Data Protection Rights in Kuwait
Reviewed by the Commoner Law Editorial Team. Sourced from Kuwaiti national legislation, Amiri decrees, and ministerial decisions. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards
What is this right?
Kuwait does not yet have a standalone data protection law — one of the gaps in its consumer framework — but several laws provide overlapping protections:
- The Constitution (Article 39) guarantees the privacy of communication — interception without a court order is illegal.
- The Cybercrime Law (Law No. 63 of 2015) criminalises unauthorized access to personal data, online identity theft, and unlawful surveillance — penalties include imprisonment.
- Banks and financial institutions must protect customer data under Central Bank of Kuwait (CBK) regulations.
- Telecom providers must protect subscriber data under the Communications and Information Technology Regulatory Authority (CITRA) rules.
- Sharing someone's personal information without consent is prosecutable under both the Penal Code and the Cybercrime Law.
- Kuwait is drafting a comprehensive data protection law but has not yet enacted one — unlike the UAE and Bahrain.
When does it apply?
- A company shared or leaked your personal data without your consent.
- You are receiving unsolicited marketing messages from a company you did not give permission to contact you.
- Your online accounts were breached due to a company's failure to protect your information.
What to Do If Your Personal Data Is Misused or Leaked in Kuwait
- Contact the company directly and demand they stop using or sharing your data.
- For telecom-related privacy issues, file a complaint with CITRA.
- For bank data breaches, report to the Central Bank of Kuwait (CBK).
- For online privacy violations, file a complaint under the Cybercrime Law at the Cybercrime Department of the Ministry of Interior or the nearest police station.
What should you NOT do?
- Do not share personal data online unnecessarily — only provide what is required for the transaction.
- Do not ignore data breach notifications — change your passwords and monitor your accounts immediately.
- Do not retaliate by exposing someone else's data — this is also a crime under the Cybercrime Law.
Common Questions
When does it apply — data protection rights?
A company shared or leaked your personal data without your consent.You are receiving unsolicited marketing messages from a company you did not give permission to contact you.Your online accounts were breached due to a company's failure to protect your information.
What should I do if a company in Kuwait has shared my personal data without consent?
Contact the company directly and demand they stop using or sharing your data.For telecom-related privacy issues, file a complaint with CITRA.For bank data breaches, report to the Central Bank of Kuwait (CBK).For online privacy violations, file a complaint under the Cybercrime Law at the Cybercrime Department of the Ministry of Interior or the nearest police station.
What should you NOT do — data protection rights?
Do not share personal data online unnecessarily — only provide what is required for the transaction.Do not ignore data breach notifications — change your passwords and monitor your accounts immediately.Do not retaliate by exposing someone else's data — this is also a crime under the Cybercrime Law.