
Global Data Privacy Guide

Nepal

(Asia Pacific) Firm Pradhan & Associates Updated 28 Aug 2025
1. What is the key legislation?

Nepal does not have comprehensive data protection legislation. Article 28 of the Constitution of Nepal, 2072 (2015 A.D.) recognizes privacy as a fundamental right and guarantees that the privacy of a person and of his or her residence, property, documents, data, correspondence and character shall be inviolable. Additionally, the National Civil Code 2074 (2017 A.D.) (“Civil Code”) and the National Criminal Code 2074 (2017 A.D.) (“Criminal Code”) also contain general provisions relating to privacy and data protection. However, the primary data protection legislation is as follows:
•    Statistics Act 2079 (2022 A.D.) (“Statistics Act”)
•    Statistics Regulation 2080 (2024 A.D.) (“Statistics Regulation”)
•    Individual Privacy Act 2075 (2018 A.D.) (“Privacy Act”)
•    Individual Privacy Regulation 2077 (2020 A.D.) (“Privacy Regulation”)
•    Data Center and Cloud Service (Operation and Management) Directives 2081 (2025 A.D.) (“DCCS Directives”)
•    Cyber Security Bylaws 2077 (2020 A.D.) (“Cyber Security Bylaws”)
•    Nepal Rastra Bank Information Technology Guidelines, 2012 A.D. (“NRB IT Guidelines”)

2. What are the key decisions applying that legislation?

The following judgments of the Supreme Court of Nepal constitute key precedents on matters relating to data protection:
Bhaktaram Ghimire et al. v. Government of Nepal [N.K.P. 2079, D.N. 11003]:
The Supreme Court held that it is unjustifiable for the personal details of the citizens of a sovereign, prosperous nation to be under the control of a foreign company or to be used at that company's discretion. The personal information of citizens must remain entirely confidential.
Baburam Aryal v. The Government of Nepal [N.K.P. 2074, D.N. 9740]:
The Supreme Court laid down that the right to privacy guaranteed by the Constitution is a fundamental right that may not be violated by the State or by third parties. The Supreme Court further ruled that, under the right to privacy, matters relating to a person's body, residence, property, documentation, data, communications, and character are inviolable, except as permitted by law. An organization or department that collects information and has undertaken the responsibility of safeguarding it must not use that information at its own discretion. Instead, such an organization or department must protect such a 'data bank' of information at any cost. The Supreme Court further laid down that such an organization or department must not allow unauthorized access to such a data bank, not even as an exception, in the absence of a clear legal basis.
Sapana Pradhan Malla v. Office of the Prime Minister and Council of Ministers et al. [N.K.P. 2064, 1208, D.N. 7880]:
The Supreme Court held that the right to privacy guaranteed by the Constitution must be protected. As an exception to this general principle, information relating to a person may be shared with third parties only where the prior consent of the person concerned has been obtained.
Roshani Poudel et al. v. Office of the Prime Minister and Council of Ministers et al. [N.K.P. 2077, 1232, D.N. 10526]:
The Supreme Court held that it is imperative to guarantee the right to privacy in order to protect people from discrimination and condemnation. Disclosure of the personal information of a person or citizen, except for a specific and legal purpose, violates the right against exploitation, the right against violence, the right to privacy, the right to live with dignity and the established jurisprudence that governs the right to non-discrimination on the basis of health, as well as international law, the Constitution, and the Privacy Act.

1. How are “personal data” and “sensitive data” defined?

§2(c) of the Privacy Act defines the term ‘personal information’ as any of the following:
•    caste, race, birth, origin, religion, color, or marital status of an individual;
•    education or academic qualification of an individual;
•    address, telephone number, or email address of an individual;
•    passport details, citizenship certificate, national identity number, driving license, voter identity card, or other identification card issued by any public body to an individual;
•    correspondence sent or received by an individual containing personal information;
•    fingerprints, palm lines, the retina of the eye, blood group, or other biometric information of an individual;
•    details of the criminal background, punishment, or sentence served by an individual for a criminal offense; and
•    views or opinions expressed by an individual in the capacity of a professional or an expert in a decision-making process.

Similarly, §27(2) of the Privacy Act defines “Sensitive Information” as follows:
•    caste, race, or origin of an individual;
•    political affiliation;
•    religious faith or belief;
•    sexual orientation or an event relating to one's sex life; or
•    particulars relating to property.

2. How is the defined data protected?

§26 and §33 of the Privacy Act, as well as Rule 10 of the Privacy Regulation, provide that personal information shall not be collected without informing the data subject of the purpose of the collection. Further, a data collector must set out the time of collection of the information, its content and nature, the objective of the collection, the method and process of verifying the information, and the assurance that the privacy of the collected information will be maintained and protected. Where a data subject is unable to consent to the data collection, either because he or she has not attained the age of majority or because of unsoundness of mind, consent may be provided on his or her behalf by a guardian or curator.
Additionally, §27(1) of the Privacy Act provides that a public body shall not process, or cause to be processed, any sensitive personal information remaining under its responsibility or control. In addition, the Privacy Regulation prohibits a person from publishing, or causing to be published, a personal document of an individual without his or her consent.

3. Who is subject to privacy obligations?

According to § 12(3) and (4) of the Privacy Act, no public body, corporate entity, or individual is permitted to use personal data beyond the purpose for which consent was originally obtained.
As such, the obligations under the Privacy Act apply broadly to any natural or legal person, including government bodies, private companies, and individuals, who collect, store, or process personal data.

4. How is “data processing” defined?

The key legislation does not explicitly define the term ‘data processing’. While related provisions address the collection, use, and protection of personal data, no specific legal definition of data processing is provided under the applicable legislation.

5. What are the principles applicable to personal data processing?

The major principles of data processing recognized under the applicable laws include:
Lawfulness: The collection, storage, analysis, processing, or publishing of personal information is prohibited except as authorized by law. Notwithstanding the foregoing, personal information may be collected, processed, and used after obtaining the consent of the individual. §8 of Statistics Act; §12(2), §23, §26 and §33 of Privacy Act; Rule 4 of Privacy Regulation
Principle of purpose limitation: A government agency or corporate body that collects or processes personal information with the consent of an individual must use that personal information only for the specific purposes for which it was collected. §13 of Statistics Act; §12(3) of Privacy Act
Accuracy principle: Where an individual submits an application to a public body to correct their personal data held under the responsibility, control, or protection of that body, together with sufficient evidence justifying the change, the public body must correct the information if it deems it necessary to do so. However, such correction is made only on request; there is no provision for automatic correction of personal data. §28 of Privacy Act
Principles of integrity and confidentiality: The applicable laws require public bodies to protect the personal information under their control and responsibility and to make proper arrangements against possible risks of unauthorized use, change, disclosure, publication, or transmission of such personal information. §10 of Statistics Act; §25 of Privacy Act

6. How is the processing of personal data regulated?

§26 of the Privacy Act allows personal information collected by a public entity to be processed or used upon obtaining the consent of the individual. Furthermore, §12(3) of the Privacy Act stipulates that such data may only be used for the specific purpose for which it was collected. As of now, no dedicated data protection authority or regulatory body tasked with the enforcement and administration of privacy and data protection laws has been formally established under the Privacy Act.
Under the Statistics Act, a Chief Data Officer acts as the administrative chief of the Statistics Office and as the data protection officer for matters arising under the Statistics Act.
Violations of the Privacy Act may result in both civil and criminal liability. Notably, §298 of the Criminal Code provides that the unauthorized collection, use, or disclosure of personal information, in particular any unauthorized access to, interception of, or transfer of notices, information, or correspondence through electronic means, is a punishable offence, with penalties of up to two years' imprisonment, a fine of up to NPR 20,000 (approx. US$200), or both.

7. How are storage, security and retention of personal data regulated?

Public bodies or corporate bodies that collect data shall not use such data for any purpose other than the purpose stated at the time of collection. Data storage must be conducted in accordance with specified standards and modern practices, facilitating easy transmission, reliable access, and long-term preservation without data degradation. §12 of Statistics Act

Furthermore, entities must avoid the unauthorized transmission or publication of stored personal data and must make appropriate arrangements against unauthorized access, unauthorized use, alteration, disclosure, publication and transmission of personal information. §25 of Privacy Act

Moreover, no one other than an official authorized under the law, or a person permitted by such an official, shall collect, store, protect, analyze, process or publish the personal information of any person. §23 of Privacy Act; Rule 10 of Privacy Regulation

The applicable laws do not prescribe a fixed retention period but impose a purpose limitation and prescribe that data must be retained only as long as necessary for the purpose for which it was collected. As such, the Nepalese legal framework regulates the storage, security, and retention of personal data through a combination of statutory safeguards, organizational obligations, and purpose-based limitations on data use and retention.

8. What are the data subjects' rights under the data legislation?

The major data subjects’ rights under the key legislation can be summarized as follows:
Right to be informed: The Statistics Act provides that a data collector must inform the data subject of the purpose of the data collection and of matters relating to privacy prior to collecting the data. Similarly, the Privacy Act provides that an officer who collects personal information is responsible for notifying the data subject of the purpose of the collection, the methods and processes used for handling the information, and matters relating to the protection of the collected data. As such, data subjects can seek clarity on how their personal information is being managed and safeguarded. §13(1) of Statistics Act; §23(4) of Privacy Act
Right of rectification: Where personal information held under the responsibility, protection or control of any public entity is either wrong or not based on fact, the individual has the right to file an application to correct that information. §28 of Privacy Act
Right to restrict sensitive data processing: Sensitive personal information cannot be processed without the explicit consent of the data subject. §27 of Privacy Act
Right to file complaints and seek compensation: In the event of a violation of an individual’s right to privacy, the individual may file a complaint before the concerned District Court for any damage, loss or injury caused. §30 and §31 of Privacy Act

9. What are the consent requirements for data subjects?

The consent of the data subject is a fundamental requirement for the lawful collection, use and processing of personal data in Nepal. The law recognizes informed, explicit and voluntary consent as a key mechanism for protecting the privacy rights of data subjects.
Requirement of Prior Consent: No personal information shall be used or processed without obtaining the consent of the data subject. Consent must be obtained before collecting or using personal data, and the individual must be informed of the purpose of the collection, the nature of the data being collected, the intended use or processing, and their rights relating to the data. §23 and §27 of Privacy Act
Further, Rule 10 of the Privacy Regulation reinforces that, even if permission to collect personal data is obtained from a government body, the individual’s consent is still required unless otherwise provided by law.
Nature of Consent: Consent must be explicit, informed and voluntary. The Privacy Regulation provides that written consent must be obtained from a data subject before their personal data stored in an electronic medium is disclosed or published. §5(2)(b) of Privacy Regulation
Similarly, the Statistics Act requires that the Data Office or governmental agencies or entities obtain written consent from an individual or their legal representative before disclosing or publishing their personal information to anyone other than authorized officers, or before using such personal information as evidence before any agency. §10(1)(b) of Statistics Act

10. How is authorization for use of data handled?

Authorization for the use of data is primarily governed by the Privacy Act, which requires that informed consent be obtained from individuals prior to the collection, processing, or use of their personal data. Consent must be explicit, informed and voluntary. §12, Privacy Act

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

The Privacy Act and the Privacy Regulation do not contain provisions for the cross-border transfer of data. However, under the Privacy Act, the transfer of personal data outside Nepal requires the specific consent of the individual. §12, Privacy Act

12. How are data "incidents" and "breaches" defined?

The applicable laws do not provide an explicit definition of incidents or breaches. However, the provisions relating to unauthorized access, disclosure, or use of personal information may implicitly encompass such occurrences.

13. Are there any notification requirements for incidents and/or data breaches?

The Privacy Act does not explicitly provide for a notification requirement upon a breach of data. However, in the context of data centers and cloud service providers, the DCCS Directive mandates that service providers report any unauthorized access to the relevant regulatory authority and to the National Cyber Security Centre. Likewise, customers are required to promptly notify the service provider upon detecting any unauthorized access. §§7(6) and 8, DCCS Directive

14. Who is/are the privacy regulator(s)?

The Privacy Act does not designate a single, specific regulatory authority to oversee privacy-related matters. However, the following authorities can be considered key regulators depending on the context and sector involved:
•    Nepal Police Cyber Bureau – for investigating cybercrimes and privacy breaches.
•    Department of Information Technology – for policy-level oversight and coordination on digital privacy matters.
•    Nepal Rastra Bank – for enforcing data protection and privacy regulations within the financial sector.
•    Nepal Telecommunications Authority – for monitoring and regulating data privacy in the telecommunications sector.
•    National Statistics Office – for monitoring the collection of national-level data.

15. What are the consequences of a data breach?

A data breach constitutes a violation of §12(4) and §26 of the Privacy Act, which govern the lawful use and processing of personal information. Pursuant to §29 of the Privacy Act, such a violation may result in imprisonment for a term not exceeding three years, a fine of up to thirty thousand rupees, or both.
In addition to the criminal penalties, §31 of the Privacy Act provides for civil remedies. If a data breach causes any form of damage, loss, or injury to an individual, the affected person (or victim) has the right to file a complaint before the concerned District Court to seek compensation for such damage, loss or pain.

16. How is electronic marketing regulated?

Electronic marketing in Nepal is regulated by the Advertisement Act and the Advertisement Regulation. The Advertisement Act defines “advertisement” broadly to include any promotional content disseminated through electronic media, including online platforms, websites, and social media.
According to §9 and §12 of the Advertisement Act, all advertisements must clearly state the name, address, and other relevant details of the advertiser. If such information is not provided and the advertiser cannot be identified, responsibility for the content lies with the publisher.
§10 of the Advertisement Act prohibits the sending of advertisements via email or SMS without the prior consent of the recipient. The Advertisement Act empowers the Advertisement Board to regulate the timing and duration of advertisements broadcast through electronic media. Additionally, local governments and the Provincial Ministry of Information and Communication are authorized to monitor advertisements and take action against those that violate the Advertisement Act or its regulations.
Finally, §25 of the Advertisement Act provides for penalties, stating that any violation of the above-mentioned provisions may result in a fine of up to NPR 100,000 (approx. US$800).

17. Are there sector-specific or industry-specific privacy requirements?

There are no comprehensive industry-specific privacy requirements; however, privacy matters are addressed in the following sector-specific legislation:
E-Commerce: Businesses engaged in e-commerce are required to maintain the confidentiality of the personal information and identifiable details of individuals involved in electronic transactions. Moreover, users must be allowed to access, modify, or deactivate their personal data on the platform. §12, E-Commerce Act 2081 (2025 A.D.) (“E-Commerce Act”)
Data Center and Cloud Service Provider: Service providers are under an obligation to ensure security for all users, control unauthorized access, report breaches, and take corrective actions. In order to comply with international standards, service providers must appoint a compliance officer or partner with an authorized institution. Service providers are required to submit annual details to DOIT and must also conduct security audits annually. §7, DCCS Directive
Telecommunication Service Provider: The Cyber Security Bylaws outline data security measures for licensees, specifically telecommunications service providers licensed by the Nepal Telecommunications Authority (“NTA”). These measures include:
•    Use of encryption techniques for data in transit;
•    Use of data masking, anonymization, or encryption for customer data at rest; and
•    Non-Disclosure Agreements (NDAs) with employees and vendors. §§50, 51 and 52, Cyber Security Bylaws
Bank: The NRB IT Guidelines published by NRB require banks to have a data security policy and procedure in place to ensure the security of data stored or transmitted electronically. This should cover, among other things, appropriate data disposal procedures, storage of data on portable devices, security of media while in transit or in storage, physical and environmental control of storage media, and encryption of customers' critical information when it is transmitted, transported, or delivered to other locations. §2, NRB IT Guidelines

18. What are the requirements for appointing Data Protection Officers or similar roles?

Under the current legal framework, there is no mandatory requirement for private entities to appoint a Data Protection Officer (DPO), except in the case of Data Centers and Cloud Service Providers, as outlined in response to Question No. 17.

19. What are the record-keeping and documentation obligations?

The applicable laws do not explicitly impose obligations of record-keeping and documentation. Nonetheless, §25 of the Privacy Act imposes an obligation upon public entities that collect or process personal information, to protect personal information and also to make necessary arrangements for the protection of personal information against unauthorized use, tampering, disclosure, publication, or transmission.  

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

The NRB IT Guidelines require banks to conduct periodic risk assessments, at least annually, for each asset that could potentially affect the confidentiality, integrity, or availability of the bank’s information. (§2(2), NRB IT Guidelines) However, apart from this requirement under the sector-specific regulatory framework, the applicable laws do not specifically mandate the conduct of Data Protection Impact Assessments (DPIAs).
As such, while risk assessment obligations exist for regulated entities in the banking sector, there is no general legal requirement for DPIAs under Nepalese data protection law at this time.

21. What are the requirements for third-party vendor management and data sharing?

§52 of the Cyber Security Bylaws requires telecommunications service providers to enter into a Non-Disclosure Agreement (NDA) with third-party vendors. The NDA must explicitly prohibit the copying, reproduction, distribution, or sale of digital data without prior consent. However, these Bylaws apply exclusively to the telecommunications sector and do not extend to entities operating in other industries.
Outside of this sector-specific requirement, there are no comprehensive or cross-sectoral legal provisions under the applicable Nepalese laws that regulate third-party vendor management in a uniform manner.
Nevertheless, the transfer of personal data with any third party, whether domestic or international, requires specific consent from the data subject. §12(2), Privacy Act.

22. What are the penalties and enforcement mechanisms for non-compliance?

A person who commits an offence under the Privacy Act is liable to imprisonment of up to three years or a fine of up to NPR 30,000 (approx. US$230), or both. §29, Privacy Act. If a person suffers damage, loss, or injury due to an offence under the Privacy Act, they may file a complaint with the District Court for compensation. If the Court deems it necessary, it will order the offender to pay reasonable compensation to the victim. §31, Privacy Act
Similarly, a person who commits any offence specified in the Statistics Act is liable to imprisonment of up to one year or a fine of up to NPR 40,000 (approx. US$300), or both. §26, Statistics Act
The Government of Nepal acts as the plaintiff in cases under the Statistics Act and under certain provisions of the Privacy Act, including but not limited to collecting or using personal data without consent and processing sensitive information without authorization. §29, Privacy Act; §28, Statistics Act

23. What are the ongoing compliance and audit requirements?

The Statistics Act imposes an obligation on government agencies and other entities, including private organizations, to obtain prior approval from the National Statistics Office before collecting or publishing data that reflects information at the national level. Additionally, such data must be certified by the National Statistics Office prior to its publication or use. §§ 8(1), and 9, Statistics Act 
The Privacy Act requires informed consent from individuals before their personal data can be collected. §12(2) and 23(4), Privacy Act
Furthermore, §7(8) of the DCCS Directive mandates that data centers and cloud service providers must conduct a security audit of their infrastructure at least once per year. Other than this obligation, the applicable legal framework does not impose any additional specific requirements concerning ongoing compliance or periodic audits.

24. Are there any recent developments or expected reforms?

On June 11, 2025, the Ministry of Communication and Information Technology introduced the Information Technology and Cyber Security Bill 2082 (2025 A.D.) (“IT Bill”) in the House of Representatives of the parliament. The IT Bill aims to develop, promote, and regulate information technology, including electronic records, digital signatures, cyberspace, and various aspects of cyber security. An earlier Information Technology and Cyber Security Bill (“IT Bill 2019”) was introduced in the parliament in 2075 (2019 A.D.) but was later withdrawn by the government. The IT Bill will come into effect immediately upon its passage by both Houses of Parliament and subsequent certification by the President. The legislative process is expected to take approximately six months to one year.
Key changes in the IT Bill include:
a.    Establishment of the National Cyber Security Center (NCSC):
The NCSC will serve as a digital forensic laboratory, be responsible for licensing Cyber Security Service Providers and Cyber Security Auditors, and carry out their annual oversight and monitoring. §§46 and 47, IT Bill

b.    Obligations for Critical Information Infrastructure (CII) Owners:
CII owners are required to provide the NCSC, upon request, with information relating to the design, configuration, and security of their infrastructure and connected systems, unless prohibited by existing laws. They must also conduct at least one security audit annually through an approved cyber security auditor and submit the report to the NCSC. In the event of a cyber security incident affecting CII or its connected systems, the CII owner must immediately report the event to the NCSC. §§56 and 57, IT Bill

c.    Data Retention and Destruction Requirements:
Personal data collected for a specific purpose must be securely destroyed within 35 days after the purpose has been fulfilled. §61, IT Bill

d.    Data Localization and Security:
Government, public sector, financial, and health institutions are required to encrypt sensitive data and store it securely within Nepal. §62, IT Bill

e.    Penalties for Violations:
•    Unauthorized access, transmission, or alteration of data for personal gain (§81, IT Bill): up to three years' imprisonment or a fine of up to NPR 500,000 (approx. US$3,650), or both.
•    Damage to or obstruction of electronic data (§82, IT Bill): up to three years' imprisonment or a fine of up to NPR 300,000 (approx. US$2,200), or both.
•    Breach of privacy or unauthorized collection/disclosure of personal information (§86, IT Bill): up to two years' imprisonment or a fine of up to NPR 300,000 (approx. US$2,200), or both.
