Law No. 010-2004/AN on the Protection of Personal Data is a data protection law that was passed in Burkina Faso in 2004. It was one of the first comprehensive data privacy laws to be passed on the African continent, and during the past fifteen years Burkina Faso has taken various steps to ensure that the personal data and privacy of its citizens are protected. This is evidenced by the country’s decision to submit an application to accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981, or Convention 108 for short. To this end, Law No. 010-2004/AN on the Protection of Personal Data establishes the requirements that data controllers and processors within Burkina Faso must abide by when processing personal data.
How are data controllers and processors defined under Law No. 010-2004/AN on the Protection of Personal Data?
Under Law No. 010-2004/AN on the Protection of Personal Data, a data controller is defined as any “natural person or legal entity, public or private, which has the power to decide on the creation of personal data (Article 4 of the Law) and/or the power to decide data processing. This may include any structure or natural person that holds or collects information to create paper or digital files containing personal data”. A data processor, by contrast, is defined as “any natural or legal person, public or private, any service, agency, body or association, which processes data on behalf of the controller”. Moreover, the law defines personal data as any “information that allows, in any form whatsoever, directly or indirectly, the identification of natural persons, in particular by reference to an identification number or to several characteristics specific to their physical, psychological, mental, economic, cultural or social identity”.
What are the requirements of data controllers and processors under Law No. 010-2004/AN on the Protection of Personal Data?
Under Law No. 010-2004/AN on the Protection of Personal Data, data controllers and processors operating within Burkina Faso are responsible for adhering to the following principles when collecting or processing personal data:
- Personal data must be collected and processed in a manner that is fair, lawful, and non-fraudulent.
- Data controllers and processors are responsible for informing data subjects of “the identity of the recipients, and the mandatory or optional nature of the questions asked, as well as the potential consequences in the event that no response is provided”.
- Personal data may only be collected for specific, explicit, and legitimate purposes, and data controllers and processors must refrain from using personal data in a manner that is not consistent with these purposes.
- Data controllers and processors are only permitted to collect or process personal data that is adequate, relevant, and proportionate, with respect to the intention for which said data is to be processed.
- Personal data may only be stored for “a period of time that does not exceed the time that is necessary to achieve the purposes for which the data were collected or processed. Beyond this ‘necessary period,’ the data can only be stored in a nominative form for historical, statistic, and scientific purposes”.
- Data controllers and processors are responsible for implementing appropriate technical and security measures for the purposes of protecting personal data against “accidental or unlawful destruction, accidental loss, tampering, broadcast, or unauthorized access”.
- In instances where personal data has been mistakenly transmitted to a third party, data controllers and processors are responsible for notifying the relevant third parties “of the annulment or rectification of this information, except where provided otherwise by the CIL”.
What are the rights of data subjects under Law No. 010-2004/AN on the Protection of Personal Data?
Under Law No. 010-2004/AN on the Protection of Personal Data, data subjects residing within Burkina Faso are entitled to the following data protection and personal privacy rights:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to object or opt-out.
- The right not to be subject to automated decision-making.
Law No. 010-2004/AN on the Protection of Personal Data is enforced by the Commission de l’Informatique et des Libertés, or CIL for short, which can impose penalties upon data controllers and processors who fail to adhere to the provisions set forth in the law. As such, the CIL has the authority to impose a monetary penalty ranging from CFA 500,000 ($854) to CFA 5 million ($8,571), and a term of imprisonment ranging from six months to five years. Examples of specific actions that could lead to such penalties include “the automated processing of nominative information without complying with the prior formalities set forth by the Law” and “the diversion of the purpose of a collection or processing of personal data”.
While many countries within Africa have taken to passing comprehensive data privacy legislation within the past five years, including Zambia’s Data Protection Act and Zimbabwe’s Cybersecurity and Data Protection Bill of 2019, Burkina Faso’s Law No. 010-2004/AN on the Protection of Personal Data was ahead of its time in many ways. Despite the fact that the law was passed in 2004, it contains many provisions and principles that are similar to those of the European Union’s General Data Protection Regulation, or GDPR. What’s more, Burkina Faso has taken additional legislative measures to ensure the data protection of its citizens in recent years, as the country has very much set a standard for data protection within its region.