Data Act 2079 Nepal

    Overview

    The Data Act 2079 (2022) was enacted to regulate the collection, processing, storage, publication, and distribution of data in Nepal. The law aims to ensure the reliability, security, and transparency of data management across federal, provincial, and local levels, while supporting policy formulation, resource management, and service delivery.

     

    Regulation Summary

    Timeline
    • August 16, 2022 – Law passed by the National Assembly.
    • August 2022 – Law certified by the President.
    • September 2022 – Law officially published and came into effect.
    What Businesses Are Affected
    • Any government, private, public, or cooperative entity handling data in Nepal.
    • International organizations processing or storing data related to Nepali citizens.
    • Entities maintaining computer databases, electronic records, and digital data systems.
    • Businesses conducting surveys, censuses, or statistical analysis.
    Exemptions
    • Personal use of data for private and non-commercial activities.
    • Government security agencies handling national security and law enforcement.
    • Academic and research institutions using anonymized data.
    Responsibilities for Businesses
    • Obtain clear and explicit consent before collecting personal data.
    • Ensure the accuracy of collected and stored data.
    • Implement security measures to prevent unauthorized access and misuse.
    • Limit data collection and processing to lawful and necessary purposes.
    • Maintain detailed processing records and ensure accountability.
    • Provide individuals access to their personal data upon request.
    Specific Responsibilities for Website Owners
    • Cookie Consent: Obtain explicit consent for non-essential cookies and trackers.
    • Privacy Policy: Display a clear, comprehensive privacy notice covering:
      • Types of data collected
      • Processing and retention periods
      • Third-party data sharing policies
      • User rights and how to exercise them
    • Data Security: Ensure encryption of submitted data (e.g., forms, payments).
    • Right to Data Deletion: Provide users an option to request data deletion.
    Additional Requirements
    • Cross-Border Data Transfers: Allowed only if the receiving country has adequate protections.
    • Data Breach Notification: Entities must report breaches to the government and affected individuals.
    • National Data System: All data-collecting entities must integrate with Nepal’s national data system.
    • Survey and Census Regulations: Official surveys and data collection require government approval.
    Data Subject Rights
    • Access: Individuals can request a copy of their personal data.
    • Correction: Users can request corrections to inaccurate data.
    • Deletion: Data subjects can request deletion of their personal data under certain conditions.
    • Objection: Individuals can object to processing that affects their rights.
    • Portability: Users can transfer their personal data to another service provider.
    Enforcement
    • Regulatory Authority:
      • National Data Office under the Prime Minister’s Office oversees compliance.
    • Penalties:
      • Unauthorized data collection or misuse – Fines up to NPR 40,000 (≈ USD 300) or one-year imprisonment.
      • Failure to notify breaches – Fine up to NPR 20,000 (≈ USD 150).
      • Obstruction of government data auditsUp to six months' imprisonment.
      • Severe violations – Fine up to NPR 100,000 (≈ USD 750) or two years' imprisonment.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596