What is the personal data protection law in Myanmar?
Myanmar does not have a single comprehensive personal data protection law on par with the GDPR. Privacy obligations come from the Constitution (Article 357), the Electronic Transactions Law, the Telecommunications Law, sectoral confidentiality rules, and contract / employment law. HR records remain subject to the duty of confidentiality and statutory retention; a dedicated PDPA is under development but not yet enacted as of 2026.
What Myanmar requires: data protection — statutes that apply today
Myanmar does not yet have a single Personal Data Protection Act akin to the EU GDPR or Singapore PDPA. Privacy and data-protection duties come from a patchwork of sources. A dedicated PDPA has been in draft / consultation but is not enacted as of 2026.
Filing | Deadline | Form | Authority
| Source | What it covers | Authority |
|---|---|---|
| Constitution of Myanmar (2008), Article 357 | Privacy of person, home, property, correspondence | Courts |
| Electronic Transactions Law (as amended) | Electronic data, fraudulent communications, certain offences relating to misuse of personal data | Ministry of Transport & Communications |
| Telecommunications Law | Confidentiality of telecom communications | MoTC / PTD |
| Banking, Health, Children Acts (sectoral) | Confidentiality of bank customer data, patient records, child data | Sectoral regulators |
| Penal Code (defamation, misuse) | Wrongful disclosure of private information | Courts |
| Employment contract / NDA | Contractual confidentiality | Civil enforcement |
Process — how data-protection duties work in practice
- Treat HR records as confidential by default; restrict access on a need-to-know basis.
- Include a confidentiality clause in every Employment Agreement and an NDA where appropriate.
- For health, banking, telecom data — apply the sectoral confidentiality rules in addition.
- Document third-party processor / cloud arrangements; require contractual safeguards.
- Watch for the Myanmar PDPA — if enacted it will introduce notification, lawful-basis, breach-notification, and DPO concepts.
Records and retention
| Record type | Retention duration | Reason |
|---|---|---|
| Personnel files | 7 years post-exit | ESDL 2013 |
| Confidentiality / NDA records | 7 years post-exit | Civil enforcement defence |
| Data-processing agreements | Life of contract + 7 years | Audit / dispute defence |
| Access logs (digital systems) | Per IT policy + 7 years | Breach investigation |
Employer takeaway
Myanmar's privacy regime is a patchwork of constitutional, sectoral, and contractual duties — there is no single PDPA as of 2026. Treat HR records as confidential by default, restrict access on need-to-know, and include confidentiality clauses in every contract. Watch the legislative pipeline — a comprehensive PDPA is under discussion. Retain HR records 7 years post-exit; OSH records 5 years.
Penalties for non-compliance
- Wrongful disclosure of personal information — civil damages and Penal Code liability.
- Electronic Transactions Law offences — fines + imprisonment in serious cases.
- Sectoral breaches (banking, telecom, health) — sectoral fines + licence consequences.
- Contract breach — damages and injunctive relief.
Common data-protection mistakes
- Treating Myanmar as "no privacy law" — sectoral and constitutional duties still apply.
- Sharing personnel files with line managers without need-to-know.
- Not having NDAs in place for senior or sensitive roles.
- Cloud-storing HR data overseas without contractual safeguards — see overseas cloud storage.
- See are HR records subject to data protection.
- Constitution of Myanmar (2008) — Article 357 (privacy)
- Electronic Transactions Law (as amended)
- Telecommunications Law
Related questions
Stop calculating PIT manually.
QHRM's payroll engine applies the latest Union Tax Law brackets, basic relief, and dependant allowances automatically.