Regulator: National Cyber Governance and Assurance Affairs, a division of the National Cyber Security Agency ('NCSA')
Summary: The Law was introduced in 2016 and is broadly modelled on the former European Union Data Protection Directive (Directive 95/46/EC). The Law establishes the consent of the data subject as the main legal basis for processing personal data, and details specific notification requirements for the processing of sensitive data. From an enforcement perspective, the Law also prescribes that corporate entities can be found liable for the actions of third parties, such as contractors, where those actions were carried out on the organisation's behalf. It is also stipulated that contracts or agreements concluded in violation of the Law shall be deemed null and void; however, this provision is likely to require further specification, considering its potential effects on several business sectors as well as its civil law implications. Furthermore, the Law presents a unique approach to data transfers, providing that the data controller should not block a cross-border data flow unless it results in a violation of the Law or constitutes a serious violation of the data subjects' right to privacy.
In addition, the NCSA has released detailed guidelines to aid regulated entities and individuals in implementing the Law.