Data Protection and Privacy Legislation in Angola
Angola’s Law 22/11 on the Protection of Personal Data, also known as the Data Protection Law for short, is a data privacy law that was passed in Angola in 2011. As many countries around the world have taken legislative measures to protect the personal data privacy rights of their citizens, Angola’s Data Protection Law was passed with such an aim. Moreover, the law also established the National Data Protection Authority or APD for short for the purposes of enforcing the various provisions of the law. To this end, the Data Protection Law lays out the legal framework that data controllers and processors within Angola must abide by when engaging in data processing activities within the country.
How are data controllers and processors defined under the law?
Under Angola’s Data Protection Law, data controllers are defined as “any natural or legal person or public authority that determines the purposes for which personal data is to be processed and the means through which this will be done”. Conversely, data processors are defined as any “natural or legal person or public authority that processes personal data on behalf of a data controller under a contractual link between them”. Furthermore, the law defines personal data as “any information of any kind or in any medium, including image and sound, relating to an identified or identifiable natural person (i.e. data subject)”.
In terms of the scope and application of the law, the personal scope of the law applies to “all data processing operations undertaken by any natural or legal persons from the public, private, or cooperative sectors”. Alternatively, the material scope of the law applies all data processing activities that take place within Angola, except processing activities that are carried out in the context of personal or domestic activities, while the territorial scope of the law is applicable under the following conditions:
- A data controller or processor maintains their “head office” within Angola.
- The data processing takes place within the scope of a data controller or processor who is physically located within Angola, even if its “head office” is not located within the country.
- The data processing takes place outside of the territory of Angola, in an area where Angolan law applies pursuant to “international public or private law”.
- A data controller or processor uses means within Angola during the course of their data processing operations.
What are the requirements of data controllers and processors under the Data Protection Law?
Under Angola’s Data Protection Law, data controllers and processors within the country are required to fulfil the following obligations:
- Preventing unauthorized individuals from accessing the systems and facilities that a data controller or processor uses to process personal data.
- Preventing personal data from being read, altered, removed, or copied from unauthorized individuals.
- Preventing the entering of personal on behalf of unauthorised individuals, as well as preventing said individuals from altering, erasing, or taking cognisance of said data.
- Preventing unauthorized individuals from using automated data processing systems, should a data controller or processor make use of said systems in the course of their operations.
- Ensuring that only authorized individuals are able to access any personal data that a data controller or processor has access to.
- Ensuring that entities that make use of data transmission networks for the purposes of transmitting personal data conduct checks to confirm that said networks are functioning properly.
- Ensuring that “ex post facto checks can be carried out of what data has been entered, when, and by whom, within a period appropriate to the nature of the processing”.
- Preventing any unauthorized erasing, alteration, reading, or copying of personal data during the transportation or transmission of said data.
What are the rights of data subjects under the Data Protection Law?
Under the Data Protection Law, data subjects are afforded the following rights as it relates to their privacy:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to object or opt-out.
- The right not to be subject to automated decision making.
In terms of penalties that can be imposed as a result of failing to comply with the law, the National Data Protection Authority or APD has the authority to levy a variety of punishments and penalties against data controllers and processors who fail to adhere to the provisions of the Data Protection Law. Some of these punishments and penalties include a monetary fine ranging from $75,000 to $150,000, as well as both criminal and civil liabilities. Additionally, data controllers and processors who fail to notify the APD when they are required to do so also face further penalties under the law.
With the passing of the Data Protection Law in 2011, Angola joined a number of nations across Africa that have passed data privacy laws in the last fifteen years, such as the South African POPIA law, Ghana’s Data Protection Act, and Kenya’s Data Protection Act 2019. As data privacy continues to be an issue due to the ways in which personal data can be shared via the internet, many nations around Africa are sure to pass further data protection legislation, as well as amend current legislation to ensure that it is up to date as it relates to current data protection and privacy standards. Nevertheless, the Data Protection Law stands as the foremost protection of the personal data of Angolan citizens.