Africa: Malabo Convention set to enter into effect following 15th ratification
OneTrust DataGuidance confirmed with Boubacar Diakite, Senior Associate at GSK Law, that the Convention on Cyber Security and Personal Data Protection (Malabo Convention) will enter into force on June 8, 2023. Boubacar explained that "under Article 36 of the Malabo Convention, 15 ratifications are needed for the treaty to come into force. [Specifically], I spoke with a friend who works at the African Union (AU) and he let me know that Mauritania (15th country) actually deposited their ratification on May 9, 2023. Thus, the treaty will come into force 30 days after the date of the last ratification, which is why it will come into force on June 8, 2023."
Who does it apply to?
The Malabo Convention will apply to the countries which have signed and ratified the treaty. Specifically, the following countries have ratified the Malabo Convention:
- Cape Verde;
- Côte d’Ivoire;
- Zambia; and
What are the key requirements?
The Malabo Convention introduces specific requirements for signatories including:
- requirements and principles associated with data processing;
- specific restrictions on the processing of sensitive personal information;
- data security obligations including taking appropriate precautions, according to the nature of the data, to prevent data from being altered, destroyed, or accessed by unauthorized third parties;
- restrictions on data transfers to non-AU member states unless such a state ensures an adequate level of protection with certain exceptions;
- establishing a national personal data protection authority in charge of protecting personal data; and
- vendor management requirements.
What rights do data subjects have?
The Malabo Convention provides data subjects with rights including:
- right to information;
- right of access;
- right to object;
- right of rectification or erasure; and
- right not to be subject to automated decision-making.
You can read the Malabo Convention here.