Lebanon: Privacy Landscape

While Lebanon does not have comprehensive data protection legislation, privacy provisions are contained in Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data ('the Law'). This Insight provides an overview of the data protection regime in Lebanon.

Key takeaways

  • data protection requirements are regulated under the Law;
  • the Law establishes a legal regime governing protection of personal data in relation to any automatic or non-automatic processing activity in Lebanon;
  • the Law provides the Ministry of Economy and Trade a relevant role in the management of data processing activities; and
  • the Law addresses, among other things, data subjects' rights, transparency requirements, data retention periods, sensitive personal data, appropriate security measures, as well as criminal penalties.

Data protection regime

While the Law is not comprehensive data protection legislation when compared with international standards, it does establish a legal regime governing the protection of personal data in relation to any automatic or non-automatic processing activity in Lebanon.

The Law does not establish an independent data protection authority; however, it provides that any intended data processing activity must be notified to the Ministry of Economy and Trade ('the Ministry').

The Law further includes specific privacy requirements in relation to data subjects' rights, transparency and information to be provided to data subjects, data retention periods, sensitive personal data, and appropriate security measures to be adopted by data controllers. Finally, the Law establishes certain criminal penalties for the violation of its privacy provisions.

In relation to certain fundamental data protection concepts, the Law provides express definitions. Specifically, the Law defines the processing of personal data as any action or set of actions performed on data, regardless of the medium used, further listing a broad range of activities that must be deemed part of the definition of processing.

The Law also defines the data subject, who is the natural person whose identification is made possible by the data, and the data controller, to be considered as the natural or legal person who determines the purposes and means of the processing.

Lastly, the data recipient is defined as the person authorised to receive the personal data. On this last definition, it must be noted that the Law specifies that the data recipient and the data controller should be different and separate subjects, as well as that public authorities with a legal mandate to request personal data cannot be considered personal data recipients.

Material scope

Article 85 of the Law provides that it is applicable to all automatic and non-automatic processing of personal data, except where the processing related to personal activities is carried out by individuals exclusively for fulfilment of their needs.

Data processing principles

Article 87 of the Law states that organisations must collect personal data faithfully and for legitimate, specific, and explicit purposes. In addition, the data must:

  • be appropriate;
  • not exceed the set purposes;
  • be correct and complete; and
  • remain on a daily basis as relevant as possible.

In addition, data controllers must not subsequently process personal data for purposes that are not in line with the ones specified, unless the processing activity is connected to the processing of personal data for statistical or historical purposes or for scientific research.

Transparency

Articles 88 and 89 of the Law set out the transparency obligations that organisations must take into consideration in order to be compliant with the Law.

In particular, data controllers, or their representatives, must inform data subjects of the following:

  • the identity of the data controller or the identity of its representative;
  • the purposes of the processing;
  • the mandatory or optional nature of the raised questions;
  • the consequences of non-response;
  • the persons to whom the data is to be sent; and
  • the right to access and correct information, as well as the means provided for the same.

The above information must be included, in an explicit and clear statement, in the forms used for data collection.

Moreover, in relation to cases in which personal data is not collected from the concerned data subject, the data controller must inform the data subject personally and explicitly of the following:

  • the content of the data;
  • the purposes of processing; and
  • the data subject's right to object to the processing.

However, the above requirements are waived when the data subject is already aware of the above information or when informing him/her is not possible or requires an 'effort' that is not commensurate to the benefit of the processing activity.

Data retention

Article 90 of the Law provides that personal data shall not be legitimate except during the period specified in the declaration of processing or in the decision authorising the same.

Special categories of personal data

Article 91 of the Law addresses the processing of special categories of personal data. In particular, it is provided that data revealing, directly or indirectly, the health status, genetic identity, or sexual life of the data subject must not be collected and processed.

However, the Law lists the following circumstances in which the processing of the above sensitive data is permitted:

  • when the data subject has made such data available to the public or has explicitly agreed to the processing of the same, unless there is a legal impediment;
  • in the event the data collection/processing is necessary to establish a medical diagnosis or to provide medical treatment by a healthcare professional;
  • in the event a right is proved or defended before a court; and
  • in the event of obtaining a license in accordance with Article 97 of the Law.

Data subjects' rights

The Law provides for the following data subjects' rights:

  • right of access;
  • right of correction;
  • right to object to the processing; and
  • right to object and review the use of data in automated decision-making processes.

Right of access

Article 99 of the Law states that data subjects have the right to ask the data controller about the processing of their personal data in order to determine whether their data is undergoing a processing activity.

In addition, the data controller must provide the data subject with a copy of the data belonging thereto at his/her request. In the case such data is encoded, compressed, or encrypted, the data subject must receive an understandable copy.

The data subject may also request the data controller, in accordance with the conditions specified in Article 99(2) of the Law, to hand over the following additional information:

  • the purposes, categories, source, subject, and nature of the processing;
  • the identity of the persons and their categories to whom the personal data is being sent, or those who can access the same; and
  • the timing and purposes of such access.

In relation to the exercise of the right of access, Article 100 of the Law clarifies that the data controller may receive a payment for giving a copy of the personal data belonging to the data subject, provided that the payment does not exceed the cost of copying.

Moreover, the data controller may object to requests of an arbitrary nature, in particular with regard to the number of requests or their repetitive or systematic nature. In this case, when a dispute arises, the burden of proving the arbitrary nature lies upon the data controller.

Right of correction

Article 101 of the Law provides that the data subject has the right to ask the data controller processing his/her personal data to correct, complete, update, and erase such data, when it is incorrect, incomplete, ambiguous, expired, or incompatible with the purposes of the processing, or when the data was not to be processed, collected, used, saved, or transferred.

In the event the personal data of the individual requesting correction have been sent to a third party, the data controller must notify the latter of the amendments made at the request of the data subject.

The data controller must, at the request of the data subject, perform the above operations free of charge within ten days from the submission of the correction request and must prove his/her performance of the same.

In addition, the data controller must automatically correct the data in the request when he/she is informed of one of the reasons requiring him/her to modify or cancel the data.

Right to object to the processing

Article 92 of the Law states that data subjects have the right to object, for legitimate reasons, before the data controller, to the collection and processing of their personal data, including the collection and processing for the purpose of commercial promotion.

However, data subjects are not entitled to exercise the right of objection in the following circumstances:

  • in the event the data controller is obliged to collect the data under the law; or
  • in the event the data subject has agreed to the processing of his/her personal data.

Right to object and review the use of data in automated decision-making processes

Article 86 of the Law outlines that everyone has the right to review and object, before the personal data controller, to the information and analyses used in automated processing.

In this regard, no judicial or administrative decision requiring an assessment of human behaviour may solely rely on an automated processing of personal data that is aimed at identifying the qualities of the person or assessing certain aspects of his/her personality.

Enforcement of data subjects' rights

Article 102 of the Law provides that data subjects may resort to the competent courts, in particular to the Magistrate of Summary Justice, in accordance with the dispute rules, in order to ensure the exercise of the rights of access and correction as outlined above, as well as to enforce the application of the provisions provided in Section IV of the Law in respect of personal data.

Exceptions

Article 103 of the Law states that in the event the processing activity is related to the internal or external security of the State, the data subject must not be informed of his/her data under processing in case the same may endanger the purposes of the processing or the internal or external security of the State.

Article 104 of the Law notes that the right of data subjects to access public records and files, as well as medical files containing personal data must be subject to the legal and regulatory provisions that govern the same.

Lastly, Article 105 of the Law provides that Articles 99, 100, and 101 of the Law must not apply to the processing of personal data carried out solely for the purposes of literary and artistic expression or for the purposes of the professional exercise of a journalistic activity, within the limits of the laws in force. However, the above does not preclude the application of laws that observe the conditions of exercise of the right of access, which regulate exposure to private life and the reputation of individuals.

Data security

Article 93 of the Law provides that the personal data controller must take all measures, in light of the nature of the data and the risks resulting from processing, in order to ensure the integrity and security of data and to protect the data against being distorted, damaged, or accessed by unauthorised persons.

Data processing notification

Article 95 of the Law provides that subjects wishing to collect and process personal data must inform the Ministry under a permit issued duly against a receipt.

Article 96 of the Law provides that the permit submitted to the Ministry in accordance with the above must include the following information:

  • objectives of the processing;
  • the personal data, and the source of the same, under processing;
  • the categories of individuals concerned;
  • the third parties, or the categories thereof, who can access the data;
  • the data retention period;
  • the identity and address of the data controller;
  • the identity and address of the representative of the data controller in the event the said controller is residing outside the Lebanese territory;
  • the agency or agencies assigned with implementing the processing;
  • the person or agency exercising the right of access and how they exercise the same;
  • the identity of subcontractors, if any;
  • where appropriate, the method of access, or any other form of connection between data and other processes, as well as possible data waivers to third parties;
  • where appropriate, transfers of personal data to another State, in any form;
  • the actions taken to ensure the integrity of personal data and to ensure preservation of secrets protected under law, which are to be properly implemented by the data controller; and
  • emphasis on the fact that the processing must be carried out in accordance with the law.

More specifically, Article 97 of the Law provides that personal data processing activities related to the following topics must be subject to licensing:

  • external and internal security of the State under a joint decision of the Ministry of National Defence and the Ministry of Interior and Municipalities;
  • penal offences and judicial proceedings of various kinds under a decision issued by the Ministry of Justice; and
  • cases of health, genetic identity, or sexual life of persons under a decision issued by the Ministry of Public Health.

Licences will be issued by the relevant authority within two months of the date of submission of the application, otherwise the application will be deemed implicitly denied upon expiry of the deadline. The Ministry and the applicant shall be notified in writing of the license or denial thereof.

Furthermore, Article 98 of the Law states that the Ministry must make available to the public, especially on its website, a list of possible processes that meet the licensing or authorisation requirements set forth above.

In particular, the list must define, for each authorised or licensed processing, the following:

  • the license or permit granted, the date thereof, and the date of commencement of the processing;
  • the name and purpose of the processing;
  • the identity and address of the data controller;
  • the identity and address of the representative of the data controller in the event the said controller is residing outside the Lebanese territory;
  • the personal data categories under processing;
  • the individual or administration exercising the right to access;
  • the third parties, or the categories thereof, who are authorised to access the data; and
  • where appropriate, the personal data intended for transfer to a foreign State.

Exceptions

Article 94 of the Law provides that no permit or license is required to process personal data in the following cases:

  • in the case of processing by the common rights officials, each as per his/her jurisdiction;
  • in the case of book-keeping, by non-profit organisations, of the members and clients, within the scope of the normal and legal exercise of their function;
  • in the case the subject of the processing is the maintenance of dedicated records, under legal or regulatory provisions, in order to inform the public, which can be accessed by any person or persons having a legitimate interest;
  • in the case educational institutions process personal data of pupils and students for educational or administrative purposes;
  • in the case the subjects of the personal data processing are parties or members of the institutions, commercial companies, trade unions, associations, and self-employed persons, within certain limits and for the needs of exercising their activities in a legal manner;
  • in the case institutions, commercial companies, trade unions, associations, and self-employed persons process personal data of clients and customers, within limits and for the needs of exercising their activities in a legal way;
  • in the case the data subject agrees in advance to the processing of his/her personal data, unless there is a legal impediment; and
  • in the case of processing provided under Law No. 140/1999, and within the limits provided in the same.

In addition, some processing activities, or certain categories above, may be exempted from the authorisation or licensing procedures in the event the implementation of the same will not entail any risk to the private life or personal freedoms of data subjects, in accordance with a decree approved by the Council of Ministers of Lebanon on a proposal of the Ministry of Justice and the Ministry.

Criminal provisions

The following conduct must be sanctioned with a fine from LBP 1 million (approx. €580) to LBP 30 million (approx. €17,610) and imprisonment from three months to three years, or with one of the two penalties (Article 106 of the Law):

  • anyone who has processed personal data without providing a permit or without obtaining a prior license before commencing the same in accordance with Section III of Chapter II of the Law;
  • anyone who has collected or processed personal data without complying with the rules established in accordance with Section II of part V of the Law; and
  • anyone who, even if negligently, discloses personal data under processing to unauthorised persons.

In addition, any personal data controller who refuses to respond within ten working days, or who responds incorrectly, to the request of the data subject regarding the right of review or correction is liable to a fine of LBP 1 million (approx. €580) to LBP 15 million (approx. €8,800) (Article 107 of the Law).

In the event of repetition of any of the acts provided for in Articles 106 and 107 of the Law, the penalties and fines provided for in the above must be increased by one third to one half (Article 108 of the Law).

Sectoral legislation & guidelines

Further to the Law, there are other privacy-related provisions across various laws including:

  • Article 579 of the Penal Code (Legislative Decree No. 340 of 1 March 1943); and
  • Articles 58 and 107 of the Consumer Protection Law (Law No. 659 of 4 February 2005).

In addition, and in relation to the financial sector, the following regulations govern data protection in Lebanon:

  • Law on Money and Credit promulgated by Decree No. 13513 of 1 August 1963;
  • Law No. 161 of 17 August 2011 on Capital Markets;
  • Regulations and circulars issued by the Bank of Lebanon, i.e. the Central Bank of Lebanon; and
  • Regulations issued by the Capital Markets Authority ('CMA') of Lebanon.

Matteo Quartieri Privacy Analyst