By Mostafizur Rahman

The Personal Data Protection Ordinance, 2025 marks a major milestone in Bangladesh’s digital governance framework. Promulgated on 6 November 2025 under Article 93(1) of the Constitution, the Ordinance establishes a comprehensive legal regime to protect personal data, recognizing it as a form of individual property and safeguarding fundamental privacy rights in the digital age.

Prior to this Ordinance, data protection in Bangladesh was governed indirectly through provisions of the ICT Act, 2006, the Digital Security Act, 2018, sectoral regulations (such as banking and telecom rules), and internal contractual practices. The 2025 Ordinance fundamentally changes this position by recognising personal data as a legally protected interest and imposing enforceable obligations on both public and private entities.

This law applies not only within Bangladesh but also has extra-territorial reach, impacting foreign entities that process data of individuals located in Bangladesh.

Scope and Applicability (Sections 1 & 4)

The Ordinance applies to:

  • Bangladeshi citizens and residents,
  • Any entity processing personal data within Bangladesh, and
  • Foreign entities processing data outside Bangladesh where such processing relates to goods, services, monitoring, or record management of individuals in Bangladesh.

It also provides for extraterritorial jurisdiction, allowing offences committed abroad to be tried as if they had been committed in Bangladesh.

Key Definitions and Data Categories (Section 2)

The law introduces detailed definitions, including:

  • Personal Data
  • Sensitive Personal Data
  • Biometric, Genetic, Financial and Health Data
  • Data Fiduciary, Data Controller, and Processor
  • Child Data (below 18 years)

Sensitive personal data includes biometric information, political or religious beliefs, health data, sexual orientation, criminal records, and real-time geolocation data.

Lawful Basis for Data Processing (Sections 5–7)

Personal data may be processed:

  • With explicit, informed, and revocable consent, or
  • Without consent, under limited lawful grounds such as contractual necessity, legal obligations, protection of life, employment rights, or public interest.

Processing of sensitive personal data requires specific consent, except in narrowly defined legal or emergency circumstances.

Special Protection for Children’s Data (Section 9)

The Ordinance provides enhanced safeguards for children:

  • Mandatory verifiable parental or guardian consent
  • Prohibition on tracking, profiling, monitoring, or targeted advertising of children
  • Consent remains valid until the child turns 18

Rights of Data Subjects (Sections 10–14)

The Ordinance guarantees strong, non-waivable rights, including:

  • Right to access and data portability (Section 11)
  • Right to rectification, updating, and completion (Section 12)
  • Right to withdraw consent and request erasure (Section 13)
  • System-wide correction and deletion through a “primary source of truth” mechanism (Section 14)

These rights apply universally and cannot be overridden by contract.

Obligations of Data Controllers & Processors (Sections 15–23)

Core compliance duties include:

  • Transparency and accountability (Section 15)
  • Purpose limitation and confidentiality (Section 16)
  • Robust security safeguards, including encryption and pseudonymization (Section 17)
  • Retention limits and record keeping (Sections 18–19)
  • Mandatory breach notification to the Authority (Section 20)
  • Data audits and Data Protection Plans (Sections 21–22)
  • Appointment of a Chief Data Officer by significant data fiduciaries (Section 23)

Exemptions & Public Interest Processing (Section 24)

Limited exemptions from consent apply for:

  • National security, law enforcement, public health,
  • Judicial orders, tax enforcement, journalism, research, and statistics.

However, exemptions cannot be misused and remain subject to oversight by the Authority.

Cross-Border Data Transfer & Data Localization (Sections 29–30, as amended in 2026)

The Personal Data Protection Ordinance, 2025 establishes the regulatory framework for cross-border data transfer and data localization in Bangladesh.

The Ordinance introduces:

  • Classification of personal data (public, internal, confidential, limited/restricted),
  • Conditions for international data transfers,
  • Mandatory local data mirroring for cloud storage (as amended),
  • Notification requirements for large-scale cross-border transfers of sensitive data.

Updated Local Data Mirroring Requirement (Amendment to Section 29)

Following the amendment to Section 29(7)(b) of the Personal Data Protection Ordinance, 2025, the cloud data localization obligation has been specifically defined. Under the amended provision, in the case of:

  • Restricted personal data as defined in Section 29(1)(d), and
  • Critical Information Infrastructure (CII) as defined in Section 2(1)(h) of the Cyber Security Ordinance, 2025 (Ordinance No. 25 of 2025),

at least one synchronized real-time copy of cloud-stored data must be maintained within Bangladesh. This amendment clarifies that mandatory local mirroring is now primarily required for restricted personal data and CII-related data, reflecting a more targeted, risk-based data localization approach.

Enforcement, Fines & Penalties (Sections 31–48)

Administrative Fines:

  • Up to 2%–5% of annual turnover in Bangladesh for violations of data subject rights (Section 32)
  • Up to BDT 25 lakh for security failures (Section 33)

Amendment to Section 48: Removal of Imprisonment

Another major reform is the amendment to penalty provisions:

  • The phrase “imprisonment or fine, or both” has been replaced with “fine”.
  • This removes criminal jail liability and introduces a financial penalty–focused enforcement model.

Criminal Offences:

  • Unauthorized data processing or disclosure: up to 5 years imprisonment (Section 36)
  • Sensitive data violations: up to 7 years imprisonment (Section 37)
  • Children’s data misuse, fraudulently obtained consent, data tampering, or continued processing after consent withdrawal carry strict penalties.

Corporate officers and government officials may also be held personally liable.

Regulatory Authority & Governance (Sections 25–28)

The National Data Management Authority is empowered to:

  • Issue binding instructions,
  • Conduct inspections and audits,
  • Impose fines,
  • Suspend cross-border data transfers,
  • Formulate Standard Operating Procedures (SOPs).

The Personal Data Protection Ordinance, 2025 establishes a robust, rights-based, and enforcement-driven data protection framework in Bangladesh. Organizations – both domestic and international – must urgently align their privacy policies, consent mechanisms, IT security, HR practices, and cross-border data flows with this law to avoid severe penalties and reputational risk.

The Personal Data Protection Ordinance, 2025 represents a structural transformation of Bangladesh’s data protection regime. By clearly defining personal data rights, imposing stringent compliance obligations, regulating cross-border data flows, and introducing meaningful penalties, the Ordinance aligns Bangladesh with global data protection standards.

Compared to the earlier legal framework, the change is fundamental: from implied, sector-based privacy rules to an enforceable, rights-centric data protection law. For businesses, employers, technology providers, and public authorities, compliance is no longer a matter of best practice—it is now a statutory obligation.