Data Privacy and Personal Data Protection Bangladesh: What the Law Says
By Advocate Md. Shah Alam · 2026-04-10 · 7 min read
⚠️ Legal Disclaimer: This article provides general legal information only and does not constitute legal advice.
For advice specific to your situation, consult Advocate Md. Shah Alam directly at +880 1712-655546.
As Bangladesh increasingly moves toward a digital economy, personal data — from medical records to financial information to online activity — is being collected and stored at an unprecedented scale. Bangladesh's legal framework for data privacy is still developing, but existing DSA provisions and international principles already provide important protections. This guide explains your rights.
What is Personal Data Under Bangladesh Law?
Personal data refers to any information that can identify a living individual — directly or indirectly. This includes:
Biometric data (fingerprints, facial recognition).
Online identifiers — IP addresses, browsing history, cookies.
Location data.
If your personal data has been improperly collected, shared, or exposed, a cyber law lawyer in Dhaka can advise on your remedies.
DSA Provisions Relating to Data Privacy
While Bangladesh has no standalone data protection law yet, the DSA provides some protections:
DSA Section 19 (Unauthorized Access): Accessing a system to obtain personal data without permission is a criminal offence — up to 14 years.
DSA Section 23 (Identity Information): Wrongfully collecting, selling, or using another person's identity information for fraudulent purposes — up to 5 years and BDT 5 lakh fine.
DSA Section 24 (Identity Theft): Using another person's identity information without permission — up to 5 years and BDT 5 lakh fine.
Additionally, certain sector-specific rules apply: Bangladesh Bank guidelines govern financial data, the Health sector has separate patient data obligations, and telecom providers are bound by BTRC (Bangladesh Telecommunication Regulatory Commission) rules on subscriber data.
What is a Data Breach and What Are Your Rights?
A data breach occurs when personal data is accessed, disclosed, or lost without authorisation — through hacking, employee misconduct, or poor security. If you are affected by a data breach in Bangladesh, you can:
File an FIR if the breach was the result of hacking (DSA Section 19).
File a complaint with relevant sector regulators (Bangladesh Bank, BTRC, etc.).
File a civil suit against the organisation responsible for negligently failing to protect your data, claiming damages for any harm caused.
Seek an injunction to prevent further use or distribution of the breached data.
The Proposed Bangladesh Data Protection Act
Bangladesh has been developing a dedicated Data Protection Act (DPA) — modelled on international frameworks including the EU's GDPR. Key anticipated provisions include:
Explicit consent requirements before collecting personal data.
Right to access your own data held by organisations.
Right to correct inaccurate data.
Right to request deletion of data (right to be forgotten).
Mandatory data breach notification obligations on organizations.
As of 2025, the DPA is in draft stage. Organisations operating in Bangladesh should begin preparing compliance frameworks now. Contact Advocate Md. Shah Alam in Uttara for guidance on current DSA-based data protections and emerging DPA compliance.
Frequently Asked Questions
Can I demand that a company delete my personal data in Bangladesh?
Under current law, there is no explicit statutory right to deletion (right to be forgotten). However, you can demand under contract law or in some cases invoke general legal principles if data was collected without valid consent or is being misused. This right is expected in the upcoming Data Protection Act.
What should I do if my NID data was leaked?
Report it to the Election Commission Bangladesh (which manages NID data) and the relevant national cybersecurity authority. You can also file an FIR if you can identify the source of the breach as criminal (unauthorized system access). Monitor your accounts closely for identity theft.
Is selling a customer database illegal in Bangladesh?
Selling identity information for fraudulent use is currently covered by DSA Section 23. More general restrictions on data selling are expected in the upcoming Data Protection Act. Currently, sector-specific rules apply (e.g., telecom subscriber data cannot be sold under BTRC rules).
Need Legal Help in Bangladesh?
Contact Advocate Md. Shah Alam: +880 1712-655546 |
WhatsApp
Uttara Chamber: House 46, Road 6/B, Sector 12, Uttara, Dhaka-1230
Court Chamber: Ainjeebi Samity Bhaban, 4th Floor, 6/7 Court House Street, Kotwali, Dhaka-1100