QnA about the Personal Data Protection Ordinance, 2025

As you all know, the Government of Bangladesh has approved the **Personal Data Protection Ordinance, 2025**, which defines how any entity may use, handle, and process personal data.
Here is the pdf link.
### **1. Can I delete my account from any Bangladeshi website/business/service/company?**
Yes. The Ordinance grants you, as the data subject, a powerful right to have your data erased. This is primarily covered under **Section 13** of the law.
* **Your Right:** You have the right to withdraw your consent at any time.
* **The Business's Obligation:** Upon receiving your request, the data fiduciary (the website or business) **must erase** all of your personal data stored with them.
* **Specific Conditions:** **Section 13(2)** explicitly states they must do this if:
    * The data is no longer necessary for the original purpose.
    * You withdraw the consent that the processing was based on.
    * You object to the processing, or the data was processed unlawfully.
* **Exceptions:** A business may only refuse to erase your data under a few specific conditions, outlined in **Section 13(3)**, such as if the data is required to comply with a separate legal obligation or is designated for archival purposes.
### **2. Can I turn off advertising calls/emails/newsletters, etc.?**
Yes. Your primary tool for this is the same right to **Withdraw Consent under Section 13**.
* **Consent Withdrawal:** Marketing communications like advertising calls, emails, and newsletters are legally based on your consent. The law states that your consent must be "voluntary, specific, clear and revocable". You can withdraw this consent at any time. Once you do, the business must stop processing your data for that purpose.
* **Protections for Children:** The law is even stricter regarding children (anyone under 18). **Section 9(3)** provides an explicit, outright **prohibition** on data fiduciaries conducting "tracking, monitoring, profiling or **Targeted Advertisement**" directed at a child.
### **3. Where do I report if anyone doesn't listen?**
If a business or service (a "data-fiduciary") ignores your request or violates your rights, you can file a formal complaint with the **"Authority"**.
* **Right to Complain:** **Section 31**, titled "Filing of complaints", states that if you have reason to believe your rights have been violated, you may file a complaint with the Authority.
* **The Authority:** The "Authority" is defined in **Section 2(4)** as the **"National Data Management Authority"**, which is the official body established to oversee and enforce this law.
### **4. Can I see what information a company has collected about me?**
Yes. You have a **"Right to Access" under Section 11**. You can request this from the data-fiduciary, and they must provide you with:
* A copy of your processed personal data in a "concise and understandable format".
* A summary of the processing, its purpose, the types of data held, and details on any cross-border transfers.
* A list of all other persons, fiduciaries, or processors with whom your data has been shared.
### **5. What if a company has my old address or my name spelled wrong? Can I make them fix it?**
Yes. You have the **"Right to correct, update, and complete data" under Section 12**. This allows you to request that the data-fiduciary correct any data that is "inaccurate or misleading", complete any incomplete data, and update any data that is out of date.
### **6. What if a business refuses my request to correct my data?**
If the data-fiduciary refuses to correct your data, they must provide you with a written justification for their refusal. If you are not satisfied with their reason, you have two specific rights under **Section 12(3)**:
1. You can request that the business mark your personal data as **"disputed"**; and
2. You can request that they **inform the Authority** about the dispute.
### **7. Are there special protections for my children's data?**
Yes. The Ordinance provides exceptionally strong protections for children, who are defined as anyone under 8 years of age. **Section 9(3)** contains an explicit and powerful prohibition: it states that a data fiduciary (any business or entity) **cannot** target a child for "tracking, monitoring, profiling or Targeted Advertisement". This makes many common online business models illegal for users under 8 in Bangladesh.
### **8. I corrected my address at my bank. Do I have to tell every other company that has my old address?**
This law introduces a highly advanced and unique system to solve this exact problem. **Section 4** describes a "system-wide propagation" mechanism. The goal is for the Authority to designate a "Primary Source of Truth" for key data (like "current address"). When you update your information at that primary source, that change is **automatically and mandatorily** sent to all secondary data fiduciaries (like other banks, mobile operators, etc.) to update their records. The law even specifies that these changes must be recorded in an "immutable ledger, blockchain or equivalent technology" to ensure accuracy and create an audit trail.
### **9. Is a government employee accountable if they leak my data?**
Yes. The law makes a specific point to include government accountability. **Section 47** states that government employees, as well as employees of statutory or autonomous bodies, who are involved in violating a data subject's rights or are responsible for a data breach, shall be "considered to have committed a punishable offense" and are subject to the same administrative fines and penalties as others under the law.
### **10. Does this law protect my data from the government?**
This is a significant area of concern for privacy advocates. While the law grants you many rights, **Section 24** provides a long list of broad exemptions for state agencies. Your data can be processed without your consent for reasons such as "national security", "public order", or "crime prevention, detection, investigation, or prosecution". Critics argue these terms are vague, undefined, and lack requirements for judicial oversight, creating a "systemic loophole" that could be used for mass surveillance.
### **11. What happens if a big international company misuses my data? Is the penalty strong enough to hurt them?**
This is a potential weakness in the law's enforcement. The penalties are structured in two ways:
1. **Administrative Fines:** **Section 32** allows the Authority to fine a company up to 5% (for a "significant data-fiduciary") of its "annual turnover _in Bangladesh_". Critics note that a massive global corporation might have a very small turnover _in Bangladesh_, making this fine too small to be a real deterrent compared to laws like the GDPR, which bases fines on _global_ turnover.
2. **Criminal Penalties:** The law's main "teeth" are in its severe criminal penalties, found in **Chapter 9**. These are seen as disproportionately high and create risk for individuals rather than just corporations.
### **12. What kind of data gets special protection?**
The Ordinance creates a special category called "Sensitive Personal Data". To process this data, a company needs your "specific consent", which is a higher standard than regular consent. According to **Section 2(23)**, this sensitive data includes:
* Genetic and Biometric data
* Data on ethnic origin or community
* Political or philosophical ideology
* Religious beliefs
* Trade union membership
* Health data and sexual orientation
* Data on criminal offenses or allegations
* Crucially, your "real-time geolocation"
### **13. What are the punishments if someone breaks this law?**
The punishments are severe and include both fines and prison time. Under **Chapter 9**, various offenses carry heavy penalties. For example:
* **Section 36:** Processing or sharing your data without consent or legal basis can lead to up to **5 years in prison** and/or a fine.
* **Section 37:** Unauthorized processing of your _sensitive_ data (like your health data or real-time location) is even more serious, with a penalty of up to **7 years in prison** and/or a fine.
* **Section 38:** Illegally collecting or using a child's data can result in up to **3 years in prison** and/or a fine.
### **14. What is a "data-fiduciary"?**
This is the legal term the Ordinance uses for any person or entity (like a company, bank, hospital, or social media platform) that, either alone or jointly with others, decides the purpose and method of processing your personal data. The law defines this in **Section 2(2)**. Essentially, they are the "custodian" of your data and are held legally responsible for protecting it.

https://sayed.blog/the-personal-data-protection-ordinance-2025/