Personal data protection in Angola is regulated by Law No. 22/11 of 17 June 11, the Personal Data Protection Law (LPDP), which determines the legal rules applicable to the processing of personal data. Various regulatory obligations related to compliance with the LPDP provide for notification to the regulator, the Data Protection Agency (APD).
The APD was established by Presidential Decree No. 214/16 of 10 October. The APD's governing bodies took office in October 2019. Recently the APD has started receiving the notifications provided for in the LPDP.
In this sense, entities obliged to make notifications to the APD can now comply with their legal obligations.
The LPDP applies to the processing of personal data carried out by any person in the public sector, the private sector or the cooperative sector, namely, when the data controller is based in Angola.
The "data controller" is the entity that determines the purpose and means of the processing of personal data. "Personal data" is any information relating to an identified natural person or identification, such as name, address, telephone number, etc.
The following is a brief summary of these obligations.
Processing of personal data
The processing of personal data is subject to notification to the APD. In some cases, for example the recording of telephone calls, the processing is subject to prior authorisation by the APD. Processing shall mean any operation on personal data, such as collection, recording, use, disclosure, interconnection and destruction of personal data.
The APD has already made available on its website a form to make the above notifications. One notification is required for each purpose of processing. A company will have to make the number of notifications corresponding to the purposes of processing it performs, for example: management of customers and suppliers; marketing and communication; human resources management; use of biometric system; use of video surveillance cameras; control of internet use, etc.
International transfers of personal data
International transfers of personal data are subject to notification to the APD. If the country concerned ensures an adequate level of protection, the international transfer of personal data is subject to prior notification to the APD. In the case of a country which does not ensure an adequate level of protection, the international transfer of data is subject to authorisation by the APD.
In the case of notifications, the APD shall express its opinion within 30 days of receipt, after which the processing shall be deemed to have been duly notified.
The APD may approve exemptions from notification for certain categories of treatment. However, so far it has not done so.
The APD must also, under Article 38 of the LPDP, organize and publish a public register of notified and authorized treatments.
Failure to notify the APD constitutes a misdemeanor punishable with a fine ranging from USD7,000 to USD15,000 (the equivalent in Kwanzas).
For more information on this matter, please reach out to us.