Circular 18/2025
P.O. Box 1103 | Telegraphic Address: Central Bank of Libya - Tripoli - Libya
Reference: 804 / ( )
Circular No. 18/2025
Date: 6 Muharram 1447 AH
Corresponding to: July 1, 2025
To: General Managers of Banks
General Managers of Specialized Banks (Development, Agricultural, Rural, Savings, Real Estate Investment)
Al-Mu'amalat Financial Services Company
Licensed E-Payment Companies by the Central Bank of Libya
Greetings,
Subject: "Data Protection System and Implementing Regulation for Data and Information Protection in the Banking Sector"
Based on the provisions of Law No. (1) of 2005 on Banks and its amendments, and Anti-Money Laundering and Counter-Terrorist Financing Law No. (1013) of 2017, and the supervisory and regulatory role exercised by the Central Bank of Libya over all banks operating in Libya in accordance with the law.
And referring to Circular No. (10/2024) dated May 19, 2024, which forwarded AML/CFT controls to e-payment companies.
And to Circular No. (21/2024) dated December 4, 2024, regarding taking necessary measures to activate bank cards on e-commerce platforms and facilitate contracting with platform owners on the internet, according to required information security standards.
And to Circular No. (7/2025) dated February 20, 2025, emphasizing the necessity of notifying prepaid card owners not to lend issued cards to others to prevent use in suspicious activities related to AML/CFT.
And to Circular No. (8/2025) dated March 3, 2025, regarding fraud prevention and ATM security and safety requirements.
Therefore, we forward to you the Data Protection System and the Implementing Regulation for Data and Information Protection in the Banking Sector, for implementation according to the application mechanism outlined in the Regulation.
Peace be upon you.
Abdulmajid Muhammad Al-Maqouri
Director of Banking and Currency Control Department
Copies to:
- Mr. Governor
- Mr. Deputy Governor
- Mr. Director of Research and Statistics Department - Central Bank of Libya
- Mr. Director of Libyan Financial Information Unit - Central Bank of Libya
- Mr. Director of Information Technology Department - Central Bank of Libya
- Mr. Director of Accounts Department - Central Bank of Libya
- Mr. Deputy Director of Banking and Currency Control Department
- Mr. Deputy Director of Banking and Currency Control Department for Office Supervision and Compliance Follow-up
- Mr. Deputy Director of Banking and Currency Control Department for Banking Supervision - Benghazi
- General Managers of Compliance Units at Banks
- Banking and Compliance Finance Follow-up Department
Ref: K/N/M Iyad / 0 / Circular 2025
Implementing Regulation for Personal Data Protection
Chapter One: General Provisions
Article (1) Definitions
In the application of the provisions of this System, the following words and phrases shall have the corresponding meanings unless the context indicates otherwise:
- Competent Authority: The Central Bank of Libya.
- Financial Institution: The entity licensed by the Competent Authority to maintain accounts and/or grant credit and/or deal in financial transfers or electronic payments.
- E-Payment Service Provider: The entity licensed by the Competent Authority to provide electronic payment services.
- Electronic Data: Data and information with electronic characteristics in the form of texts, symbols, sounds, graphics, images, computer programs, or other forms relying on electronic representation.
- Personal Data: Any statement that leads to identifying an individual specifically, or makes identification possible directly or indirectly. Examples include: name, national ID number, family book number, family registration number, phone number, address, personal ID number, personal photos, personal document photos, email, residence permit for foreigners, and other data of a personal nature.
- Corporate Data: Data relating to legal entities, whether public or private, such as: customer number, account number, account balance, account transactions, statistical code, articles of association, commercial register, commercial license, advertising message, ownership structure.
- Financial Data: Customer number, account number (local or international), account balance, account transactions, bank card data (local or international), credit data, e-wallet data, remittances, payment data (whether payer, payee, or payment method), ledger numbers. Any personal information linked to corporate data, such as employee or staff contact details, must be handled in accordance with personal data protection provisions.
- Credit Data: Any statement about an individual or legal entity concerning their request for, or receipt of, financing from a financing entity, including any data related to their ability to obtain credit, repay it, and their credit history.
- Data: Includes personal data, corporate data, financial data, and credit data.
- Sensitive Data: A special category of personal data requiring additional protection due to its sensitive nature and high risks associated with its processing. Examples include, but are not limited to: health data, genetic data, biometric data.
- Data Subject: The individual to whom the personal data relates.
- Legal Guardian: The person who represents a minor or legally incapacitated person in court and acts on their behalf in all legal acts and financial transactions.
- Funds: Assets or properties of any kind, whether material or immaterial, tangible or intangible, movable or immovable, regardless of the method of acquisition, and all rights related to them, and all documents or records proving ownership or a share therein, regardless of form, including electronic or digital documents. Examples include, but are not limited to:
  - Cash in local and foreign currencies, virtual and electronic currencies, and bank account balances.
  - Commercial papers.
  - Bank credits.
  - Traveler's checks.
  - Financial remittances and securities such as shares, bonds, letters of credit, collection documents, and insurance policies.
  - Promissory notes.
- E-Wallet: An account containing electronic money value owned by the customer at e-payment companies.
- E-Payment Systems: A set of software, arrangements, operating procedures, information systems, and communication networks prepared for payment, transfer, clearing, or settlement of funds in any currency. They are divided into:
  - Retail payment systems.
  - High-value payment systems.
  - Securities settlement systems.
  - Financial transfer and foreign exchange systems.
- Payment Instruments: Any tool enabling the user to obtain funds, goods, and services, or to carry out payment and fund transfer operations.
- E-Payment Services: Services related to managing electronic money, i.e., amounts traded electronically, as well as services related to issuing and managing any prepaid payment instruments, or any other activities involving obtaining funds, goods, and services that the Competent Authority decides to subject to these instructions via special orders issued for this purpose.
- Electronic Money: Monetary value owed by the issuing party, stored electronically, magnetically, or by any other means, issued against receiving real cash deposited in settlement accounts at commercial banks to execute electronic payment operations, and serving as an accepted payment method in Libya.
- Electronic Financial Card: A physical or virtual electronic medium used in withdrawal, deposit, or electronic payment operations using the information network or IT means.
- Encryption: The process of converting electronic data into unknown or incomprehensible codes that cannot be read or identified without reverting them to their original form.
- Publication: Broadcasting any personal data through a readable, audible, or visual medium.
- Legal Document: A document clarifying the data subject's rights, which can be paper-based or electronic.
- Official Communication Channels: Channels used for communication between the data subject and the financial institution, including authenticated email, the financial institution's electronic portal, and the data subject's personal visit to the institution's headquarters.
Article (2) Objective of the Regulation
The provisions of this Regulation aim to establish the necessary controls, conditions, and procedures to implement the Data Protection System issued by the Central Bank of Libya, ensuring transparency and fairness in data processing, enhancing trust in financial transactions, and achieving a balance between legitimate interests and individuals' rights to privacy protection.
Article (3) Scope of Data
The Regulation clearly defines the data falling under the System's scope, which includes personal data, corporate data, financial data, credit data, and data derived from these. Institutions may also include any data they deem particularly sensitive and requiring additional protection within the System's scope to raise the institution's data protection level.
Article (4) Scope of Application
The provisions of this Regulation apply to all financial institutions stipulated in the System, serving as a detailed reference for determining practical procedures and obligations, including data types collected, processed, and stored, especially sensitive data requiring additional protection. These institutions include:
- Central Bank of Libya.
- Libyan Banks.
- Branches and offices of foreign banks and financial service companies operating in Libya.
- E-payment companies.
- Financial exchange companies.
- Institutions or companies granting credit.
- Leasing companies.
The Competent Authority may add any additional institutions in the future.
Article (5) Right to Collect Data
First: The financial institution must provide a legal document to the data subject clarifying the purpose of data collection, the method of collection and processing, their rights, and the official communication channels they can use to contact the financial institution.
Second: The institution must classify the data it intends to collect as basic or additional data.
Basic data is mandatory: the service cannot be provided to the data subject without it. Additional data assists the institution in its operations, but the service can be provided without it, so its provision by the data subject is optional.
Third: The institution cannot condition the provision of services on the data subject providing data unless classified as basic data without which the service cannot be provided.
Chapter Two: Data Collection
Article (6) Steps of Data Collection
The institution must prepare a data collection form specifying the type, purpose, and mandatory/optional status. Collection must be documented via immutable electronic records containing:
- Purpose of data collection.
- Name of the employee responsible for data collection.
- Description of the data being collected.
- Data subject's signature.
- Date and time of data collection.
- Data collection channel.
Article (7) Data Collection Channels (Official Channels)
Data collection is conducted via:
- Personal visit by the data subject directly, or by their legal guardian, without an intermediary to the institution's headquarters or one of its branches.
- The institution's electronic portal.
- Authenticated email.
A method of communicating with the data controller must be specified for any data-related requests, and the electronic communication means used must be secure and reliable.
Article (8) Consent Methods
Explicit consent that is prior, free, specific, unambiguous, and provable upon request must be obtained and documented via:
- Signature, whether paper (in-person), electronic, or digital (remote).
- Consent via digital applications, provided they are backed by biometric authentication (fingerprint or facial recognition), with a copy of the consent retained in electronic records.
- Voice, in case of recorded calls.
Article (9) Consent Controls
Implied consent is only recognized under specific rules and with the data controller's approval. All consent methods used must be documented. Consent must be separate from any other terms or clauses. The data subject must be informed of their right to withdraw consent at any time, and withdrawal does not affect the legality of transactions conducted prior to withdrawal.
Upon withdrawal, the institution must stop processing data based on that consent, while observing any legal requirements mandating data retention.
Article (10) Data Minimization and Legal Basis
Only the minimum necessary data must be collected, and the legal basis for each collection must be documented in an internal register.
Article (11) Correction and Update
The financial institution must provide a clear and accessible mechanism for the data subject to request correction or update of their personal and financial data. It must respond within 15 days of receiving the request, unless exceptional circumstances warrant an extension. In all cases, the data subject must be informed of the delay reason and expected response time, with the process documented in the electronic system.
Article (12) Data Subject Rights
The data subject's rights include: access, correction, deletion, objection, and data portability to another entity, within available technical capabilities and subject to any other legal obligations imposed by competent legal authorities requiring data retention.
Chapter Three: Data Processing
Article (13) Processing Controls
a) All personal and financial data processing must be fair, transparent, and lawful.
b) Processing must be for specific and legitimate purposes.
c) Processing must not exceed the purpose for which the data was collected.
d) Data accuracy must be maintained.
e) Protection of data processing must be built in proactively, starting from the system design stage, continuing through development, and carrying into the services delivered.
Article (14) Data Changes
The data subject must be informed of any material modification to their data via official channels and the reasons for the change, whether legal or contractual.
Article (15) Privacy Controls
Administrative privacy controls must be applied, such as:
- Data classification policy.
- Data privacy policy.
- Data processing policy.
- Access management policy.
- Encryption policy.
- Vulnerability management policy.
- Security incident response policy.
- Information retention and secure destruction policy.
These policies may be integrated into the institution's existing policies.
Technical privacy controls must include:
- Log monitoring system (a system that monitors logs and files and identifies any changes made to them).
- Access management system.
Chapter Four: Data Storage
Article (16) Storage Infrastructure
Data must be stored within Libyan territory in data centers approved by the Competent Authority, under integrated information security supervision, adhering to the highest cybersecurity and data protection standards, and PCI DSS certification must be obtained to ensure a minimum protection level.
Article (17) Conditional Local Hosting
Data hosting within Libya is permitted provided there is a Service Level Agreement (SLA) covering security and precautionary clauses, approved by the Competent Authority. PCI DSS certification is also required to ensure a minimum protection level, and financial institutions must conduct periodic audits to verify service providers' compliance with these standards.
Article (18) Prohibition of External Transfer
The transfer of personal, financial, or credit data outside Libyan territory is strictly prohibited.
Article (19) Encryption and Data Protection
Advanced encryption must be applied, encryption key management must be independent, and encryption techniques must be applied to all systems containing data, especially institutional databases. Encryption must be permanent, whether at rest or in transit, and encryption keys are not permitted to be stored in the same location as the data.
Article (20) Administrative and Technical Controls
Administrative policies must include:
- Information security policy.
- Risk assessment policy.
- Physical protection policy.
- Encryption key management policy.
- Access logs policy.
- Privilege management policy.
- Backup policy.
- Business continuity and disaster recovery plans.
- All employees must commit to the data confidentiality policy by signing a non-disclosure agreement.
These policies may be integrated into the institution's existing policies.
Technical systems must include:
- Identity management systems.
- Privilege management systems.
- Multi-factor authentication systems.
- Backup systems.
- Event monitoring and logging systems.
- Periodic security update management systems for systems and applications.
Article (21) Sensitive Data Management
Sensitive data requires strict protection via:
- Access restriction.
- Processing documentation via separate logs.
- Mandatory encryption.
- Obtaining explicit consent for processing sensitive data, unless the law stipulates otherwise.
Article (22) Contractual Obligations for Service Providers
When relying on a local service provider for data hosting, the institution must contractually oblige the provider to apply and comply with ISO standards such as 27001/27701 and PCI DSS, to commit to data protection, to report incidents, to periodically update Service Level Agreements (SLAs), to refrain from processing data without prior consent from the financial institution, and to notify the financial institution immediately upon a security breach. The contract must define clear responsibilities for the parties in case of non-compliance or breach, including conditions for data return or destruction upon contract expiration.
Chapter Five: Privacy Impact Assessment
Article (23) Cases Requiring Assessment
The financial institution must conduct a Privacy Impact Assessment periodically every six months, and also in any of the following cases:
- Creating new electronic financial services or making material updates to existing services.
- Beginning to collect or process new sensitive data, or in unprecedented ways.
- Using technologies that may significantly impact individual privacy, such as artificial intelligence or biometric authentication.
- Sharing data with third parties, or transferring data between different systems or databases.
- Implementing activities involving systematic or widespread monitoring of users.
Article (24) Assessment Steps
The financial institution must prepare an official Privacy Impact Assessment document containing at least:
- Description of the activity, system, or service under assessment.
- Identification of data types to be processed and the purpose of collection.
- Identification of data subjects (individuals, companies, etc.).
- Identification and assessment of potential risks to data subjects' privacy.
- Presentation of proposed technical and administrative measures to mitigate those risks.
- Data controller's opinion on the feasibility and security of processing.
- Retention of assessment results in a special record, and making it available to the Competent Authority upon request.
Article (25) Responsibility for Assessment
The Privacy Impact Assessment is a joint responsibility between the executing unit within the financial institution and the data controller.
The assessment must be approved by senior management before implementing the project or change under assessment.
Article (26) Review and Update of Assessment
The Privacy Impact Assessment is updated in the following cases:
- Material changes in processing mechanisms.
- Discovery of new risks post-implementation.
A version of any updated assessment is kept, stating the modifications and reasons.
Chapter Six: Data Incident Management
Article (27)
The institution must have a specific policy or plan for data incident management, including all procedures to be followed upon any incident (incident detection and verification procedures, containment and mitigation procedures, incident investigation procedures, recovery procedures), and establishing preventive measures to prevent recurrence.
Article (28)
Training on the incident management policy plan must be conducted and its effectiveness verified at least every six months, and must be documented.
Article (29)
The Competent Authority must be notified immediately, and within 24 hours, of any data leak or unauthorized access. The data subject must be notified immediately by the financial institution in case of leak, damage, or unauthorized access to their data, where any of these could cause serious harm to their data or to themselves. All incidents and corrective actions must be documented. The data controller is responsible for this procedure and bears liability. The notification to the Competent Authority must include at a minimum: the nature of the security breach, the categories and types of affected data, the data controller's contact information, the potential consequences of the breach, and the actions taken or proposed to address or mitigate the breach's impact.
Chapter Seven: Data Removal and Destruction
Article (30)
Removal is carried out upon a formal request from the data subject or the data controller, after verifying the expiry of the retention purpose, without conflicting with the law.
Article (31)
Secure technical destruction (such as magnetic deletion) is used. The destruction date, data type, and responsible person are documented in a special record.
Chapter Eight: Data Controller
Article (32)
The Data Controller is a person appointed in the compliance department of the financial institution, reports to senior management, and oversees compliance with the System.
Article (33)
The Data Controller is the person legally responsible and accountable to the law and the Competent Authority.
Article (34)
The Data Controller must be of Libyan nationality, and their appointment is approved by the Competent Authority after the financial institution submits their file.
Article (35)
The Data Controller assumes the following responsibilities:
- Acting as the direct contact point with the Competent Authority and implementing their decisions regarding data.
- Overseeing review, audit, and impact assessment procedures, documenting assessment results, and issuing necessary recommendations.
- Enabling the data subject to exercise their rights.
- Notifying the Competent Authority of leak incidents.
- Overseeing the handling of violations within the financial institution.
- Responding to requests submitted by the data subject and the Competent Authority.
- Following up on the registration and updating of processing activity records.
- Preparing special reports for the Competent Authority.
- Overseeing training plans related to data protection and privacy.
- Ensuring all data processing operations are documented in accordance with the Regulation.
- Contributing to the investigation of any security breaches and providing recommendations to prevent recurrence.
Chapter Nine: Periodic Assessment and Compliance
Article (36)
The institution conducts an annual assessment of compliance with the System, documents the results, and sends these results as an annual report to the Competent Authority.
Article (37)
Mandatory training programs are implemented for employees, with employee understanding verified through annual tests, and results kept in records.
Chapter Ten: Penalties
Article (38)
Anyone violating the provisions of this Regulation shall be penalized with a fine of one hundred thousand Libyan Dinars for each violation, based on Law No. (1) of 2005 on Banks and its amendments, in addition to any other penalties imposed by the Competent Authority according to its authorities.
Data Protection System
Article One
Definitions:
In the application of the provisions of this System, the following words and phrases shall have the corresponding meanings unless the context indicates otherwise:
- Competent Authority: The Central Bank of Libya.
- Financial Institution: The entity licensed by the Competent Authority to maintain accounts and/or grant credit and/or deal in financial transfers or electronic payments.
- E-Payment Service Provider: The entity licensed by the Competent Authority to provide electronic payment services.
- Electronic Data: Data and information with electronic characteristics in the form of texts, symbols, sounds, graphics, images, computer programs, or other forms relying on electronic representation.
- Personal Data: Any statement that leads to identifying an individual specifically, or makes identification possible directly or indirectly. Examples include: name, national ID number, family book number, family registration number, phone number, address, personal ID number, personal photos, personal document photos, email, residence permit for foreigners, and other data of a personal nature.
- Corporate Data: Data relating to legal entities, whether public or private, such as: customer number, account number, account balance, account transactions, statistical code, articles of association, commercial register, commercial license, advertising message, ownership structure.
- Financial Data: Customer number, account number (local or international), account balance, account transactions, bank card data (local or international), credit data, e-wallet data, remittances, payment data (whether payer, payee, or payment method), ledger numbers. Any personal information linked to corporate data, such as employee or staff contact details, must be handled in accordance with personal data protection provisions.
- Credit Data: Any statement about an individual or legal entity concerning their request for, or receipt of, financing from a financing entity, including any data related to their ability to obtain credit, repay it, and their credit history.
- Data: Includes personal data, corporate data, financial data, and credit data.
- Sensitive Data: A special category of personal data requiring additional protection due to its sensitive nature and high risks associated with its processing. Examples include, but are not limited to: health data, genetic data, biometric data.
- Data Subject: The individual to whom the personal data relates.
- Legal Guardian: The person who represents a minor or legally incapacitated person in court and acts on their behalf in all legal acts and financial transactions.
- Funds: Assets or properties of any kind, whether material or immaterial, tangible or intangible, movable or immovable, regardless of the method of acquisition, and all rights related to them, and all documents or records proving ownership or a share therein, regardless of form, including electronic or digital documents. Examples include, but are not limited to:
  - Cash in local and foreign currencies, virtual and electronic currencies, and bank account balances.
  - Commercial papers.
  - Bank credits.
  - Traveler's checks.
  - Financial remittances and securities such as shares, bonds, letters of credit, collection documents, and insurance policies.
  - Promissory notes.
- E-Wallet: An account containing electronic money value owned by the customer at e-payment companies.
- E-Payment Systems: A set of software, arrangements, operating procedures, information systems, and communication networks prepared for payment, transfer, clearing, or settlement of funds in any currency. They are divided into:
  - Retail payment systems.
  - High-value payment systems.
  - Securities settlement systems.
  - Financial transfer and foreign exchange systems.
- Payment Instruments: Any tool enabling the user to obtain funds, goods, and services, or to carry out payment and fund transfer operations.