Law No. 81 on Electronic Transactions and Personal Data Lebanon

Regulation Summary

All entities processing personal data in Lebanon, including private and public organizations.
Foreign companies handling the personal data of Lebanese residents, if they operate within Lebanon or utilize local data infrastructure.
Businesses involved in electronic transactions, including e-commerce, financial institutions, and digital service providers.

Personal or household use of personal data.
Government agencies processing data for national security, taxation, or law enforcement purposes.
Data processing for journalistic, artistic, or academic research purposes, provided it adheres to legal safeguards.

Lawful Processing: Businesses must obtain consent or rely on a valid legal basis for processing personal data.
Purpose Limitation: Data may only be collected and processed for a specific, legitimate purpose.
Data Security: Organizations must implement safeguards to prevent unauthorized access, leaks, or breaches.
Accountability: Businesses must document data processing activities, designate responsible personnel when required, and notify authorities in the event of a data breach.

Cookie Consent: Websites must obtain user consent for non-essential cookies and tracking technologies.
Privacy Notice: Websites must provide a transparent and accessible privacy policy.
User Rights Portal: Individuals should be able to submit and manage data access, correction, and deletion requests.
Secure Data Transmission: Websites must ensure encryption and protective measures for handling personal data online.

Cross-Border Data Transfers: Permitted only if the recipient country ensures adequate protection, safeguards are applied, explicit consent is obtained, or government approval is granted where required.
Data Protection Officer (DPO): Required for businesses engaging in large-scale or sensitive data processing.
Impact Assessments: Mandatory for businesses conducting high-risk data processing, including profiling and automated decision-making.

Access: Individuals can request copies of their personal data.
Rectification: Right to correct inaccurate or incomplete data.
Erasure: Right to request deletion of personal data under certain conditions.
Portability: Right to obtain and transfer personal data.
Objection: Right to refuse processing for marketing or automated decision-making.
Restriction: Right to request limitations on data processing in specific cases.

Regulatory Body: The Ministry of Economy and Trade is responsible for compliance and enforcement.
Fines: Violations can result in fines ranging from 1 million to 30 million Lebanese Pounds (~$665 to $20,000 USD) depending on the severity of non-compliance.
Sanctions: In serious cases, businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment for severe breaches.