Financial Crime World

Here is the rewritten article in markdown format:

Data Protection in Myanmar: Key Definitions and Principles

====================================================

Key Definitions

In order to understand data protection in Myanmar, it’s essential to know the key definitions related to personal data. Here are some of the most important ones:

  • Data controller: A person and its staff authorized by a Government department, or an entity having the power to collect, store, and use personal data according to the provision of the Electronic Transactions Law.
  • Personal data: Any information that relates to an identified or identifiable living individual.

The applicable law does not define health data, biometric data, pseudonymization, or sensitive data. It’s crucial for entities handling personal data to understand these concepts and ensure they are compliant with the law.

In Myanmar, the legal bases for data processing are limited. The only applicable basis is:

  • Consent (Section 27-A(ii) of the Electronic Transactions Law): The PDA shall seek the consent of the owner of data before any transfer.
  • Other legal obligations, interests of the data subject, public interest, and legitimate interests of the data controller are not applicable.

Principles for Data Protection

The Personal Data Act (PDA) in Myanmar requires that personal data be managed systematically in accordance with law and by degree of type and security. This principle is outlined in Section 27-A(i) of the Electronic Transactions Law.

Controller and Processor Obligations

Data controllers and processors have several obligations to ensure compliance with the law:

  • Data transfers: The PDA shall seek the consent of the owner of data before any transfer.
  • Data retention: The PDA shall destroy personal data when the designated period collected with the intention to be used is expired.

Data Subject Rights

While data subjects have several rights in other jurisdictions, the law in Myanmar does not provide for the following rights:

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to object/opt-out
  • Right to data portability
  • Right not to be subject to automated decision-making

Penalties for Breaches of Personal Data

Failure to comply with the law can result in severe penalties. Here are some examples:

  • A PDA who fails to manage personal data shall, on conviction, be punished with imprisonment for a term which may extend from a minimum of one year to a maximum of three years, or a fine not exceeding MMK 10 million (approx.$4,766), or both.
  • Whoever commits, acquires, discloses, uses, destroys, alters, distributes, sends to any other person, or misuses the personal data of any person without the permission of such person shall, on conviction, be punished with imprisonment for a term which may extend from a minimum of one year to a maximum of three years, a fine not exceeding MMK 5 million (approx. $2,383), or both.

These penalties demonstrate the importance of complying with data protection laws in Myanmar.