• Legal system, currency, language

    Constitutional. The official currency is the Kwanza (AOA). The official language is Portuguese.

  • Corporate presence requirements & payroll set-up

    A foreign entity may engage employees in Angola with proper payroll registrations, subject to business, corporate and tax considerations. The employer is responsible for withholding from an employee's pay, and delivering to the tax authority, income tax and contributions to Angolan social security. The level of income tax is defined by the government and varies in line with the employee's salary.

  • Pre-hire checks


    Immigration compliance and pre-hire medical examinations.


    Reference and education checks are permissible.

  • Immigration

    Criminal and medical checks must be issued by competent authorities, a criminal record must be issued by the home country and a medical certificate must be issued by a doctor in the employee’s home country.

    The visa/work permit requirements for overseas nationals to work in Angola are having a recognized travel document valid for the Angolan territory for at least 6 months, being of legal age, not being included in the national list of undesirable persons prohibited from entering into the national territory, not constituting a danger to public order or to social security interests, complying with all health regulations established by the Ministry of Health for entry into the national territory, having an employment contract or promissory employment contract, having a certificate of professional and educational qualifications and curriculum vitae, and obtaining a positive opinion of the competent Ministry.

  • Hiring options


    Indefinite-term contract (which is the rule), fixed-term or open-term (ie, a term contract whose termination date has not yet been defined, but that will be terminated as soon as the underlying need for contracting is no longer verified – for example, as a contract to cover absence), part-time contract, telework contract and contract under service commission regime – a particular type of contract for high-level employees which provides flexibility for termination and is not common. The parties may execute an employment contract for a fixed term or open term, which must be done in writing. Part-time, fixed-term and open-term employees may not be discriminated against due to their status.

    Independent contractor

    Independent contractors may be engaged directly by the company or via a personal services company. Engagement may be subject to misclassification exposure. The factors that tend to indicate an individual is an employee (rather than, for example, a self-employed independent contractor) are the existence of a work schedule, the scheduling of vacation, the worker’s legal subordination to the company, the company’s authority, direction and disciplinary powers, control of punctuality and attendance over the individual, integration into the structure of the company and use of work tools belonging to the company, among others.

    In the event of misclassification, the relationship may be converted into an employment relationship on a permanent basis, and the employer may be liable to pay: a fine for non-compliance, employment entitlements owed as of the commencement of the activity and social security contributions.

    Agency worker

    Agency workers may only be engaged to fulfill a temporary need for work. The agency work contract duration depends on the underlying reason for hiring and does not typically exceed 24 months. Agency workers have the right to equal treatment to employees in relation to pay and other regular benefits.

  • Employment contracts & policies

    Employment contracts

    Written employment contracts are common but not mandatory, except for fixed-term, part-time, telework and service commission regime contracts as well as contracts with foreign employees and underage employees. Employment contracts cannot contain conditions that are less favorable to employees than mandatory employment legislation.

    Probationary periods


    Employment contracts for an unlimited period of time may be subject to a probation period corresponding to the first 60 days of performance of work; the parties may, by written agreement, reduce or waive this period.

    The parties may extend the probation period, in writing, to up to 6 months in case of employees who perform management duties.

    In an employment contract for a fixed-term, the parties may set forth a probation period in writing, and its duration cannot exceed 30 days.


    Employers with more than 50 employees must, in order to organize the work and labor discipline, draft and approve work rules or policies defining rules for the technical organization of work, work discipline, safety, hygiene and health protection of work, performance indicators, a remuneration system, working hours for the several sections of the company or work center, control of entrances and exits and circulation within the premises of the company, and surveillance and control of production.

    Employers with 50 or fewer employees may, but are not required to, implement employee policies or handbooks on the matters described above.

    Third-party approval

    Whenever the employee’s handbook or any other rules and regulations establish rules on performance and discipline, remuneration systems, work performance or safety, hygiene and health protection at work, the employer must forward such regulations for information and registration purposes to the General Labor Inspectorate.

  • Language requirements

    Portuguese. Nevertheless, employment contracts and other documents may be drafted in a bilingual template.

  • Working time, time off work & minimum wage

    Employees entitled to minimum employment rights

    All employees are entitled to minimum employment rights.

    Working hours

    Maximum daily and weekly working hours are 8 hours per day and 44 hours per week. Overtime pay is required for hours worked in excess of these limits. These limits may be inapplicable to employees who perform direction and leadership duties, duties of inspection, or provide direct support to the employer, teleworking employees and for other employees who regularly perform their duties away from the workplace , without the immediate control of their manager or performance of work which, by its nature, can only be carried out outside the limits of working hours (ie, employees who may be exempt from a work schedule). The corresponding written agreement, ie, the agreement establishing exemption from work schedule for one of the above mentioned reasons) shall be included in the employee’s individual file. Typically, employees under exemption regime are entitled to an exemption bonus.


    Overtime may occur with an extraordinary increase in workload, to prevent serious damage or if due to force majeure. It is subject to the following maximum limits: (a) 2 hours per day, (b) 40 hours per month and (c) 200 hours per year.

    Each hour of overtime work is compensated with additional payment of up to 30 hours per month, corresponding to 50 percent of the value of the normal working hour. Overtime exceeding that limit is compensated with additional payment of 75 percent for each hour.

    For purposes of payment for overtime work:

    (a) fractions of time of less than 15 minutes are not considered;

    (b) fractions of time between 15 and 44 minutes are considered as half an hour;

    (c) fractions of time between 45 and 60 minutes are counted as 1 hour;

    (d) work performed on the day or half-day of complementary weekly rest is considered a normal working day.

    Employees who perform overtime work that prevents them from taking daily rest are entitled to paid compensatory rest equivalent to the hours of rest missed, to be taken on the following working day. Employees who perform overtime work on a mandatory weekly rest day are entitled to a paid compensatory rest day, to be taken on the following working day.


    The minimum wage is established by Presidential Decree. It is set out as a general minimum wage, but there is also a minimum wage for trade and extractive industry groups, transport services and manufacturing groups and agriculture groups. Under the Decree currently in force, the general minimum wage is AOA32,181.15. The following sector-specific minimum wages also apply:

    • Trade and extractive industry groups: AOA48,271.73

    • Transport services and manufacturing groups: AOA40,226.44 and

    • Agriculture groups: AOA32,181.15.


    Minimum 22 working days per year, plus 12 public national holidays.

    Sick leave & pay

    Employees are entitled to take off as much time as they need for sick leave. In this case, the employer continues to pay the employee’s salary for a period of 6 months, with the right of reimbursement from Social Security. For fixed-term employees, the obligation to pay salary ceases on the date of expiry of the fixed-term contract if the illness continues after that date.

    Employees can take up to 8 paid working days of leave per year to provide unavoidable assistance to members of the family, in case of illness or accident of the spouse, parents and children up to the age of 18.

    Maternity/parental leave & pay

    A pregnant employee is entitled to a paid maternity leave of 3 months. The amount of the maternity allowance is equal to the average of the 2 best monthly salaries from the 6 months preceding the commencement of the maternity leave. The maternity allowance is paid directly by the employer to the employee and, subsequently, the Social Security services reimburses the employer in full. Fathers are not entitled to any paid leave on the birth of a child; it is only considered as a justifiable reason for absence from work for 1 day. The father is also entitled to an unpaid supplementary leave of 7 consecutive or non-consecutive working days.

    Fathers are also entitled to replace the mother of their newborn child while on maternity leave in the event of the mother's proven physical or mental incapacity for the duration of the incapacity or in case of mother's death.

    Other leave/time off work

    Employees may also be entitled to leave for other purposes, such as for their wedding; relatives’ death, fulfillment of legal or military obligations which must be performed within the normal working period; attendance to tests by working students; attendance of training, professional proficiency, professional qualification or job conversion courses authorized by the employer; participation in cultural or sporting activities, either in representation of the country or the company or in official contests; the performance of necessary and urgent action in the exercise of leading tasks in labor unions as a union representative or as a member of the employee’s representative body; or the participation of the employee as a candidate to general or municipal elections approved by the competent authority.

  • Discrimination & harassment

    Discrimination based on the following protected characteristics is prohibited: race, color, gender, ethnic origin, marital status, origin or social rank, religious beliefs, political opinion, union affiliation and language.

  • Whistleblowing

    There is no special provision in this regard in Angola. Protection is only granted in the course of criminal action at the request of a whistleblower or by decision of the Public Prosecutor's Office.

  • Benefits & pensions

    Both employer and employee must pay contributions to social security in Angola to cover various employee benefits (eg, maternity leave payment and retirement pension). The employer must withhold the contribution due by the employee and deliver both contributions (ie, employer and employee) to social security every month.

    Current general rates are 3 percent of the gross wage for the employee and 8 percent for the employer.

    Employees with a minimum contributory period (ie, 35 years) qualify for a retirement pension at age 60 or in cases of total incapacity.

    Employers have no legal obligation to provide complementary or supplementary social benefits in addition to the social coverage provided for by the social public scheme. However, some companies – mostly large companies or multinational companies who have their own schemes worldwide – set up and provide private complementary health and pension schemes to their employees.

  • Data privacy

    The Data Privacy Law No. 22/11, June 17 governs Angolan data privacy and determines, in general terms, how to collect, use, disclose, store and give access to "personal information." 

    As a general rule, employers cannot require job applicants or employees to provide information about their life, health or pregnancy status.

    Job applicants or employees who have provided information containing personal data have the right to control their personal data, and may be informed of its content and the purposes for which it is intended, as well as demand that it be rectified and removed.

  • Rules in transactions/business transfers

    Provided that the same business activity is maintained, the new employer takes the position of the former employer in the employment contracts and takes their position in respect of the rights and obligations arising from the employment relationships. This is the case even if the employment contract is terminated before the transfer. The new employer takes their position as the employer of such former employees in respect of due and non-paid credits. Employees keep the same seniority and acquired rights which they had in the service of their former employer.

    The transferor must inform the employees' representative bodies or, in the absence of such bodies, the employees themselves of the transfer of the undertaking or establishment, the reasons for it and the date on which it is to take effect, its consequences for the employees and the measures envisaged for them.

    Employees must be informed in writing at least 22 working days before the transfer takes place or by posting a notice on the company's premises in the most accessible and visible places.

    The new employer must communicate the change of employer to the General Labor Inspectorate. The communication must be served within 15 business days following the transfer, stating the reason for the transfer and the future status of the employees.

    The transferor must inform the transferee of the terms and conditions that govern the employment relationship.

    Within 22 business days following the change of employer, the employees have the right to terminate the employment contract with prior notice, but this does not confer any right to compensation.

  • Employee representation

    Employee representative bodies are permissible but not mandatory.

    Trade unions are not common in Angola.

    In order to carry out their duties, trade union representatives are entitled to the following paid absences:

    1. 4 working days per month for carrying out duties as a member of the union's executive body;
    2. 4 or 5 hours per month for each union delegate or each member of the workers' representative body, depending on whether there are up to 200 or more employees affiliated to the respective unions at the work center.

    The employee must notify the employer in advance of the date and number of days they require for the exercise of trade union functions. Employers are obliged to provide a suitable place for workers' meetings whenever this is requested by the union representatives. Special protections against dismissal are granted to employees who perform, or have performed, duties as union representatives, either as leaders or delegates, or members of the employees’ representative body performing union-related activities.

  • Termination


    Unilateral termination by the employer: dismissal based on objective grounds (ie, redundancy reasons); disciplinary dismissal with just cause (ie, based on serious breach of the employee's duties).

    Termination without cause (with notice): only for employees hired under an employment contract of service commission regime (a particular type of contract for high-level employees which provides flexibility for termination but is not common).

    Other termination causes: mutual agreement, termination by the employee (ie, termination with notice or constructive dismissal with just cause), expiration (ie, fixed-term and open-term contracts or retirement).

    Employees subject to termination laws

    All employees.

    Restricted or prohibited terminations

    Special protection against dismissal is granted to employees who perform, or have performed, duties as union representatives, either as leaders or delegates, or members of the employees’ representative body performing activities; women covered by the regime of maternity protection; war veterans as per the definition provided by the applicable law; employees under the legal age; employees with a reduced work capacity or with a disability degree equal or higher than 20 percent.

    As a general rule, a copy of the notice served on the employee must be forwarded to General Labor Inspectorate.

    Third-party approval for termination/termination documents

    Except in respect of protected employees, third-party approval is not required to terminate an employment.

    Mass layoff rules

    If economic, technological or structural circumstances occur, which may be clearly demonstrated and which involve an internal reorganization or conversion, or the reduction or the shutting down of activities, which makes it necessary to eliminate or significantly change job positions, the employer may terminate the employment contracts of the employees who perform such job positions.

    Collective dismissal rules are triggered if the dismissal involves at least 6 employees.

    Information to the General Labor Inspectorate is required. However, there is no need to obtain approval for termination.

    The General Labor Inspectorate may undertake the diligence deemed necessary for clarification of the situation and, in case of a collective dismissal, during the period in which the evaluation of the General Labor Inspectorate occurs, the employer may promote a meeting with the representative body or with the committee appointed for the purpose of exchange of information and clarification and may forward the conclusions of the meetings to the General Labor Inspectorate.


    For individual dismissals based on objective grounds (up to 5 employees): the employer must forward, at least 30 days in advance, prior notice of dismissal to the employee or employees who occupy the job positions to be extinguished or transformed.

    For collective dismissal: the prior notice is 60 days.

    Notice periods in case of a fixed-term contract where the termination occurs by expiration: 30 days.

    Statutory right to pay in lieu of notice or garden leave

    Payment in lieu of notice is permitted (and required if the notice period is not honored).

    Garden leave is allowed during the notice period.


    Fair dismissal based on objective grounds (redundancy/collective dismissal):

    • 1 monthly base salary multiplied by the number of years of service up to 5 years, and .5 base salary multiplied by the number of years of seniority exceeding 5 years.
    • Fair disciplinary dismissal: no severance.
    • Higher severance payments may be agreed and are usual as a way to avoid litigation.   
  • Post-termination restraints

    A clause of the employment contract which restricts the activity of the employee for a period of time, which may not exceed 3 years from the termination of the contract, is lawful if the following conditions are met: (a) such clause is included, in writing, in the employment contract, or in its addendum; (b) the activity performed may cause real damage to the employer and may be considered as unfair competition; (c) the employee is paid a salary during the period of restriction of work: the corresponding amount will be included in the contract or its addendum.

    A clause which requires an employee who benefits from professional improvement or higher level education at the expense of the employer to remain at the service of the same employer for a certain period of time, provided that such period does not exceed 1 year, in case of training of professional improvement and up to 3 years in case of courses of high level education, is also lawful if established in writing. In this case, the employee may release themselves from remaining at the employer’s service by repaying to the employer the amount of the expenses incurred by the employer, in proportion to the remaining time until the term of the agreed period. The employer that hires the employee within the period of restriction of activity in the company is jointly liable for the damages caused by the employee or for the amount not returned by the employee.

  • Waivers

    In principle, statutory rights cannot be waived and any waiver of such rights will be null and void.

  • Remedies


    Fine corresponding to 5 to 10 times the average salary paid by the company.

    Unfair Dismissal

    The employee may challenge the validity of the dismissal before the labor courts.

    If the relevant court declares the dismissal to be unlawful, by final judgment, the employer must immediately reinstate the employee in the same job position and benefiting from the same previous conditions and compensate the employee for all damage caused, both pecuniary and non-pecuniary.

    In addition to reinstatement and compensation, the employee is entitled to the base salary they would have received if they had continued to perform work, until the date of final judgment, less the amount of salary for the period from the date of dismissal until 30 days before the legal proceedings are initiated, if the legal action is not brought within 30 days of the dismissal. The amount due is always limited to a maximum of 6 months’ salary.

    If reinstatement is not possible or the employee does not want reinstatement, the employer must compensate the employee by paying them compensation corresponding to their base salary as of the date of dismissal multiplied by the number of years of their seniority, with the minimum amount corresponding to 3 months’ base salary.

    Failure to inform and consult

    Not applicable.

  • Criminal sanctions

    Typically, non-compliance with employment laws leads to administrative proceedings which may lead to the payment of fines. If such non-compliance is based on violation of rights that deserve protection under criminal law, it may also lead to this type of judicial proceedings.

  • Key contacts
    João Guedes
    João Guedes
    Partner DLA Piper [email protected] View bio
    Daniela Rosa
    Daniela Rosa
    Senior Associate DLA Piper [email protected] View bio
    Islândia Ribeiro
    Islândia Ribeiro
    Senior Associate DLA Piper Africa [email protected] T +244 923 612 525 View bio

Data privacy


The Data Privacy Law No. 22/11, June 17 governs Angolan data privacy and determines, in general terms, how to collect, use, disclose, store and give access to "personal information." 

As a general rule, employers cannot require job applicants or employees to provide information about their life, health or pregnancy status.

Job applicants or employees who have provided information containing personal data have the right to control their personal data, and may be informed of its content and the purposes for which it is intended, as well as demand that it be rectified and removed.


The Argentine Data Privacy Law No. 25,326 (Ley de Protección de los Datos Personales or LPDP) protects the personal data stored in files, registers, data banks or other technical storage of data processing, whether public or private, in order to guarantee the right to honor and privacy of the data of individuals, as well as to restrict the access to such information, in accordance with the provisions set out in Article No. 43, third paragraph of the Argentine National Constitution.


Australia has stringent data privacy obligations. As a general rule, personally identifiable data may only be processed if it is required for the performance of the employment contract and constitutes an employee record. Certain acts and practices are exempt from the application of Australia's data privacy laws, but there are strict criteria which must be met for an exemption to apply. Employee records are generally exempt, but this exemption will not apply to documents that come into existence prior to the employment relationship (eg, pre-employment or hire documentation) or to documents relating to any contractors engaged by the business. At the time it collects personal information, the employer is required to provide the individual with a statement setting out the company's obligations under Australia's data privacy laws and the individual's rights. Further restrictions apply for sensitive personal data.

Employee records – with the exception of tax file numbers – are not covered by the Australian notifiable data breach regime, which requires notification to the Office of the Australian Information Commissioner (OAIC) and to affected individuals of any data breach that could result in serious harm. However, the OAIC advises that it is good practice for employers to notify employees affected by a data breach so that they may take protective action.

The monitoring of individuals and their data is covered by various surveillance legislation in each state or territory. Essentially, surveillance of employees is prohibited in sensitive areas, such as washrooms and change rooms, unless the surveillance device is installed pursuant to a warrant or authorization. Surveillance is permitted in public areas if it conforms with relevant legislation. The monitoring of an employee's use of a work computer (ie, emails and internet browsing) is governed by specific laws in some states.


Austria has made use of the opening clauses of the General Data Protection Regulation, particularly in the area of labor law. Several different national provisions must therefore be observed, such as the mandatory declaration of data secrecy, retention periods, provisions on the conclusion of works agreements, etc.




Personal data privacy is protected under Law No. 30 of 2018 with respect to Personal Data Protection (PDPL). Employees must be notified prior to processing their personal data, and their prior written consent should be obtained (unless exceptions stipulated under the relevant legislation are present) for such processing and transfer of their personal data.

Transfers of personal data out of Bahrain is prohibited unless the transfer is made to a country or region that provides an adequate level of protection to personal data.  There are 83 countries, including the UAE, Saudi Arabia, Oman, Jordan, Egypt, India, all EU countries, the USA and the UK that are listed as adequate for transfers.


Employees generally must be informed of personal data processing and, in certain cases, give prior and explicit consent. Special rules apply to data transfer outside the EEA. Significant and local-specific restrictions apply on monitoring email and internet use and use of cameras at the workplace. The personal data processing must occur in line with the General Data Protection Regulation (GDPR) and the Belgian data protection laws.


The new General Data Protection Law (Lei Geral de Proteção de Dados or LGPD) came into force on September 18, 2021. The LGPD is Brazil´s first comprehensive data protection regulation and applies to any processing operation carried out by a natural person or a legal entity, of public or private law, irrespective of the means used for the processing, the country in which its headquarters are located or the country where the data is located, provided that:

  • The processing operation is carried out in Brazil
  • The purpose of the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located in Brazil, or
  • The personal data was collected in Brazil.  

The LGPD does not contain specific employment provisions, but its provisions cover employment data.

The monitoring of corporate email and internet use is allowed, but employees should be notified that they cannot expect privacy in the use of these work tools.


Legislative requirements vary by jurisdiction. Where privacy laws apply, personal information must only be collected with consent and may only be used for the purposes for which it was collected. In most jurisdictions, email and internet use may be monitored where notice has been given through clear employer policies.


The employer is obliged to maintain the privacy of the information and personal data related to its employees. The right to personal data protection has the status of constitutional right, and, therefore, any breach may lead to litigation for impairment of fundamental rights.


The Regulations on Employment Services and Employment Management require that an employee's personal data is kept confidential and not made public without the employee's consent.

The PRC Cyber Security Law imposes new security and data protection obligations on "network operators," puts restrictions on transfers of data outside China by "key information infrastructure operators" and introduces new restrictions on critical network and cybersecurity products.

The Civil Code strengthens protection on individuals’ privacy and personal information. It improves the legal definition of personal information and clarifies the connotation, principles and conditions of handling personal information as well as strengthens the information security obligations of processors.

The Personal Information Protection Law (PIPL) came into effect on November 1, 2021, setting out the first comprehensive legal regime regulating the protection of personal information in China. There are requirements on notification and obtaining separate consent when collecting, processing and transferring personal information. Additional legal grounds for processing personal information in addition to the general “consent-based” approach are included in the PIPL.

China continues to promote legislation related to personal information protection. On September 1, 2022, the Measures for the Security Assessment of Outbound Data Transfers (the Measures) came into effect, setting forth requirements for outbound data transfer. According to the measures, organizations may transfer or access most personal data outside of Mainland China if required conditions and procedures have been fulfilled, while certain data must nonetheless stay in Mainland China unless special sectoral approvals are obtained.

In February 2023, the Cyberspace Administration of China (CAC) released the Measures for the Standard Contract for Cross-Border Transfer of Personal Information (Measures), which has been effective since June 1, 2023. The Measure requires employers who adopt the China standard contractual clauses (SCC) route for cross-border transfers of China personal data to file their signed China SCCs together with the supporting personal information impact assessment report with their local CAC branch by no later than November 30, 2023. However, on September 28, 2023, the CAC released a Draft Provisions on Regulating and Promoting Cross-border Data Flows, which proposed that employee data, necessary for HR management, may be exempt from the cross-border data transfer burdens.


Subject to certain exceptions, all data processing in Colombia should be based on consent for it to be lawful. Before employees provide consent for the processing of their personal data, they must receive certain information concerning the identity of all data controllers, the means and purposes for the processing of their data, and their rights. The processing of sensitive information requires explicit consent, which cannot be compulsory in any way. To process personal data, data controllers must provide a privacy notice to the affected employees prior to the collection and processing of personal data. In the case of data transfers to other data controllers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. Unless data is transferred for processing purposes, transfers of personal data to domestic or foreign 3rd parties must be pre-approved by the data subject/employee. If data is transferred for processing purposes, no prior consent is necessary, and the data controller and processor may enter into a data processing agreement for it to be lawful.

Employees have the right to know, update and rectify their personal data. The right to rectify personal data may be exercised in relation to partial, inaccurate, incomplete, split or deceptive data, and/or data that cannot be processed. They also have the right to request a copy of the consent that was granted to the data controller, the right to be informed about the use that has been effectively given to their information, and the right to revoke the consent granted for the processing of their personal data and may request to remove their personal information from the employers or subcontractor's databases by filing a formal claim, save for information directly related to their employment (eg, HR core data, recruitment, performance, global compensation learning and training-related data and master data). This possibility is only applicable in the case of wrongful use of the employee's information.

Czech Republic

Generally, employees must be notified of personal data processing (eg, camera recordings) and, in certain limited cases, give their consent (eg, for use of the employee’s personal data for marketing purposes). Significant restrictions on monitoring employees, including email and internet use.

The Czech Republic is subject to the General Data Protection Regulation (GDPR). The local law implementing the GDPR was issued in 2019.


Employers must comply with the General Data Protection Regulation (GDPR) as of May 25, 2018 as well as the Danish Data Protection Act.

Employees have the right to detailed information about the processing of their data. All information provided must be concise, transparent, easily accessible and in plain language. Employers must provide information on the legal basis for processing and, if the data is sensitive, which of the conditions for processing special categories of personal data on which the employer relies. The notice must also advise the employees of their rights under the GDPR.


Employees must usually be notified about personal data processing and give consent to this when necessary. Only necessary data may be processed. Special rules apply to data transfers outside of the EEA. There are significant restrictions on monitoring email and internet use.

From May 2018, Finland has been subject to the General Data Protection Regulation (GDPR) which introduced significant new obligations and onerous sanctions for employers.


The General Data Protection Regulation (GDPR) came into force on May 25, 2018. It applies to any processing of personal data within the EU. The GDPR implements new rights for data subjects, such as right to access, data erasure, data portability and consent.

Where data processors/controllers process operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data, a Data Protection Officer (DPO) must be appointed.

Data transfers outside of the EU are subject to additional requirements. Significant restriction on monitoring internet and e-mail use even when on company's IT device.


Covered by the EU-wide General Data Protection Regulation (Datenschutzgrundverordnung, or GDPR) entered into force in May 2018 and the complementing Federal Data Protection Act. Processing of personal data is generally unlawful except as listed by the Act and the General Data Protection Regulation, a works council agreement or free and individual consent. Appointment of data protection officers is required if 20 or more individuals deal with automated processing of personal data, if processing operations are subject to data protection impact assessment or in the case of business processing of personal data for specific purposes. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring email and internet use exist.

Hong Kong, SAR

The PDPO is principally concerned with 6 data protection principles (DPPs). Broadly, these require:

  • That personal data is only collected for a lawful purpose, that only personal data that is necessary and not excessive for that purpose is collected and that individuals are informed of certain things before data is collected or used (DPP 1);
  • That all reasonably practicable steps are taken to ensure that personal data is accurate and that it is only retained for as long as is necessary to fulfill its purpose (DPP 2);
  • That personal data is not, without the prescribed consent of the job applicant or employee, used for a purpose other than the purpose for which it was collected (DPP 3);
  • That all reasonably practicable steps are taken to ensure that the personal data is secure and protected against unauthorized or accidental access, processing, erasure or other use (DPP 4);
  • That all reasonably practicable steps are taken to ensure that an individual may access information about the data user's policies and practices in relation to personal data, the kind of personal data about them that is being held and the purposes for which it will be used (DPP 5); and
  • That, with some exceptions, an individual is entitled to request access to all personal data held by a data user and to correct that data if it is inaccurate (DPP 6).

There are provisions in the PDPO that restrict the transfer of personal data outside of Hong Kong, but these are not currently in force.


Employers must balance their need to obtain, use, store and disclose information for effective management and business purposes with their employees' right to privacy. The law distinguishes between ''personal data'' and ''sensitive personal data.'' Special rules apply for the transfer of personal data within and outside of the EEA. The National Authority for Data Protection and Freedom of Information is responsible for ensuring compliance and enforcing data protection.

Since May 2018, Hungary has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.


Employee records and employee access to data

The Information Technology Act, 2000 (IT Act) covers data protection and violation of personal privacy. This statute safeguards against certain breaches in relation to data from computer systems, prevents unauthorized use of computers and creates liability for damage suffered in the event of unauthorized access, downloading, extraction and copying of data from a computer system or network. It stipulates the penalty for breaches of confidentiality and privacy.

The storage, management and handling of sensitive personal data or information belonging to persons located in India is currently regulated by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Sensitive Information Rules) enacted under the IT Act and will be governed by the Digital Personal Data Protection Act, 2023, once it is implemented.

Sensitive personal data or information is defined under the Sensitive Information Rules to include passwords, financial information, physical, psychological and mental health conditions, sexual orientation, medical records and history, and biometric information.

A company receiving any of the above types of information as a result of either using the services of an individual or employing an individual must comply with the Sensitive Information Rules regarding processing and storing such information.


Law No. 27 of 2022 on Personal Data Protection regulates that personal data subjects have the right to obtain information regarding identity clarity, basis of legal interest, purpose of requesting and using personal data, and accountability of parties that request personal data. In conducting personal data processing, the personal data controller must obtain proof of consent given by the personal data subject.

Under Law No. 39/1999 on Human Rights, each individual has the right to their own privacy and cannot be subjected to an investigation in relation to personal data without their agreement, except on the order of a court or other legitimate authority under prevailing legislation.


Ireland is subject to the General Data Protection Regulation (GDPR), which places significant obligations and onerous sanctions for employers. GDPR requires employers to identify a legal basis for their processing of personal data, and it is unlikely that a catch-all consent will enable processing of employee data by an employer. Employers must ensure that they have GDPR-compliant documentation and that they are able to deal with the new rules on subject access requests. There continue to be significant restrictions on monitoring employees, including email and internet use.


Employees generally must be notified of the terms of the employer's personal data processing policy, and must consent to it. Registrations in the Databases Register may be required. Special rules apply to data transfer outside Israel. Significant restrictions on monitoring email and Internet use. Monitoring personal email is restricted.


Employees generally must be notified of personal data processing – and, in certain cases, give consent. Special rules apply to data transfer outside the European Economic Area (EEA). Not possible to control or monitor employees remotely with devices unless upon agreement with works council or authorization of the Labor Office, with the exception of the instruments used by the employee to carry out their work or to detect access or attendance.

Since May 2018, Italy has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.


The receipt, maintenance of and access to personal information relating to an individual is regulated by the Act of Protection of Personal Information. Broadly, upon the collection of such information, the collector must notify the person of the purpose of the use of such information and thereafter must take necessary and proper measures to prevent leakage, loss or damage of that information, and take other reasonable steps to control the security of the personal information. In addition, the party maintaining such information is required to adopt internal regulations designed to ensure the confidential and secure maintenance of such information as long as it is held. Disclosure of personal information to 3rd parties (parent and affiliated companies are considered 3rd parties) is strictly limited.


The Data Protection Act, 2019 gives effect to Article 31(c) and (d) of the Constitution on the right to privacy. It is supported by the Data Protection (General) Regulations 2021, the Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021 and the Data Protection (Registration of Data Controllers and Processors) Regulations 2021.The Act establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data and provides for the rights of data subjects and obligations of data controllers and processors, among others. The Act is modeled along the lines of the EU General Data Protection Regulations (GDPR).

The Constitution guarantees the right to privacy.

The Computer Misuse and Cyber Crimes Act, 2018 creates various offenses, including the right to privacy, in relation to computer systems.


There are no clear laws in Kuwait comparable with those in the US or Europe concerning the handling and transmitting  of employees' personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to address the various privacy protections set out in Kuwait law, including those set out in the Kuwait Penal Code, E-Commerce law and the Kuwait Constitution.


The General Data Protection Regulation (GDPR) has been in force since May 25, 2018. It has been complemented by the Luxembourg law of August 1, 2018 on the organization of the CNPD.

Since then, the processing of personal data is no longer subject to a prior notification to/authorization from the National Data Protection Commission (Commission Nationale pour la Protection des Données or CNPD). However, the processing of personal data for the purpose of supervising employees in the context of employment relationships may only be carried out by the employer under certain conditions.

The employee's consent does not legitimize the processing of data.

In case of conducting employee monitoring, the employer must first notify:

  • The employees concerned
  • All persons external to the company who may also be concerned (eg, customers, suppliers or visitors) and
  • If a surveillance system is used in the workplace, the staff delegation or, failing this, the Inspectorate of Labor and Mines (Inspection du travail et des mines or ITM).

Please note that a number of strict requirements apply in this context according to the Labor Code.

Data subjects have the right to lodge a complaint with the CNPD.


Collection and processing of personal data is governed by the Personal Data Protection Act 2010 (PDPA). Employers must obtain employees' consent (implied or express) before collecting and processing employees' personal data, and explicit consent is required if "sensitive personal data" is being collected. Employers must notify their employees of the nature and purpose of information being collected, to whom it is being disclosed, and that the employees have the right to access such data. Employee consent is also required before employee personal data is shared with third parties (for example, external payroll service providers).

As a result of the PDPA, an employee consent/notice document is required. This document has to be bilingual – in both English and Bahasa Malaysia – and is usually a separate document and referenced in the employment contract.


To process personal data, data controllers must provide a privacy notice to the affected employees prior to the collection and processing of such personal data. In the case of data transfers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. All transfers of personal data to domestic or foreign 3rd parties must be pre-approved by the data subject (ie, the employee).


Employees must be notified of data processing in accordance with law No 09-08 on data protection. Employees' consent to the processing of their data is required. Employees should be given the right to have access to and modify/amend their personal data.

Employers must declare data processing to the National Control Commission for the Protection of Personal Data (Commission Nationale de protection des Données Personnelles).


The Constitution of the Republic of Mozambique, as well as the recently enacted Electronic Transactions Law (The Law No. 3/2017, of January 9), prohibits access to data bases or to computerized archives, files and records for obtaining information on the personal data of third parties, as well as the transfer of personal data from one computerized file to another that belongs to a distinct service or institution, except in cases provided for by law or by judicial decision.

The Labor Law establishes that employers may not require an employee to supply information regarding their private life, except when particular requirements inherent to the nature of the professional activity so require. In addition, employees' personal data obtained by an employer is subject to a duty of confidentiality, and information where the release of which would violate that employee's privacy rights may not be given to a third party without the consent of the employee, unless it is required by law.


There are not currently any specific laws or regulations in Myanmar relating to data privacy. However, per the Law Protecting the Privacy and Security of Citizens enacted on March 8, 2017, a person is not allowed to do the following without permission of the relevant authorities:

  • Request or acquire any private call data, electronic communications data and information from operators or supply such information
  • Open, search, seize, destroy or damage any envelope, parcel or correspondence communicated that are the personal affairs of other individuals and
  • Criticize or interfere in the personal affairs and family affairs of any citizen or engage in conduct that may be detrimental to the good name, standing or dignity of an individual

Other than the above, there are currently no other laws or regulations on data privacy.


Employees generally must be notified of personal data processing – and, in certain cases, give consent. Registrations with the Information Commissioner are required. Special rules apply to data transfer outside the EEA. Significant restrictions on monitoring email and internet use.

Being an EU member state, the Netherlands are subject to the General Data Protection Regulation (GDPR), which includes significant obligations and onerous sanctions for employers regarding privacy and personal data of employees. In general, the GDPR aims at empowering individuals (including temporary employees, job applicants, contractors, trainees and other workers) with regard to controlling the use of their personal data and at harmonizing the data protection legislation across the EU.

New Zealand

The Privacy Act 2020 controls New Zealand data privacy and determines how employers collect, use, disclose, store and give access to "personal information."


The Nigeria Data Protection Act 2023 (“The Act") has been enacted to safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria. Among other things, the objective of the Act include: the protection of personal information; establishing the Nigeria Data Protection Commission for the regulation of the processing of personal information; promoting data processing practices that safeguard the security of personal data and privacy of data subjects; protecting data subjects’ rights, and providing means of recourse and remedies, in the event of the breach of the data subject’s rights; and strengthening the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data etc. The Act does not repeal prior regulations such as the Nigeria Data Protection Regulation, 2019 (NDPR) and the Nigeria Data Protection Regulation- Implementation Framework, 2020.

The Act and the International Labour Organization Guidelines on the Protection of Workers’ Personal Data contain key provisions and best practice requirements that organizations must comply with in processing employees’ personal data. The scope of Personal Data as defined under the Act also includes the personal data of employees. Thus, the employees of an organization have data subject rights which must be respected and processed according to the relevant laws in Nigeria. The Act provides standards and principles which employers must comply with in processing all personal data in their custody, including employees’ data.


Notification to the employee is required. An obligation to notify the Data Inspectorate may apply. Significant restrictions on monitoring and control of employees. Special provisions apply for transmission of data outside the EEA.


There is a new law RD 6/2022, enforced from February 12, 2023, which protects personal information. Key provisions include the following:

  • Prior to processing personal data, the data controller (ie, the employer – a person who determines the purpose and means of processing personal data) is required to issue a notice to the data subject (ie, the employee). The notice should set out certain mandatory information, including the purpose of processing their data, details of the controller and processor (a person who processes personal data on the controller's behalf), the rights of the data subject as well as the degree of disclosure of that data.
  • Personal data can only be processed within a framework of transparency, honesty and respect for human dignity.
  • Before processing, the controller must obtain express written consent of the data subject.
  • Data subjects are granted various rights under the law. These include the rights to transfer their personal data to another controller; erasure of personal data; obtain a copy of their processed personal data; revoke their consent and amend, update or block their personal data; and be notified of any breach or infringement of their personal data.
  • The law requires controllers to appoint a data protection officer, maintain records, and implement controls and procedures to protect personal data.
  • The law allows for the transfer of personal data outside of Oman only in accordance with "controls and measures specified in the regulations" – however, no transfer may take place if it would cause harm to the data subject.

In addition, the Electronic Transactions Law, RD 69/2008 (ETL) provides for the protection of personal data and regulates the transfer of personal data outside of Oman.

The Cyber Crime Law, Royal Decree no. 12 /2011 (Cybercrime Law) provides that it is an offense to violate the privacy of individuals through technology and prohibits the collection of private data.

It is advisable to seek prior written consent from employees to the processing of their personal data to the extent necessary to overcome the various privacy protections set out in the applicable civil and criminal laws.


During the employment relationship, companies collect employee personal data. The processing of personal data must be done in accordance with the guiding principles provided by the law.

According to the Peruvian Data Protection Law, consent and privacy notices must be obtained/given before the personal data is obtained/processed. Pursuant to the law, personal data may only be processed and/or transferred with prior consent. Such consent must be free, informed, express and unequivocal. However, a company does not need the express consent of the employee to obtain personal data if this information is necessary for the operation of the employment relationship, but it must comply with the duty of inform about the processing of personal data.


When an employer collects and processes personal information of its employees, especially sensitive personal information, the employer must comply with applicable guidelines on the adoption of organizational, physical and technical security measures and the registration thereof with the National Privacy Commission. The data subject must have given their consent prior to the collection, or as soon as practicable and reasonable. An employer's collection of personal information from its own employees does not require the employee's prior written consent, provided the personal information collected and the processes applied to such information are only to the extent necessary for compliance with legal requirements prescribed for an employer-employee relationship.


An employer is obliged to respect its employees' dignity and other personal rights, including their privacy and the confidentiality of the content of employees' private correspondence. There are statutory rules which forbid the secret monitoring of employees, and there are specific rules to introduce camera monitoring and other forms of employee monitoring, including monitoring of software and the internet, among others.

The Polish Labor Code sets forth specific rules regarding collecting and processing personal data of the candidates and the employees and, in particular, lists the types of data that may be requested by the employer. In matters not regulated by the Labor Code, general rules on data protection provided for in the Act on the Protection of Personal Data and the General Data Protection Regulation (GDPR) apply.


Since May 2018, Portugal is subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.

The local privacy law under the GDPR (Law no. 58/2019) entered into force on August 9, 2019. Limitations to the use of consent within a working relationship and video surveillance were introduced by this law.


On November 2016, Qatar issued a stand-alone data protection law No. 13 of 2016 on Protection of Personal Data Privacy (Data Protection Law). Businesses must take action to protect the privacy of personal data or risk fines of up to QAR 5 million. Key features of the law include:

  • Personal data is defined as data relating to an individual whose identity is determined, or able to be reasonably determined, either through the data or through linking this data with other data
  • The Data Protection Law applies to personal data when it is processed electronically, or when it is accessed or collected or extracted otherwise in preparation for its electronic processing, or when it is processed in a traditional and electronic way together
  • The processing of personal data will be regulated in a way which bears similarities with existing data protection regulations elsewhere in the world
  • Particular protection will be provided to certain types of personal data, such as data relevant to children, to physical and mental health and to crimes referred to as sensitive personal data
    • For example, parental consent will be required in connection with the online collection and processing of the personal data of children
  • Businesses will need to implement suitable measures, including training, to protect personal data from loss, damage, modification, disclosure or illegal access
  • Direct marketing will require the prior consent of the intended recipient and, amongst other requirements, the relevant communication must include a means by which the recipient may opt-out of future communications

This law may sit alongside the QFC data protection regulations and rules. It is also important to note that as per the Qatar Penal Code it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to overcome the various privacy protections.


Employees must be informed of personal data processing – and in certain limited cases, must give consent.

Since May 2018, Romania has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers. Under the GDPR, specific rules apply to any personal data transferred outside the European Economic Area aimed at ensuring that appropriate safeguards are provided for the transferred personal data and that enforceable data subject rights and effective legal remedies for data subjects are available.

Monitoring of employees, including email and internet use, may be performed under very specific circumstances, provided that the legal provisions which impose restrictions on interference with the protection of private life, data privacy and electronic communications are complied with.


Employers are generally required to obtain the prior written consent of their employees in order to process their personal data (eg, for transfer of personal data to 3rd parties including cross-border transfers).

Saudi Arabia

The Personal Data Protection Law applies to any processing of personal data related to individuals that takes place in Saudi Arabia. General Shariah principles provide for personal data protection rules which imply that employers should include provisions in employment contracts where the employee's consent is required for the employer to use or disclose the employee's data to 3rd parties, to the extent that such disclosures may be required.


Generally, employers are required to at least notify applicants of the purposes for which their personal data is being used in connection with the management and termination of employment and/or obtain their consent where collecting, using or disclosing their personal data.

However, under the PDPA, an employer is permitted to collect, use and disclose the employees' personal data for purposes of managing or terminating an employment relationship without the need to seek employee's consent, so long as the employee has been notified of the purposes of such collection, use and disclosure and/or provides their consent prior to such collection, use and disclosure. Further, employers may collect, use and disclose personal data without obtaining the employees' consent or notifying them where it is necessary for evaluative purposes, including the determination of the suitability or eligibility of an individual to whom the data relates for employment, continuance in employment or promotion.

Note that employers must seek consent for purposes that are not related to, or for the collection of personal data that is not relevant to, the management or termination of an employment relationship or that are not relevant for evaluative purposes, unless any other exception under the PDPA applies.

Slovak Republic

Covered by the national data protection laws and EU rules. Processing of personal data is generally unlawful except as allowed by the applicable legislation or based on consent of the individual. Special rules apply to data transfers outside the EEA.

In general, an employer may collect personal data about its employees which relates to their qualifications and professional experience, and other information which is relevant to the work carried out by the employees.

As of May 2018, Slovakia is subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for breach of personal data rules. In specific cases, also Act No. 18/2018 Coll. on Personal Data Protection, as amended, applies.

South Africa

The right to privacy is protected under the Constitution of the Republic of South Africa, 1996, the common law and the POPIA. Case law recognizes that the right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so. Personal information may be processed on the basis of one of the justifications for processing personal information under POPIA. These justifications include consent and where it is necessary for pursuing the legitimate interests of the responsible party or employer or 3rd party to whom it is disclosed.

South Korea

Under the PIPA, an employee is entitled to request the employer to allow access to, correct or delete their personal information. The PIPA requires an employer to obtain the consent of the individual employee when their personal information is obtained or provided to 3rd parties.


Spain is subject to the General Data Protection Regulation of the European Union (GDPR). The Spanish legislation that implements the GDPR is the Organic Law 3/2018 on data protection and guarantee of digital rights (Ley Orgánica 3/2018 de protección de datos y garantía de los derechos digitales). Employees must generally be notified of personal data processing. Consent should not be relied upon for processing employee’s data except in very extraordinary cases. Registration of databases with the Spanish Data Protection Commissioner (AEPD) is no longer required. Special rules apply to data transfers, even between companies belonging to the same group. Although authorization from AEPD to conduct international data transfers is now exceptional and monitoring email and internet use in the workplace and video surveillance at work have been eased and aligned with the GDPR, significant compliance requirements remain. International data transfers are subject to significant controls and adequacy requirements.


The General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") applies to the processing of employees' personal data. The employer must ensure that the principles relating to processing of employees' personal data are fulfilled (eg, that personal data shall be correct, adequate and relevant in relation to the purposes of the processing and may not be retained for a longer period than is necessary for the purposes of the processing); there must be a legal basis for the processing, such as performance of the employment agreement; and the employee must receive adequate information regarding the processing. Special rules apply to transfers of personal data outside the EU/EEA. Sweden has also issued national laws and regulations in addition to the GDPR including the Swedish Data Protection Act (2018:218) and the Data Protection Ordinance (2018:219), which regulates general aspects of data protection where the GDPR allows (eg, processing of personal identity numbers and processing of data relating to criminal convictions and offences). 


In general, employees should be notified of any processing of their personal data (and, in certain cases, give consent).. Special rules apply to data transfers outside of Switzerland. Significant restrictions on monitoring email and internet use.

Taiwan, Republic of China

The collection, processing and use of employee personal information is governed by the Personal Data Protection Act. The Act has notice and consent requirements that may be applicable to the collection, processing and use of employee information. This applies to cross-border transmission of the information or any use outside of the norms of a domestic employment relationship.

Under amendments to the Employment Service Act that came into force in late 2012, the amount of personal information that an employer may request from an employee or prospective employee has been severely restricted. Prohibited or restricted requests for personal information include physiological information (eg, medical tests and fingerprints), psychological information (eg, psychiatric tests and polygraph tests) and personal lifestyle information (eg, financial records, criminal records, family information/plans and background checks).


The Personal Data Protection Act B.E. 2562 (2019) (PDPA), the first law in the country relating to personal data,  came into force on June 1, 2022.  The legislation applies to the collection, use and disclosure of personal data used for non-personal objectives. The PDPA Committee was established to oversee the law’s implementation, including to issue subordinate regulations under the Act. As of this writing, the Committee has issued 9 regulatory ordinances under the Act.


Under Tunisian law, all people have the right to the protection of personal data related to their private life and this applies to both automated and non-automated treatment of data. Personal data is defined as information that directly or indirectly permits the identification of a physical person, except for data linked to public life or defined as such under the law. In general, any organization planning to process personal data must make a declaration of the data to be used to the National Authority for the Protection of Personal Data,. In addition, express written consent from the data subject is required in most cases, except for the consent of employees in the context of the processing of their personal data necessary for the performance of the employment contract.

Any transfer of personal data from Tunisia to another country requires the authorization of the National Authority for the Protection of Personal Data (INPDP).


Employees must be notified of personal data processing, and their prior written consent should be obtained (unless exceptions stipulated under the relevant legislation are present) for such processing and transfer of their personal data. Personal data should be processed:

  • In accordance with the law
  • In good faith
  • For definite, clear and legitimate purposes
  • In a relevant and measured manner

Data controllers (ie, individuals or legal entities that determine the purposes and means of processing personal data – for example, employers) are required to be registered with the Data Controllers Registry provided that they meet certain criteria.


The Data Protection and Privacy Act, 2019 was passed into law to supplement constitutional privacy protections under Article 27 of the Constitution of the Republic of Uganda. The Act regulates personal data collection, processing, use and disclosure, and applies to any person, entity or public body within or outside of Uganda who collects, processes, holds or uses personal data.

The Act requires an employer to obtain informed consent prior to collecting or processing an employee’s personal data. The Act permits processing or storage of personal data outside Uganda if adequate measures are in place in the country in which the data is processed or stored, at least equivalent to protections under the Act, or with the data subject’s consent.

Under the Data Protection and Privacy Regulations, 2021, every data collector, data processor or data controller must register with the Personal Data Protection Office. It is an offense to contravene this requirement.


In most cases, the processing of personal data requires the consent of the respective data subject. However, employers are allowed to process an employee's basic personal data without consent to the extent required to perform the employer's statutory obligations (eg, pay salary or statutory reporting).

Processing of sensitive data (eg, health status data, data related to religious beliefs or political views) is prohibited, unless the individual provides explicit consent or there is a statutory ground for processing these categories of data. The processing of sensitive data requires notification to the Ukrainian Parliament Commissioner for Human Rights.

Cross-border personal data transfers require documents such as an intercompany agreement on the transfer of data in addition to the data subject's consent.

United Arab Emirates

2021 saw a new data privacy law issued in mainland UAE, which borrows certain concepts from the GDPR.  Both DIFC and ADGM have their own data laws.

United Kingdom

The UK is subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which impose significant obligations and onerous sanctions for employers. Under this regime, it is extremely difficult for employers to rely on consent as a basis for processing employee data, and other legitimate grounds generally must be identified.

United States

Certain states restrict the use of employees' social security numbers for any identifying purposes. Medical information must be maintained separately from personnel files and kept confidential. Otherwise, employers generally are entitled to monitor or search corporate emails of their employees and internet traffic accessed by their computer systems, on the premise that employees do not have an expectation of privacy in the use of their employer's computer systems or corporate emails, especially with a policy that says so. Jurisdictions vary as to an employer's ability to search or monitor personal email addresses and websites accessed from an employer's computer or premises.

The California Privacy Rights Act (CPRA) (effective on January 1, 2023) eliminates the California Consumer Privacy Act's (CCPA) exemption for employee personal information, imposing new requirements on employers.

Some states have adopted biometric privacy laws that can include a variety of identifiers such as retina scans, fingerprints, voice recognition, and facial recognition. These laws may be implicated by various practices (eg, system login, facility access, clocking in and out). The Illinois Biometric Information Privacy Act (BIPA) allows for a private right of action and potentially significant damages for violations, while other state statutes authorize enforcement by the attorney general.

Other state or local laws may apply to other types of workplace surveillance (eg, location tracking, electronic monitoring) and are becoming more common.

State laws may provide for additional individual data rights, including data breach notifications, or obligations on businesses processing personal data.


Although there is no specific regulation regarding data privacy, employers have a general duty to uphold employees’ right to privacy and must observe the data protection principles determined by the Supreme Court (DP Principles).

The DP Principles apply to systems, registers or compilations of data that allow the creation of a complete or partial profile of an individual forming part of such system, register or compilation (in this case, an employee, for example). There is no clear outline of what a “complete or partial profile” involves.

This means that, in general, employee consent is required to process personal data. Venezuelan case law does not draw a distinction between forms of personal data. Therefore, there are no separate standards for the protection of sensitive data.

Pursuant to the DP Principles, employers must (i) inform the employee what data has been collected, (ii) inform the employee of the purpose(s) of the collection of their personal data, (iii) inform the employee who will be the final users of the data (ie, whether any third parties will have access to the data) and (iv) allow the employee to correct any erroneous data or delete any data that may be incomplete, inadequate or excessive in relation to the purpose(s) for which they were gathered (and this must be communicated to any third party who has been given access to the personal data).

Venezuelan law also provides for the protection of private communications, and employers have a strict obligation to keep employee health information and records confidential.


Vietnamese laws do not provide for a separate framework governing the concept of personal data in an employment context, but personal data provisions are provided under various laws – mainly the Civil Code, the Law on Protection of Consumer’s Rights, the Law on Cyber Information Security, the Law on Cybersecurity and decrees, and circulars (including but not limited to the new Decree No. 13/2023/ND-CP of the Government dated April 17, 2023 on personal data protection which provides further requirements and responsibility of the data controller, data processor and data controlling and processing party.

General data security requires any party to obtain the respective individual’s consent if their personal information is collected, processed, used or stored in any way. Consequently, this requirement will equally apply to employers when handling their employees’ personal data (ie, the employer must obtain the employee’s direct consent). In addition to obtaining the above consent from employees regarding their personal data, there are certain general obligations and standards that employers must adhere to when collecting, processing and using the personal data of the data subject (ie, the employee). These rules are predominantly rooted in Vietnamese data privacy laws mentioned above. In addition, Decree No. 13/2023/ND-CP stipulates the obligations of entities in relation to data processing. If an entity involved in collecting and processing personal data, it is required to formulate and promulgate regulations on personal data protection, appoint personnel to be responsible for sensitive personal data protection, check the network security for the system and the means and equipment for personal data processing before processing, irrecoverable deletion or destruction of devices containing personal data, etc. On a separate note, if an entity conducting data cross-border transfers, it must prepare an impact assessment dossier on cross-border personal data transfer available at all times for the inspection of Ministry of Public Security.