An Overview of Bangladesh’s Personal Data Protection Act, 2026

I. Introduction

a. Vision 2041: Securing the Digital Transformation

With the aim of establishing “Digital Bangladesh”, the government of Bangladesh has introduced various comprehensive digital transformation strategies. Under these strategies, one such key framework is the “Smart Bangladesh Vision 2041”, which was formally announced by the Prime Minister of Bangladesh on December 12, 2022.


The Personal Data Protection Act, 2026 (PDPA) (Law 63 of 2026) establishes a comprehensive framework for personal data privacy in Bangladesh. Originally promulgated as an Ordinance in late 2025 before being finalized by Parliament, this law directly supports the Smart Bangladesh Vision 2041 by strengthening the cybersecurity and data governance necessary for a secure digital economy.

b. Evolution from a “Draft Act” to the Enacted “Personal Data Protection Act, 2026”

The regulatory journey of data protection in Bangladesh progressed through several critical milestones:

  • November 27, 2023: The first draft of the Personal Data Protection Act, 2024 (PDPA) was approved by the then-cabinet of Bangladesh. The draft underwent multiple revisions throughout 2024 by various stakeholders.
  • November 6, 2025: The President of Bangladesh officially issued the Personal Data Protection Ordinance, 2025 (PDPO).
  • February 2026: The PDPO was amended when the President signed the Personal Data Protection (Amendment) Ordinance, 2026 on February 5, 2026.
  • March 2026: The updated, amended version of the Ordinance was officially published.
  • April 2026: The Bangladesh Parliament officially repealed the Personal Data Protection Ordinance, 2025 (PDPO) and formally passed the permanent Personal Data Protection Act, 2026 (PDPA) (Law 63 of 2026).

II. Who Needs to Comply with Bangladesh’s Personal Data Protection Act 2026 (PDPA)

a. Territorial Scope

The PDPA has extraterritorial application if the processing of personal data occurs outside Bangladesh but is in connection with any activity related to the provision of products or services to data subjects located within Bangladesh. It further applies to the monitoring or record management of data subjects residing within the country.

The PDPA prescribes that its provisions apply to all citizens, residents, and individuals working or temporarily staying in Bangladesh for business purposes, so any entity targeting these individuals must comply with the regulatory framework regardless of where that entity is located.

b. Material Scope

The PDPA applies to any data controller, processor, or person involved in processing personal data, including those performing duties or functions under this Act. This includes the processing of personal data within the borders of Bangladesh, though it excludes the mere transfer of personal data in transit through the country.

III. Definitions of Key Terms

a. Data Fiduciary

“Data fiduciary” means a person who, alone or jointly, processes personal data for a specific purpose, supervises it for that purpose, or authorizes another person to process personal data.

b. Data Subject

“Data subject” means any natural person to whom personal data relates, whether identified or identifiable, and regardless of whether the individual is living or dead.

c. Person

“Person” refers to different entities depending on their role:

  • In the case of a data subject, it means any natural person.
  • In the case of a data controller or processor, it refers to the legal entity.

d. Personal Data

“Personal Data” means any information relating to an individual by which that individual can be identified. This includes, but is not limited to:

  • Identities: Name, parents’ names, identification number, mobile number.
  • Specific Data: Financial data, location data, or online identifiers.
  • Characteristics: Physical, physiological, genetic, biometric, psychological, or economic characteristics, and any other factors prescribed by regulations.

e. Processing

“Processing” refers to any operation performed upon personal data, whether or not by automated means. This includes activities such as:

  • Collection, recording, organization, and structuring.
  • Storage, retention, retrieval, and use.
  • Adaptation, alteration, or transfer.
  • Disclosure by transmission, dissemination, or otherwise making available.
  • Restriction, destruction, or erasure.

f. Consent

“Consent” means a clear, explicit, specific, and freely given positive indication by the data subject signifying their agreement to the processing of their personal data.

IV. Obligations for Data Fiduciaries

a. Grounds for Processing Requirements

Personal data may only be processed for a lawful purpose for which the data subject has given consent or where specific legitimate grounds exist. The processing must adhere to the principles of usefulness, necessity, proportionality, and purpose limitation. Personal data must not be disclosed for any purpose other than the specific reason it was collected unless the data subject provides additional consent.

The PDPA requires consent to be freely given, specific, unambiguous, and revocable. When seeking consent, the data controller must inform the data subject of the specific purpose of the processing, how long the data will be retained, any third-party transfers, and the exact procedure for withdrawing consent. For “Sensitive Personal Data,” the controller must obtain a higher standard of “specific consent” unless other legal conditions (such as contract execution or medical necessity) are met.

In addition to processing based on explicit consent, the PDPA stipulates conditions under which a data controller may process personal data (specifically sensitive data) without consent. These include:

  • Contractual Necessity: For the execution of a contract where the data subject is a party.
  • Employment & Social Security: To perform duties or exercise rights conferred by law related to employment.
  • Medical Emergencies: For the performance of medical duties by health workers or emergency actions related to risks to the life or health of the data subject.
  • Legal Obligations: To perform any duty imposed on a person by or under any existing law.
  • Public Disclosure: If the data subject has voluntarily disclosed their personal data to the public.

c. Notice Requirements (Accountability and Transparency)

Data controllers are obligated to process data transparently and ensure information is available to all concerned parties. Before or during the processing of personal data, the controller must inform the data subject of:

  • The categories of data collected and the collection methods.
  • The general purposes of the processing.
  • Details of potential risks to the data in specific circumstances.
  • Procedures for exercising their rights and contact details for doing so.
  • Information regarding the transfer of data to other locations.
  • The identity of the data custodian and how to communicate with them easily.

d. Security & Data Breach Notification Requirements

Every data controller and processor must implement appropriate technical and organizational measures (such as pseudonymization and encryption) to ensure the security, integrity, and confidentiality of data. These measures must prevent accidental or unlawful loss, misuse, or unauthorized access.

  • Risk Assessment: Controllers must regularly test, monitor, and update security measures based on the sensitivity of the data and the potential harm of a breach.
  • Breach Notification: If a data breach is likely to cause “significant damage” to a data subject, the data controller is legally required to notify the Authority within the timeframe and manner prescribed by regulations.

e. Chief Data Officer (CDO) Requirement

All “significant” data controllers are required to appoint a qualified Chief Data Officer (CDO). The CDO acts as the primary representative of the data controller before the Authority. Their duties include:

  • Reporting important matters to the authorities and data custodians.
  • Serving as the point of contact for data subjects to exercise their rights.
  • Handling and resolving complaints regarding the misuse or inefficient management of sensitive personal data.

f. Data Processor Requirement

A data controller may engage a processor to handle personal data on its behalf, provided there is a valid legal contract. Crucially, the Act establishes that any processing done by a processor is “deemed to have been carried out by the data controller.” Therefore, the data controller remains legally liable for the actions of the processor and must take reasonable steps to ensure the processor complies with all Act regulations.

g. Retention and Record Keeping Requirements

Data controllers are prohibited from keeping personal data longer than necessary for the purpose it was processed (unless required for public interest, research, or statistics). Furthermore, the data controller must maintain a register and properly preserve all records related to processed personal data for a period of at least 5 (five) years, ensuring the tracking of how data was structured, modified, or stored.

V. Processing Children’s Data

a. Definition of a Child

Under the Act, a “Child” is defined as any person below the age of 18 (eighteen) years. The law also allows the Government to prescribe a different age if necessary.

Data controllers are permitted to process a child’s personal data only after obtaining consent from a parent, legal guardian, or a person legally empowered to make decisions on the child’s behalf. This requirement also extends to individuals who are otherwise incapable of giving consent. Such consent remains valid until the child reaches the age of 18 or the individual attains the legal capacity to provide their own consent.

VI. Data Subject Rights

The Act establishes that data subject rights are universal, inherent, inalienable, and inviolable. These rights cannot be waived or reduced by any contract or notice. To exercise these rights, a data subject must submit a written application to the data controller.

a. Right to Access & Portability

Data subjects have the right to access any of their personal data being processed by a controller. Upon request, the controller must provide:

  • Concise & Intelligible Format: A summary of the data, the purpose of processing, categories of recipients, retention periods, and safeguards used for cross-border transfers.
  • Third-Party Disclosure: A statement identifying all other persons, controllers, or processors with whom the data has been shared.
  • Data Portability: The right to receive their data in a prescribed format and, where applicable, have the controller arrange a direct transfer to another controller using Federated Interoperable Ecosystems (secure, standardized data exchange).

b. Right to Rectification & Update

Data subjects have the right to have inaccurate or misleading data rectified, and incomplete data completed.

  • Correction Process: If a controller corrects or updates data, they must inform the data subject and all concerned parties within 30 days.
  • Refusal & Objection: If the controller refuses to rectify the data, they must provide written justification. If the data subject is unsatisfied, they can require the controller to mark the data as “objectionable” and notify the Authority.

c. Right to Erasure (Right to be Forgotten)

A data subject can request the deletion of all their stored personal data under specific conditions:

  • No Longer Necessary: The purpose for which the data was collected no longer exists.
  • Withdrawal of Consent: The subject withdraws the consent that allowed the processing.
  • Unlawful Processing: The data was handled in violation of the Act.
  • Legal Obligation: Erasure is required to comply with a specific law.
  • Exceptions: A controller may refuse erasure if the data is required for legal compliance, archives, public interest, or if it relates to a necessary identifier while consent is still active.

The Act mandates that data subjects must be able to withdraw their consent, in whole or in part, at any time through a simplified manner specified in the regulations.

  • Scope: This includes withdrawing consent for general processing, automated decision-making, or specific protection measures.
  • Ceasing Processing: If a data subject expresses a desire to stop processing because of potential harm, the controller must inform the subject and immediately cease the processing activities.
  • Prior Lawfulness: While consent can be withdrawn at any time, any processing that happened legally before the withdrawal remains valid.

VII. Cross-Border Data Transfers

The Act regulates the movement of data outside the borders of Bangladesh to protect national sovereignty, national security, and the privacy of its citizens.

a. Classification of Data

While the Act applies to personal data generally, it identifies specific high-stakes categories that require stricter oversight during transfers. These include:

  • Confidential Personal Data: Data that requires specific protection measures and may be exempt from certain erasure requests.
  • Sensitive Personally Identifiable Data: A specific sub-category for cross-border purposes, including Government Unique IDs (NID, Passport, TIN), Biometric identifiers (fingerprints, iris scans), Genetic/DNA information, and Criminal records.

b. Conditions for International Transfer

To transfer personal data outside of Bangladesh, data controllers must meet specific transparency and safety requirements:

  • Mandatory Notification: In the case of cross-border transfers involving large amounts of “sensitive personally identifiable data,” the data controller must notify the relevant authorities.
  • Safeguard Disclosure: Upon request, a data controller must provide the data subject with a summary of the safeguards in place for cross-border transfers to ensure the data remains protected in the destination country.
  • Risk Assessment: Transfers are evaluated based on their potential risk to national sovereignty, national security, or financial stability.

c. Restrictions on Data Leaving the Country

The Act places heavy restrictions on the large-scale transfer of data deemed critical to the state. The following “Sensitive” category is subject to strict government oversight:

  • Unique Identifiers: Large-scale transfers of National Identity Card numbers, Passport numbers, and Taxpayer Identification Numbers (TIN/PAN) are restricted.
  • Biological Data: Biometric identifiers (facial recognition, iris scans) and Genetic/DNA information are heavily protected against leaving the country without authorization.
  • Security Records: Criminal records or conviction information are restricted to prevent risks to national security.

VIII. Regulatory Body: the Data Protection Authority (DPA)

a. The National Data Management Authority: Powers, Functions, and Investigative Reach

The Authority is the central regulatory body responsible for the oversight of data protection and is empowered by both the PDPA and the National Data Management Ordinance, 2025. Its primary mission is to ensure the lawful processing of personal data and to uphold the fundamental rights of data subjects.

1. Core Functions:

  • Implementation & Oversight: Ensuring the proper application of the Act and coordinating with Chief Data Officers (CDOs) across government ministries, departments, and private organizations.
  • Rights Protection: Upholding data subject rights and taking active measures to remedy any violations or deviations.
  • Security & Awareness: Ensuring data confidentiality, fairness, and interoperability while conducting public awareness campaigns about data privacy.
  • Innovation Support: Supporting the safe use of personal data in research, development, and economic innovation.

2. Investigative & Regulatory Reach:

  • Binding Instructions: The Authority has the power to issue mandatory instructions to data controllers and processors regarding their processing activities.
  • Power of Inspection: It may access any premises, equipment, or stored data to conduct examinations and audits of ongoing processing.
  • Enforcement Actions: The Authority can issue formal warnings, impose administrative fines, and order the immediate suspension or cessation of data transfers to foreign countries or international organizations if standards are not met.

b. Enforcement of Standard Operating Procedures (SOPs)

The Authority is responsible for formulating and enforcing Standard Operating Procedures (SOPs), which provide the technical and operational roadmap for compliance in Bangladesh. These SOPs, formulated with government approval, include:

  • Compliance Frameworks: Detailed procedures for obtaining valid consent, conducting Personal Data Protection Impact Assessments (DPIAs), and managing the destruction or erasure of data.
  • Operational Standards: Guidelines on data quality, retention, and the use of pseudonymization methods to protect identity.
  • Reporting & Portability: Standardization of notification forms and the specific procedures required to exercise the right to data portability.
  • International Standards: Clear protocols for transferring personal data outside of Bangladesh, ensuring that national sovereignty and security are maintained.

IX. Penalties & Enforcement

a. Remedy for Failure to Provide Proper Protection and Security of Data:

  • A data fiduciary or processor that fails to provide the protection and security of personal data prescribed under this Act, its rules, regulations, or standard operating procedures shall be deemed negligent in the performance of its duties.
  • For such negligence, an administrative fine not exceeding 25 (twenty-five) lakh Taka may be imposed on the responsible entity.

b. Administrative & Turnover-Based Fines:

  • A data fiduciary or processor that fails to comply with a data subject’s rights may face an administrative fine not exceeding 25 (twenty-five) lakh Taka.
  • If a designated significant data fiduciary commits a violation, the administrative fine may scale up to a maximum of 50 (fifty) lakh Taka.
  • For a second or subsequent commission of these violations, the Authority is empowered to impose an additional fine over and above the initial administrative penalties.

X. How Organizations Can Operationalize the Law

Step 1: Appoint a Chief Data Officer (CDO) (Section 23)

“Significant Data Controllers” are legally required to appoint a qualified Chief Data Officer.

  • Representation: The CDO acts as the primary contact between the organization and the National Data Management Authority.
  • Grievance Redressal: The CDO must establish a clear mechanism for acknowledging and resolving data subject complaints within the legally stipulated timeframe.

Consent must be built into the user journey, not hidden in fine print.

  • Consent Management: Ensure consent is specific, unambiguous, and easily revocable. For children (under 18), implement verifiable parental consent workflows.
  • Notice Delivery: Update Privacy Notices to include retention periods, transfer details, and the identity of the Data Custodian.
  • Standard Operating Procedures (SOPs): Align internal workflows with the SOPs formulated by the Authority regarding data quality and retention.

Step 3: Synchronize with the “Primary Source of Truth” (Section 14)

Organizations must ensure their databases are interoperable with national registries to maintain data accuracy.

  • Auto-Correction: If a data subject updates their “Primary Source” (e.g., Passport or NID), your internal records for that individual should be updated through the system-wide propagation process.

Step 4: Establish Breach Response & Security Measures (Sections 17 & 20)

Security is a continuous obligation, requiring both technical safeguards and proactive planning.

  • Technical Safeguards: Deploy encryption, pseudonymization, and regular risk assessments.
  • Breach Protocol: Develop a response plan to notify the Authority of any breach likely to cause “significant damage” within the prescribed time limit.

XI. How Securiti Can Help

Securiti helps organizations comply with Bangladesh’s PDPA by automating personal data discovery, consent management, data subject rights, retention and erasure workflows, breach response, and cross-border transfer governance. With unified privacy, security, and data governance capabilities, Securiti enables controllers, processors, and CDOs to build a scalable, regulator-ready compliance program.

Request a demo to see how Securiti can simplify your PDPA compliance journey.
