Data & Privacy · Iran
Data & Privacy - Iran
Iran has no single comprehensive (GDPR-style) personal-data-protection law in force; data protection relies on a patchwork of sector-specific provisions in its E-Commerce and Computer Crimes laws plus constitutional privacy guarantees. A comprehensive Personal Data Protection and Safeguarding Draft Act was prepared in 2018 (an earlier bill was withdrawn in 2015) but remains unenacted with no clear timeline. There is no independent, operational data-protection supervisory authority today; the draft would create a Data Protection Commission chaired by the ICT Minister, whose independence has been criticized.
Iran has not enacted a unified personal-data-protection statute; protection depends on fragmented provisions across several laws rather than a dedicated framework.
Contains a chapter on the protection of personal data in electronic transactions, restricting collection/processing and storage of personal 'data messages' without consent.
Criminalizes unauthorized access to, interception of, and unlawful dissemination of personal/computer data, providing indirect data-security protection.
The 'Personal Data Protection and Safeguarding Draft Act' (prepared 2018 by the ICT Ministry and Parliament's Research Center; an earlier bill was withdrawn in 2015) draws on GDPR principles but has not been ratified and has no clear timeline for passage.
There is currently no operating data-protection authority. The draft would establish a Personal Data Protection Commission chaired by the Minister of Communications and ICT, alongside a supervisory council; critics note its government-dominated composition undermines independence.
Constitution Article 25 protects privacy of correspondence/communications, and the 2016 Citizens' Rights Charter affirms privacy and data rights, but the Charter is a non-binding policy document, not enforceable legislation.
Machine-assisted translation · verified 5/25/2026 · orientation, not legal advice. English version →