Data protection laws by jurisdiction

Jurisdiction - Europe

Country - EU
Law

The General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The European Data Protection Supervisor ("EDPS") is the European Union's (EU) data protection authority and monitors privacy within EU institutions and bodies. The European Data Protection Board ("EDPB") is an independent European body composed of representatives of the national data protection authorities and the EDPS.

Country - Belgium
Law

Act of 3 December 2017 establishing the Data Protection Authority, Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data ("the Act"), and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Data Protection Authority ("Belgian DPA")

Country - Bulgaria
Law

The Protection of Personal Data Act 2002 (last amended in 2019) ("the Act") and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Commission for Personal Data Protection ("CPDP")

Country - Cyprus
Law

Law 125(I) of 2018 Providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data ("the Law") and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Office of the Commissioner for Personal Data Protection ("the Commissioner")

Country - Czech Republic
Law

Act No. 110/2019 Coll. on Personal Data Processing ("the Act") and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Office for Personal Data Protection ("UOOU")

Country - Denmark
Law

Act No. 289 of March 8, 2024, on supplementary provisions to the GDPR (Regulation (EU) 2016/679).

Regulator

Danish Data Protection Authority (Datatilsynet).

Country - Hungary
Law

Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information, as amended by Act XXXVIII of 2018, and the GDPR (Regulation (EU) 2016/679).

Regulator

National Authority for Data Protection and Freedom of Information (NAIH).

Country - Ireland
Law

Data Protection Act 2018 ("the Act") and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Data Protection Commission ("DPC")

Country - Italy
Law

Personal Data Protection Code, with Provisions to Adapt the National Legislation to the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") ("the Code") and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Italian data protection authority ("Garante")

Country - France
Law

Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The French data protection authority ("CNIL")

Country - Germany
Law

Federal Data Protection Act of 30 June 2017 (implementing the GDPR) (as amended) ("the Act") and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Federal Commissioner for Data Protection and Freedom of Information ("BfDI"). Please note that there are also regional laws and regulators.

Country - Greece
Law

Law 4624/2019 on the Personal Data Protection Authority, Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) and Transposing into National Law the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and Other Provisions ("the Law"), and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Hellenic Data Protection Authority ("HDPA")

Country - Lithuania
Law

Law No XIII-1426 of 30 June 2018 amending Law No I-1374 and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

State Data Protection Inspectorate ("VDAI")

Country - Luxembourg
Law

Act of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR ("the Act") and the General Data Protection Regulation (Regulation (EU) 2016/679)

Regulator

The National Commission for Data Protection ("CNPD")

Country - Poland
Law

Act of 10 May 2018 on the Protection of Personal Data ("the Act") and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Polish data protection authority ("UODO")

Country - Portugal
Law

Law No. 58/2019, which Ensures the Implementation in the National Legal Order of the General Data Protection Regulation (Regulation (EU) 2016/679) on the Protection of Individuals with Regards the Processing of Personal Data and the Free Movement of Such Data ("the GDPR Implementation Law") and the General Data Protection Regulation (Regulation (EU) 2016/679)

Regulator

The Portuguese data protection authority ("CNPD")

Country - Romania
Law

Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) ("the Law") and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The National Supervisory Authority for Personal Data Processing ("ANSPDCP")

Country - Spain
Law

Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD") and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Spanish data protection authority ("AEPD")

Country - Sweden
Law

The primary pieces of legislation are the Act with Supplementary Provisions to the GDPR (SFS 2018:218), the Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Swedish Authority for Privacy Protection ("IMY")

Country - Switzerland
Law

The Federal Act on Data Protection 2020 ("FADP")

Regulator

The Federal Data Protection and Information Commissioner ("FDPIC")

Country - The Netherlands
Law

The Act Implementing the GDPR ("the Act") and the General Data Protection Regulation (Regulation (EU) 2016/679)

Regulator

The Dutch data protection authority ("AP")

Country - United Kingdom
Law

The Data Protection Act 2018 ("the Act") and the UK General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR")

Regulator

The Information Commissioner's Office ("ICO")

Jurisdiction - Asia-Pacific

Country - Australia
Law

Privacy Act 1988 (No. 119, 1988) (as amended) ("the Privacy Act")

Regulator

The Office of the Australian Information Commissioner ("OAIC")

Country - New Zealand
Law

Privacy Act 2020 ("the Act")

Regulator

The Office of the Privacy Commissioner of New Zealand ("OPC")

Country - Singapore
Law

Personal Data Protection Act 2012 (No. 26 of 2012) ("PDPA")

Regulator

The Personal Data Protection Commission ("PDPC")

Jurisdiction - Middle East

Country - United Arab Emirates
Law

Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ("the Law") and Data Protection Law DIFC Law No. 5 of 2020

Regulator

The UAE Data Office and DIFC Commissioner of Data Protection

Jurisdiction - Canada

Country - Canada Federal
Law

Personal Information Protection and Electronic Documents Act 2000 ("PIPEDA") and Personal Information Protection Act, SBC 2003 c 63 ("PIPA") (applicable only for British Columbia)

Regulator

The Office of the Privacy Commissioner of Canada ("OPC") and The Office of the Information and Privacy Commissioner for British Columbia ("OIPC") (applicable only for British Columbia)

Jurisdiction - Latin America

Country - Mexico
Law

Federal Law on the Protection of Personal Data Held by Private Parties ("FLPPDPP"), Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties ("the Regulations")

Regulator

The National Institute for Access to Information and Protection of Personal Data ("INAI")

Country - Chile
Law

Law No. 19.628 on the Protection of Private Life 1999 ("the Law")

Regulator

Currently, oversight is carried out by the Chilean Transparency Council ("CPLT")

Jurisdiction - Africa

Country - South Africa
Law

Protection of Personal Information Act, 2013 (Act 4 of 2013) ("POPIA"), Commencement of Section 1, Part A of Chapter 5 and Sections 112 and 113 of POPIA (April 2014), and Regulations Relating to the Protection of Personal Information (2018) ("the Regulations")

Regulator

The Information Regulator ("the Regulator")

Country - Kenya
Law

The Data Protection Act, 2019 (the Act) and the Data Protection Regulations, 2021 (the 2021 Regulations)

Regulator

Office of the Data Protection Commissioner (ODPC)