Data Protection Laws


Check out the Data Protection Laws around the world. (Last updated: 03/04/2022)

Law: No data protection laws were identified.

Authority: No such entity exists.

Data Protection Officer: No such requirement.

Other: N/A

Breach Notification: N/A

Privacy Grade: F

Law: Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) ('the Law')

Authority: Information and Data Protection Commissioner ('IDP')

Data Protection Officer: As per Instruction No 47, large processing data entities, which are considered data controllers or data processors that process data by automatic or manual means and have employed six or more persons, directly or by virtue of data processors, are required to appoint a data protection officer ('DPO').

Other: The law was amended in 2012 and 2014. Cross-border personal data transfer is permitted to countries with an adequate level of data protection. Whitelist can be found here.

Breach Notification: There is no requirement under the law to notify data security breaches to data subjects or the IDP.

Privacy Grade: C

Law: Law No. 18-07

Authority: Independent administrative authority known as "national authority" to be established.

Data Protection Officer: No such requirement.

Other: Express consent from the data subject is required before any personal data can be processed. The consent can be withdrawn by the data subject at any time. In some cases, consent is not required if the processing is necessary.

Breach Notification: The service provider must notify the national authority and the data subject without delay where such breach may affect privacy of the data subject.

Privacy Grade: C

Law: Law 29/2021

Authority: Andorran data protection authority ('APDA')

Data Protection Officer: Requires data protection officer in certain cases.

Other: Law 29/2021 defines several principles relating to the processing of personal data that are closely aligned to GDPR. Consent is required, and the data subject rights include the right to withdraw consent and the right to lodge a complaint with the supervisory authority. Also, Andorra has obtained an adequacy decision from the EU, which enabled free flow of data between EU Member States and Andorra.

Breach Notification: Requires the data controller to notify APDA in the event of a data breach within 72 hours of becoming aware of the data breach unless the breach is unlikely to pose a risk to the rights and freedoms of individuals.

Privacy Grade: B

Law: Law No. 22/11

Authority: National Database Protection Agency ('APD')

Data Protection Officer: No such requirement.

Other: The law defines general data protection requirements and sets a baseline for personal data protection. Among other things, it defines data processing notifications, data subject rights, direct marketing, and data transfers. As per the Electronic Communications and Information Society Services Law, companies that offer electronic communications services accessible to the public shall also keep an accurate register of data breaches, indicating the concrete facts and consequences of each breach and the measures put in place to repair or prevent the breach.

Breach Notification: No such requirement under Law No. 22/11. However, as per the Electronic Communications and Information Society Services Law, companies offering electronic communications services accessible to the public shall, without undue delay, notify the APD and INACOM of any breach of security committed with intent or that recklessly leads to destruction, loss, partial or total modification or non-authorized access to personal data transmitted, stored, retained or in any way processed under the offer of electronic communications services.

Privacy Grade: C-

Law: Data Protection Act, 2013

Authority: The Information Commissioner

Data Protection Officer: No such requirement.

Other: Under the act, public and private bodies which process any personal data (referred to as "Data User" under the act) are obliged to adhere to numerous data protection principles. These principles include: Consent, Notice & Choice, Disclosure, Security, Retention, Data & Integrity and Data Access. The act gives data subjects within Antigua and Barbuda the right to access, the right to rectification, the right to erasure, the right to be informed and the right to object or opt-out.
The Information Commissioner enforces the Data Protection Act 2013 and has authority to impose sanctions against data users who violate the law.

Breach Notification: No such requirement.

Privacy Grade: C-