The government has approved the long-awaited “Personal Data Protection Ordinance, 2025”, designed to safeguard citizens’ data privacy and establish a comprehensive legal framework governing how personal information is collected, stored, processed and shared in the digital domain.
The approval came on Thursday during a meeting of the Council of Advisers, chaired by Chief Adviser Dr Muhammad Yunus.
Later, at a press briefing held at the Foreign Service Academy in Dhaka, where Chief Adviser’s Special Assistant for Post, Telecommunications and ICT Faiz Ahmad Taiyeb shared details of the new law besides Press Secretary Shafiqul Alam and ICT Secretary Shish Haider Chowdhury were also present at the briefing.
Chief Adviser’s Special Assistant for Post, Telecommunications and ICT Faiz Ahmad Taiyeb said the ordinance was formulated to address growing challenges surrounding data privacy, integrity and responsible innovation amid Bangladesh’s ongoing digital transformation.
“This law will ensure lawful and transparent processing of personal data, promote digital trust, and strengthen the foundation for a secure digital economy,” he said.
Key provisions
The proposed ordinance consists of 57 sections and recognizes that all personal data belongs to the individual it concerns. Processing such data will require the explicit consent of the data subject.
Before collecting or processing personal data, controllers must inform individuals about the purpose, storage duration and procedures for transfer or withdrawal.
The law also mandates parental or guardian consent when handling data of minors or individuals unable to give consent. Sensitive data can only be processed under specific conditions, while individuals will retain the right to access, correct, or withdraw consent for their data at any time.
Disclosure of personal information for purposes beyond those originally intended will be strictly prohibited without consent.
To ensure compliance, the ordinance introduces an independent data auditor responsible for reviewing and monitoring data processing activities.
However, exemptions have been included for cases involving national security, public order, defense, public health, crime prevention, tax investigations, education, research, and artistic or literary purposes.
Classification of personal data
Under the new law, personal data will be divided into four categories:
- Public or open personal data
- Internal personal data
- Confidential personal data
- Restricted personal data
International cooperation and penalties
The ordinance allows for bilateral and multilateral cooperation on cross-border data exchange and collaboration with international organizations or forums.
Violations such as unauthorized access, misuse, or the illegal processing of sensitive data may result in administrative fines, compensation, or criminal penalties. Data controllers are also prohibited from retaining information beyond the legally permitted period.
Faiz Ahmad Taiyeb described the move as a “significant milestone” in Bangladesh’s digital journey.
“By protecting citizens’ personal information, this ordinance will boost investor confidence, encourage innovation, and help establish a more secure and trusted digital ecosystem,” he said.
Officials and experts have lauded the Personal Data Protection Ordinance, 2025 as a crucial step toward aligning Bangladesh’s data governance framework with global standards—ensuring that digital progress goes hand in hand with privacy, accountability and transparency.