Tilleke & Gibbins Lao Co., Ltd.
What law(s) specifically govern personal data / information?
Law on Electronic Data Protection No. 25/NA, dated May 12, 2017 (“The Law on Electronic Data Protection”)
Instruction on the Implementation of the Law on Electronic Data Protection No. 2126/MTC, dated August 8, 2018 (“The Instruction on the Implementation of the Law on Electronic Data Protection”)
Law on Electronic Transaction No. 31/NA, dated December 29, 2022 (“The Law on Electronic Transaction”)
Civil Code No. 55/NA, dated December 6, 2018 (“Civil Code”)
The Penal Code No. 26/NA, dated May 17, 2017 (“Penal Code”)
What are the key data protection principles in this jurisdiction?
In Laos, data protection is primarily governed by the Lao Civil Code and sector‑specific legislation, notably the Law on Electronic Data Protection and its implementation regulation.
The Lao Civil Code recognizes and defines certain fundamental rights of individuals, including the right to privacy. However, it does not provide detailed principles, compliance obligations, or enforcement mechanisms specifically applicable to personal data protection.
More detailed rules are set out under the Law on Electronic Data Protection, which regulates the collection, use, and disclosure of all forms of “electronic data,” including personal data. Under this law, electronic data is classified into three main categories:
- General data, which may be accessed, used, and disclosed without the consent of the data subject, provided that the source of the data is specified;
- Sensitive data, which includes, among others, financial information, curriculum vitae (CV) information, medical history, project plans, budget plans, and official trade secrets. The collection, use, or disclosure of sensitive data requires the consent of the data subject; and
- Prohibited data, which includes information relating to race, ethnicity, political opinions, religious beliefs, sexual behavior, criminal records, or other information that may affect national stability or public order. Prohibited data may not be electronically collected, used, or disclosed.
Overall, the data protection framework in Laos emphasizes data classification, consent requirements, and restrictions on certain categories of data, rather than a comprehensive principles‑based regime or role‑based obligations (such as controller and processor responsibilities) typically found in more mature data protection regimes.
What is the supervisory authority / regulator in charge of data protection?
The Ministry of Technology and Communications (“MTC”) has been designated by the Law on Electronic Data Protection to handle matters related to the protection of electronic data.
The Lao Computer Emergency Response Team (LaoCERT), under the MTC, is the frontline agency that receives reports of security breaches from individuals and legal entities operating in Laos, as well as complaints of offenses committed online.
Is there a requirement to register with a supervisory authority / regulator?
No.
Is there a requirement to notify the supervisory authority / regulator?
No.
Is it possible to register with / notify the supervisory authority / regulator online?
Not applicable.
What are the key data subject rights under the data protection laws of this jurisdiction?
The Law on Electronic Data Protection grants the data subject the following rights over any collected data:
- right to access;
- right to correct;
- right to stop the transfer; and
- right to delete the information.
Is there a requirement to appoint a data protection officer (or equivalent)?
No. Lao law does not require the appointment of a data protection officer or an equivalent role.
However, under the Law on Electronic Data Protection, the data administrator is required to designate a staff member or team responsible for managing data protection matters, particularly with respect to the security and safety of sensitive information. The law does not specify any formal requirements, qualifications, or expertise for such an officer or team, nor does it impose role‑based responsibilities comparable to those of a data protection officer under more developed data protection regimes.
For clarity, Article 3(14) of the Law on Electronic Data Protection defines a data administrator as an individual, legal entity or organization that has a duty of data protection work management, e.g., ministries, telecommunication service providers, internet service providers, and banks.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Lao data protection law does not expressly require data protection or privacy impact assessments in specific circumstances.
However, under Article 23 of the Law on Electronic Data Protection, the data administrator is required to conduct a risk assessment of the information system at least once a year.
This assessment focuses on system security and risk management, including monitoring access to data storage systems and implementing measures to protect against hacking, viruses, and other similar threats. While this requirement is not framed as a formal privacy or data protection impact assessment, it serves a comparable function in identifying and mitigating risks related to electronic data processing.
Does this jurisdiction have any specific data breach notification requirements?
Laos does not have a comprehensive or detailed data breach notification regime.
Article 26 of the Law on Electronic Data Protection requires a data administrator to notify LaoCERT in the event of an intrusion or electronic data breach, primarily for the purpose of obtaining technical support and assistance. The law does not require notification of affected data subjects, nor does it prescribe timelines, thresholds, or specific content requirements for such notifications.
What restrictions apply to the international transfer of personal data / information?
If data collected in Laos is to be transferred abroad, the data subject of the information must give consent.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
No, not expressly. The Lao Law on Electronic Data Protection does not provide for explicit extra‑territorial application.
According to Article 6, the law applies to individuals, legal entities, and organizations, whether domestic or foreign, that reside in or carry out activities within the Lao PDR. The provision does not extend the scope of the law to entities located outside Laos solely on the basis that they target Lao data subjects or offer goods or services from abroad.
Nevertheless, offshore companies may be subject to the law to the extent that their activities involve the collection, use, or disclosure of electronic data in relation to Lao citizens. Overall, the law does not establish a clear or comprehensive extra‑territorial framework comparable to those found in more developed data protection regimes.
What rules specifically deal with marketing?
Lao Law on Electronic Data Protection establishes general requirements governing the collection, use, and disclosure of electronic data, but it does not provide specific or standalone rules for marketing or advertising activities.
Accordingly, any individual or entity conducting marketing activities in Laos shall comply with the general data protection principles, including lawful processing, consent (where required), purpose limitation, and data security, to the extent that marketing activities involve electronic data.
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Lao data protection law does not contain specific provisions dedicated to electronic marketing. However, certain laws and regulations address aspects of electronic communications used for marketing purposes.
Under the Law on Electronic Transaction, electronic communications—including emails, messages, telexes, and other electronic means—are recognized as lawful methods for sending and receiving information. While this law does not regulate marketing content or practices specifically, it provides the legal framework for conducting communications electronically.
More specifically, unsolicited electronic marketing communications are regulated under the Decision on Protection of Consumers Using Telecommunications and Internet Services No. 1061, dated May 25, 2020. This decision restricts unsolicited commercial calls and messages by imposing limits on the permitted time periods, the number of communications per day, and the total number of communications per month per individual. It further requires marketers to obtain authorization through the relevant telecommunications or internet service providers, which are responsible for monitoring compliance and ensuring that such communications are made only by authorized persons.
What rules specifically deal with cookies?
Currently there is no specific law on cookies.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Pursuant to Article 49 of the Law on Electronic Data Protection, violation of this law may lead to the following penalties: re-education, warnings, fines and/or criminal penalties depending on the seriousness of the violation, as well as liability for civil damages incurred.
In addition, Article 52 of the Law on Electronic Data Protection imposes a specific administrative fine of LAK 15,000,000 (approximately USD 707) for certain prohibited acts, including:
- sending or transferring electronic data without the consent of the data subject;
- accessing, collecting, using, disclosing, or disseminating electronic data relating to the State, individuals, legal entities, or organizations without consent; and
- collecting, using, or disclosing prohibited data.
Further, privacy‑related violations may also trigger criminal sanctions under the Penal Code. Under Article 229, any person who unlawfully discloses confidential private information obtained in the course of their profession or official duties, or who unlawfully intercepts private communications, causing damage, may be subject to a fine of LAK 3,000,000 (approximately USD 142) to 10,000,000 (approximately USD 472) and/or imprisonment for a term of three to six months.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
If a multinational organization has a local presence in Laos and wishes to share personal data from individuals in Laos with its group overseas, the following requirements must be fulfilled:
- Consent: It is necessary to obtain consent from the data subjects for the transfer and sharing of their personal data with other entities overseas.
- Data Protection Security Measures: It is necessary to ensure that the receiving entities within the group have adequate data protection security measures in place, including compliance with encryption standards and other security protocols to protect the data.
- Purpose Limitation: The data must be used exclusively for the purposes for which it was originally collected.
- Data Subject’s Rights: It is necessary to ensure that the rights of the data subject are upheld, including the right to access; right to correct; right to stop the transfer; and right to delete the information.
What upcoming data protection developments should multinational organisations be aware of?
Currently, the MTC is considering revisions to the Law on Electronic Data Protection, which may incorporate principles inspired by more developed data protection regimes, such as the GDPR. Multinational organizations should monitor these developments, as future reforms may introduce enhanced compliance obligations, including clearer consent standards, data subject rights, and enforcement mechanisms.