Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
Article 6
Terms of Consent to Data Processing
- To be considered, the consent of the Data Subject to the processing of date shall require the
following:
a. The Controller shall be able to prove the consent of the Data Subject in the event that the processing of Personal Data is based on the consent of the Data Subject.
b. The Consent shall be prepared in a clear, simple, unambiguous and easily accessible manner, whether in writing or electronically.
c. The Consent shall include the Data Subject’s right to withdraw it easily - The Data Subject may, at any time, withdraw their consent to the processing of Personal Data. Such withdrawal of consent shall not affect the legality of the processing based on the given consent before withdrawing it.
FAQs
For consent to be valid under Article 6, it must be clear, unambiguous, freely given, and based on an informed and specific choice by the Data Subject. The Controller must ensure that the Data Subject understands the purpose of the processing and the nature of the data being collected. Consent must be expressed in a way that clearly indicates agreement, such as through a written, electronic, or verbal statement. Silence, pre-ticked boxes, or inactivity do not constitute valid consent.
Yes, Data Subjects have the right to withdraw their consent at any time. However, the withdrawal does not affect the legality of data processing that was carried out before the consent was withdrawn. This means any processing conducted while the consent was valid remains lawful. Controllers must document the timeline of consent and its withdrawal to demonstrate compliance.
Controllers are required to provide Data Subjects with a simple and accessible way to withdraw their consent at any time. The mechanism should be as easy as giving consent—such as through a settings panel, account management interface, or direct contact option. Upon receiving the withdrawal, the Controller must cease processing unless another legal basis applies (e.g., legal obligation or contract performance).