An Innovative Legislative Framework for Privacy in Benin

Benin’s Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information, also known as the Law for short, is a data privacy law that was passed in Benin 2009. As one of the numerous countries around the world that have drawn influence from the European Union’s landmark General Data Protection Regulation or GDPR, Benin’s Digital Code, a telecommunications and cybersecurity law, promulgated the EU’s GDPR law to supplement the Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information. As such, the Law establishes the legal basis for which personal data may be collected and processed within Benin, as well the principles that individuals and organizations must follow when collecting or processing personal data.

How are data controllers and processors defined under the Law?

Under Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information, a data controller is defined as an individual who “controls the procedures and purpose of data usage. Data controllers are required to file an annual report with the APDP on compliance with the processing principles”. Conversely, the Law defines a data processor as a  “person, company, or other body which processes personal data on the data controller’s behalf”. Moreover, personal data is defined as “any information relating to an identified or identifiable natural person. It makes a direct reference to sound and image. In addition, the APDP considers that this definition applies to the data of a deceased individual authority”.

As it pertains to the scope and application of Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information, the personal scope of the law is applicable to all legal persons, agencies, or public authorities, or any other body that collects or processes personal data, whether said collection or processing is done via a third party or not. Alternatively, the territorial scope of the law applies to all data controllers and processors within Benin, including major social media and Fintech companies. Furthermore, the material scope of the law applies to all collection, processing, storage, use, and transmission of personal data, with certain exceptions, such as personal data that is processed in the context of the offering of staff management services.

What are the responsibilities of data controllers and processors under the law?

The Digital Code of Benin set forth the following data protection principles through the Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information:

• All personal data that is collected and processed must be done so fairly, as well as in accordance with the purpose for which said personal data was collected or processed.
• Data controllers and processors collect and process personal data in a manner that is transparent. In doing so, both parties are responsible for providing data subjects with clear, binding, and understandable information concerning the collection and processing of their personal data.
• The confidentiality of all personal data that is collected and processed must be upheld, particularly in instances where the collection or processing of personal data is conducted through the transmission of personal data through a data network.
• Data controllers and processors must “comply with the requirements (for instance, the controller must ensure that data is updated on a daily basis, to rectify or delete inaccurate and incomplete data) required by legislation to be processed”.

As Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information contains many provisions similar to the EU’s GDPR law that were adapted to fit the data protection needs of Benin, the law also mandates that data controllers and processors provide data subjects with data processing notifications, as well as data breach notification in the event that a data breach occurs. Additionally, data controllers and processors are also responsible for maintaining detailed data processing records, as well as following specific requirements set forth by the law as it relates to the collection and processing of both special categories of personal data, as well as children’s data. Organizations and agencies that collect and process personal data are required to appoint a data protection officer or DPO under certain circumstances.

What are the rights of data subjects under Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information?

Under Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information Beninese citizens have the following rights with respect to the protection of their personal data and privacy:

• The right to obtain a copy of their personal data in a clear format, as well as any further information relating to the origin of said personal data.
• The right to withdraw consent to the processing of their personal data, at any time.
• The right to object to the processing of their personal data, for lawful purposes or reasons.
• The right to oppose the processing of their personal data for use for marketing purposes.
• The right to request that their personal data be rectified or erased if it has been found that said personal data is incomplete or inaccurate.
• The right not to be subject to data processing decisions made on the basis of automated processing, permitting said decisions would pose significant harm or risks to the data subject.
• The right to have public information concerning them be deleted from records, otherwise known as the right to be forgotten.
• The right to obtain damages from a data controller or processor in the event of a data breach that resulted in “material or non-pecuniary damage to a person”.

In terms of penalties that can be imposed as a result of failing to comply with the regulations set forth by the law, Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information is enforced by the Beninese Data Protection Authority or APDP for short. As such, the APDP is authorized to levy the following punishments:

• A financial penalty.
• An injunction to cease the collection or processing of personal data.
• A temporary or final withdrawal of the authorizations of data controllers and processors under the law.
• The locking of certain personal data.

Benin’s Digital code and by extension, Law No. 2009-09 of May 22, 2009, Dealing with the Protection of Personally Identifiable Information, is considered to be one of the most innovative and sophisticated legal instruments concerning the protection of personal data in Africa. As such, Benin is a part of a handful of African countries that have been leading the way for comprehensive data protection legislation to be implemented around the continent, including Kenya’s Data Protection Act 2019 and Ghana’s Data Protection Act. To this end, citizens of Benin are afforded a level of data protection that remains largely unrivaled in not only their region, but the world as a whole.