HR Insights · Myanmar

Are HR records subject to data protection law in Myanmar?

Yes — Myanmar HR records are protected via the Constitution, ETL, sectoral confidentiality rules, and contractual NDAs. No single PDPA yet.

QC
QHRM Content Team
HR & Compliance Editors
May 3, 2026
3 min read

What Myanmar requires: HR records and data-protection duties

Even without a single Personal Data Protection Act, Myanmar HR records are subject to data-protection duties. Sources include the Constitution (Article 357 — privacy), the Electronic Transactions Law, sectoral confidentiality rules (health, banking, telecom), the Penal Code, and contractual NDAs.

Filing | Deadline | Form | Authority

HR record categoryConfidentiality basisAuthority
Personnel file (CV, contract, performance)ESDL + contract + Penal Code defamationCivil + criminal courts
Salary / payroll recordsPayment of Wages Law confidentiality + Income Tax LawIRD audit / civil
Medical / sickness recordsSectoral health confidentiality + ETLHealth regulator + civil
Disciplinary / grievance recordsESDL + Penal Code defamationTownship labour office + civil
SSB IP recordsSocial Security Law 2012SSB + civil
Bank / payment account dataBanking confidentiality rulesBanking regulator

Process — how to handle HR data lawfully

  1. Limit access to HR records on a need-to-know basis (HR + line manager + payroll only where required).
  2. Include a confidentiality clause in every Employment Agreement.
  3. NDA for senior, technical, or sensitive roles.
  4. Use role-based access in HRIS / payroll systems with audit logs.
  5. For third-party processors (payroll bureau, cloud HRIS), execute a written processing agreement covering confidentiality, breach notification, and return / destruction at exit.
  6. Watch for Myanmar's PDPA — if enacted, expect notification, lawful-basis, and breach-reporting duties.
Download the Myanmar HR data-handling template Confidentiality clauses, access matrix, data-handling SOP. Used by 350+ Myanmar employers.
Get the template →

Records and retention

Record typeRetention durationReason
Personnel files7 years post-exitESDL 2013
Payroll / wage register7 yearsPayment of Wages Law / Income Tax Law
Confidentiality / NDA records7 years post-exitCivil enforcement
Access logs in HRISPer IT policy + 7 yearsBreach investigation
OSH (medical / training)5 yearsOSH Law 2019

Employer takeaway

Myanmar HR records are protected even without a single PDPA. Use need-to-know access, contractual confidentiality, and sectoral compliance for medical / banking / telecom data. Wrongful disclosure can attract civil damages, Penal Code liability, and Electronic Transactions Law penalties. Retain HR records 7 years post-exit (5 years for OSH), and document any third-party processor / cloud arrangements.

For HR teams handling sensitive personnel data
Never miss a Myanmar deadline. QHRM applies role-based access, audit logs, and retention timers — used by 350+ Myanmar employers.
Book a 15-min demo Start free trial

Penalties for non-compliance

  • Wrongful disclosure — civil damages + Penal Code liability.
  • Electronic Transactions Law offences — fines + imprisonment in serious cases.
  • Sectoral confidentiality breach (health, banking, telecom) — sectoral fines.
  • Contract breach — damages + injunctive relief.

Common HR data mistakes

  • Sharing personnel files with line managers who don't need them.
  • Sending payslips by unsecured email.
  • Not having a written processing agreement with payroll bureau.
  • Cloud-storing HR data overseas without safeguards — see overseas cloud servers.
  • See Myanmar's data protection regime.
Share this articleLast updated May 3, 2026
FacebookTwitterLinkedIn
QC
QHRM Content Team
HR & Compliance Editors · Yangon

We publish practical, legally-grounded HR guidance for Myanmar employers. Each piece is reviewed by our compliance team against current MLIP and Labor Law requirements.

More from the QHRM Blog

All articles →