General Provisions

Article 1: Purpose
This law is enacted to protect the privacy and personal information rights of individuals and to regulate the collection, processing, storage, and use of personal data by both public and private entities. Article 2: Definitions “Personal data” refers to any information relating to an identified or identifiable natural person. “Data subject” refers to the natural person to whom the personal data relates. “Data controller” refers to the natural or legal person, public authority, agency, or other body which determines the purposes and means of the processing of personal data. “Processing” refers to any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Article 2: Definitions
  • “Personal data” refers to any information relating to an identified or identifiable natural person.
  • “Data subject” refers to the natural person to whom the personal data relates.
  • “Data controller” refers to the natural or legal person, public authority, agency, or other body which determines the purposes and means of the processing of personal data.
  • “Processing” refers to any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Principles of Personal Data Processing

    Article 3: Lawfulness, Fairness, and Transparency
  • Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  • The data controller shall inform the data subject of the purposes for which the personal data are processed, as well as any other relevant information concerning the processing, in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
  • Article 4: Purpose Limitation
    Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
    Article 5: Data Minimization
    Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
    Article 6: Accuracy
    Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
    Article 7: Storage Limitation
    Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
    Article 8: Integrity and Confidentiality
  • Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  • The data controller shall take steps to ensure that any natural person acting under its authority who has access to personal data does not process them except on instructions from the data controller, unless required to do so by law.