Personal Data Protection & Spam Control

    Learn Personal Data Protection & Spam Control Act

    After the revisions to the Personal Data Protection Act and the Spam Control Act, everything in the digital world has changed. Not only has the world changed dramatically in 2021, but so has the law that governs and protects countries. As we rapidly transition to a digital economy, data is becoming the most valuable commodity, and it necessitates careful management. These improvements are reflected in Bangladesh’s recent modifications to the Personal Data Protection Act and the Spam Control Act.

    Personal Data Protection Act and Spam Control Act In Bangladesh

    Changes Of Personal Data Protection Act Enhance Security

    Personal data protection in the modern world is a complicated and contentious issue, especially as evidence mounts not only of spyware and surveillance technology infiltrating our data in the most insidious ways, but also of big tech companies collecting and mining user data and potentially holding more personal data about a country’s citizens than their own government.


    In Bangladesh, there was no legal protection for any infringement of personal data until recently. Bangladesh has passed the Digital Security Act 2018 (the “Act”) to protect national digital security and implement legislation regarding digital crime identification, prevention, suppression, trial, and other connected topics. This Act also includes provisions for the protection of personal information.


    The Act’s Section 26 defines offenses involving the collection and use of personal information. Any unauthorized use of someone’s identification information, such as collecting, selling, taking possession, supplying, or using it, is defined as an infraction under section 26(1). Under the Act, any crime involving identity information is punishable by imprisonment for a term of not more than 5 (five) years or a fine of not more than 5 (five) lacs taka or both, and repeat offenses are punishable by 7 (seven) years of imprisonment or a fine of not more than 10 (ten) lacs taka or both.


    A consumer or user must now provide informed consent to the use of his or her data under the new standards. And this consent cannot be given on a blanket basis for everybody; rather, they must “opt-in” to grant the necessary authority. The permission terms and conditions, as well as information about the use and purpose of data collection, must be communicated in a clear and understandable manner. The request will be separated from other general terms and conditions and will contain the company’s contact information.


    Data portability obligations, which allow individuals to request the transmission of their data, are also exempted by the authority. The revisions provide people more control over their data while also balancing the requirement for businesses to maintain a competitive edge. The exceptions address the types of data that are applicable and the conditions in which obligations do not need to be met.

    Taking A Good Thing And Making It Even Better

    The Government hopes to secure Singapore’s position as a leading global business center in the contemporary digital economy by enacting an improved PDPA. Businesses may innovate by safely exchanging and analyzing data, while individuals can feel safer.


    Contact us today to learn more about the changes to the Personal Data Protection Act and the Spam Control Act. Our team of experts is ready to assist you in gaining a better understanding and complying with the law.

    FAQs For Personal Data Protection Act

    How does the Personal Data Protection Act work?

    In Bangladesh, the Personal Data Protection Act (PDPA) establishes a minimum level of protection for personal data. It lays out the rules for the acquisition, use, disclosure, and storage of personal data in Singapore. It also includes provisions for the creation of a nationwide Do Not Call (DNC) Registry.

    When is a data protection officer appointed?

    The Personal Information Controller must appoint a person or people to be responsible for the organization’s Data Privacy Act compliance. Any data subject who requests it must be informed of the identity of the individual(s) so designated.

    What are the rules for employee data protection?

    Employees of private entities are subject to the same rules as other data subjects when it comes to collecting and processing personal data. The Data Privacy Act exempts personal data on government employees that is related to their position or functions.

    What are the rules for crime data processing?

    The standards for handling criminal offense information are the same as those for Sensitive Personal Information. Furthermore, processing of Personal Information in connection with criminal offenses is thought to be likely to jeopardize a data subject’s rights and freedoms. As a result, Personal Information Controllers and Personal Information Processors who handle such personal data must register.

    Are privacy impact assessments mandatory?

    A privacy impact assessment must be conducted for each processing system of a Personal Information Controller or Personal Information Processor, according to Commission standards. For new and existing systems, programs, projects, procedures, measures, or technology products that incorporate or impact the processing of personal data, a privacy impact assessment will be required. Prior to the acceptance, use, or deployment of new processing systems, an assessment should be conducted.

    What are the rules for data about children?

    Minors (those under the age of eighteen) are considered vulnerable data subjects. The processing of their data is thought to be likely to jeopardize their rights and freedoms. As a result, Personal Information Controllers and Personal Information Processors who process the personal data of minors are required to register.
