Data Protection and Personal Privacy Law in Cape Verde

Cape Verde’s Law No. 41 is a data protection law that was passed in 2013. Law No. 41 was passed for the purposes of updating Cape Verde’s previous data privacy law, Law No. 133, which had been passed twelve years prior in 2001. As such, Law No. 41 establishes the legal grounds upon which personal data may be collected and processed within the country of Cape Verde, as the law mandates that data controllers and processors operating within the country adhere to various requirements as it pertains to data processing. Furthermore, the law also allows for Cape Verdean citizens to file a complaint with the Comissão Nacional de Proteção de Dados Pessoais or CNDP for short, Cape Verde’s data protection authority, should they feel as though their rights have been violated under the law.

How is personal data defined?

Under Cape Verde’s Law No. 41, personal data is defined as “any information, regardless of its nature or the media on which it is stored, relating to an identifiable natural person.” Alternatively, the law defines sensitive personal data to include “personal data relating to an individual’s philosophical or political convictions, party or union affiliation, religious faith, private life ethnic origin, health, sex life, or genetic information.” As is the case with many other comprehensive data privacy laws, data controllers and processors within Cape Verde are responsible for handling the sensitive personal data of data subjects with an extra level of care, security, and responsibility, particularly as it pertains to cross border transfers of said sensitive personal data.

What are the requirements of data controllers and processors?

Under Cape Verde’s Law No. 41, data controllers and processors within Cape Verde have the following duties and responsibilities as it relates to the collection and processing of personal data:

• Personal data may only be processed if a data subject has consented to the processing of their personal, or if said processing is necessary for the compliance of another legal obligation to which a data controller or processor is subject to, among other conditions.
• Personal data must be processed in accordance with the principles of lawfulness, legality, and good faith.
• Personal data must be adequate, relevant, and non-excessive in relation to the purposes for which it was processed.
• Personal data must be accurate and updated where necessary.
• Personal data must be “stored in such a way that allows for the identification of data subjects only for the period necessary for the purposes for which the data was collected or processed.”
• Personal data must be “treated confidentially and be adequately protected, in particular where the processing includes data transmissions in a network.”

What are the rights of Cape Verdean citizens?

Under Cape Verde’s Law No. 41, Cape Verdean citizens have the following rights as it pertains to the protection of their personal data:

• The right to be informed.
• The right to access.
• The right to object.
• The right to oppose the use of their data for marketing or advertising purposes.
• The right to “have a data controller correct, supplement, update, lock, or delete personal data concerning them, if the data is inaccurate, incomplete, equivocal or out of date, or if its collection, use, communication, or conservation is prohibited.”
• The right “not be subject to a decision made on the sole basis of an automated processing that would produce adverse legal ramifications for them.”

In terms of punishments related to non-compliance with the law, Cape Verde’s Law No. 41Is enforced by the Comissão Nacional de Proteção de Dados Pessoais or CNDP for short. To this end, the CNDP has “the power to apply sanctions and fines on data controllers who violate data protection laws.” Moreover, Cape Verdean citizens all retain the right to file their own complaints with the CNDP, as the regulatory body also has the power to conduct investigations against data controllers and processors who are suspected to be in violation of the law. What’s more, the law also allows Cape Verdean citizens to request a specific remedy when filing a complaint with the CNDP.

Although the nation of Cape Verde is relatively small when compared to other countries around the world, as it boasts a population of just over 500,000 citizens, the country has nevertheless taken legislative means to ensure that their citizens have an adequate level of data protection. Through the passing of Cape Verde’s Law No. 41, Cape Verdean citizens can not only have the peace of mind that their data is being protected at all times, but said citizens can also file specific complaints concerning the scope and severity of any potential violations that may occur. As such, the country of Cape Verde has joined the ranks of other nations within the continent of Africa that have passed comprehensive data privacy laws in the past decades, including the likes of Togo’s Law No. 2019-014 Relating to the Protection of Personal Data and Zimbabwe’s Cybersecurity and Data Protection Bill of 2019.