Privacy Index
This Index seeks to assist in identifying and comparing priorities for principal data protection requirements across jurisdictions and is supported by expert local knowledge from OneTrust DataGuidance's network of privacy lawyers. It is not intended to provide detailed legal guidance. The Index also provides links for further information and detailed analysis.
Please see the Risk Score Key for further information.
Risk Score | Basis for allocation |
---|---|
0 | There is no relevant legal provision either generally or at the sector level |
1 | Sector specific (generally there is no legal requirement, but in some sectors, such as financial sector or health sector, there are) |
2 | General/basic (Laws & Regs only cover the basic essentials of the topic, requirements are general and not particularly strict) |
3 | Less comprehensive (Laws & Regs cover some relevant topics, and provide less strict requirements) |
4 | Somewhat comprehensive (Laws & Regs cover most relevant topics with some detail, and provide reasonably strict requirements) |
5 | Comprehensive (Laws & Regs cover all relevant topics in detail and provide strict requirements) |
Topic | Example |
---|---|
Data processing registration | GDPR = 0. There are no general data processing notifications, though this may vary at a Member State level. |
DPO appointment | GDPR = 4. DPO appointment is mandatory in several cases. DPO tasks are defined, as well as additional criteria and requirements. |
Data subject rights | GDPR = 5. Several rights, such as the rights of access, rectification, erasure, objection, to be informed, and to data portability, are provided, and how to exercise and respond to rights requests is detailed. |
Data transfers | GDPR = 4. There are restrictions and several detailed mechanisms for enabling data transfers, but there are no localisation requirements. |
Direct marketing | GDPR = 3. Data subjects have a right to object; however, the GDPR only provides relatively limited provisions specifically on direct marketing. |
Data processors | GDPR = 5. There are extensive requirements for data processors, for example on agreements between data processors and controllers, and data processor liabilities. |
Records of processing | GDPR = 5. There are detailed requirements for record maintenance, including on content of records, format of records, making records available, etc. |
Vendor & third party management | GDPR = 5. There are detailed requirements for agreements between parties, data sharing, data portability, liabilities, and security management of parties. |
Security controls | GDPR = 4. There are detailed requirements for technical and organisational security measures (e.g. encryption, pseudonymisation), and appropriate safeguards must be used in several instances. However, the GDPR is less specific than other laws in terms of what 'appropriate safeguards' may be. |
Impact assessments | GDPR = 5. There are detailed requirements for when Data Protection Impact Assessments are required, the content of assessments, and prior consultation with the authority. |
DPA powers | GDPR = 5. Data protection authorities have detailed investigatory powers, may issue fines and other enforcement actions, and may authorise standard contractual clauses etc. |
DPA activity | Consideration is given regarding whether and how often there have been enforcement actions, as well as how strong any actions have been. |
Overall framework | GDPR = 5. The GDPR is a comprehensive data protection framework in light of the factors assessed. |
Jurisdiction | Data Processing Registration | Data Protection Officer | Data Subject Rights | Data Transfers | Direct Marketing | Data Processors | Records of Processing | Third Party Management | Security Controls | Impact Assessments | DPA Powers | DPA Activity | Overall Framework |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Afghanistan | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 0 | 1 | 3 | 3 |
Angola | 4 | 0 | 4 | 2 | 3 | 2 | 2 | 0 | 2 | 0 | 2 | 1 | 2 |
Argentina | 4 | 0 | 4 | 4 | 3 | 3 | 2 | 3 | 4 | 0 | 5 | 3 | 4 |
Armenia | 4 | 0 | 5 | 5 | 2 | 4 | 3 | 3 | 2 | 2 | 4 | 4 | 3 |
Australia | 4 | 2 | 4 | 3 | 5 | 5 | 2 | 2 | 4 | 2 | 5 | 4 | 4 |
Austria | 1 | 4 | 5 | 4 | 4 | 5 | 5 | 5 | 4 | 5 | 5 | 4 | 5 |
Bahrain | 4 | 1 | 5 | 5 | 5 | 5 | 2 | 4 | 3 | 0 | 4 | 1 | 4 |
Belarus | 0 | 2 | 4 | 3 | 2 | 4 | 1 | 1 | 4 | 1 | 2 | 1 | 3 |
Belgium | 1 | 4 | 5 | 4 | 3 | 5 | 5 | 5 | 4 | 5 | 5 | 4 | 5 |
Bolivia | 2 | 0 | 4 | 2 | 3 | 0 | 1 | 2 | 2 | 0 | 1 | 1 | 2 |
Botswana | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 2 | 4 | 1 | 3 |
Cayman Islands | 0 | 0 | 4 | 4 | 3 | 4 | 5 | 3 | 4 | 0 | 5 | 2 | 4 |
UAE - ADGM | 3 | 4 | 5 | 4 | 3 | 5 | 5 | 5 | 4 | 5 | 5 | 4 | 5 |

- Afghanistan
These scores have been provided by Thomas Kraemer, Senior Counsel at Kakar Advocates LLC.
For further information regarding the landscape in Afghanistan, please see the Jurisdiction Dashboard here.
- Angola
These scores have been provided by João Luís Traça, Partner at Miranda & Associados.
For further information regarding the landscape in Angola, please see the Jurisdiction Dashboard here.
- Argentina
These scores have been provided by Florencia Rosati, Partner at Estudio Beccar Varela.
Regarding impact assessments, please note that the Personal Data Protection Act, Act No. 25.326 of 2000 does not provide for the performance of privacy impact evaluations; however, the Argentinean and the Uruguayan data protection authorities have issued a guide recommending that data controllers undertake an assessment when undertaking data processing that, due to its nature, scope, context or purposes, is likely to entail a high risk of affecting the rights of the data subjects, particularly in the following cases:
  - systematic and exhaustive evaluation of personal aspects of human persons based on automated data processing, such as profiling, and on the basis of which decisions are made that produce legal effects for human beings or that significantly affect them in a similar way; or
  - the processing of sensitive data on a large scale, or data related to criminal or contravention history.
For further information regarding the landscape in Argentina, please see the Data Protection Overview Guidance Note here, and the Jurisdiction Dashboard here.
- Armenia
These scores have been provided by Gor Margaryan, Managing Partner, and Anzhela Abrahamyan, Associate at Legelata LLC.
For further information regarding the landscape in Armenia, please see the Jurisdiction Dashboard here.
- Austria
These scores have been provided by Gernot Fritz, Principal Associate at Freshfields Bruckhaus Deringer LLP.
For further information regarding the landscape in Austria, please see the Jurisdiction Dashboard here.
- Belarus
These scores have been provided by Kirill Laptev, Senior Associate at Sorainen & Partners FLLC.
Please note that the ratings for data protection officer, data subject rights, data transfers, data processors, and the overall framework have been based on draft provisions. The draft of a new law on personal data protection has passed its first reading (not final reading) in the Parliament, which would introduce further regulations in these areas.
For further information regarding the landscape in Belarus, please see the Data Protection Overview Guidance Note here, and the Jurisdiction Dashboard here.
- Botswana
These scores have been provided by Angelica Bojosi, Partner, and Shathani Kgwarae, Head of Knowledge Management at Desai Law Group.
Please note that the ratings have been drafted based on the draft provisions which have not entered into effect. Therefore, the regulatory authority is yet to be set up and has not undertaken any regulatory activity.
For further information regarding the landscape in Botswana, please see the Data Protection Overview Guidance Note here, and the Jurisdiction Dashboard here.