Privacy Law in Brunei
Brunei Darussalam has enacted the Personal Data Protection Order 2025 (PDPO), marking a significant advancement in the nation's data privacy framework. Approved by the Sultan in January 2025 and set to be implemented in phases, the PDPO introduces comprehensive regulations governing the collection, use, and disclosure of personal data by private sector organizations and non-governmental organizations (NGOs).
📋 Key Provisions of the PDPO
1. Scope and Applicability
Private Sector Entities: The PDPO applies to all private sector organizations and NGOs operating in Brunei that process personal data.
Government Agencies: While not directly governed by the PDPO, government bodies are required to manage personal data responsibly under existing frameworks, including the Data Sharing Guidelines and the Official Secrets Act.
2. Data Subject Rights
Consent: Individuals must provide informed consent for the collection and processing of their personal data, with the right to withdraw consent at any time.
Access and Rectification: Data subjects have the right to access their personal data and request corrections if necessary.
Data Portability and Erasure: Individuals can request the transfer or deletion of their personal data under certain conditions.
3. Obligations of Data Controllers
Lawful Processing: Organizations must ensure that personal data is processed lawfully, with proper authorization and documentation.
Purpose Limitation: Data must be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Security: Organizations must implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, and destruction.
4. Cross-Border Data Transfers
Adequate Protection: Personal data may only be transferred outside Brunei if the recipient country ensures an adequate level of protection or if additional safeguards are implemented, such as binding corporate rules or standard contractual clauses.
5. Enforcement and Penalties
Regulatory Authority: The Authority for Info-communications Technology Industry (AITI) is responsible for enforcing the PDPO and ensuring compliance.
Penalties:
Administrative Fines: Organizations may face fines for violations, with penalties varying based on the severity of the breach.
Criminal Penalties: Serious violations, such as intentional misuse of personal data or providing false information to authorities, may result in criminal prosecution, including fines and imprisonment.
🛠️ Compliance and Implementation
Grace Period: Organizations are granted a one-year grace period to comply with the PDPO's requirements.
Training and Awareness: AITI has initiated training programs, including the Certified Information Privacy Manager (CIPM) competency program, to equip Data Protection Officers in the private sector with the necessary skills for compliance.