Bangladesh Approves ‘Personal Data Protection Ordinance, 2025’

On Thursday (October 9), the Advisory Council meeting, chaired by Chief Advisor Dr. Muhammad Yunus, approved the ‘Personal Data Protection Ordinance, 2025.’

During a press briefing held in the afternoon at the Foreign Service Academy in Bailey Road, Faiz Ahmed Taiyeb, Special Assistant to the Chief Advisor in charge of the Ministry of Posts, Telecommunications, and Information Technology, provided detailed information on the ordinance's approval.

Also present at the briefing were the Chief Advisor's Press Secretary Shafiqul Alam and Secretary of the Ministry of Posts, Telecommunications, and Information Technology Shish Haider Chowdhury.

Faiz Ahmed Taiyeb mentioned that the ordinance is aimed at addressing challenges related to ensuring privacy, reliability, security, and safety in personal data processing. It is also designed to protect the potential of the digital economy, promote responsible innovation, and establish secure data processing practices. The ordinance will play an essential role in regulating the collection, processing, storage, usage, transfer, publication, destruction, and international standards in the digital sector.

Key Highlights of the ‘Personal Data Protection Ordinance, 2025’:

• Total Clauses: 57

• Personal Data Ownership: The ordinance recognizes personal data as the property of the individual, with processing allowed only with their consent.

• Informed Consent: The individual’s consent must be obtained for the collection and processing of personal data, along with details on the purpose, duration, transfer, and withdrawal processes.

• Processing for Compatible Purposes: The data controller may process personal data further if it aligns with the original purpose.

• For Children or Incompetent Individuals: Parental or legal guardian consent is required for processing personal data of minors or individuals incapable of providing consent.

• Right to Access: Data holders can access their processed data upon written request.

• Sensitive Data: Processing of sensitive personal data will be subject to specific conditions and restrictions.

• Withdrawal of Consent: Individuals can withdraw their consent fully or partially at any time.

• Use of Data: Personal data collected for a specific purpose cannot be used for other purposes without the data holder’s consent.

• Independent Auditors: The authority set up under this ordinance will be empowered to appoint independent data auditors for periodic reviews of data processing activities.

• Exemption for Certain Purposes: The ordinance allows exceptions for national security, public interest, criminal investigation, tax evasion prevention, and public health purposes, in which case data can be processed without the data holder's consent.

• Categorization of Personal Data: The government has categorized personal data into four classes:

  1. Public or Open Personal Data

  2. Internal Personal Data

  3. Confidential Personal Data

  4. Restricted Personal Data

• International Data Exchange: The ordinance allows for the exchange of personal data with other countries or international bodies, following bilateral or multilateral agreements.

• Penalties for Violations: Administrative fines and compensation can be imposed for violations of the data holder’s rights.

• Punishments for Malicious Actions: The ordinance imposes penalties for unlawful data processing, unauthorized access, tampering, misuse, or illegal processing of sensitive data.

• Data Retention: Data controllers cannot retain personal data beyond the prescribed period.

This ordinance aims to enhance the protection of individuals' privacy in the digital age while ensuring compliance with international data protection standards.