QnA about the Personal Data Protection Ordinance, 2025 (ব্যক্তিগত উপাত্ত সুরক্ষা অধ্যাদেশ, ২০২৫)


As you all know, the Government of Bangladesh approved the Personal Data Protection Ordinance, 2025, which defines how any entity will use, handle, or process personal data.
Here is the PDF link.

1. Can I delete my account from any Bangladeshi website/business/service/company?

Yes. The Ordinance grants you, as the data subject (উপাত্তধারী), a powerful right to have your data erased. This is primarily covered under Section 13 (ধারা ১৩) of the law.

  • Your Right: You have the right to withdraw your consent (সম্মতি প্রত্যাহার) at any time.
  • The Business's Obligation: Upon receiving your request, the data fiduciary (the website or business) must erase (মুছিয়া ফেলিবেন) all of your personal data stored with them.
  • Specific Conditions: Section 13(2) (ধারা ১৩(২)) explicitly states they must do this if:
      • The data is no longer necessary for the original purpose.
      • You withdraw the consent that the processing was based on.
      • You object to the processing, or the data was processed unlawfully.
  • Exceptions: A business may only refuse to erase your data under a few specific conditions, outlined in Section 13(3) (ধারা ১৩(৩)), such as if the data is required to comply with a separate legal obligation or is designated for archival purposes.

2. Can I turn off advertising calls/emails/newsletters, etc.?

Yes. Your primary tool for this is the same right to Withdraw Consent under Section 13 (ধারা ১৩).

  • Consent Withdrawal: Marketing communications like advertising calls, emails, and newsletters are legally based on your consent. The law states that your consent must be "voluntary, specific, clear and revocable" (স্বেচ্ছাধীন, সুনির্দিষ্ট, স্পষ্ট ও প্রত্যাহারযোগ্য). You can withdraw this consent at any time. Once you do, the business must stop processing your data for that purpose.
  • Protections for Children: The law is even stricter regarding children (anyone under 18). Section 9(3) (ধারা ৯(৩)) provides an explicit, outright prohibition on data fiduciaries conducting "tracking (ট্র্যাকিং), monitoring (পরিবীক্ষণ), profiling (পরিলেখা) or Targeted Advertisement (টার্গেটেড অ্যাডভার্টাইজমেন্ট)" directed at a child.

3. Where do I report if anyone doesn't listen?

If a business or service (a "data-fiduciary") ignores your request or violates your rights, you can file a formal complaint with the "Authority" (কর্তৃপক্ষ).

  • Right to Complain: Section 31 (ধারা ৩১), titled "Filing of complaints" (অভিযোগ দায়ের), states that if you have reason to believe your rights have been violated, you may file a complaint with the Authority.
  • The Authority: The "Authority" is defined in Section 2(4) (ধারা ২(৪)) as the "National Data Management Authority" (জাতীয় উপাত্ত ব্যবস্থাপনা কর্তৃপক্ষ), which is the official body established to oversee and enforce this law.

4. Can I see what information a company has collected about me?

Yes. You have a "Right to Access" (প্রবেশাধিকার) under Section 11 (ধারা ১১). You can request this from the data-fiduciary, and they must provide you with:

  • A copy of your processed personal data in a "concise and understandable format" (সংক্ষিপ্ত ও বোধগম্য বিন্যাসে).
  • A summary of the processing, its purpose, the types of data held, and details on any cross-border transfers.
  • A list of all other persons, fiduciaries, or processors with whom your data has been shared.

5. What if a company has my old address or my name spelled wrong? Can I make them fix it?

Yes. You have the "Right to correct, update, and complete data" (উপাত্ত পরিমার্জন, হালনাগাদকরণ ও সম্পূর্ণকরণের অধিকার) under Section 12 (ধারা ১২). This allows you to request that the data-fiduciary correct any data that is "inaccurate or misleading" (অশুদ্ধ বা বিভ্রান্তিকর), complete any incomplete data, and update any data that is out of date.

6. What if a business refuses my request to correct my data?

If the data-fiduciary refuses to correct your data, they must provide you with a written justification for their refusal. If you are not satisfied with their reason, you have two specific rights under Section 12(3) (ধারা ১২(৩)):

  1. You can request that the business mark your personal data as "disputed" (বিরোধপূর্ণ বলিয়া চিহ্নিত); and
  2. You can request that they inform the Authority (কর্তৃপক্ষকে অবহিতকরণের) about the dispute.

7. Are there special protections for my children's data?

Yes. The Ordinance provides exceptionally strong protections for children, who are defined as anyone under 18 years of age. Section 9(3) (ধারা ৯(৩)) contains an explicit and powerful prohibition: it states that a data fiduciary (any business or entity) cannot target a child for "tracking (ট্র্যাকিং), monitoring (পরিবীক্ষণ), profiling (পরিলেখা) or Targeted Advertisement (টার্গেটেড অ্যাডভার্টাইজমেন্ট)". This makes many common online business models illegal for users under 18 in Bangladesh.

8. I corrected my address at my bank. Do I have to tell every other company that has my old address?

This law introduces a highly advanced and unique system to solve this exact problem. Section 14 (ধারা ১৪) describes a "system-wide propagation" (পদ্ধতিগত সঞ্চালন) mechanism. The goal is for the Authority to designate a "Primary Source of Truth" (প্রাথমিক উৎস) for key data (like "current address"). When you update your information at that primary source, that change is automatically and mandatorily sent to all secondary data fiduciaries (like other banks, mobile operators, etc.) to update their records. The law even specifies that these changes must be recorded in an "immutable ledger, blockchain or equivalent technology" (অপরিবর্তনীয় লেজারে, ব্লকচেইন) to ensure accuracy and create an audit trail.

9. Is a government employee accountable if they leak my data?

Yes. The law makes a specific point to include government accountability. Section 47 (ধারা ৪৭) states that government employees, as well as employees of statutory or autonomous bodies, who are involved in violating a data subject's rights or are responsible for a data breach, shall be "considered to have committed a punishable offense" and are subject to the same administrative fines and penalties as others under the law.

10. Does this law protect my data from the government?

This is a significant area of concern for privacy advocates. While the law grants you many rights, Section 24 (ধারা ২৪) provides a long list of broad exemptions for state agencies. Your data can be processed without your consent for reasons such as "national security" (জাতীয় নিরাপত্তা), "public order" (জনশৃঙ্খলা), or "crime prevention, detection, investigation, or prosecution" (অপরাধ প্রতিরোধ, শনাক্তকরণ, অনুসন্ধান, তদন্ত বা প্রসিকিউশন). Critics argue these terms are vague, undefined, and lack requirements for judicial oversight, creating a "systemic loophole" that could be used for mass surveillance.

11. What happens if a big international company misuses my data? Is the penalty strong enough to hurt them?

This is a potential weakness in the law's enforcement. The penalties are structured in two ways:

  1. Administrative Fines: Section 32 (ধারা ৩২) allows the Authority to fine a company up to 5% (for a "significant data-fiduciary") of its "annual turnover in Bangladesh" (বাংলাদেশে তাহার ব্যবসায়ের বার্ষিক টার্নওভারের). Critics note that a massive global corporation might have a very small turnover in Bangladesh, making this fine too small to be a real deterrent compared to laws like the GDPR, which bases fines on global turnover.
  2. Criminal Penalties: The law's main "teeth" are in its severe criminal penalties, found in Chapter 9 (নবম অধ্যায়). These are seen as disproportionately high and create risk for individuals rather than just corporations.

12. What kind of data gets special protection?

The Ordinance creates a special category called "Sensitive Personal Data" (সংবেদনশীল ব্যক্তিগত উপাত্ত). To process this data, a company needs your "specific consent" (সুনির্দিষ্ট সম্মতি), which is a higher standard than regular consent. According to Section 2(23) (ধারা ২(২৩)), this sensitive data includes:

  • Genetic and Biometric data 
  • Data on ethnic origin or community 
  • Political or philosophical ideology 
  • Religious beliefs 
  • Trade union membership 
  • Health data and sexual orientation 
  • Data on criminal offenses or allegations 
  • Crucially, your "real-time geolocation" (তাৎক্ষণিক জিও-লোকেশ) 

13. What are the punishments if someone breaks this law?

The punishments are severe and include both fines and prison time. Under Chapter 9 (নবম অধ্যায়), various offenses carry heavy penalties. For example:

  • Section 36 (ধারা ৩৬): Processing or sharing your data without consent or legal basis can lead to up to 5 years in prison and/or a fine.
  • Section 37 (ধারা ৩৭): Unauthorized processing of your sensitive data (like your health data or real-time location) is even more serious, with a penalty of up to 7 years in prison and/or a fine.
  • Section 38 (ধারা ৩৮): Illegally collecting or using a child's data can result in up to 3 years in prison and/or a fine.

14. What is a "data-fiduciary" (উপাত্ত-জিম্মাদার)?

This is the legal term the Ordinance uses for any person or entity (like a company, bank, hospital, or social media platform) that, either alone or jointly with others, decides the purpose and method of processing your personal data. The law defines this in Section 2(2) (ধারা ২(২)). Essentially, they are the "custodian" of your data and are held legally responsible for protecting it.