The Data Protection Act 2025 of Kiribat
February 2025
National Regulations
The Data Protection Act 2025 of Kiribati establishes a legal framework for the processing of personal data to safeguard individuals’ privacy while promoting the responsible use of data in the digital economy.
The Act governs the collection, use, and protection of personal data both within Kiribati and, in some cases, outside the country. It applies to both private and public entities, including government bodies and companies processing data related to individuals in Kiribati. Certain exemptions apply for personal, household, or national security purposes.
Key features:
- Data subject rights: Individuals have the right to access their data, request corrections or deletions, and withdraw consent. They are also protected from solely automated decisions that significantly affect them.
- Legal bases for processing: Data can only be processed under specific lawful grounds, such as consent, contracts, legal obligations, emergencies, or legitimate interests, among others.
- Controller obligations: Entities controlling personal data must process it lawfully, fairly, and transparently, ensure data minimisation and retention limits, and maintain data quality.
- Security measures: Strict data security requirements are imposed, including technical and organisational safeguards, encryption, and breach notification duties.
- Data breaches: Entities must report harmful breaches to the authorities and affected individuals.
- International transfers: Transfers of data outside Kiribati require adequate protection or specific legal bases such as consent or contractual necessity.
- Enforcement: The Digital Transformation Office (DTO) enforces the Act, with powers to investigate, issue orders, and impose fines. Offences can lead to significant financial penalties or imprisonment.
- Impact assessments: High-risk processing requires prior data protection impact assessments and, in some cases, approval from the DTO.
Broader aims:
The Act supports safe and fair digital development, encourages data protection best practices aligned with international standards, and facilitates Kiribati’s participation in the global digital economy.