Personal Data Protection in the World and the EU

PERSONAL DATA PROTECTION LEGISLATION WORLDWIDE

Total number of countries that have a data protection law: 138 (December 2019)

Togo

Togo Data Protection Law (11.11.2019) **NEW**

Brazil

Brazilian Privacy Bill (14.08.2018)

Kenya

Kenya Privacy Bill (03.07.2018)

New Zealand

New Zealand Privacy Bill (20.03.2018) 

"Much has changed in the world since the Law Commission reported in 2011. New Zealand’s once world leading privacy law has slipped behind developments in a number of jurisdictions we compare ourselves to. Better privacy and data protection regulation is a growing trend in OECD countries which include Britain, Canada and Singapore. Australia has already reformed its Privacy Act and in Europe, the General Data Protection Regulation (GDPR) is set to take effect in May this year.

The new Bill includes moves in that direction by:

  • empowering my office to issue a compliance notice in the event of a breach of the Act;
  • empowering my office to issue a determination when a person has requested access to personal information and has been refused; and
  • the introduction of mandatory reporting of harmful privacy breaches – bringing New Zealand into line with international best practice."

Colombia

Colombia #1581 Law on the Protection of Personal Data (17.10.2012)

Philippines

Philippines Data Privacy Act (25.07.2011)

PERSONAL DATA PROTECTION LEGISLATION IN EU (MEMBER AND CANDIDATE) COUNTRIES

Albania

Albania Law No 9887 on Protection of Personal Data (10.03.2018)

Austria

Data Protection Act (2000)

The Austrian Data Protection Act (Datenschutzgesetz 2000; DSG 2000, Federal Law Gazette I No. 165/1999) came into effect on 1 January 2000. In implementation of the Directive on Data Protection 95/46/EC, the act provides for a fundamental right to privacy with respect to the processing of personal data which entails the right to information, rectification of incorrect data and removal of unlawfully processed data. It regulates the pre-conditions for the lawful use and transfer of data, including mandatory notification and registration obligations with the Data Protection Commission. Furthermore, it provides for judicial remedy in case of breach of its provisions.

Belgium

Law on the protection of private life with regard to the processing of personal data (1992)

The 'Privacy Law' of December 1992 is intended to protect citizens against the abusive use of personal data. The law defines the rights and duties of both the data subject and the processor. It moreover provides the legal basis for the creation of an independent body in charge of overseeing the correct use of personal data, namely the Commission for the Protection of Privacy. The law was significantly modified in 1998 in order to transpose the EU Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive 95/46/EC). This law is now available in its ‘consolidated version’ dated August 2007.

In addition, it is worth noting that a specific law containing provisions relating to spamming was adopted on 24 August 2005, so as to transpose the related article of the EU Directive 2002/58/EC on privacy and electronic communications (the ‘ePrivacy Directive’).

Bulgaria

Law for Protection of Personal Data (2002)

Adopted in January 2002 and last amended in October 2016, the Law for Protection of Personal Data has been modelled on the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It applies to the protection of individuals with regard to the processing of personal data, granting them the right to access and correct information held about them by public and private bodies. It defines lawful grounds for the collection, storage and processing of the personal data of individuals. Application of the Act is overseen by the Commission for Personal Data Protection, an independent supervisory authority.

Croatia

Law on Personal Data Protection (NN 106/12)

The Law on Personal Data Protection was adopted in June 2003, implementing the relevant EU Directive (95/46/EC). It foresees that personal data may be transferred cross-border and processed in another jurisdiction, to the extent that this jurisdiction can ensure an adequate level of protection. The law was amended once on 20 October 2006 (NN 118/06), while the last amendment took place on 3 April 2008 (NN 41/08).

Cyprus

The Processing of Personal Data (Protection of Individuals) Law (2001)

The 'Processing of Personal Data (Protection of Individuals) Law' (138(I)/2001) entered into force in November 2001, and was amended by Law 37(I)/2003. It is compliant with the acquis communautaire, and especially with the European Directive 95/46/EC on Data Protection. On 31 December 2007, the 'Retention of Telecommunication Data for Purposes of Investigation of Serious Criminal Offences Law' of 2007 (Law 183(I)/2007) was introduced, harmonising Cypriot legislation with EU Directive 2006/24/EC of 15 March 2006. The law regulates the terms under which the retention of personal data for the purpose of crime investigation, detection and prosecution is legal.

Czech Republic

Act on the Protection of Personal Data (2000, last amendment: 2011)

The Data Protection Act (No. 101/2000) was adopted in April 2000 with the aim of protecting citizens’ right to privacy. To this end, it regulates the rights and obligations regarding the processing of personal data and specifies the conditions under which personal data may be transferred to other countries. Furthermore, it allows individuals to access and correct their personal information held by public and private bodies. It is enforced by the Office for Personal Data Protection. It was last amended in 2011.

Denmark

Act on Processing of Personal Data (2000)

This act entered into force on 1 July 2000 in order to implement Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, allowing individuals to access their records held by public and private bodies. The Act, which was amended in 2007, is enforced by the Datatilsynet (Data Protection Agency). Other laws regulating the processing of personal information by the public sector include the Public Administration Act of 1985, the Publicity and Freedom of Information Act of 1985, the Public Records Act of 1992 and the National Registers Act of 2000. These laws set out basic data protection principles and determine which data should be available to the public and which data should be kept confidential.

Act on Electronic Communications Networks and Services (2014)

Providers of electronic networks and services are required to notify the competent body for eGovernment in cases of data breaches that have significant consequences on the provision of services or concern person-identifiable information. This legal requirement implements in part Directives 2009/140/EC and 2009/136/EC. The Act has been amended several times and amendments have been consolidated in the Amendment Act of 2014.

Act on Marketing Practices (2013)

In June 2003, an amendment to the Marketing Practices Act was adopted to implement the Directive on ‘privacy and electronic communications’ 2002/58/EC. This transposition entailed a change to Denmark's legal data protection framework on spam. According to the Directive, people who have already given their address to businesses can be spammed with advertisements for 'similar services' ('soft opt-in'), which Danish legislation had not allowed until then. Amendments have been consolidated in the Consolidated Marketing Practices Act (2013).

Estonia

Consumer Protection Act (2004)

This Act entered into force on 15 April 2004 and it regulates the offering and sale, or marketing in any other manner, of goods and services to consumers by traders. Furthermore, it determines the rights of consumers as the purchasers or users of goods or services, and provides for the organisation and supervision of consumer protection and liability for violations of this Act. Some minor amendments were included and entered into force on 1 January 2015 (proceedings and punishments for legal persons).

Personal Data Protection Act (1996)

The first Personal Data Protection Act (PDPA) entered into force on 19 July 1996. The Act was amended in 2003, to be made fully compliant with the EU Data Protection Directive 95/46/EC, and once again amended in January 2008. The Act protects the fundamental rights and freedoms of persons with respect to the processing of their personal data, in accordance with the right of individuals to obtain freely any information that is disseminated for public use.

The 2008 version of the Act introduced several changes. Firstly, the previous classification of personal data into three groups (non-sensitive personal data, private personal data and sensitive personal data) has been replaced by two data categories: (1) 'personal data' and (2) 'sensitive personal data', the latter being the sub-class under special protection. Secondly, all processed personal data are protected and registered by Chief processors (i.e. controllers) with the Data Protection Inspectorate, the data protection supervision authority. Moreover, the new PDPA Act extends all general principles applying to the processing of personal data and to the processing of the personal identification code (the unique number assigned to every Estonian citizen and resident).

From 1 January 2015 the Data Protection Inspectorate may submit reports concerning significant matters which have an extensive effect or need prompt settlement which become known in the course of supervision over compliance with the Act to the Constitutional Committee of the Riigikogu and the Legal Chancellor.

System of Security Measures for Information Systems (2008)

This Regulation entered into force on 1 January 2008 and establishes the system of security measures for information systems used for processing the data contained in state and local government databases and for information assets related therewith. The system consists of the procedure for the specification of security measures and the description of organisational, physical and IT security measures to protect data. However, it is underlined that this Regulation does not apply to security of information systems processing state secrets.

Finland

Personal Data Act (1999)

The Personal Data Act, which came into force on 1 June 1999, replaced the Personal Data File Act of 1988, which was the first law concerning data protection in Finland, aiming at preventing violations of integrity at all stages of data processing. The functional objective was to promote the development of and compliance with good data processing practices. The main principles of the protection of privacy remained largely unchanged in the 1999 Act. It accommodates the constitutional reform and the EU Data Protection Directive (95/46/EC). The basic rights and freedoms of individuals are even more strongly emphasised in the processing of personal data. It is overseen and enforced by the Data Protection Ombudsman. Other legal documents contain special provisions regarding the processing of personal data. The Act on the Openness of Government Activities (1999) controls access to public registers. The protection of privacy in electronic communications is also regulated by the Information Society Code (2014).

France

Law on ‘Informatics and Liberty’ (2004)

The Law on ‘Informatics and Liberty’ was adopted on 6 January 1978. The Law provides a legal framework for the use of identifiers in databases and the processing of personal data by public and private sector organisations. The Law created a National Commission for Informatics and Liberty (CNIL), which is in charge of overseeing its implementation and observance. The CNIL also has an advisory role in the planning of administrative data systems. The Law on Informatics and Liberty was amended by law no. 2004-801 of 6 August 2004 implementing the EU Data Protection Directive (95/46/EC).

Macedonia (FYROM)

Law on Personal Data Protection (2005, 2008)

Harmonisation of legislation in the area of personal data protection has been one of the government’s priority activities since 2002. A new law on personal data protection, amended to include EC recommendations, was drafted in 2004, adopted on 25 January 2005 and modified to comply fully with the European Directive 95/46/EC in 2008 (Official Gazette no. 7/2005 and 103/2008). The law represents a 'lex generalis' in the area of data protection in the country.

According to the law, personal data shall be: fairly and lawfully processed; collected for specified, explicit and legitimate purposes; processed in a manner which is consistent and proportionate with these purposes; accurate and complete; kept for no longer than the necessary time frame for fulfilling the above mentioned purposes. Further amendments to the law were made in 2010, 2011, 2014 and 2015.

Law on Electronic Management (2009)

The Law on Electronic Management (Official Gazette, no. 105, 21/08/2009), adopted on 21 August 2009, regulates the work of ministries and other government authorities in the exchange of data and documents in electronic format, in relation to the implementation of administrative services by electronic means. Seven bylaws were adopted in June 2010 to enable implementation, as well as that of electronic workflow procedures and electronic document exchanges. Those acts regulate issues such as environment and communication; certification of information systems; format and content of administrative services by electronic means such as electronic documents; standards and regulations for electronic communication; technical requirements; security of information systems; format and content of administration of databases and others.

Further amendments to the law were made in 2011.

Germany

Federal Data Protection Act (2003) 

Germany has one of the strictest data protection laws in the European Union. The world's first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Law followed, which was replaced in 1990, amended in 1994 and 1997. An additional revision took place in August 2002 to align German legislation with the EU Data Protection Directive (95/46/EC). The general purpose of this law is 'to protect the individual against violations of his personal rights by handling person-related data.'

Greece

Law on the Protection of Individuals with regard to the Processing of Personal Data (1997)

Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data was adopted in April 1997. It establishes the terms and conditions under which the processing of personal data is to be carried out so as to protect the fundamental rights and freedoms of natural persons and in particular their right to privacy. It also allows any person to obtain their personal information held by government departments or private entities. The law is enforced by the Hellenic Data Protection Authority. It is complemented by Law 2774/1999 on the Protection of Personal Data in Telecommunications, and by Law 3115/2003 that establishes the Hellenic Authority for the Information and Communication Security and Privacy in order to protect the secrecy of mailing, the free correspondence or communication in any possible way, as well as the security of networks.

Law on the Protection of Personal Data and Private Life with regard to Electronic Telecommunications (2006)

Law 3471/2006 was adopted on 28/06/2006, revising Law 2472/1997. It is intended to establish preconditions for personal data processing and to ensure confidentiality in telecommunications. Law 3471/2006 was amended by Law 3917/2011 and Law 4070/2012.

Law on Strengthening the Institutional Framework to Safeguard Privacy of Telephone Communications (2008)

Law 3674/2008 sets out the obligations of the service provider for the security of telephone services. According to these provisions, the provider is responsible for security matters under the supervision of premises, facilities, connections and hardware systems and software. To this end the provider has an obligation to take appropriate technical and organisational measures and to use hardware and software that ensure the confidentiality of communications and the detection of breach, or attempted breach, of confidentiality of communications.

Hungary

Act on Informational Self-determination and Freedom of Information

Act No. CXII of 2011 on Informational Self-determination and Freedom of Information (also available in English) is a combined Data Protection and Freedom of Information Act. This Act sets rules and safeguards for the processing of personal data by public and private bodies. Its application is overseen by the National Data Protection and Freedom of Information Authority.

Iceland

Act on the Protection of Privacy as regards the Processing of Personal Data, No. 77/2000

The Act on the Protection of Privacy as regards the Processing of Personal Data (No. 77/2000) was passed in 2000 and came into effect on 1 January 2001. The act implements the EC Data Protection Directive (95/46/EC) and deals with how the protective principle relates to data quality, and presents criteria for the legitimacy of data processing. The act applies to any automated processing of personal data and to manual processing of such data if it is, or is intended to become, a part of a file.

Ireland


Data Protection Act (24 May 2018) **NEW**

An Act to establish a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission; to give further effect to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); to give effect to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; to give further effect to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981 and for those and other purposes to amend the Data Protection Act 1988; to provide for the consequential amendment of certain other enactments; and to provide for related matters.

Data Protection Strategy 2014 - 2016

The mission of the strategy is to protect the individual’s right to data privacy by enabling people to know, and to exercise control over, how their personal information is used, in accordance with the Data Protection Acts and related legislation.

Data Protection (Amendment) Act (2003) 

The Data Protection Act of 1988 was amended in 2003 to ensure full compliance with the EU Data Protection Directive (95/46/EC). The aim of the Directive is to establish common standards of data protection across Member States in order to protect personal privacy and to ensure the smooth operation of the internal market, while ensuring adequate levels of data protection in countries outside the European Economic Area to facilitate and encourage international trade (Department of Justice and Law Reform). The Data Protection Commissioner oversees and enforces the Act.

Copyright and Related Rights Act (2000)

This Act effects a total reform of Irish copyright and related rights law, bringing it fully into line with the requirements of EU and international law in this area. It places Ireland among world leaders in terms of standards for copyright protection.

Italy

Data Protection Code (2004)

The Data Protection Code entered into force on 1 January 2004. It replaces the previous Data Protection Law (Law no. 675/1996), as well as a number of other legislative and regulatory provisions.

The Data Protection Code updates, completes and consolidates Italy's data protection legislation (1996) by introducing important innovations and conforming national legislation to European regulations, in particular the Data Protection Directive (95/46/EC) and the Directive on privacy and electronic communications (2002/58/EC). The code aims to strengthen the data protection rights of individuals, allowing them to exercise their rights and instigate proceedings more easily. The Code was last amended on 4 November 2010.

The Data Protection Commissioner ('Garante Privacy') is in charge of supervising and enforcing the application of the Data Protection Code. In an effort to simplify the complaint process, the Commissioner has published a complaint form on its website.

Latvia

Personal Data Protection Law (2000)

The Law on Personal Data Protection was adopted by Parliament on 23 March 2000. It is based on standard fair information practices and is fully compliant with the EU Data Protection Directive (95/46/EC). The aim of this Law is to protect the fundamental human rights and freedoms of natural persons, in particular the inviolability of private life with respect to the processing of personal data. Application of the Law is overseen by the State Data Inspectorate, which is also responsible for spam supervision.

Information Technologies Security Law (2011)

The Information Technologies Security Law came into force on 1 February 2011. It aims to improve information technologies security by defining the key requirements for organisations to guarantee the security of essential electronic services. The law provides for the identification and protection of critical infrastructure, the establishment and organisation of an IT Security Incident Response Institution (national CERT), the determination of conduct in information technology security incidents, the setup of minimum security requirements for state and municipal institutions and the implementation of Directive 2009/140/EC by electronic communications service providers.

Liechtenstein

Data Protection Act

The Data Protection Act of 14 March 2002 provides for the rights and obligations of private individuals and State authorities, implementing into national law the EU Directive 95/46/EC on the protection of individuals concerning the processing of personal data and the free exchange of data. The Act (register number 235.1) was supplemented by two regulations in July 2002 (register number 235.11) and February 2006 (register number 235.111). The latter concerns the use of personal data by the police for cases related to terrorism, national security and crime prevention. In September 2008, the Parliament adopted a partial revision of the Data Protection Act bringing the law into line with EU agreements regarding the connection to European database systems, such as the Schengen Information System (SIS), or the Eurodac service. The revised law focuses on the independence of data protection from the Executive and underlines its main role in ensuring the protection of personal rights and the respect for privacy.

Lithuania

Law on Legal Protection of Personal Data (1996)

The Law on Legal Protection of Personal Data was adopted on 11 June 1996 and last amended on 1 January 2009. Its main purpose is the protection of an individual’s right to privacy with regard to the processing of personal data. The law is fully compliant with the EU Data Protection Directive (95/46/EC).

Luxembourg

Data Protection Act (2007) 

The Data Protection Act of 2 August 2002, which implements Directive 95/46/EC regarding the protection of personal data and which was amended by the law of 27 July 2007, governs the processing and use of personal data in Luxembourg.

The Data Protection Act of 2002 governs the processing and use of personal data, and goes beyond the framework of the EU Directive by covering not only natural, but also legal (moral) persons. It contains specific provisions on the processing of medical data by health services, the processing of personal data for surveillance purposes and in the workplace. The Data Protection Act applies to "data controllers" ("a natural or legal person, public authority, agency, or any other body which solely or jointly with others determines the purposes and methods of processing personal data") and "data processors" ("any natural or legal person, public authority, administrative body or other entity that processes personal data on behalf of the controller" excluding any of the data controller's employees).

The law also created a new data protection authority, the Commission nationale pour la protection des données (CNPD) in December 2002. The CNPD is an independent agency whose task is to regulate the processing of personal data in Luxembourg and ensure compliance with data protection regulations. The Data Protection Act has also provided for an online public data processing register, which makes it possible to check if an authority, company, association, professional, or self-employed worker is likely to hold information about an individual and if they have declared as much to the CNPD.

Processing of Personal Data in the Electronic Communications Sector Act (2011)

The 'Processing of Personal Data in the Electronic Communications Sector Act', which was adopted on 28 July 2011 and which entered into force on 1 August 2011, transposes the EU Directive on privacy and electronic communications (Directive 2009/136/EC) into Luxembourgish law and forms part of Luxembourg’s legislative 'telecom package' (cf. below). It aims at protecting the privacy of Internet users (including protection against unsolicited commercial communications or 'spam') and users of added value services, such as GPS. The National Commission for Data Protection (CNPD), which was created by the 2002 Data Protection Act, is competent for checking the legality of personal data processing.

Malta

Data Protection Act (2001)

The Data Protection Act was passed on 14 December 2001 and came fully into force in July 2003. It was introduced in order to render Maltese law compatible with the EU Data Protection Directive (95/46/EC). Even though Malta was not yet an EU Member State at that time, this was a prerequisite for joining the EU. It outlines principles of ‘good information/data handling’ to guarantee the protection of personal information. Data Controllers, such as educational institutions, employers and banks, are obliged to inform individuals of the reasons for collecting information about them. Furthermore, individuals are to be assured that the data collected will not be used for any other reason than for the purpose it was collected and are granted rights of access to the personal information held by the data controller. The Act provides grounds for processing “personal data” but makes special provision for processing “sensitive personal data”, a sub-set of personal data, in very specific stipulated circumstances.

Regulation 2016/679/EU will eventually supersede this Act on the protection of natural living persons with regard to the processing of personal data and on the free movement of such data, generally known as the General Data Protection Regulation. This Regulation will come into force in its entirety in all EU Member States from 25 May 2018.

Netherlands

Personal Data Protection Act (2000)

The EU Data Protection Directive (95/46/EC) adopted in 1995 regulates the processing of personal data within the European Union. The Dutch Personal Data Protection Act was adopted by the Dutch Parliament in July 2000 and came into force on 1 September 2001. It sets the rules for recording and using personal data, and ensured the transposition into Dutch law of the European Directive. The Act is overseen and enforced by the Data Protection Authority (DPA).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, better known as the General Data Protection Regulation, repeals Directive 95/46/EC. The regulation will enter into force on 25 May 2018.

Norway

Personal Data Act (2000)

The purpose of Act No. 31 of 14 April 2000 relating to the processing of personal data (Personal Data Act) is to protect natural persons from violation of their right to privacy through the processing of personal data. It ensures that personal data is processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and private life, and that personal data is of adequate quality. This Act transposes the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data into Norwegian law.

Personal Data Regulations

The regulations on the processing of personal data (Personal Data Regulations) were laid down by the Royal Decree of 15 December 2000 pursuant to Act No. 31 of 14 April 2000 on the processing of personal data (Personal Data Act), as amended on 23 December 2003.

Poland

Act on the Protection of Personal Data (1997)

The Act on the Protection of Personal Data was adopted on 29 August 1997 and has been amended a few times so far. This Act follows the rules established by the European Union's Directive 95/46/EC on the protection of individuals with regard to the processing of personal data. The Inspector General for the Protection of Personal Data supervises the observance of the Act. In case of breach of the provisions on personal data protection, the Inspector General, ex officio or upon a motion of a person concerned, shall order, by means of an administrative decision, the restoration of the proper legal state.

Regulation on the Preparation and Provision of Electronic Documents and making available forms, samples and copies of electronic documents (2011)

The Regulation focuses on how to share copies of electronic documents and forms under conditions of safety. Accordingly, it clarifies the form of official certification of receipt of electronic documents by the recipient, the ways to safely share electronic copies of documents and safety conditions for forms and templates of shared documents. It has been amended twice so far.

Portugal

Law on the Protection of Personal Data

Law no. 41/2004, of 18 August transposes into national law Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, except for Article 13 which concerns unsolicited communications. This legislation applies to the processing of personal data within the context of publicly available electronic communications services and networks, while complementing the provisions of Law no. 67/98 of 26 October (Law on the Protection of Personal Data). Its provisions shall ensure protection of the legitimate interests of subscribers who are legal entities to the extent that such protection is consistent with their nature.

Romania

Law no. 677/2001 on the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of such Data

The law allows individuals to access and correct personal information held by public or private bodies. It was complemented by recent additions such as Law no. 55 (OJ. no. 244/23.03.2005), which ratifies the Additional Protocol to the Convention for the Protection of Individuals with regard to automatic processing of personal data, referring to control authorities and cross-border data flow. Furthermore, a National Supervisory Authority for Personal Data Processing was established in 2005 by Law no. 102/2005 (O.J. no. 391/09.05.2005). All of the data protection files previously kept by the Ombudsman have now been handed over to the Authority, which supervises and controls the legality of the personal data processing under Law no. 677/2001.

Law no. 506/2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector

This Law on the processing of personal data and the protection of privacy in the electronic communications sector replaced Law no. 676 of 21 November 2001 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector. It closely follows Directive 2002/58/EC on personal data processing and privacy protection in the electronic communications sector.

Slovakia

Draft Cyber Security Act

The National Security Authority is drafting the Act on Cyber Security to comprehensively cover cyber and information security and to introduce basic security requirements and other measures critical for coordinating the protection of information, communication and management systems. At the same time, the European NIS Directive on network and information security is being transposed into Slovak legislation.

Act No. 122/2013 on Personal Data Protection as amended by Act no. 84/2014

This legislation (1 July 2013) implements the principles set in the EU's Data Protection Directive (95/46/EC). Under this Act, individuals can access and correct personal information held by public and private bodies. The Act is enforced by the Office for Personal Data Protection. This Act regulates:

  a) Protecting the rights of natural persons against wrongful interference with their private life in connection with the processing of their personal data
  b) Rights, duties and liability in connection with personal data processing
  c) Establishment of the scope of the powers and organisation of the Office for Personal Data Protection of the Slovak Republic.

Slovenia

Personal Data Protection Act

The Personal Data Protection Act (Official Gazette of the Republic of Slovenia No. 94/07), currently applicable, was adopted in July 2004 and came into force on 1 January 2005. It replaced a previous version, adopted in 1999, and transposed the EU Directive 95/46/EC on data protection into Slovenian Law.

The main goal of the Act is to prevent illegal and unwarranted violations of personal privacy in the course of data-processing, and to ensure the security of personal databases and their use. Until 1 January 2006, the Inspectorate for Personal Data Protection was in charge of overseeing the application of the Act. Since then, such responsibility has been transferred to the Information Commissioner (Information Commissioner Act, adopted in December 2005). The last amendment of the Personal Data Protection Act was performed in 2013.

Spain

Law on the Protection of Personal Data

The Organic Law 15/1999 of 13 December 1999 on the Protection of Personal Data brought Spanish law in line with the EU Data Protection Directive 95/46/EC.

This law regulates the processing of personal data in the public and private sectors. It grants citizens the right to access and correct their personal information in the records held by public and private bodies. Personal information may only be used or disclosed to a third party with the consent of the individual, and only for the purposes for which it was collected. Additional protections are provided for sensitive data. The Law is enforced by the Spanish Data Protection Agency.

Technical Security Instruction of the Report of the Security Status

The resolution of this Instruction of 7 October 2016 establishes the conditions for the gathering and communication of data about the status of security. This makes it possible to know the main variables regarding the security of information in the systems included in the scope of the National Security Framework. Moreover, it will help to draw up a general profile of the state of cybersecurity in the public sector.

Technical Security Instruction on the Compliance with the National Security Framework

The resolution of this Instruction of 13 October 2016 establishes the criteria and procedure to determine compliance with the National Security Framework and determines the mechanism to obtain and publish the declaration of compliance and security credentials.

Law 39/2015 on the Common Administrative Procedure Public Administration

Article 17 of the new Law 39/2015 on the Common Administrative Procedure Public Administration states that each administration shall implement a single Digital Archive System for the long-term preservation of documents belonging to resolved procedures. The article also requires the application of adequate security and privacy protection measures as required by the NSS and the law on data protection.

Sweden

Personal Data Act (1998)

The Personal Data Act came into force on 24 October 1998. The Personal Data Act was adopted to bring Swedish law into compliance with the requirements of the EU Data Protection Directive 95/46/EC, which aims to prevent the violation of personal integrity in the processing of personal data. The Act lists certain fundamental requirements concerning the processing of personal data. These demands include, inter alia, that personal data may only be processed for specific, explicitly stated and justified purposes and if the person registered gives his/her consent. Exemptions to this rule include the exercise of official powers, or the fulfilment of a legal obligation by the controller of personal data. In many areas of the administration there are special registry laws to supplement or replace the provision in the Personal Data Act.

Switzerland

Federal Act on Data Protection (2002)

The Act, approved on 19 June 1992 and entered into force on 1 July 1993, aims to protect the privacy and the fundamental rights of persons when their data is processed. It applies to the processing of data pertaining to natural persons and legal entities by federal bodies and private persons.

For the first time in Switzerland, the public and private sectors are subject to the same rules. In the public sector, the Act only covers the activities of authorities at federal level. However, the majority of Swiss cantons have introduced similar legislation to govern public sector data collection and processing in their respective localities. The Swiss law was granted adequacy approval by the EU in 2000.

The Federal Council’s update of the Ordinance on Data Protection entered into force on 1 November 2016. The ordinance envisages that certain procedures and products used for processing personal data can be better certified and thereby data protection can be improved.

Ordinance of the Federal Department of Finance on Electronic Data and Information (2009)

This Ordinance regulates the technical, organisational and procedural requirements concerning the evidential value and control of data and information (electronic data) produced electronically or in a comparable manner in accordance with Articles 122–124 of the VAT Ordinance (VATO) of 27 November 2009.

Turkey

Turkish Constitution (1982)

Section 5 of the 1982 Turkish Constitution is entitled 'Privacy and Protection of Private Life'. Article 20 of the Turkish Constitution addresses the issue of 'Privacy of the Individual’s Life', and states: "Everyone has the right to demand respect for their private and family life. Privacy of individual and family life cannot be violated. Unless there exists a decision duly passed by a judge in cases explicitly defined by law…neither the person nor the private papers, nor belongings of an individual shall be searched nor shall they be seized". With the 2010 amendment of the Constitution, citizens are granted the right to request the protection of their personal data. They have the right to be informed about their own personal data, to access these data, to request their correction or deletion, and to learn whether they have been used for the purposes for which they were obtained in the first place. Thus individual data can be processed only as foreseen by the law or with the consent of the person, as mentioned in Article 22.

Law on the Protection of Personal Data (2016)

After the 2010 amendment of the Constitution, citizens are granted the right to request protection of their personal data. Hereinafter, individual data can be processed only in the circumstances envisaged in the law or with the express consent of the person. According to the regulation, relevant procedures and principles will be codified by law, namely the ‘Law on Protection of Personal Data’, which was published in the Official Gazette No. 29677 on 7 April 2016.

This law regulates the conditions for the processing and transfer of personal data, rights and obligations, and the obligations of the data supervisor or the related person regarding data security to the institution and the board for the protection of personal data.

By-Law on Electronic Communication Security (2008)

The By-Law, which was adopted on 5 November 2008, identifies the obligations of operators with respect to ensuring security of electronic communications networks. It covers the principles and basis of measures to be taken in order to eliminate the risks stemming from threats and vulnerabilities with the aim of ensuring physical data, hardware-software and personnel security. It explicitly states that personal information processing and protection of privacy are not under its scope.

By-Law on the Personal Information Processing and Privacy in the Telecommunications Sector (2004)

The By-Law on the Personal Information Processing and Privacy in the Telecommunications Sector was adopted on 6 February 2004 to define the procedures and principles related to guaranteeing personal information processing and protection of privacy in the telecommunications sector.

Council of Europe's Convention on Cybercrime

Turkey became party to the Council of Europe Convention on Cybercrime (CETS No. 185), adopted in order to ensure international cooperation in combating cybercrime efficiently. Following the adoption of legislation on the protection of personal data, approval studies for Conventions No. 108 and 181, which aim at the protection of individuals with regard to the automatic processing of such data, will be launched.

Click here for all legislation about Personal Data Protection in Turkey

United Kingdom

Digital Economy Act (2010)

The Act concerns the online infringement of copyright. It creates a system which aims to increase the ease of tracking down and suing persistent infringers and, after a minimum of one year, to permit the introduction of 'technical measures' to reduce the quality of, or potentially terminate, those infringers' Internet connections. It furthermore creates a new ex-judicial process to handle appeals.

Data Protection Act (1998)

The Data Protection Act 1998 received Royal Assent in July 1998 and came into force on 1 March 2000, giving effect to the EU Data Protection Directive (95/46/EC). It lays down rules for the way organisations have to treat personal data and information that apply to paper-based and electronic records. These rules are mandatory for all organisations that hold or process personal data, in the public as well as the private and voluntary sectors. The Act contains eight data protection principles, which state that all data has to be: processed fairly and lawfully; obtained and used only for specified and lawful purposes; adequate, relevant and not excessive; accurate, and where necessary, kept up to date; kept for no longer than necessary; processed in accordance with an individual's rights; kept secure; and transferred only to countries that offer adequate protection.
