E-Data Protection Law № 25/NA Laos

Regulation Summary

May 12, 2017: Law enacted.
June 23, 2017: Law went into effect.
2020: Additional regulations introduced to strengthen enforcement mechanisms.

All organizations processing personal data in electronic form in Laos, including both public and private entities.
Foreign businesses processing the personal data of Lao residents, if they operate within Laos or use local infrastructure.
Entities handling sensitive data such as biometric, health, financial, or government-related information.

Personal or household use of personal data.
Government agencies processing data for national security, taxation, or law enforcement purposes.
Data processing necessary for public interest activities, including research and statistical reporting under legal authorization.

Lawful Processing: Businesses must obtain consent or rely on a valid legal basis for processing personal data.
Purpose Limitation: Data may only be used for its specified, legitimate purpose.
Data Security: Companies must implement measures to protect personal data from unauthorized access, leaks, and breaches.
Accountability: Businesses must maintain records of data processing activities, appoint responsible personnel where required, and notify the relevant authorities in case of a data breach.

Cookie Consent: Websites must obtain consent for non-essential cookies and tracking technologies.
Privacy Notice: Websites must provide a transparent and accessible privacy policy.
User Rights Portal: Websites should enable individuals to submit and manage data access, correction, and deletion requests.
Secure Data Transmission: Encryption and security measures must be in place for handling personal data online.

Cross-Border Data Transfers: Allowed only if the receiving country provides adequate data protection, safeguards are implemented, explicit consent is obtained, or government approval is granted in cases where required by law.
Data Protection Officer (DPO): Required for large-scale or sensitive data processing entities.
Impact Assessments: Mandatory for businesses engaging in high-risk data processing, including profiling and automated decision-making.

Access: Individuals have the right to request copies of their personal data.
Rectification: Right to correct inaccurate or incomplete data.
Erasure: Right to request deletion of personal data in certain conditions.
Portability: Right to obtain and transfer personal data.
Objection: Right to refuse processing for direct marketing or automated decision-making.
Restriction: Right to request processing limitations under specific conditions.

Regulatory Body: The Ministry of Technology and Communications (MTC) oversees compliance and enforcement.
Fines: Penalties range from 5 million to 50 million Lao Kip (~$250 to $2,500 USD) depending on the severity of violations.
Sanctions: Businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment for serious offenses.