A New Data Protection and Privacy Landscape in Togo

Togo’s Law No. 2019-014 Relating to the Protection of Personal Data is a data protection law that was recently passed in Togo in 2019. As many countries throughout Africa have taken to legislative means to provide data privacy rights to their respective citizens, such as Kenya’s Data Protection Act and Ghana’s Data Protection Act, Togo has also taken steps to pass a similar data protection law. To this point, Law No. 2019-014 Relating to the Protection of Personal Data establishes the legal basis for which the collection and processing of personal data may be permitted. Moreover, the law also empowers the Togolese data protection authority, or PDCP for short to impose penalties against individuals and organizations who fail to follow the law.

How are data controllers and processors defined under the law?

Under Law No. 2019-014 Relating to the Protection of Personal Data, a data controller is defined as “any physical or legal person, public or private, any other body or association which, alone or jointly with others, takes the decision to collect and process personal data and determines its purposes”. Conversely, a data processor is defined as “any physical or legal person, public or private, any other body or association processing data on behalf of the controller”. Furthermore, the law defines personal data to include “any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social or economic identity”.

As it relates to the scope and application of Law No. 2019-014 Relating to the Protection of Personal Data, the personal scope of the law applies to “any collection, processing, transmission, storage, and use of personal data by a physical person, the state, local authorities, and legal persons governed by public or private law”. Alternatively, the territorial scope of the law applies to any processing carried out by a person in charge, whether or not established on the territory of the Togolese Republic, which uses means of processing located on Togolese territory, while the material scope of the law covers all data processing activities that take place in Togo, with the exception of data processing that is done in the context of personal or domestic activities?

What are the obligations of data controllers and processors under Law No. 2019-014 Relating to the Protection of Personal Data?

Under Law No. 2019-014 Relating to the Protection of Personal Data, data controllers and processors within Togo are responsible for upholding the following principles when collecting or processing personal data:

• Principle of consent and legitimacy– The collection or processing of personal data is only considered legitimate if a data subject gives their consent to such activities, subject to certain exceptions as set forth in the law.
• Principle of lawfulness and loyalty– The collection, processing, storage, and transmission of personal data must be conducted in a fair, lawful, and non-fraudulent manner.
• Principle of purpose, relevance, and conservation– Personal data may only be collected or processed for explicit, specific, and legitimate purposes, and may not be further processed for any other purpose. Personal data that is collected or processed must also be relevant, adequate, and non-excessive in relation to the purposes for which it was collected or processed.
• Accuracy principle– All personal data that is collected or processed must be accurate, as well as updated when saif personal data has been found to be inaccurate or incomplete.
• Principle of transparency– Data controllers and processors are responsible for providing mandatory information to data subjects concerning the collection and processing of their personal data.
• Principle of confidentiality and security– All personal data that a data controller or processor stores must be handled in accordance with the principle of confidentiality, as well as protected according to the provisions set forth by the law.
• Principle of appropriate choice of the processor– In cases where a data controller chooses to outsource data processing operations, said data controller must “choose a processor who provides sufficient guarantees with respect to data processing. The nature of these guarantees is determined by regulation. In particular, the data controller and the processor must ensure compliance with the security measures defined in Article 52 of the Law”.

What are the rights of data subjects under Law No. 2019-014 Relating to the Protection of Personal Data?

Under Law No. 2019-014 Relating to the Protection of Personal Data, data subjects residing within Togo have the following rights with respect to the protection of their personal data, and in turn, their privacy:

• The right to be informed of the collection or processing of their personal data.
• The right to access their personal data that has been collected or processed.
• The right to rectify any personal data a data controller or processor may possess concerning them
• The right to erase any personal data a data controller or processor may possess concerning them.
• The right to object to or opt-out of the collection or processing of their personal data.
• The right to request a copy of their personal data, which may be “subject to payment of a sum which may not exceed the cost of reproduction”.
• The right for the “successors of a deceased person who can prove their identity to require that a data controller take into consideration the death of the data subject and make the necessary updates”.

In terms of the enforcement of the law, the Togolese data protection authority or PDCP has the authority to impose the following punishments and penalties against data processors, controllers, or applicable third parties or individuals who fail to comply with the law:

• A term of imprisonment ranging from one year to five years.
• A monetary fine ranging from XOF 1 million ($1,749) to XOF 25 million ($43,860).
• Other administrative fines and penalties.
• A combination of the penalties listed above.

Through the passing of Law No. 2019-014 Relating to the Protection of Personal Data, data subjects within Togo has the assurance that their personal data and privacy are protected by the law. As data protection continues to be an evolving issue due to the prevalence of online communication through the means of emails and popular social media sites, laws pertaining to privacy are more needed than at any other point in history. To this end, legislation such as Togo’s Law No. 2019-014 Relating to the Protection of Personal Data is only set to become more common in the future, as protecting the personal data of citizens is a concern that countries around the world must begin taking seriously.