Saqeb Mahbub, Partner and Md. Wazed Jamil, Senior Associate 

The Ordinance introduces a dedicated legal framework for safeguarding personal information in Bangladesh. It aims to ensure that personal data is collected and processed fairly, securely, and transparently. For businesses, it signals a shift toward international standards of data governance—similar to regimes now in place in India, Singapore, and the EU—and will help establish clearer rules of engagement for businesses handling personal data in Bangladesh. 

Scope and Applicability 

This Ordinance applies to any entity that processes personal data within Bangladesh, or that processes personal data outside Bangladesh in connection with offering goods or services to, or monitoring or profiling, data subjects in Bangladesh.

The Advisory Council (interim cabinet) approved the Personal Data Protection Ordinance 2025 on 9th October, 2025; however, the Ordinance still awaits formal promulgation through Presidential assent. The majority of provisions will come into force immediately upon promulgation, while the penal provisions, along with compliance obligations that depend on certain contingencies, will come into force later, giving businesses time to prepare for compliance.

Key Definitions 

The Ordinance defines key terms relevant to businesses: 

  • Data Fiduciary: Any person who processes personal data for specific purposes, supervises processing, or authorizes others to process data.  
  • Processor: Any person who processes personal data on behalf of a data fiduciary.  
  • Personal Data: Information relating to an identifiable person including name, identification numbers, financial data, location data, and other characteristics.  
  • Sensitive Personal Data: Includes genetic/biometric data, health data, political/religious beliefs, sexual orientation, and other special categories. 
  • Confidential Personal Data: Any personal data, including any sensitive personal data, which, if disclosed, shared, or processed without adequate security measures, may cause significant harm, discrimination, or breach of privacy to the data subject. Includes financial, health, biometric, and real-time location data, as well as any data designated as sensitive or confidential.
  • Restricted Personal Data: Any personal data that has a potential impact on national security, public order, defense, critical infrastructure, or the fundamental rights and freedoms of any individual, and the processing or transfer of which, or access to which, shall be subject to the strictest controls. This category may include classified datasets, critical health or security-related data, or any other personal data designated as ‘restricted’ by an authority or the government.

Legal Basis for Processing Data

Businesses must obtain voluntary, specific, explicit, and revocable consent before processing personal data. However, processing without consent is permitted in specific circumstances, including: 

  • Performance of a contract with the data subject  
  • Taking steps requested by the data subject to enter into a contract  
  • Establishing or defending legal rights  
  • Protecting vital interests related to life or health  
  • Implementing employment, labor rights, or social security rights  

The burden of proof regarding proper consent lies with the data fiduciary. 

Processing of Sensitive Personal Data 

Stricter conditions apply for processing sensitive personal data, requiring specific consent and additional legal bases. Businesses cannot conduct tracking, monitoring, profiling, or targeted advertising directed at children. 

Data Subject Rights 

Businesses must implement mechanisms to honor the following data subject rights: 

  • Access and Portability: Right to receive personal data in an intelligible format and have data transferred to another data fiduciary.  
  • Correction and Updating: Right to correct inaccurate data or complete incomplete data.  
  • Withdrawal of Consent: Right to withdraw consent for storage, processing, or automated decisions.  
  • Deletion: Right to have personal data erased under certain conditions.

Accountability and Transparency Requirements

Businesses must implement transparency measures and make available information about: 

  • Categories of personal data collected and collection methods  
  • Purposes of processing personal data  
  • Categories of data that may create risk of harm  
  • Methods for data subjects to exercise their rights  
  • Information about cross-border data transfers

Security and Data Protection Measures

Businesses must implement appropriate technical and institutional measures to ensure data security, considering factors such as data volume, sensitivity, potential harm, processing scope, and retention period. Required security measures include: 

  • Pseudonymization and encryption of personal data  
  • Ensuring system security, integrity, confidentiality, availability, and resilience  
  • Ability to restore data availability after incidents  
  • Regular testing and evaluation of security measures

Data Breach Notification

If a personal data breach could cause significant harm to data subjects, the data fiduciary must notify the Authority within the prescribed time limit. 

Data Retention 

Businesses cannot retain personal data longer than necessary for the original processing purpose. Records related to personal data processing must be preserved for at least 5 years. 

Data Audits 

Certain classes of data fiduciaries must undergo audits of their personal data processing activities by independent auditors authorized by the Authority. The Authority may also direct specific audits if it believes processing may be harmful to data subjects. 

Chief Data Officer Requirement 

Significant data fiduciaries must appoint qualified Chief Data Officers responsible for representing the business before the Authority, submitting reports, facilitating data subject rights, and handling complaints. 

Cross-Border Data Transfer 

The Ordinance classifies personal data into four categories: public/open, internal, confidential, and restricted. Confidential and restricted personal data must be stored within Bangladesh’s jurisdiction. Internal and confidential data may be transferred abroad with data subject consent or for contractual purposes, but only to countries with appropriate data protection standards. Large volumes of sensitive personally identifiable data require prior permission from the Authority. 

Penalties and Enforcement 

Non-compliance can result in significant penalties: 

  • Administrative Fines: 1-2% of annual turnover for general violations, 2-5% for significant data fiduciaries  
  • Criminal Penalties: Up to 5-7 years imprisonment and fines up to 20 lakh taka for serious violations  
  • Both company leadership and employees can be held liable for violations  

Specific offenses include processing without consent, unauthorized processing of sensitive data, misuse of children’s data, unauthorized access to data, fraudulent consent, and continued use after consent withdrawal.