Certain obligations that apply to controllers and processors include recording processing activities, security and confidentiality requirements, data protection impact assessments, appointing a data protection officer in certain circumstances, reporting data breaches for 48 hours and registering with the supervisory authority before commencing a data protection activity. data processing. The law was amended in 2013, mainly to change the status of the National Data Protection Commission Comissão Nacional de Protecção de Dados, which was no longer a parliamentary committee and became an external body. Following this amendment, the Authority was established and became operational in 2015. Sam Jungyun Choi is a partner in the Technology Regulatory Group in the London office. His practice focuses on European data protection law and new directives and legislation relating to innovative technologies such as artificial intelligence, online platforms, and digital health products. Section 70 of the Zambia Data Protection Act of 24 March 2021 requires data controllers to process and store personal data on a server or data center in Zambia, unless the Minister prescribes categories of personal data that may be stored overseas. However, sensitive personal data cannot be subject to ministerial exceptions. Further clarifications, such as the existence of other exceptions and the criteria for cross-border transfers, may be provided by the Minister and the supervisory authority. In addition, the 2021 law strengthens security requirements with the obligation to conclude a contract with the recipient of the data that includes a clause to return the data when transferring data to a third country and to encrypt the data. Before processing personal data, controllers must inform POTRAZ of their planned processing activities, which may exempt certain categories from the notification obligation. Some common privacy principles, such as consent, data retention, data deletion, and the use of data breach notifications, are generally incorporated into data protection laws. These basic principles must be respected to do business in Africa.
Some countries in Africa, such as Ghana, South Africa and Lesotho, do not require notifications of personal data breaches to be sent to the data subject. However, it is considered a best practice to do so. Following the enactment of Kenya`s first data protection law in November 2019, the Office of the Data Protection Commissioner issued guidelines, including on consent, data protection impact assessment and the processing of personal data for electoral purposes. In December 2021, the Data Protection (General) Regulation 2021 was adopted and published. The regulations provide further details on the many areas covered by the law, including data subjects` rights, use of data for commercial and direct marketing purposes, data retention, data protection policies, contracts between controllers and processors, data localization, data protection by design or by default, Data breach notification, cross-border breaches Data transfers and data protection impact assessments. This regulation significantly complements data protection law. Mosa Mkhize is a policy advisor in the firm`s Africa practice group, through which she provides strategic policy and regulatory advice to clients doing business with and in Africa. Under the 2021 law, the processing of health data is significantly regulated and, as such, the law introduces a strict principle of data localization with the obligation to host health data in Burkina Faso, unless exempted by the DPA. The Data Protection Act is the first of its kind in Kenya. It provides a comprehensive legal framework for data protection and establishes guidelines for the use of personal data. The Act also establishes the Office of the Data Protection Commissioner, which has enforcement powers.
The Data Protection Act 2018 entered into force on 15 October 2021. The one-year grace period provided for by the 2018 law will therefore expire in 2022. The establishment of an operational data protection authority is also expected in the near future. Cape Verde is the first African country to be amended by Law No. 133/V/2001 of 22 December. January 2001 – General legal framework for the protection of personal data of natural persons – data protection legislation. The legal framework for data protection draws heavily on Council of Europe Convention 108 of 28 January 1980 (“Convention 108”) and Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, which has since been repealed. In order to address the compliance challenges faced by organizations doing business in Africa, it is important to understand how a data protection law is designed, especially in Africa. Although the appointment of a Data Protection Officer (DPO) is not mandatory, the law stipulates that this function can only be performed by a natural person.
Therefore, professional services firms and firms are not allowed to offer to act as DPOs under Zimbabwean law. In addition, the existence of a DPO must be reported to POTRAZ, which is empowered to issue guidelines on the functions and qualifications of DPOs. In addition, Zambian law introduces the role of data controller, which may be authorized by the Data Protection Officer, whose duties are to (i) promote compliance with data protection principles by data controllers and processors; (ii) ensure that controllers and processors apply appropriate policies and procedures to regulate the processing of personal data; (iii) raising awareness of data protection principles and rights among the public and stakeholders; and (iv) verify that controllers have put in place adequate safeguards to prevent personal data breaches. The auditors, as well as the Data Protection Officer, are able to carry out the mandatory annual audit of the controller`s processing policies and activities. The Southern African Development Community (SADC) is one of the thriving regional economic blocs on the African continent that has taken steps to support and enable the flow of personal data in the region. In this article, independent data protection expert Melody Musoni discusses the data protection laws and regulations governing cross-border data flows in Southern African countries, with a particular focus on Botswana. Articles 34 and 35 of the Personal Data Protection Act 2013 (Law 4 of 2013) (“POPIA”) deal with the processing of children`s data. PR de Wet and Jako Fourie of VDT Attorneys Inc.
provide a brief overview of the above sections and requirements, with particular emphasis on the higher level of protection that POPIA offers with respect to the processing of children`s personal data. The first in a series of articles to follow, this article will explain some practical implications for valid consent as a requirement as such, particularly in relation to the modern technological era we are in today. The new Data Protection Act of 30 March 2021 provides that the health data of identified or identifiable persons are hosted in Burkina Faso, except with the exception of the Data Protection Authority. So far, there is no general exception to this principle. The 2021 amendment also introduced broader rights for data subjects, very similar to those set out in the GDPR, such as the right to erasure, the right to restriction of processing and the right to data portability, in addition to the already existing rights of access and rectification.