1. Knowledge base
  2. Regulation updates

October 2023 - UAE, New Zealand, Singapore, Philippines and Quebec, Canada

In the latest release, we added new regulations, which became effective some time ago. Also, we released changes for Quebec, Canada, reflecting additional provisions of Law 25 becoming effective in September 2023.

United Arab Emirates 

On November 28th, 2021, the UAE Cabinet announced that it had enacted Federal Decree Law No. 45/2021 regarding the Protection of Personal Data (“Federal Decree Law No. 45”), which constitutes an integrated framework to ensure the confidentiality of the information and protect the privacy of individuals in the UAE. It provides data management and protection governance and defines the rights and duties of all parties concerned. 

Federal Decree Law No. 45 provides citizens of UAE with the following rights concerning their personal information: 

  • Right to access personal information processed about them and right to be informed about the processing;
  • Right to correct inaccurate personal information; 
  • Right to restrict and stop the processing;
  • Right to object to the processing and decisions resulting from automated processing. 

Additionally, Federal Decree Law No. 45 requires that personal information processing cannot occur without the consent of the subject of the data unless exceptions apply for information collected both offline and online, with the use of cookies or other technologies. With this release, your website visitors from UAE will be asked to opt in for cookie collection and will be able to submit a data subject request. 


New Zealand 

The Privacy Act 2020 took effect on December 1st, 2020. It strengthened privacy protection and enhanced the role of the Privacy Commissioner of New Zealand, along with a requirement to report a personal data breach and authority for a Privacy Commissioner to start investigative actions and issue penalties for non-compliance it provides New Zealand citizens with the following rights: 

  • Right to access information; 
  • Right to correct personal information; 
  • Right to dispute the sharing of personal information (under some circumstances). 

Organizations must comply with The Privacy Act and provide a notice when personal information is collected. However, it does not directly require the collection of consent for the placement of cookies. If you believe that you collect personal information from website visitors with the use of cookies, you shall clearly describe this in a Privacy Policy published on the website. 

Read more details about the Federal Decree Law No. 45 (UAE) and The Privacy Act of 2020 (New Zealand).



The Personal Data Protection Act (“PDPA”) is Singapore’s law governing how organizations collect, use, and disclose personal data. It was passed in October 2012 and has suffered various modifications over the years, the most recent being the Amendment Act of 2020. 

Unlike other data privacy laws across the globe, it has been considered a lighter law than, for example, the GDPR, to which it bears little resemblance. Be that as it may, with the Amendment Act, the penalties have been increased, data portability has been regulated, and imprisonment for criminal offenses has been added to the text of the law. 

The PDPA grants 4 rights to data subjects: 

  • Right to access; 
  • Right to correct;  
  • Right to data portability; 
  • Right to object/opt out.  

Notifying data subjects of the purposes and collecting their consent for personal data processing is required, including when personal information is collected via cookies. With this release, users visiting your website will be asked to provide consent for cookie placement and receive access to the above-listed request types. 

A detailed overview of the Personal Data Protection Act is available on our website. 



The Republic Act 10173, officially known as the Data Privacy Act of 2012 (“Republic Act 10173”), is the Philippines’s data privacy law, aiming “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth” while also ensuring “that personal information in information and communications systems in the government and the private sector are secured and protected.” The law became enforceable as of September 8th, 2012, and the regulating authority, the NPC, was established 4 years later, in 2016. As of September 9th, 2016, the NPC published ‘Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012,’ or the IRR, to help understand the requirements imposed on covered entities.  

Data subjects have the following access rights: 

  • Right to be informed; 
  • Right to object to the processing of his or her personal data, including processing for direct marketing, automated processing, or profiling;  
  • Right to Access; 
  • Right to Rectification; 
  • Right to Erasure or Blocking; 
  • Right to Data Portability. 

“While the inclusion of privacy policy is necessary to demonstrate adherence to the data privacy principle of transparency and uphold the right to information of the data subjects, the law does not provide for a specific format or approach for the personal information controller (PIC) or personal information processor (PIP) to adopt on how this should be properly manifested."

The Data Privacy Act does not require the use of cookie banners or consent for cookie placement. However, to stay compliant, companies are required to notify website visitors about the data collection and processing. 

For more information about the Data Privacy Act of 2012, we invite you to read our detailed overview here


Quebec, Canada 

Law 25, formerly Bill 64, or 'Act to modernize legislative provisions as regards the protection of personal information,' is Quebec’s modernized privacy law, the purpose of which  is “to establish, for the exercise of the rights conferred by articles 35 to 40 of the Civil Code concerning the protection of personal information, particular rules concerning personal information relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise.” Law 25 brings a significant reform to the Private Sector Act, imposing changes that are to become effective over a period of three years, starting September 2022. Organizations collecting personal information from Quebec residents must be aware of Law 25’s impact, as it is one of North America’s most stringent data privacy regulations.

Law 25 came into effect starting September 2022 and will be implemented over 3 years, with increased enforcement occurring with each passing year. Starting from September 2023, to ensure compliance with Law 25, with this release, website visitors from Quebec will be asked to opt in for the placement of cookies.

Just like with any other data privacy regulation, Law 25 grants individuals several data subject access rights, as follows: 

- Right to be informed; 

- Right to access;

- Right to rectification;

- Right to erasure; 

- Right to object/opt-out; 

- Right to data portability; 

- Right not to be subject to automated decision-making. 

We have updated the previously published Bill 64 overview on our website, which is now available under the name "Quebec Law 25


The Clym team continues working on expanding the number of regulations covered as we aim to facilitate your website's compliance, no matter where your customers are coming from. 

If you encounter any challenges, please reach out to us at support@clym.io.