Law: Law No. L/2016/037/AN on Cybersecurity and Personal Data Protection Law (only available in French here) ('Law on Cybersecurity and Personal Data')
Regulator: The establishment of an authority for personal data protection in Guinea is provided for under Article 47 of the Law on Cybersecurity and Personal Data.
Summary: The Law on Cybersecurity and Personal Data came into effect on 28 July 2016, and outlines requirements for combating cybercrime in part one, as well as for the protection of personal and sensitive data in part two.
The Law on Cybersecurity and Personal Data provides restrictions for cross-border data transfers. Notably the processing of personal data is considered legitimate if the data subject gives their express prior consent. However, the requirement for prior consent is waived when the processing is, necessary for compliance with a legal obligation, in performance of a task of public interest or in the exercise of public authority, necessary for the execution of a contract to which the data subject is a party or for pre-contractual measures, or to safeguard the interest or fundamental rights and freedoms of the data subject.
In addition, the Law on Cybersecurity and Personal Data establishes a range of principles for processors of personal data. These require, among other things, that personal data is collected for specified, explicit, and legitimate purposes, that such personal data be adequate, relevant, and not excessive with regard to the purposes for which it was collected, and the data is not kept for a period which exceeds the period necessary for the purposes for which it was collected. Further principles regarding the processing of personal data, under the Law on Cybersecurity and Personal Data include, among others, confidentiality, transparency, and accuracy.
Likewise, personal data controllers are required to take all necessary precautions with regard to personal data, and must take such a requirement into account when contracting with sub-processors. Moreover, the Law of Cybersecurity and Personal Data adds that data controllers and processors are required to ensure sub-processors compliance with the stated obligations.
Furthermore, the Law of Cybersecurity and Personal Data sets out a range of data subject rights, including the right to be informed, object, rectification, access, erasure, and not to be subject to automated decision-making.
In addition to the above, the Constitution of Guinea also provides for, under Article 12, a constitutional right to privacy. In addition, Law L/2016/035/AN on electronic transactions in the Republic of Guinea (only available in French here) provides requirements for digital advertisements to individuals and accompanying provisions relating to privacy.