What Myanmar requires: data protection — statutes that apply today
Myanmar does not yet have a single Personal Data Protection Act akin to the EU GDPR or Singapore PDPA. Privacy and data-protection duties come from a patchwork of sources. A dedicated PDPA has been in draft / consultation but is not enacted as of 2026.
Filing | Deadline | Form | Authority
| Source | What it covers | Authority |
|---|---|---|
| Constitution of Myanmar (2008), Article 357 | Privacy of person, home, property, correspondence | Courts |
| Electronic Transactions Law (as amended) | Electronic data, fraudulent communications, certain offences relating to misuse of personal data | Ministry of Transport & Communications |
| Telecommunications Law | Confidentiality of telecom communications | MoTC / PTD |
| Banking, Health, Children Acts (sectoral) | Confidentiality of bank customer data, patient records, child data | Sectoral regulators |
| Penal Code (defamation, misuse) | Wrongful disclosure of private information | Courts |
| Employment contract / NDA | Contractual confidentiality | Civil enforcement |
Process — how data-protection duties work in practice
- Treat HR records as confidential by default; restrict access on a need-to-know basis.
- Include a confidentiality clause in every Employment Agreement and an NDA where appropriate.
- For health, banking, telecom data — apply the sectoral confidentiality rules in addition.
- Document third-party processor / cloud arrangements; require contractual safeguards.
- Watch for the Myanmar PDPA — if enacted it will introduce notification, lawful-basis, breach-notification, and DPO concepts.
Records and retention
| Record type | Retention duration | Reason |
|---|---|---|
| Personnel files | 7 years post-exit | ESDL 2013 |
| Confidentiality / NDA records | 7 years post-exit | Civil enforcement defence |
| Data-processing agreements | Life of contract + 7 years | Audit / dispute defence |
| Access logs (digital systems) | Per IT policy + 7 years | Breach investigation |
Employer takeaway
Myanmar's privacy regime is a patchwork of constitutional, sectoral, and contractual duties — there is no single PDPA as of 2026. Treat HR records as confidential by default, restrict access on need-to-know, and include confidentiality clauses in every contract. Watch the legislative pipeline — a comprehensive PDPA is under discussion. Retain HR records 7 years post-exit; OSH records 5 years.
Penalties for non-compliance
- Wrongful disclosure of personal information — civil damages and Penal Code liability.
- Electronic Transactions Law offences — fines + imprisonment in serious cases.
- Sectoral breaches (banking, telecom, health) — sectoral fines + licence consequences.
- Contract breach — damages and injunctive relief.
Common data-protection mistakes
- Treating Myanmar as "no privacy law" — sectoral and constitutional duties still apply.
- Sharing personnel files with line managers without need-to-know.
- Not having NDAs in place for senior or sensitive roles.
- Cloud-storing HR data overseas without contractual safeguards — see overseas cloud storage.
- See are HR records subject to data protection.
We publish practical, legally-grounded HR guidance for Myanmar employers. Each piece is reviewed by our compliance team against current MLIP and Labor Law requirements.