Law: The Protection of Personal Data Act 2002 (last amended in 2023) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: Commission for Personal Data Protection ('CPDP')

Summary: The Act is the main source of local data protection law, having been adopted in 2002. Since then, it has undergone several amendments and was extensively modified, on 26 February 2019, to harmonise with the provisions of GDPR and to implement the GDPR into national legislation. The Act, together with the Rules on the Activity of the Commission for Personal Data Protection and its Administration set forth the legal framework for supervisory and regulatory functions of the CDPD. Since the entry into force of the GDPR, the CPDP has been very active both in terms of issuing regulatory guidance and in terms of enforcemen.