
THE DATA PROTECTION ACT 2023 (draft)

Bill no. .........., 2023

An Act to provide protection to a person’s data and to control matters related to data
processing and to make provisions on matters incidental thereto.

BILL

Whereas it is necessary to make provisions as to collection, processing, storage, use or
reuse, transfer, disclosure, destruction of data and to make provisions on matters related thereto; and

Whereas it is necessary to establish a controlling agency in the existing administrative
system to supervise and monitor data processing related functions; and

Whereas it is expedient to provide protection of data belonging to a person for the purpose
of overall development of the information and communication technology sector; and

Whereas it is expedient and necessary to provide data protection to a person and to control
matters related to data processing and to make provisions on matters incidental thereto;

Now, therefore, it is enacted as follows:

CHAPTER I

PRELIMINARY

1. Short title and commencement.-- (1) This Act may be called the Data Protection Act,
2023.

(2) It shall come into force on such date as the Government may, by notification in the
official Gazette, appoint:

Provided that this Act shall not be given effect by appointing a date within a period of three
years from the date on which this Act is published for public notice following its enactment in
Parliament and assent by the President.

2. Definitions.-- In this Act, unless there is anything repugnant in the subject or context,--

(a) “anonymised or de-identified data” means data which are processed anonymously or
pseudonymously under this Act;

(b) “financial data” means any number or other data used to identify an account opened
by, or debit or credit card or payment instrument issued by, a financial institution to a
data subject, or any data regarding the relationship between a financial institution and a
data subject, including financial status, credit history or transactions;
(c) “data” means information, knowledge, event, concept or instructions created in a
formal procedure and which is processed, is being processed or will be processed in
any manner or format in a computer system or computer network, including computer
printout, magnetic or optical storage media, punched card, punched tape, or which is
stored in any computer memory, and includes personal data for this purpose;

Provided that, any anonymised, encrypted or pseudonymised data which is
incapable of identifying any individual shall not be included within the purview of
personal data;

(d) “data subject” means a person associated with the data;

(e) “data breach” means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, data transmitted,
stored or otherwise processed;

(f) “Agency” means the Data Protection Agency constituted under section 35 of this Act;

(g) “genetic data” means data relating to the inherited genetic characteristics of a person
which give unique information about the behavioral, mental or the health related
characteristics of that person and in particular, the mental or health related
characteristics which are confirmed by analysis of a biological sample from that
person;

(h) “prescribed” means prescribed by rules;

(i) “controller” means any Government authority, a company or any juridical entity who
either alone or jointly processes data for any specific purpose or has control over it for
that purpose or authorises the processing of data by any other legal person, but
shall not include a data processor;

(j) “auditor” means a person engaged in data auditing having required qualifications under
section 29(3) of this Act;

(k) “profiling” means any act relating to collecting information or data of any person
where description of necessary information or data of such person is contained;

(l) “data processor” means any Government entity, a company, any other juridical entity,
or a person who processes data on behalf of the data controller, but shall not include
any employee of the data controller;

(m) “processing” means any active operation for the purpose of data processing, whether or
not by automated means, such as collecting, recording, organizing, structuring, storing,
adapting or altering, retrieving, consulting, using, disclosing by transmission,
disseminating or otherwise making available, aligning or combining, restricting,
erasing or destroying;
(n) “Code of Criminal Procedure” means the Code of Criminal Procedure, 1898 (Act V of
1898);

(o) “commercial data” means any business data collected or otherwise processed
relating to buyers or consumers;

(p) “biometric data” means facial images, fingerprints, iris scans, or any other similar
data resulting from measurements or technical processing operations carried out on
physical, physiological, or behavioral characteristics of a data subject, which allow or
confirm the unique identification of that natural person;

(q) “rules” means the rules made under this Act;

(r) “person” includes any legal person, agency, partnership, company, association,
corporation, cooperative society, organisation or statutory body;

(s) “user created or generated data” means any personal data (such as text message,
image, audio, video, email, personal documents or any other similar matter etc.) of a
data subject created by any individual or group of individuals for the purpose of
limited use or share;

(t) “Director General” means the Director General appointed under section 36 of this
Act;

(u) “consent” of the data subject means any unambiguous affirmative indication, by any
act or declaration, of the data subject's agreement to the processing of data;

(v) “health data” means data related to the state of physical or mental health of the data
subject, and includes records regarding the past, present or future state of the health of
such data subject, other ancillary data related to providing healthcare services in
relation to state of health and shall also include data collected in the course of
providing health care services;

(w) “sensitive data” means the following data of a data subject -

(i) commercial or financial data;

(ii) health data including medical records of a natural person;

(iii) genetic data;

(iv) biometric data;

(v) the commission or alleged commission by him of any offence, any proceedings
for any offence committed or alleged to have been committed by him, the disposal
of such proceedings or the sentence of any court in such proceedings; and

(vi) any other data as may be prescribed by rules.

3. Overriding effect of the Act.-- Notwithstanding anything contained to the contrary in any
other law for the time being in force, the provisions of this Act shall have effect.

4. Application.-- (1) This Act shall extend to the whole of Bangladesh and shall apply to any person in
the following cases:-

(a) collecting, processing, using, distributing or holding data of any person within
Bangladesh;

(b) collecting, processing, using, distributing or holding data of Bangladeshi citizens
living outside of Bangladesh; or

(c) processing of data by a data controller or data processor not present within Bangladesh,
if such processing is in connection with any business carried on in Bangladesh, or any
activity of offering goods or services to data subjects, or which involves profiling of
data subjects.

(2) Notwithstanding anything contained in sub-section (1), this Act shall not apply to processing
of anonymised, encrypted and pseudonymised data.

CHAPTER II

DATA PROTECTION

5. Data protection principles.-- For the purposes of this Act, any person who collects, processes,
uses or holds data shall comply with the following principles of data protection:

(a) Consent and accountability: a person in connection with data collection and
processing shall be accountable to the data subject for the data collected or
processed; any data other than sensitive data shall be processed only after
receiving consent from the data subject in question; and no sensitive data of a data
subject can be processed except in accordance with the provisions of this Act and
rules made thereunder;

(b) Fair and reasonable: collecting and processing data in a fair and reasonable
manner as per the provisions of this Act and rules made thereunder;

(c) Integrity: additional and unnecessary data which is not relevant to a data subject
shall not be collected, processed, held or used, and only accurate, up-to-date data which
is consistent with the purpose shall be collected, processed, held or used;

(d) Retention: data shall be retained only for the period authorised by this Act and rules made
thereunder, and where the purpose for which the data of a data subject was processed no
longer exists, measures shall be taken to permanently destroy such data;

(e) Access to data and ensuring data quality: ensuring quality of collected,
processed, held or used data and data subjects shall be given access to their data
and where the data is inaccurate or not up-to-date, they shall be given opportunity
of correction.

(f) Disclosure: always ensuring the principle of accountability, including participation
of the data subject in collection, processing, holding or using data, and subject to
the provisions of this Act, no data shall, without the consent of the data subject, be
disclosed for any purpose other than the purpose for which the data were
collected;

(g) Security: ensuring security of collected data and while processing data, taking
appropriate measures to protect the data from any loss, misuse, modification,
unauthorized or accidental access or disclosure, alteration or destruction.

(h) Risk based protection and consistent protection: Organizations covered under
this Act must comply with all relevant bilateral and multilateral agreements
regarding data processing and transfer by taking appropriate consistent protection
measures after determining the level of risk; in such case, additional instructions
given by the government, if any, must also be complied with; and

(i) Enforceable Standards: In case of all data processing and transfer, arrangements
must be in place for implementation of the terms of necessary practical
cooperation with the relevant regulatory authorities including compliance with all
standards contained in bilateral and multilateral agreements executed with
Bangladesh in this regard.

CHAPTER III

COLLECTION AND PROCESSING OF DATA


6. Collection and processing of data.-- The collection and processing of data shall be done in
compliance with the provisions of this Act and rules made there under.

7. Data collection and consent for data processing.-- (1) Data of a data subject shall not be
collected and processed unless the data subject has given his consent, no later than at the
commencement of the processing, to the collection and processing of data.

(2) The consent of the data subject under sub-section (1) must be free, specific, clear, and
capable of being withdrawn.

(3) The data controller shall bear the burden of proof to establish that proper consent has
been given by the data subject in accordance with this section.

(4) Where the data subject withdraws consent for the processing of any data necessary for the
performance of a contract to which the data subject is a party-

(a) all legal consequences for the effects of such withdrawal shall be borne by him; and

(b) the data subject cannot raise any question of legality in respect of any performance
which takes place while his consent is in force.

(5) Notwithstanding sub-section (1), a data controller may process data of a data subject if
the processing is necessary-

(a) for the performance of a contract to which the data subject is a party;

(b) for the taking of steps at the request of the data subject with a view to entering into a
contract;

(c) for compliance with any legal obligation to which the data controller is the subject,
other than an obligation imposed by a contract;

(d) for protecting the vital interests of the data subject;

Explanation- “vital interests” means interests relating to life, death or security of a data
subject.

(e) for public health, treatment, medical or research purposes or to respond any medical
emergency involving a threat to the life or to the health of a data subject or any other
individual;

(f) where the data controller cannot reasonably be expected to obtain the consent of the
data subject;

(g) for compliance with any order of a court of competent jurisdiction; or


(h) for the exercise of any function of the Government for the provision of any service or
benefit to the data subject by, or the issuance of any certification, licence or permit by, the
Government.

(6) A data controller may process data of a data subject in a manner prescribed by rules if the
processing is necessary for public interest.

8. Notice to the data subject.-- (1) A data controller shall prior to collection of data or in
respect of holding, using or disclosing data to a third party provide a written notice in the
prescribed manner to a data subject and such notice shall contain the purpose and procedure of
collecting data of a data subject.

9. Protection of privacy.-- A collector, processor or controller shall not collect, hold or process
data in a manner which poses a threat of violation of the privacy of a data subject.

10. Manner of collection of data from data subject.-- (1) Any person authorised by the
controller in this behalf may collect data from a data subject in such manner as may be
prescribed.

(2) Notwithstanding anything contained in sub-section (1), data may be collected in a prescribed
manner from any person, organization, statutory body or government authority where-

(a) the data is contained in a public record;

(b) the data subject has deliberately made the data public or the data subject has consented
to the collection of the data from another authorised source;

(c) the collection of the data from any source, other than the source mentioned in
clause (b), is not likely to prejudice the privacy of the data subject; or

(d) the collection of the data is necessary for the prevention, detection and investigation of
an offence or for the national security.

CHAPTER IV

PROCESSING OF SENSITIVE DATA

11. Sensitive data.-- (1) Subject to sub-sections (5) and (6) of section 7, a data controller may
process any sensitive data of a data subject in compliance with the following conditions:

(a) taking explicit consent from a data subject to process data;

(b) the processing is necessary for the purposes of exercising or performing any right or
obligation which is conferred or imposed by law on the data controller in connection with
employment;
(c) in order to protect the interests of the data subject, in a case where consent cannot be
given by or on behalf of the data subject, or the data controller cannot reasonably be
expected to obtain the consent of the data subject;

(d) in order to protect the interests of another person, in a case where consent by or on
behalf of the data subject has been unreasonably withheld;

(e) to perform medical responsibilities undertaken by a healthcare professional, and to
respond to any medical emergency involving a threat to life or to the health of a data
subject;

(f) matters in connection with any legal proceedings;

(g) for the purposes of establishing legal rights, and in necessary cases to defend oneself in
a case or legal proceeding;

(h) for compliance with orders of a court; or

(i) for the exercise of any functions conferred on any person under any law;

(2) A data controller may also process any sensitive data which has been deliberately made
public by the data subject.

CHAPTER V

DATA OF CHILDREN

12. Data relating to children.-- (1) A person shall not collect or process data relating to a child
unless the collection or processing thereof is carried out with the prior consent of the parent or
guardian or relevant person having authority to make decisions on behalf of the child or for
research or statistical purpose authorized by the Government.

(2) Every data controller shall process data of children in a manner that protects the rights and
interests of the child.

(3) The procedure for data processing of children, age verification, parental consent and related
other matters shall be prescribed by rules.

Explanation,-- For the purpose of this section-

(a) “child” means any person below the age of 18 (eighteen) years; and

(b) “authorised person” in relation to a child means any guardian or person authorized by a
court to have access and rectify data of a child who is a data subject.

CHAPTER VI

DATA SUBJECT RIGHTS

13. Right of access to data.-- (1) In respect of data processed by the controller or any person
authorised by him, a data subject shall have the right to receive necessary data from the controller
and to access data related thereto.

(2) A data subject upon payment of a fee prescribed by rules, may make a data access request in
writing to the controller.

(3) The data controller shall provide the requested necessary data under sub-section (2) to the
data subject in a clear manner.

(4) A data access request for any data under sub-section (2) shall be treated as a separate single
request.

(5) Where a data controller does not hold the data, but controls the processing of the data in such a
manner as to prohibit the controller who holds the data from complying, whether in
whole or in part, with the data access request under sub-section (2), the first mentioned controller
shall be deemed to hold the data, and the legal liabilities of holding such data shall also extend to
him.

14. Right to correction, etc.- (1) Where necessary, having regard to the purposes for which data
is being processed, the data subject shall have the right to obtain the correction of inaccurate or
misleading data, the completion of incomplete data, and if the data stored by the controller is not
updated, the data subject shall have the right to correct, complete or update the data with proof.

(2) Where the controller receives a request under sub-section (1), and does not agree with the need
for such correction, completion or updating, the controller shall provide the data subject with
adequate justification in writing, in a manner prescribed by rules, for rejecting the request.

(3) Where the data subject is not satisfied with the justification provided by the controller under
sub-section (2), the data subject may request the controller to mark the data in question as
disputed.

(4) Where the data controller corrects or completes or updates data in accordance with sub-section
(1), the controller shall notify the data subject and all relevant entities within a period as may be
prescribed by the rules.

(5) Procedure of receiving request for correction, completion or update under this section and
disposing the same and correcting, completing, updating of data by controller and other matters
shall be determined by rules.

15. Withdrawal of consent.-- (1) A data subject may by a request in writing withdraw his
consent to the processing of data.

(2) The data controller shall, upon receiving the request under sub-section (1), cease the
processing of the data.

(3) The failure of the data subject to exercise the right conferred by sub-section (1) does not affect
any other rights conferred on him by this Act.

(4) The withdrawal of consent by a data subject under this section and other related matters shall
be determined by the rules.

16. Right to data portability.-- (1) The data subject shall have the right to receive the following
data in a commonly used format, in a generally structured form or in a machine-readable
format:

(a) any of their data provided to the controller;

(b) any of their data included as a part of their profile;

(c) any data related to the data subject collected by the controller in any other manner;

(d) any data related to the data subject transferred by a controller to any other controller.

(2) The provisions of sub-section (1) shall also apply to data processed anonymously or in encrypted form.

17. Right of foreign data subjects.-- Foreign persons residing or staying in Bangladesh shall have
rights in respect of data collected about them.

18. Right to erasure.-- (1) The controller on the basis of a request from a data subject shall erase
data related to that data subject within a period and in such manner as may be prescribed by the
rules for any of the following reasons:

(a) the data are no longer necessary in relation to the purposes for which they were
collected or processed;

(b) the data subject withdraws consent for data processing;

(c) the data subject raises an objection regarding data processing under any other
provision of this Act;

(d) the data have been processed without authority;

(e) the data have to be erased for compliance with a legal obligation; and

(f) such other reasons as may be prescribed by rules.

(2) Where the data controller has made the data public and is requested in pursuance of sub-
section (1) to erase the data, the controller shall take necessary measures to erase such data.

(3) Sub-sections (1) and (2) shall not apply to the extent that processing is necessary for-

(a) exercising the right of freedom of expression and data;

(b) compliance with a legal obligation or for the performance of a task carried out in the
public interest;

(c) reasons of public interest in the area of public health; or

(d) archiving scientific or historical researches or statistics related to public interest in so
far as the right referred to in sub-section (1) is likely to render impossible or seriously
impair the fundamental objectives of that processing.

19. Right to prevent processing of data.-- (1) A data subject may at any time, by a written
request to a controller or processor, request the controller or processor to stop processing data
which causes or is likely to cause unwarranted substantial damage to the data subject.

(2) A data controller, after receiving the request under sub-section (1), shall inform the data subject
in a manner prescribed by rules that the data controller has stopped the data processing, and if
such data processing cannot be stopped, the controller shall, with cogent reasons, inform the
Director General and the data subject about the matter.

(3) Where, after being informed under sub-section (2), the Director General is satisfied that the
data subject's request for prevention of data processing under this section is justified, he may
direct the controller to take necessary measures in the aforementioned manner.

20. General conditions for the exercise of rights.-- (1) The exercise of any right under this
Chapter shall be on the basis of a request made in writing to the controller with sufficient
proof of the identity of the data subject, and the controller shall acknowledge receipt of such
request in a manner prescribed by rules.

(2) The conditions for the exercise of rights under this Chapter by the data subjects, procedures to
be followed by a controller in response to a request and conditions of refusal to comply with the
request and other matters in connection therewith shall be prescribed by rules.

CHAPTER VII

TRANSPARENCY AND ACCOUNTABILITY

21. Accountability.-- (1) The controller shall be responsible for complying with all obligations set
out in this Act and rules made thereunder in respect of any processing of data, and shall ensure
implementation of procedures of data processing.

22. Transparency.-- (1) The controller shall take reasonable steps to maintain transparency
regarding general practices related to processing of data and shall ensure availability of the
following information to all the relevant persons in such form and manner as may be prescribed by
rules-

(a) the categories of data generally collected and the manner of such collection;

(b) the purposes for which data is generally processed;

(c) any categories of data processed in exceptional situations or any exceptional purposes
of processing that create a risk of significant harm;

(d) the existence of and procedure for the exercise of data subject rights, and any related
contact details for the same;

(e) description of the procedure for filing complaints to the Director General in respect of the
exercise of data subject rights;

(f) where applicable, the transfer of data by the controller to any other place; and

(g) such other data as may be prescribed by rules.

(2) In case of any significant operation related to the processing of the data of any data subject,
the controller shall notify the data subject concerned in the manner prescribed by the rules.

23. Non-disclosure of data.-- Subject to the provisions of this Act, no data shall, without the
consent of the data subject, be disclosed for any purpose other than the purpose disclosed
at the time of collection of the data.

24. Security requirement.-- (1) The government may prescribe standards to protect data from
any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or
destruction.

(2) A data controller may, when processing data, take steps to protect the data as may be
considered necessary by having regard to:

(a) the nature of the data and the harm that would result from its loss, misuse, alteration,
modification, destruction or disclosure;

(b) the reasons for which the data is likely to be damaged;

(c) the place or location where the data is stored;

(d) the measures taken for ensuring the reliability, integrity and competence of personnel
having access to the data;

(e) any security measures incorporated for equipment installed in the place of storing data;
and

(f) the measures taken for ensuring the secured transfer of data.

(3) Where processing of data is carried out by a data processor on behalf of the data controller, the
data controller shall, for the purpose of protecting the data, ensure that the data processor
undertakes to adopt applicable technical and organizational security standards governing
processing of data, as prescribed by rules.

(4) The data processor is independently liable to ensure compliance with security standards
prescribed under sub-section (3).

25. Data retention requirements.-- (1) The data processed for any purpose shall not be kept
longer than the period prescribed by rules for the fulfillment of that purpose.

(2) It shall be the responsibility of the data controller to permanently destroy all data after lapse of
the period mentioned in sub-section (1).

26. Data integrity and access to data.-- (1) A data controller shall ensure that the data is
recorded in accurate, complete manner and kept up-to-date by having regard to the purpose for
which the data was collected and processed.

(2) A data subject shall be given access to his data held by a data controller and be able to correct
that data where the data is inaccurate, incomplete, misleading and not up-to-date, except where
compliance with a request to such access or correction is refused under this act.

27. Record to be kept by data controller.-- (1) A data controller shall keep all records (such as
application, notice, request or any other information relating to data) regarding data processed by
him in a proper manner.

(2) The records mentioned in sub-section (1) shall be maintained in such manner and form as
prescribed by rules.

28. Provision related to data breach notification.-- (1) In the event of a data breach, the data
controller shall, as soon as it becomes aware of the data breach and without undue delay, notify
the Director General by a notice in respect of the data breach.

(2) The data breach notification under sub-section (1) shall provide such data as may be
prescribed by rules.

(3) The data controller shall maintain record of any data breaches, comprising the facts relating to
the data breach, its effects and the remedial action taken and if applicable, shall provide necessary
directions to the processor regarding actions to be taken.

29. Data audits.-- (1) The data controller shall have all activities related to processing of data
audited annually by an independent data auditor as authorised by the Director General under this
Act.

(2) The data auditor shall evaluate the compliance of all matters under the provisions of this Act
and rules made thereunder.

(3) The manner of conducting audits, presenting reports and other matters connected to it under
this section shall be prescribed by rules.

(4) The Director General may formulate an audit panel with persons having expertise in the area
of information technology, computer systems, data science, data protection or privacy for the
purpose of auditing.

(5) Notwithstanding anything contained in sub-section (1), where the Director General is of the
view that the data controller is processing data in a manner that is likely to cause harm to a data
subject, he may order an audit of the data controller to be conducted by an auditor appointed by
him, and the relevant controller shall be bound to comply with the order.

30. Responsibility of the data controller in respect of data breach to the data subject.-- The
data controller shall have the following responsibilities regarding data breach of a data subject:

(a) taking appropriate technical and organisational measures and ensuring implementation
of those;

(b) performing the processing of data under this Act taking into account the nature, scope,
context and purposes of processing as well as the risks of varying likelihood to the rights of
the data subject;

(c) following and implementing the data protection policies or standard operating procedures
set out in section 40; and

(d) to fulfill the purposes of clauses (a), (b) and (c), undertaking and performing any
other responsibilities as may be prescribed by rules.

31. Data protection officer.-- (1) For the purpose of data protection, the data controller shall
appoint a data protection officer, having qualifications prescribed by rules, under his control.

(2) The data protection officer shall perform such functions and duties as may be prescribed by
the rules.

(3) By involving himself in the overall data processing activities, the data protection
officer shall systematically perform his responsibilities with due regard to the purposes, nature,
scope and context of processing.

32. Data protection by design.-- The controller-

(a) shall design and install technical systems as per the appropriate standards,
including compliance with organisational practices for avoiding harm to the data subject by
anticipating it;

(b) shall follow the standards prescribed by rules in respect of the technology used in the
processing of data;

(c) shall protect legal interests and privacy of the data subjects at every stage of data
processing, including deleting it from collected data; and

(d) shall process data in a transparent manner as per the procedure prescribed by this Act
and rules made thereunder.

CHAPTER VIII

EXEMPTION
33. Exemption.-- Subject to the provisions of section 34, the application of the provisions of
this Act may be exempted in respect of data processing in the following matters:

(a) processing data for prevention or detection of any crime or arrest of any offender for
the purpose of investigation or filing cases against such person or the assessment or
collection of any tax, duty or any other imposition of a similar nature;

(b) processing data in relation to physical or mental health of a data subject, unless the
application of the provisions would be likely to cause serious harm to the physical or
mental health of the data subject or any other person;

(c) processing of data for preparing statistics or carrying out research ,,, unless the
resulting statistics or the results of the research are made available in a form which
identifies the data subject;

(d) processing of data for carrying out the purpose of any order or judgment of a court;

(e) processing of data for the purpose of discharging regulatory functions, unless the
application of a regulatory provision would be likely to prejudice the proper discharge of
those functions; orand

(f) processing data only for journalistic, literary or artistic or academic purposes.

34. Power to make further exemptions.-- (1) The Government may, by notification published in
the official Gazette, exempt, in addition to the exemption provided under section 33, the
application of any provision of this Act to any controller.

(2) The Government may impose such terms and conditions as it thinks fit in respect of any
exemption made under sub-section (1).

CHAPTER IX

ESTABLISHMENT OF DATA PROTECTION AGENCY, FORMATION ETC.

35. Formation of the Agency, etc.-(1) To fulfill the objectives of this Act, the Government shall,
by notification in the official Gazette, constitute an agency called Bangladesh Data Protection
Agency consisting of 1 (one) Director General and 4 (four) Directors.

(2) The Director General shall be the chief executive officer of the Agency.

(3) The head office of the Agency shall be situated in Dhaka, but the Government may set up its
branch office anywhere outside Dhaka if necessary.

36. Appointment of Director General and Directors etc.- (1) The Director General and
Directors shall be appointed by the Government from among persons having qualifications,
knowledge and experience in digital security, data protection, information and communication
technology, public service or law and their terms of service shall be determined by the
Government.

(2) The Director General and Directors shall be fulltime employees of the Agency and shall carry
out activities, exercise powers and perform duties subject to the provisions of this Act and rules
made thereunder.

(3) The Agency shall abide by the policy guidelines adopted by the Government in discharging its
responsibilities under this Act.

(4) If the office of the Director General becomes vacant or the Director General is unable to
perform his duties due to absence, illness or any other reason, the senior most Director shall
provisionally perform the duties of the Director General until the newly appointed Director
General takes over the office or the Director General is able to resume his duties.

37. Agency manpower.- (1) The Agency shall have the required manpower as per the
organizational structure approved by the Government.

(2) The Agency may appoint such number of staff, experts or consultants as may be necessary for
the proper performance of its functions, in the manner and subject to the qualifications
prescribed by the rules.

38. Powers of the agency.- (1) Subject to the provisions of this Act, the agency may take such
measures and exercise such powers as may be necessary for carrying out the purposes of the Act.

(2) Without prejudice to the generality of the powers conferred by sub-section (1), the agency
shall, in particular, have all or any of the following powers:

(a) Investigative powers:

(i) to carry out investigations in the form of data protection audits;

(ii) to order the controller and the processor and, where applicable, the controller's
or the processor's representative to provide any information it requires for the
performance of its tasks;

(iii) to notify the controller or the processor of an alleged infringement of this Act
and rules made thereunder;

(iv) to obtain, from the controller and the processor, access to all data necessary
for the performance of its tasks;
(v) to obtain access to any premises of the controller and the processor, including
to any data processing equipment and means for the purpose of examination;

(b) Corrective powers:

(i) to issue warnings to a controller or processor that intended processing
operations are likely to infringe provisions of this Act;

(ii) to order the controller or the processor to comply with the data subject’s
requests to exercise his rights pursuant to this Act;

(iii) to order the controller or processor to bring processing operations into
compliance with the provisions of this Act, where appropriate, in a manner and
within a period as may be prescribed by rules;

(iv) to order the controller to communicate a data breach to the data subject;

(v) if necessary, to impose a ban on processing;

(vi) to order the rectification or erasure of data;

(vii) presenting necessary data to the Director General in respect of imposing an
administrative fine under this Act; and

(viii) to order the discontinuation or suspension of data flows to a recipient in a
third country or to an international organisation;

(c) Authorisation and advisory powers:

(i) advising the controller regarding performance of his activities under this Act
and rules made thereunder;

(ii) issuing security directions to relevant persons regarding data protection;

(iii) issuing directions to relevant persons to follow the guidelines regarding data
protection standards; and

(iv) authorising relevant persons to undertake administrative arrangements.

39. Functions of the agency.- For the purpose of this Act, the agency shall perform the
following functions-

(a) overseeing the implementation of this Act;

(b) in fulfilling its responsibilities, taking appropriate initiatives to implement the policies
and programs adopted by the Government to improve the quality of life of the people;

(c) preserving the right to data privacy and encouraging everyone to take necessary
measures by monitoring, evaluating or investigating matters related to data protection;

(d) taking necessary measures to raise public awareness about the Act;

(e) enrollment of controllers and data processors in the manner prescribed by rules;

(f) imposition of administrative fines in accordance with the provisions of this Act;

(g) constituting an audit panel for the purpose of auditing any activities related to data
processing in accordance with the provisions of this Act;

(h) receiving complaints relating to violation of the provisions of this Act and taking
measures in that respect;

(i) maintaining a data protection and privacy register;

(j) issuing directions for the collection, processing, holding, using and other related
matters of data in an efficient manner;

(k) doing other acts incidental to any of the aforesaid functions; and

(l) performing such other functions as may be prescribed by rules.

40. Formulating standard operations procedure.- (1) The Director General, subject to the
provisions of this Act and rules made thereunder, with prior approval of the Government, may
formulate standard operations procedure regarding data collection, processing, storing or holding,
using and any other related matters.

(2) Without prejudice to the generality of sub-section (1), the Director General may, among
others, issue codes of conduct/practice in respect of the following matters, namely:-

(a) requirements for notice under section 8 of this Act including any model forms or
guidelines relating to notice;

(b) measures taken for ensuring quality of processing and holding of data;

(c) conditions for providing consent;

(d) matters related to data processing;

(e) exercise of any right by data subjects under this Act;

(f) exercise of the right of data portability;

(g) measures adopted to maintain standards of data processing, including transparency and
accountability from the controller and processor;

(h) methods of anonymous data processing;

(i) methods of destruction, deletion, or erasure of data;

(j) manner of data protection impact assessments;

(k) method of transferring data outside of Bangladesh; and

(l) any other matter required for the fulfillment of the purposes of this Act.

(3) Non-compliance by the data controller or data processor with any code of conduct issued
under this section shall be deemed to be a violation of the provisions of this Act.

41. Power to issue directions.-- (1) The Director General may, subject to the provisions of this
Act and rules, for the discharge of his functions under this Act, issue such directions in writing
as he may consider necessary to the controller or processors, and the controller or processors
shall be bound to comply with such directions.

(2) The Director General may prescribe in the direction the time frame for the discharge of his
functions.

42. Power to call for information.-(1) Without prejudice to the other provisions of this Act,
the Director General may, in writing, require a controller or processor or any other relevant person
to provide such data as may be required by him, within a period specified by him, for discharging
his functions under this Act.

(2) The relevant controller, processor or person shall be bound to provide the data if an order
to provide data is issued under sub-section (1).

43. Power to conduct investigation.-- (1) The Director General may conduct an inquiry and,
where appropriate, an investigation where he has reasonable grounds to believe that the activities
of a controller or processor are being conducted in a manner which is detrimental to the interests
of data subjects, or that any controller or processor has violated any of the provisions of this Act
or rules made thereunder, or directions issued by the Director General thereunder.

(2) For the purpose of sub-section (1), the Director General may, by an order in writing, authorise
one of its subordinate officers to inquire or investigate.

(3) If any officer is authorised under sub-section (2), he shall submit his inquiry or investigation
report to the Director General.

(4) Procedure for inquiry or investigation under this Act shall be prescribed by rules.

CHAPTER X

DATA STORAGE AND TRANSFER RELATED PROVISIONS

44. Storage of sensitive data, user-generated data and classified data.-(1) Subject to the
provisions of section 45, sensitive data, user-generated data and classified data shall only be
stored in Bangladesh, in a manner prescribed by law.

45. Data transfer provisions.-(1) In accordance with the provisions of the rules made in the light
of the principles of data protection described in section 5, any data described in section 44 may
be transferred outside Bangladesh under this Act, if necessary, in the interest of cross-border
trade, international relations or any other matters specified by the Government.

(2) In addition to the matters stated in sub-section (1), the relevant sector-specific regulators,
such as Bangladesh Bank, Bangladesh Telecommunication Regulatory Commission, National
Board of Revenue etc., shall follow their respective regulations in carrying out the matters
described in the said sub-section.

43. Provision regarding data transfer mentioned in section 44.- (1) Any data under section 44
that is specified, from time to time by general or special order, by the Government as classified
data, shall not be transferred to a place or system outside Bangladesh without prior authorisation
of the Government.

(2) Notwithstanding anything contained in sub-section (1) or any other provisions of this Act-

(a) the sensitive data of a data subject and any other data, including user-generated data, with his
consent, and

(b) any other data specified, from time to time, by the Government for the purpose of maintaining
international relations, cross-border business, immigration or any other matter,

may be transferred to any state or organisation outside Bangladesh or any international organisation.

(3) The Director General shall be notified, in a manner as may be prescribed by the rules,
regarding any data transfer under this section to any other state or international organisation
outside Bangladesh.

(a) The Government may from time to time declare the list of open data by notification in the
official Gazette, and approval from the Government or the Director General or any other authority
shall not be required for the transfer outside Bangladesh, or the use at home and abroad, of any
data listed in such manner; and

(b) if required by the data subject, any of his data, including sensitive data and user-generated data,
may be transferred with his consent to any other country or organisation outside Bangladesh or to
an international organisation outside Bangladesh in a manner prescribed by law.

CHAPTER XI

DATA PROTECTION REGISTER

46. Registration of controllers and processors.- (1) Every person intending to act as a
controller or data processor under this Act must be registered with the Agency.

(2) The procedure for registration under sub-section (1), the terms of registration, the renewal and
suspension of registration and matters relating thereto shall be prescribed by rules.

47. Data protection register.-(1) The Director General shall keep and maintain a
data protection register as may be prescribed by rules.

(2) The Director General shall register in the data protection register, every person or
organisation’s name related to collection and processing of data and every matter in connection to
the purpose for which the data is collected or processed.

(3) Every controller shall record and preserve all matters in respect of a data subject
concerned, including collecting, processing, holding, adding, reducing, storing, updating,
returning of the data, in an accurate and up-to-date manner and in accordance with the procedure
prescribed by the rules and under the supervision of the controller.

48. Access to register.-- The Director General shall make the information contained in the data
protection register available for inspection by any person.

CHAPTER XII

COMPLAINTS, ADMINISTRATIVE FINES, ETC.

49. Complaints against breach and non-compliance.-(1) A data subject or any person who
has reason to believe that a data controller, data processor or data collector is infringing upon
their rights given under this Act or is acting in violation of the provisions of this Act may make a
complaint to the Director General within the period and in the manner as may be prescribed by
rules.

50. Inquiry and investigation of the complaints.-- (1) The Director General shall himself
inquire into and, as the case may be, investigate every complaint made under section 49 in a
manner prescribed by the rules, or shall authorise any officer subordinate to him to inquire or
investigate.

(2) If the Director General is satisfied after inquiring or investigating a complaint, as the case may
be, that any controller, processor, collector or any authorised person for this purpose has failed to
perform any function in accordance with the provisions of this Act or has done something that is
not permitted, the Director General may take necessary measures to initiate legal proceedings or
file a case against the relevant controller, processor, collector or an authorised person in a manner
as may be prescribed by the rules.

(3) The Director General may issue necessary orders to the controller or, as the case may
be, to a processor, collector or any authorised person to reinstate the rights of a data subject
provided under this Act.

51. Unlawful processing of data.-- (1) If any person processes or knowingly aids in the
processing of data in violation of any provision of this Act, or disseminates or discloses data in
violation of any provision of this Act, such act shall be regarded as a violation of an order or
direction given under this Act or rules formulated thereunder, and for such violation an
administrative fine of not exceeding Taka three lakhs may be imposed, and if a person commits
such violation for a second time or in a repetitive manner, an administrative fine of not exceeding
Taka five lakhs may be imposed on such person.

(2) An administrative fine not exceeding Taka five lakhs may be imposed in respect of a
violation regarding sensitive data under sub-section (1).

52. Failure to adopt appropriate data security measures.- If any controller or relevant
person, in violation of this Act and rules made thereunder, fails to adopt the data security
measures that are necessary to ensure data security, such failure shall be regarded as a violation of
an order or direction given under this Act or the rules and for such violation an administrative
fine of not exceeding Taka three lakhs may be imposed on him.

53. Failure to comply with orders.-- If a controller or relevant person fails to comply with the
orders made under this Act or the rules, such failure shall be regarded as a violation of an order or
direction given under this Act or the rules, and for such failure an administrative fine of not
exceeding Taka two lakhs may be imposed on him.

54. Violation of provisions regarding transferring, selling of sensitive data etc.- (1) If a
controller or relevant person, alone or jointly with others, knowingly or intentionally or
recklessly, in contravention of the provision of this Act or the rules, obtains sensitive data, or
discloses sensitive data, or transfers sensitive data to another person, or sells or offers to sell
sensitive data to another person, which results in prejudice to a data subject, such act of that
person shall be regarded as a violation of an order or direction given under this Act or rules
formulated thereunder, and for such act an administrative fine of not exceeding Taka three lakhs
may be imposed on him.

(2) An administrative fine not exceeding Taka five lakhs may be imposed in respect of a
violation regarding sensitive data under sub-section (1).

55. Violation of orders etc. prescribed by rules.-- Subject to the other provisions of this
Chapter, certain acts of any person may be specified by rules as violation of an order or direction
given under this Act or rules and for such acts administrative fines of such amounts as may be
prescribed by rules may be imposed on that person and such fine shall not exceed the amount
specified under this Act.

56. Compensation.-(1) Where a data subject suffers damage through the contravention by a
controller, processor or collector of the requirements of this Act or rules, the data subject is
entitled to apply to the Director General or an authority prescribed by rules for compensation and
if such application is made, the Director General or an authority prescribed by rules shall dispose
of the matter in a manner prescribed in sub-section (2).

(2) Filing of complaint, legal proceeding regarding it, procedure of disposal and other
matters shall be prescribed by rules.

57. Violation of provisions of this Act by a foreign company.-- If any foreign company
registered under Part X of the Companies Act, 1994 (Act No. 18 of 1994) commits any act in
violation of section 51, 52, 53, 54 or 55, an administrative fine of not exceeding 5% of
the company's total revenue for the preceding year may be imposed on the company.

58. Imposition of administrative fine.-(1) Subject to the other provisions of this section, the
Director General, after providing reasonable opportunity to be heard to the relevant person, may
impose administrative fines as specified in sections 51, 52, 53, 54, 55 and 57 and, in other
cases, as may be prescribed by rules.

(2) Any person who fails to pay the administrative fine imposed under this Act within a
period prescribed by rules, such fine shall be recoverable as a public demand under the Public
Demand Recovery Act, 1912.

(3) Amounts of administrative fines that may be imposed shall be prescribed by rules,
depending on the seriousness of the complaints.

(4) Administrative fines may be imposed under this section, in addition to the penalties
under Chapter XIII.

59. Appeals.-(1) Any person aggrieved by an order or decision under this chapter may
appeal, within 30 (thirty) days from the date of notice of the order or decision, to the Government.

(2) A copy of the memorandum of appeal filed under sub-section (1) shall be provided to the
Director General or any authority prescribed by rules.

CHAPTER XIII

CERTAIN COMPLAINTS CONSIDERED AS OFFENCES AND MATTERS IN CONNECTION TO THESE

60. Director General's power to return complaint with directions.-- (1) If it appears to the
Director General that imposing an administrative fine is not an adequate remedy for the complaint
brought before him, he may regard such complaint as an offence under this Act and may return
the complaint to the relevant person with specific directions for availing proper legal remedy
regarding it.

(2) Every complaint under sub-section (1) shall be returned to the relevant person within
30 (thirty) days of filing of such complaint.

(3) If the Director General fails to return the complaint to the person concerned within a
period prescribed under sub-section (2), the person may submit an application to the Government
to avail appropriate remedy in that regard.

61. Limitation on imposing penalty.-- If any complaint is considered as an offence under section
60, any court having jurisdiction may impose a fine not exceeding Taka ten lakhs or
imprisonment not exceeding three years or both.
62. Power to investigate offence.-- Notwithstanding anything contained in the Code of
Criminal Procedure, any qualified officer engaged under the Director General shall investigate
any offence committed under this Act.

63. Trial of offence and appeal.-(1) Notwithstanding anything contained in any other law for
the time being in force, the offences committed under this Act shall be tried by the Cyber Tribunal
constituted under section 68 of the Information and Communication Technology Act, 2006 only.

(2) Any person aggrieved by the judgment of the Tribunal mentioned in sub-section (1) may prefer
an appeal before the Appellate Tribunal constituted under section 82 of the Act mentioned in that
sub-section.

64. Application of the Code of Criminal Procedure.-(1) Save as anything contrary to the
provisions of this Act, the provisions of the Code of Criminal Procedure, 1898 shall be applicable
to the penalty, trial, appeal and all other incidental matters related to any offence under this Act.

(2) The Cyber Tribunal shall be deemed to be a Court of Sessions, and may exercise all powers of
a Court of Sessions while trying any offence under this Act or any other offence derived from it.

(3) The person presenting the case before the Tribunal on behalf of the complainant shall be
regarded as public prosecutor.

65. Offences committed by companies.-(1) Where a company commits an offence under
this Act, every owner, director, manager, secretary, partner or any other officer or employee or
agent of the company having direct involvement in such offence shall be deemed to have
committed the offence; provided that he shall not be liable, if he can prove that the offence was
committed without his knowledge or that he had exercised all due diligence to prevent the
commission of such offence.

(2) Where a company mentioned in sub-section (1) is a body corporate having legal
personality, such company, apart from any person charged and convicted under that sub-section,
may also independently be charged and convicted in the same proceedings, but the penalty
of fine only may be imposed on such company.

Explanation.-- For the purpose of this section-

(a) “company” means any commercial establishment, partnership, firm or association, and
also includes an organisation;
(b) “director” in relation to a commercial establishment includes any partner or member of
the board of directors.

CHAPTER XIV

MISCELLANEOUS
66. Power of Government to issue directions in certain cases.- (1) The Government may,
from time to time, issue to the Director General such directions as it may think necessary in the
interest of the sovereignty and integrity of Bangladesh, the security of the State, friendly relations
with foreign States or public order.

(2) Without prejudice to the foregoing provisions of this Act, the Director General shall, in
exercise of its functions under this Act, be bound by such directions.

67. Reports, etc.-- The Government may, from time to time, ask the Director General to
furnish reports or descriptions of acts performed regarding any matters under this Act and, if so
asked, the Director General shall furnish such report.

68. Delegation of powers.-- The Director General may, on such terms as are not inconsistent
with this Act or rules, delegate his powers and functions to any officer of the agency or to any
other person.

69. Data processed before the date of coming into operation of this Act.-- Where a data
controller has collected data from any data subject or any third party before the date of coming
into operation of this Act, he shall comply with the provisions of this Act and rules to process
such data.

70. Power to remove difficulties.-- If any difficulty arises in giving effect to the provisions of
this Act, the Government may by written orders adopt necessary measures to remove the
difficulty.

71. Cross border enforcement cooperation.- For the purposes of this Act, the Government
may, if necessary, join any other state or multilateral organization or consortium for the purposes
of international cooperation, and the conditions laid down in the instrument of the said state or
organization or consortium shall be complied with.

72. Power to make rules.-- The Government may, by notification in the official Gazette, make
rules to carry out the purposes of this Act.

73. Publishing English text.-- (1) After the commencement of this Act, the Government shall,
by notification in the official Gazette, publish the English text of this Act which shall be called the
Authentic English Text.

(2) In the event of conflict between the Bangla and the English text, the Bangla
text shall prevail.

[Items of rules may be specified here for the purpose of this Act after finalization]

Statement of object and reasons

Minister in charge.
