarketing) with a New Zealand link and requires commercial electronic messages to include information about who authorised the message to be sent. It also requires a functional unsubscribe facility to be included and prevents the use of address-harvesting software.

South America
Argentina

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Brazil

Yes - there are no specific rules. However, some general rules derived from consumer codes and self-regulatory codes are relevant. If the marketing is based on the use of personal emails or phone numbers, the LGPD applies.

Chile

Yes, the Chilean Consumer Protection Act states that all marketing practices must comply with the following:
• terms and conditions and / or characteristics of the offered goods and services must be accurate;
• an expedited means to opt-out must be included in such communications; and
• every marketing email must indicate that it is an advertisement, and include the sender's identity and an email address to which a person can send an opt-out request.

Colombia

Yes – opt-in consent is required by the data subject to receive electronic marketing materials

Peru

E-marketing: Yes; Telemarketing: Yes; SMS/MMS Marketing: Yes

Uruguay

Yes – data subjects/personal data owners have the right to demand the deletion or suppression of their data from the marketing database.

Is consent required for cookies (and similar tracking technologies)?

Opt-in?

Africa
Egypt

Yes – although there is no specific legal framework in Egypt for cookies and similar technologies, in relation to personal data, explicit consent of the data subject must be obtained.

Ghana

No

Morocco

Yes

Nigeria

Yes

South Africa

Yes

Tunisia

No

Zimbabwe

No

Asia
Cambodia

No

China

No.

Hong Kong

No

India

No – however, if used to collect sensitive personal data or information, the data collector would need to obtain the prior consent of the data subject.

Indonesia

N/A.

Iran

No

Israel

N/A

Japan

Yes – but only where the cookies can be readily collated with other information to identify a specific individual, they will thereby be deemed as personal information and require consent.

Malaysia

Yes, personal data processed through the use of cookies and similar technologies are subject to the general consent requirements pursuant to the PDPA only if the data collected by cookies falls within the definition of personal data. This is also subject to various exceptions.

Myanmar

N/A

Philippines

Yes – prior consent is needed for the processing of personal information; however, there are exceptions where consent is not needed.

Qatar

Yes

Russia

Yes – in most cases unless the use of cookies is strictly necessary for the functioning of a website/app without the individual's consent.

Saudi Arabia

No

Singapore

Yes

Taiwan

No

Thailand

No

Turkey

No

United Arab Emirates

Possible requirement under certain circumstances.

Vietnam

All rules on data protection are applicable to cookies as well as location data

Europe
Austria

Yes.

Belgium

Yes

Bulgaria

No.

Czech Republic

Yes – Act No. 374/2021 amending Act No. 127/2005 Coll. On electronic communications and amending certain related acts (the "Amended Electronic Communications Act") introduces an opt-in consent regime.

Denmark

Yes – websites must obtain informed consent prior to the use of cookies and similar technologies, for example for statistics or marketing purposes.

England & Wales

Yes

France

Yes

Germany

Yes

Greece

Yes – the subscriber/user must provide their express consent after receiving a comprehensive and detailed notification.

Hungary

Yes

Iceland

Yes (if the use of cookies leads to the use of IP address, or other personal data).

Ireland

Yes – browser settings are a means of consent. There is no express requirement for consent to be 'prior' to the use of a cookie. A user must be provided with 'clear and comprehensive information' about the cookie.

Italy

Yes

Luxembourg

Yes – prior informed consent is required.

Malta

Yes

Netherlands

Yes

Poland

Yes

Romania

Yes – explicit prior consent to information provided in a clear and user friendly manner is required.

Scotland

Yes

Slovakia

Explicit consent is required based on clear and comprehensive information about the purpose of the processing with the exception of law enforcement authorities and other state authorities.

Slovenia

Explicit consent is required, except where the cookie is used to carry out the transmission of a communication over an electronic communications network, or where it is strictly necessary for the provision of an information society service that has been explicitly requested by the subscriber or user.

Spain

Yes

Sweden

Yes

Switzerland

No - but information and opt-out required.

Ukraine

No

North America
Canada

PIPEDA’s provisions regarding the collection, use and disclosure of personal information apply if the cookies are used to collect or disclose personal information. Therefore, opt-in consent is not needed unless the personal information is sensitive.

Costa Rica

N/A

Cuba

N/A

Mexico

No

Panama

N/A

United States

N/A

Oceania
Australia

No

New Zealand

No

South America
Argentina

No

Brazil

Yes, where they involve the collection and handling of personal data from a user, unless such collection and treatment can be justified under another legal basis set forth by the LGPD (which largely align with the GDPR's legal bases).

Chile

No

Colombia

No

Peru

Yes – the data subject's consent must be obtained before cookies can be used.

Uruguay

Yes

Opt-out?

Africa
Egypt

No

Ghana

No

Morocco

No

Nigeria

No

South Africa

No.

Tunisia

No

Zimbabwe

N/A

Asia
Cambodia

No

China

No

Hong Kong

Yes – If a website uses cookies to collect personal data from its visitors, this should be made known and data users should inform visitors whether and how non-acceptance of the cookies would affect website functionality.

India

No

Indonesia

N/A.

Iran

No

Israel

N/A

Japan

No

Malaysia

No

Myanmar

N/A

Philippines

No

Qatar

No

Russia

No

Saudi Arabia

No

Singapore

Possible in certain circumstances.

Taiwan

Yes – consent may be presumed if the data subject does not indicate his/her objection and provides his/her personal data after being informed of the relevant information.

Thailand

No

Turkey

No

United Arab Emirates

Possible requirement under certain circumstances.

Vietnam

N/A

Europe
Austria

No

Belgium

No.

Bulgaria

Yes, the E-Commerce Act allows the use of cookies provided that the user has been informed of the use of cookies and they have been given the opportunity to refuse the storage of or access to such cookies.

Czech Republic

No - Act no. 127/2005 Coll. (the Electronic Communications Act) which operated an opt-out regime has now been amended to introduce an opt-in consent regime.

Denmark

Yes – Cookies may generally be used if they are required in order to perform the services requested by the user. Otherwise, users must be provided with an opt-out mechanism.

England & Wales

No (though consent is not required for cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or strictly necessary for the provision of a service requested by the user).

France

No

Germany

Yes – if the cookies are not required in order to perform the services requested by the user.

Greece

No

Hungary

No

Iceland

N/A

Ireland

No

Italy

No

Luxembourg

No

Malta

No

Netherlands

No

Poland

No

Romania

No

Scotland

No

Slovakia

Cookies may generally be used if they are required in order to perform the services requested by the user. Otherwise, users must be provided with an opt-out mechanism.

Slovenia

No

Spain

No

Sweden

No

Switzerland

Yes

Ukraine

No

North America
Canada

PIPEDA’s provisions regarding the collection, use and disclosure of personal information apply if the cookies are used to collect or disclose personal information. Generally, companies will only have to offer an opt-out option on their websites, however such opt-out consent will only be acceptable provided certain conditions are met.

Costa Rica

N/A

Cuba

N/A

Mexico

Yes – the Guidelines to the Federal Personal Data Law contain specific provisions on the use of cookies, including notice and opt-out requirements for the use of cookies and similar technology.

Panama

N/A

United States

State online privacy laws require notice of online tracking and how to opt out of it.

Oceania
Australia

No

New Zealand

No

South America
Argentina

No

Brazil

No

Chile

Yes

Colombia

Yes – consent is required to use cookies, which may be obtained by a pop-up informing the users about the privacy policy and the way to disable cookies.

Peru

No

Uruguay

No

Are there rules on employee monitoring?

Africa
Egypt

Yes

Ghana

Yes

Morocco

No (aside from relevant provisions of the Labour Code).

Nigeria

No

South Africa

Yes

Tunisia

Yes

Zimbabwe

No – However, the Constitution enshrines the right to privacy which is relevant to employee monitoring.

Asia
Cambodia

No

China

Yes.

Hong Kong

Yes – the PDPO including the Data Protection Principles (Schedule 1 of the Ordinance), must be complied with.

India

Yes – although there are no explicit rules, they can be implied from the courts' recognition of an individual's right to privacy. The Privacy Rules also create compliance obligations for entities involved in the collection, storage, or handling of sensitive personal data or information.

Indonesia

No – however, under Law No. 23 of 1948 concerning Manpower Supervision, the authorised government institution responsible for manpower regulation is mandated to conduct monitoring to ensure the compliance of employers in respect of their obligations towards their employees.

Iran

No

Israel

Yes

Japan

Yes – APPI and the Cabinet Order to Enforce the Act on the Protection of Personal Information.

Malaysia

Yes – the PDPA applies.

Myanmar

No

Pakistan

No

Philippines

Yes – NPC Circular No. 1, series of 2016 applies to the public sector and case law governs the right to privacy.

Qatar

Yes

Russia

Yes

Saudi Arabia

Yes

Singapore

Yes

Taiwan

Yes – no direct law relating to email and phone call monitoring but employees' rights and privacy are protected in other legislation.

Thailand

Yes - the PDPA applies to employee monitoring. Thai tort law could also be applicable.

Turkey

Yes

United Arab Emirates

Yes

Vietnam

No – but may be covered by laws on protection of privacy.

Europe
Austria

Yes – there is no specific employment data protection law but employees benefit from protection afforded through constitutional rights and data protection and labour laws in relation to employee monitoring.

Belgium

Yes

Bulgaria

Yes

Czech Republic

Yes

Denmark

Yes

England & Wales

Yes

France

Yes

Germany

Yes

Greece

Yes – the GDPR implementation law alongside the GDPR is the basic framework on personal data protection which is relevant to employee monitoring. The HDPA has also issued secondary legislation more applicable in the context of employee monitoring.

Hungary

Yes – both the Hungarian Labour Code and the Info Act contain certain rules in this regard. In April 2019, the Hungarian Parliament adopted the GDPR Omnibus Act, which amends the Labour Code's general provisions on the processing of employee data. Moreover the NAIH also issued comprehensive guidelines on the practical interpretation of the relevant rules in October 2016.

Iceland

Yes

Ireland

Yes

Italy

Yes

Luxembourg

Yes – articles L.261-1 and L.261-2 of the Labour Code as well as other relevant data protection legislation.

Malta

No specific rules, aside from the Data Protection Act and various guidance and case law on workers' privacy.

Netherlands

Yes

Poland

Yes

Romania

Yes

Scotland

Yes

Slovakia

Yes

Slovenia

Yes

Spain

Yes

Sweden

Yes – but the relevant acts do not specifically target employee monitoring but rather data collection and/or monitoring in general. Labour laws will also apply.

Switzerland

Yes

Ukraine

Yes

North America
Canada

Yes, derived from statutory, contract and common law rules (at both federal and provincial level).

Costa Rica

No sector specific laws regulating employee monitoring however employees benefit from protection afforded by constitutional rights as well as labour laws and the Data Protection Law.

Cuba

No

Mexico

Yes

Panama

Yes

United States

Yes – located across sectoral and state law. Connecticut and Delaware have legislation explicitly for employee monitoring.

Oceania
Australia

Yes – there is no single act or regulation that governs employee surveillance by employers in Australia. The legislation which applies depends on the type of surveillance and the state in which this surveillance is done.

New Zealand

Yes

South America
Argentina

Yes – employees benefit from constitutional rights and protection under various data protection law and labour law in relation to employee monitoring. Furthermore, in certain contexts, employee monitoring can attract criminal liability.

Brazil

Yes – under the LGPD, the Brazilian constitution, the Brazilian Internet Law, the consumer code, the Consolidated Labour Law and Federal Decree-Law No. 2.848 of 7 December 1940, Criminal Code.

Chile

Yes, various provisions of the Labour Code and the Chilean Constitution 2012.

Colombia

Yes

Peru

No specific rules, but there are laws of a general nature.

Uruguay

No

Are there rules on data transfers?

Africa
Egypt

Yes – transferring personal data outside Egypt can only be done subject to approvals and certain requirements. There are exceptions to this.

Ghana

There are no specific provisions in the Act on the transfer of personal data. However, the sale, purchase, knowing or reckless disclosure of personal data or information is prohibited.

Morocco

Yes – if international, the data subject’s consent and CNDP authorisation are required.

Nigeria

Yes – the NDPR prohibits the transfer of data to third parties locally or internationally unless in compliance with its provisions.

South Africa

Yes – transfer of personal information about a data subject to a third party who is in a foreign country is not permitted under the Act unless an exception applies.

Tunisia

Yes – the Act prohibits the transfer of personal data to a foreign country where this is likely to harm the public security or vital interests of Tunisia. Transfers of personal data are not permitted to countries which do not provide adequate protection. The transfer of personal data is generally prohibited or subject to strict measures, including prior authorization and the explicit consent of the person in question, which is mandatory.

Zimbabwe

Yes – foreign country recipients of data transfers must have adequate levels of protection and the POTRAZ lays down categories of processing operations where the transfer of data to countries outside the Republic of Zimbabwe is not authorised.

Asia
Cambodia

No

China

No explicit law but data transfers are only allowed where: the subject has expressly consented; there is explicit legal or regulatory permission; there is consent from the competent authority. Additional rules apply to cross-border transfers.

Hong Kong

Yes – transfers within jurisdiction do not require consent. However the data user must adopt certain measures. Transfers outside of jurisdiction are permitted subject to the introduction of an international transfer restriction which has not yet been implemented.

India

Yes – data transfers of sensitive information can only be made when: (i) the recipient ensures the same level of protection that is respected by the body corporate under the Rules; and either (ii) the transfer is necessary for the performance of a contract between the body corporate or any person on its behalf, or (iii) that person has consented to the data transfer. Data that is not regarded as sensitive personal information may be freely transferred. There are also sector-specific restrictions.

Indonesia

Yes – consent from the data owner is required for the use of personal data within the jurisdiction. Further requirements exist for the transfer of data outside of the jurisdiction.

Iran

The Charter of Citizens' Rights prohibits data transfers without express data subject consent.

Israel

Yes – data cannot be transferred abroad unless the country where the data is transferred ensures a level of protection which is not lower than the level of protection ensured in Israel, or one of the listed conditions is met.

Japan

Yes – personal data may not be disclosed to a third party without the prior consent of the individual, unless the business operator handling the personal information adopts the opt-out method.

Malaysia

Yes – data transfers cannot take place unless the foreign country, where the data is being transferred, is specified and published in the Official Gazette by the Minister of Communication and Multimedia and such transfers are only permitted where certain criteria (e.g. the data subject has given his consent to the transfer of data, etc.) are met.

Myanmar

Yes – by implication from relevant laws, transfer of personal data requires consent.

Pakistan

Yes – transfers of identity information cannot be made without consent. Also Pakistan prohibits data transfers to countries it does not recognise, which includes Israel, Taiwan, Somaliland, Nagorno Karabakh, Transnistria, Abkhazia, Northern Cyprus, Sahrawi Arab Democratic Republic, South Ossetia and Armenia.

Philippines

No – however, the controller is accountable for complying with the Republic Act No.10173 and it must use contractual or other reasonable means to provide a comparable level of protection when the information is being processed by a third party.

Qatar

Yes – controllers may process and transfer personal data when the subject consents or without consent if deemed necessary for realising a 'lawful purpose'. A controller is not permitted to do anything which may block the flow of personal data across borders, unless the act of processing in question is otherwise in violation of the law or likely to cause serious damage to the personal data or privacy of the individual.

Russia

Yes – prior to transfer of the personal data out of Russia, the data controller must ensure the recipient state provides adequate protection of personal data. When there is no adequate protection cross border transfers are permitted if certain conditions are met.

Saudi Arabia

Yes

Singapore

Yes – an organisation must not transfer any personal data outside Singapore except in accordance with prescribed requirements.

Taiwan

Yes - a regulatory authority can choose to limit the transfer of data under specified circumstances.

Thailand

The PDPA prohibits the transfer of personal data to third countries where data protection regulations are substantially deficient, except when the transfer is carried out according to certain rules prescribed by the regulator.

Turkey

Yes – personal data can be transferred to third parties with the explicit consent of the data subject. The conditions and exemptions applied to collection and processing of personal data also apply to the transfer of personal data to third parties.

United Arab Emirates

Yes – the recipient country must have an adequate level of data protection.

Vietnam

Yes

Europe
Austria

Yes

Belgium

Yes

Bulgaria

Yes

Czech Republic

Yes

Denmark

Yes

England & Wales

Yes

France

Yes

Germany

Yes

Greece

Yes

Hungary

Yes

Iceland

Yes.

Ireland

Yes – the Data Protection Act implements the GDPR rules and adds further restrictions.

Italy

Yes

Luxembourg

Yes – article 65 of the Act of 1 August 2018 provides specific technical measures that must be in place for limited categories of processing (processing of personal data for scientific/historical research purposes or for statistical purposes and processing for archiving purposes in the public interest).

Malta

Yes

Netherlands

Yes

Poland

Yes

Romania

Yes

Scotland

Yes

Slovakia

Yes

Slovenia

Yes

Spain

Yes

Sweden

Yes

Switzerland

Yes

Ukraine

Yes

North America
Canada

Yes

Costa Rica

Yes – transfer of personal information is authorised by the Laws if the data subject provides prior, express and valid written consent to the company that manages the database. There are also specific limitations regarding cross-border transfers of personal information.

Cuba

No

Mexico

Yes – There are different restrictions for transfers between data controllers and data transmissions.

Panama

Yes – the Data Protection Law sets a list of conditions to be met for a transfer to be lawful.

United States

No – there are generally no geographic transfer restrictions that apply in the US, except with regard to storing some governmental records and information.

Oceania
Australia

Yes – personal information may only be disclosed to organisations outside Australia where the disclosing entity has taken reasonable steps to ensure the overseas recipient does not breach the APPs in relation to that disclosed personal information.

New Zealand

Yes - subject to compliance with the Information Privacy Principles, personal information may be transferred to a third country without restriction. However, both the Privacy Act and the HIPC will continue to apply to personal information and health information even when it is transferred out of New Zealand.

South America
Argentina

Personal data may only be transferred for legitimate purposes of the transferor and the transferee, and generally with the prior consent of the data subject who must be informed of the transfer’s purpose and of the transferee’s identity. This consent may be rescinded.

The cross-border transfer of personal data is prohibited to countries or international or supranational organisations which do not provide adequate protection to such data. Exceptions apply.

Brazil

There is a general restriction on all international data transfers under the LGPD. However, the LGPD does provide for certain exceptions where the international transfer of personal data is permissible (similar to the GDPR's exceptions).

Chile

Yes

Colombia

Yes

Peru

Yes – prior consent is required and it must be sent to an adequate country.

Uruguay

Yes – international data transfers are only permitted if the country or international organisation provides an adequate level of protection.

Does this country have EU adequacy? (non-EU only)

Imports from the EU?

Africa
Egypt

No

Ghana

No

Morocco

No

Nigeria

No

South Africa

No

Tunisia

No

Zimbabwe

No

Asia
Cambodia

No

China

No

Hong Kong

No

India

No

Indonesia

No

Iran

No

Israel

Yes

Japan

Yes

Malaysia

No

Myanmar

No

Pakistan

No

Philippines

No.

Russia

No

Saudi Arabia

N/A

Singapore

No

Taiwan

No

Thailand

No

Turkey

No

United Arab Emirates

No

Vietnam

No

Europe
Austria

N/A

Belgium

N/A

Bulgaria

N/A

Czech Republic

N/A

Denmark

N/A

England & Wales

N/A

France

N/A

Germany

N/A

Greece

N/A

Hungary

N/A

Iceland

Yes

Ireland

N/A

Italy

N/A

Luxembourg

N/A

Malta

N/A

Netherlands

N/A

Poland

N/A

Romania

N/A

Scotland

Yes

Slovakia

N/A

Slovenia

N/A

Spain

N/A

Sweden

N/A

Switzerland

Yes

Ukraine

Yes

North America
Canada

Yes - The European Commission has recognised that PIPEDA provides adequate protection for certain personal data transferred from the EU to Canada.

Costa Rica

No

Cuba

No

Mexico

No

Panama

No

United States

Yes – under the Trans-Atlantic Data Privacy Shield Framework.

Oceania
Australia

No - but the European Union has an agreement in place for the transfer of personal data from the EU to Australia in relation to Passenger Name Records.

New Zealand

Yes

South America
Argentina

Yes

Brazil

No

Chile

No

Colombia

No

Peru

No

Uruguay

Yes

Exports to the EU from this country?

Africa
Egypt

No

Ghana

No

Morocco

No

Nigeria

No

South Africa

No

Tunisia

No

Zimbabwe

No

Asia
Cambodia

No

China

No

Hong Kong

No

India

No

Indonesia

No

Iran

No

Israel

Yes

Japan

Yes

Malaysia

No

Myanmar

No

Pakistan

No

Philippines

No.

Russia

Yes – there are laws on server localisation within Russia.

Saudi Arabia

No – but it is recommended that consent is sought from data subjects prior to any international transfer.

Singapore

No

Taiwan

No

Thailand

No

Turkey

No

United Arab Emirates

No

Vietnam

No

Europe
Austria

N/A

Belgium

N/A

Bulgaria

N/A

Czech Republic

N/A

Denmark

N/A

England & Wales

N/A

France

N/A

Germany

N/A

Greece

N/A

Hungary

N/A

Iceland

Yes

Ireland

N/A

Italy

N/A

Luxembourg

N/A

Malta

N/A

Netherlands

N/A

Poland

N/A

Romania

N/A

Scotland

Yes

Slovakia

N/A

Slovenia

N/A

Spain

N/A

Sweden

N/A

Switzerland

Yes

Ukraine

Yes

North America
Canada

Yes - The European Commission has recognised that PIPEDA provides adequate protection for certain personal data transferred from the EU to Canada.

Costa Rica

No

Cuba

No

Mexico

No

Panama

No

Oceania
Australia

No

New Zealand

Yes

South America
Argentina

Yes

Brazil

No

Chile

No

Colombia

No

Peru

No

Uruguay

Yes

Is there a separate Cyber Security Law?

Africa
Egypt

Yes – Anti-Cyber and Information Technology Crimes, No. 175/2018 (the "Anti-Cybercrime Law").

Ghana

Yes – Act 1038, the Cybersecurity Act, was passed on 6 November 2020.

Morocco

No

Nigeria

Yes – Cybercrime act (Prohibition, Prevention Act, etc) 2015.

South Africa

No

Tunisia

No

Zimbabwe

Yes – the Cybercrime and Cyber Security Bill 2017.

Asia
Cambodia

No – however a draft cybercrime law is in development that would introduce further measures to supervise the online environment.

China

Yes - the Cybersecurity Law, which came into effect on 1 June 2017.

Hong Kong

There is no specific cyber security law, but there is legislation that deals with privacy protection and computer crimes, such as the PDPO, which deals with personal data and privacy protection – and the Crimes Ordinance, which deals with the criminal offence of obtaining access to a computer with a criminal or dishonest intent.

India

India currently does not have a dedicated law on cybersecurity. Specific provisions on cybersecurity are found in the Information Technology Act, 2000 (as amended in 2008).

Indonesia

No – though The Electronic Information Law is regarded as the main reference to cybersecurity in Indonesia and is supplemented by various other regulations.

Iran

No

Israel

No – Israel's cybersecurity related legislation comprises several laws and regulations covering various aspects of the cybersecurity sphere.

Japan

The Basic Act on Cybersecurity – this provides basic cybersecurity principles and measures, based on which the Cabinet and the ministries in Japan formulated a Cybersecurity Strategy 2018.

Malaysia

No – however the Government of Malaysia is currently taking steps to introduce such legislation.

Myanmar

No

Pakistan

No – Pakistan has no specific legislation in place addressing cyber security, however, the Ministry of Information Technology and Telecommunications has prepared a consultation draft titled, Personal Data Protection Bill 2020 (the "Draft Bill").

Philippines

Yes – the Cybercrime Prevention Act and the Implementing Rules and Regulations of Republic Act No. 10175 (the "Cybercrime IRRs").

Qatar

Yes – 2014 Cyber-Crime Prevention Law.

Russia

No

Saudi Arabia

Saudi Arabia does not yet have a modern data protection regime of general application, though it is understood that this topic is currently under consideration at a legislative level.

Singapore

Yes – the Cybersecurity Act 2018 (No. 9 of 2018).

Taiwan

Yes – the PDPA and Cybersecurity Management Act 2018 (the "CSMA").

Thailand

Yes – the Cybersecurity Act 2019.

Turkey

No – however the preparation of cybersecurity rules is currently on the agenda of the Government.

United Arab Emirates

Yes

Vietnam

Yes – the Cybersecurity Law (CSL 2018) came into effect 1 January 2019.

Europe
Austria

No

Belgium

Yes – several pieces of legislation have been built upon in recent years.

Bulgaria

Yes – three main pieces of legislation. A) The Cybersecurity Act, B) GDPR and C) PPDA 2002.

Czech Republic

Yes, cybersecurity is comprehensively governed by Act No. 181/2014 Coll. of 23 July 2014 on Cyber Security and Change of Related Acts (the "Cybersecurity Act") which also implemented the requirements set out by the Directive on Security Network and Information Systems (Directive (EU) 2016/1148) (the "NIS Directive").

Denmark

No – cybersecurity in Denmark is regulated largely on a sector-specific basis through various supervisory authorities.

England & Wales

No – England & Wales has a number of laws that prescribe the standards of protection and security.

France

No – There is not one specific legislation addressing cybersecurity. With regard to protection of personal data and cybersecurity, the two key pieces of legislation are: the GDPR and NIS Directive. France has several other acts promoting cybersecurity as well.

Germany

Yes - There is no code of cybersecurity law in Germany addressing cybersecurity comprehensively. German legislators have enacted diverse rules on cybersecurity in several statutes, acts, and ordinances. This is accompanied by numerous rules and guidelines by the respective competent authorities.

Greece

No

Hungary

No, there is a general framework.

Iceland

No

Ireland

Yes – the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 implementing the NIS Directive were published in September 2018.

Italy

Yes - there are several pieces of legislation containing cyber security law.

Luxembourg

No.

Malta

No. Malta does not have a specific law which regulates cybersecurity. Accordingly, several laws govern different aspects of cybersecurity, and such laws include both primary and secondary legislation.

Netherlands

No - the Network and Information Systems Security Act 2018 implemented the NIS Directive. Furthermore, the Cybersecurity Act entered into force on 27 June 2019.

Poland

Yes – the Act on the National Cybersecurity System 1560.2018 entered into force August 28 2018 and transposed the NIS Directive.

Romania

No - Romania has not adopted a general comprehensive law on cybersecurity and its legal framework is mainly composed of sectoral laws, as well as guidance issued by the competent authorities.

Scotland

Yes – the Network and Information Systems Regulations 2018.

Slovakia

Yes – the Slovak Act implementing the NIS Directive, effective from 1 January 2018.

Slovenia

Yes – the Network Information Security Directive has been transposed.

Spain

Yes – the NIS Directive was published in the Spanish Official Gazette on September 8 2018 in the form of the Royal Decree-law 12/2018 on security of networks and information systems.

Sweden

No – a government bill implementing the NIS Directive is now being drafted which will be submitted to the Parliament for its decision.

Switzerland

No

Ukraine

Yes – The Law of Ukraine on the Main Principles of Maintaining Cybersecurity of Ukraine No 2163-VIII ('the Cybersecurity Law') dated 5 October 2017 came into effect on 7 May 2018. The Ukrainian National Security and Defence Council's resolution "On the Cyber Security Strategy of Ukraine" was enforced by a President's Decree in 2016.

North America
Canada

No, there is no separate Cyber Security Law; however, both PIPEDA and CASL contain cybersecurity elements.

Costa Rica

No - however there are cybersecurity provisions in different laws and regulations.

Cuba

Yes – Resolution No. 105 National Action Model for responding to Cybersecurity Incidents of 9 August 2021.

Mexico

No

Panama

No

United States

No – but the 1996 Health Insurance Portability and Accountability Act, the 1999 Gramm-Leach-Bliley Act and the 2002 Homeland Security Act cover the cyber security of healthcare organisations, financial institutions and federal agencies respectively. Several states have implemented financial or health sector cybersecurity requirements. In June 2018, Ohio became the first US state to pass cybersecurity safe harbour legislation.

Oceania
Australia

No – but there is a strong relationship between cybersecurity and general privacy law in Australia given that, for most organisations, the main information cybersecurity obligations are those contained in the APPs under the Privacy Act 1988.

New Zealand

No – but there is a strong relationship between cybersecurity and general privacy law in New Zealand given that, for most organisations, the main information cybersecurity obligations are those contained in Information Privacy Principle ("IPP") 5 under the Act.

South America
Argentina

There is no general cyber security law. However, the Data Protection Act of Argentina, Law 25,326 and Regulation Decree 1558/2001 (as amended by Decree 1160/10) contain applicable provisions and there is sector-specific legislation (covering, for example, financial entities, internet service suppliers and public sector bodies).

Brazil

No – currently, there are several pieces of legislation in Brazil dealing with different scopes of privacy and data protection such as intimacy, private life, honour, image, and secrecy of correspondence, bank operations, and communications.

However, there are few legal provisions which specifically address matters relating to cybersecurity. The LGPD may be understood as the main cybersecurity law applicable to Brazil and Law No. 12,965 of 23 April 2014 ("The Internet Act") is also relevant.

Chile

No, though cybersecurity is addressed in various pieces of sectoral legislation. Furthermore, Chile has deposited the instrument of succession to the Budapest Convention on Cybercrime in April 2018, so its national laws are likely to be updated in line with the treaty.

Colombia

There are several laws, decrees and administrative acts that regulate cybersecurity in Colombia, including the Cybersecurity Policy, the Budapest Convention and the Cybercrime Law, amongst others.

Peru

No

Uruguay

No – however there are a series of decrees that are relevant to cybersecurity.

Is this country ranked in our Global Data Index (part of our Global IP index)?

Africa
Egypt

Yes (18)

Ghana

No

Morocco

No.

Nigeria

Yes (9)

South Africa

Yes (3)

Tunisia

No

Zimbabwe

No

Asia
Cambodia

No

China

Yes (33)

Hong Kong

No

India

Yes (14)

Indonesia

Yes (4)

Iran

No

Israel

Yes (20)

Japan

Yes (27)

Malaysia

Yes (2)

Myanmar

No.

Pakistan

No

Philippines

No

Qatar

No

Russia

Yes (43)

Saudi Arabia

Yes (21)

Singapore

Yes (12)

Taiwan

Yes (1)

Thailand

Yes (5)

Turkey

Yes (18)

United Arab Emirates

Yes (9)

Vietnam

Yes (7)

Europe
Austria

Yes (38)

Belgium

No

Bulgaria

No

Czech Republic

Yes (17)

Denmark

No

England & Wales

Yes (24)

France

Yes (42)

Germany

Yes (41)

Greece

No.

Hungary

Yes (25)

Iceland

No.

Ireland

Yes (33)

Italy

Yes (40)

Luxembourg

No

Malta

No

Netherlands

Yes (37)

Poland

Yes (21)

Romania

No.

Scotland

Yes (24)

Slovakia

Yes (28)

Slovenia

Yes (4)

Spain

Yes (31)

Sweden

Yes (32)

Switzerland

Yes (35)

Ukraine

Yes (25)

North America
Canada

Yes (14)

Costa Rica

No

Cuba

No

Mexico

Yes (14)

Panama

No

United States

Yes (9)

Oceania
Australia

Yes (23)

New Zealand

Yes (13)

South America
Argentina

Yes (36)

Brazil

Yes (29)

Chile

Yes (6)

Colombia

Yes (7)

Peru

No

Uruguay

No
