August 2023

1. Governing Texts

There is no codified law which governs data protection in Iraq. Rather, data protection is governed briefly under various laws including the Iraqi Constitution, the Iraqi Penal Code No. 111 of 1969 ('the Penal Code'), the Iraqi Civil Code (only available in Arabic here), and other laws which are sector-specific (e.g. banking laws, securities laws, labor laws, tax laws, etc.). While a data protection law has been recently passed, it only applies to government entities, with the private sector remaining largely unregulated and subject to only piecemeal rules.

There are no data protection initiatives for the private sector. However, the Iraqi Government has been contemplating a cybercrime law for some time now.

1.1. Key acts, regulations, directives, bills

The legislation quoted in the present Guidance Note can be accessed here.

While there are no notable cybercrime and privacy laws, the Penal Code contains the following provisions on privacy:

• Article 437 of the Penal Code states that any person who by reason of their office, profession, trade, or the field of nature of their work, is privy to confidential information and discloses such information in circumstances other than those specified by law, or uses it to their advantage or to another's advantage, is punishable by a period of detention not exceeding two years and a fine for one of those penalties. However, there is no penalty if they have been authorized to make such a disclosure or if, by such disclosure, they intend to report a felony, misdemeanor, or prevent the commitment of such an offense; and
• Article 438(2) of the Penal Code states that any person who is privy to information contained in a letter, telex, or telephone conversation and discloses such information to a person other than for whom it is intended, and if this disclosure then causes damage to another, shall be punished by a period of detention not exceeding one year plus a fine for one of those penalties.

It is fair to say that these legal restrictions are not clearly intended to target commonplace commercial data processing, but such provisions might be used to challenge the use or disclosure of information. Written consent from the individual would typically be accepted as the basis for legitimizing the processing of such information.

Certain sector-specific general data protection requirements include the following:

• Document Retention Law No. 37 of 2016, which contains data retention rules for the public sector only;
• under Iraqi labor law, employers with more than 15 employees must keep a personal file for each employee for two years from the end of the employment relationship. The file should contain the employment contract, all employee documentation, and records of events during employment, including wages, bonuses, penalties, and yearly performance reports for employers;
• tax compliance records must be retained as tax authorities may have to approve the use of certain systems; and
• investment license compliance obligations include keeping records of materials imported with customs exemptions.

1.2. Guidelines

Not applicable.

1.3. Case law

Judicial decisions are not binding in Iraq and there is no reliable case law database in Iraq.

2. Scope of Application 

2.1. Personal scope

There is no general data protection law in the private sector.

2.2. Territorial scope

Not applicable.

2.3. Material scope

Not applicable.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Not applicable.

3.2. Main powers, duties and responsibilities

Not applicable.

4. Key Definitions

Data controller: There is no definition under Iraqi law.

Data processor: There is no definition under Iraqi law.

Personal data: There is no definition under Iraqi law.

Sensitive data: There is no definition under Iraqi law.

Health data: There is no definition under Iraqi law.

Biometric data: There is no definition under Iraqi law.

Pseudonymization: There is no definition under Iraqi law.

5. Legal Bases

5.1. Consent

Legal bases for processing personal data are not formally recognized under Iraqi law, given that there is no generally applicable data protection law.

5.2. Contract with the data subject

Not applicable. See section on consent above.

5.3. Legal obligations

Not applicable. See section on consent above.

5.4. Interests of the data subject

Not applicable. See section on consent above.

5.5. Public interest

Not applicable. See section on consent above.

5.6. Legitimate interests of the data controller

Not applicable. See section on consent above.

5.7. Legal bases in other instances

Not applicable. See section on consent above.

6. Principles

Not applicable.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no data processing registration requirements.

7.2. Data transfers

There are localization requirements scattered in the banking rules, tax record-keeping rules, and some other sectors. However, there are no notable restrictions on transfers of data and keeping backups. It is noted that Iraq still implements the Israel Boycott and using services based in Israel is grounds for blacklisting.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

There are no specific requirements for conducting Data Protection Impact Assessments ('DPIA'). However, sector-specific mandates may include similar requirements. For example, telecom and banking licenses may include such requirements.

7.5. Data protection officer appointment

There is no general obligation, though some sector-specific requirements may apply.

7.6. Data breach notification

There is no general obligation, though some sector-specific requirements may apply.

7.7. Data retention

There are no general data retention requirements. However, various sector-specific rules on record keeping may apply, for example, in banking, employment, trade in medicine, and commercial activities, etc.

7.8. Children's data

There are no specific provisions regulating the processing of children's data.

7.9. Special categories of personal data

There are no specific provisions regarding the processing of special categories of personal data.

7.10. Controller and processor contracts

There are no requirements for a contract to be in place between a controller and processor.

8. Data Subject Rights

8.1. Right to be informed

There are no statuary data subject rights. However, data subjects may have rights stemming from industry-specific regulations, for example, regulations of telecommunication services providers and consumer protection.

8.2. Right to access

Not applicable. See section on the right to be informed above.

8.3. Right to rectification

Not applicable. See section on the right to be informed above.

8.4. Right to erasure

Not applicable. See section on the right to be informed above.

8.5. Right to object/opt-out

Not applicable. See section on the right to be informed above.

8.6. Right to data portability

Not applicable. See section on the right to be informed above.

8.7. Right not to be subject to automated decision-making

Not applicable. See section on the right to be informed above.

8.8. Other rights

Not applicable. See section on the right to be informed above.

9. Penalties

Penalties vary depending on the industry but can include warnings, fines, revocation of licenses, and blacklisting.

9.1 Enforcement decisions

There are no noteworthy public enforcement decisions.