Angola - Data Protection Overview
1. Governing Texts
1.1. Key acts, regulations, directives, bills
Angola's data protection framework consists of Law 22/11 on the Protection of Personal Data (only available in Portuguese) ('the Data Protection Law'), which governs all processing of personal data relating to identified or identifiable natural persons.
In addition, Presidential Decree 214/16 of October 10, 2016 (only available in Portuguese) ('the Presidential Decree') establishes the rules governing the structure and operation of the regulatory body, the National Data Protection Agency ('APD').
It is worth noting that Angola has been adapting its legal framework to the current information technology ('IT') environment, with an emphasis on cyber attacks and network protection. In this context, Law 23/11 of June 20, 2011, on Electronic Communications and Information Society Services (only available in Portuguese) ('the Electronic Communications Law') and Law 7/17 of February 16, 2017 (only available in Portuguese) ('the Protection of Information Systems and Networks Law') were enacted to protect Angola's cyberspace, establishing cooperation and reporting mechanisms for incidents and cyber attacks affecting certain networks.
In 2021, two statutes were published setting the fees payable to the APD: Joint Executive Decree 72/21 of March 19, 2021 (only available in Portuguese), which approves the fees for the authorization of private credit information agencies, and Presidential Decree 60/21 of March 10, 2021 (only available in Portuguese), which approves all other fees charged by the APD.
The privacy and data protection principles in the Constitution of the Republic of Angola (only available in Portuguese) ('the Constitution') include not only the right to privacy (Article 32) but also the writ of habeas data (Article 69), which grants data subjects the right to be informed of any data about them held in files, archives, and computerized records, and of the purposes for which that data is processed, and to request that such data be updated and corrected.
Angola has also enacted Law 11/20 of April 23, 2020, on the Identification and Location of Cellular Phones and Electronic Surveillance carried out by Police Authorities (only available in Portuguese), and Law 2/20 of January 22, 2020, on Video Surveillance (only available in Portuguese), which is regulated by Presidential Decree 308/21 of December 21, 2021 (only available in Portuguese).
1.2. Guidelines
The APD, which only became fully operational in 2020, has not issued any guidelines to date.
1.3. Case law
We are not aware of any court decisions applying the Data Protection Law. However, the APD issued its first fine in 2022; see the section on enforcement decisions below.
2. Scope of Application
2.1. Personal scope
The Data Protection Law covers all data processing operations undertaken by any natural or legal person in the public, private, or cooperative sector. It makes no distinction based on the nationality or place of residence of the data subject.
2.2. Territorial scope
The Data Protection Law applies whenever one of the following conditions is met:
- the data controller has its head office in Angola (Article 3(2)(a) of the Data Protection Law);
- the data processing takes place within the scope of the activities of a data controller established in Angolan territory, even if its head office is not located in Angola (Article 3(2)(b) of the Data Protection Law);
- the data processing takes place outside of Angola in a place where Angolan law applies pursuant to international public or private law (Article 3(2)(c) of the Data Protection Law); and
- the data controller uses means located in Angolan territory, during the course of the data processing (Article 3(2)(d) of the Data Protection Law).
Article 3(3) of the Data Protection Law adds that the controller is deemed to use means located in Angolan territory when the processing operations are carried out using such means or when the personal data is hosted in Angola. For the purposes of the Data Protection Law, it suffices that such means are used merely for the collection, recording, or transit of personal data within or through the territory of the Republic of Angola.
No definition of 'means' is provided. The term may therefore encompass infrastructure such as servers located in Angola, as well as any agencies, affiliates, representatives, employees, or service providers located in Angola through which a foreign data controller collects or processes data. Consequently, a data controller with no presence in Angola may still have to comply with the Data Protection Law if its processing merely involves servers operating in Angola to route data from one country to another, or if its business structure relies on a representative, agency, or other service provider located in Angola to collect data or to act as its data processor.
2.3. Material scope
The Data Protection Law does not apply to data processing carried out by a natural person in the course of strictly personal or domestic activities, as established in Article 4(1) of the Data Protection Law. The following are also excluded from its scope:
- data processing that takes place within the scope of laws applicable to state secrets and security, or to judicial secrecy (Article 4(2)(a) of the Data Protection Law); and
- the processing of personal data of members of the Angolan Armed Forces by units, establishments, military agencies, or other bodies under the supervision of the ministerial department responsible for the Armed Forces.
3. Data Protection Authority
3.1. Main regulator for data protection
The APD is a public-law legal person with legal personality and administrative, financial, and patrimonial autonomy. It is led by a board of seven directors and supervised by the President of the Republic of Angola.
3.2. Main powers, duties and responsibilities
As outlined in Article 44 of the Data Protection Law and in Article 5 of the Presidential Decree, the APD has several duties, notably:
- enforcing the Data Protection Law;
- issuing recommendations, guidelines, and instructions on best practices in the processing of personal data;
- issuing recommendations on access to documents that name data subjects;
- assessing and deciding on complaints submitted to it;
- guaranteeing the exercise of the right of access, rectification, updating, and erasure of data;
- registering and publishing the registration of personal data filing systems;
- issuing guidelines on the application of necessary and appropriate technical and security measures;
- cooperating with international authorities on matters concerning the protection of personal data and monitoring international flows of personal data; and
- applying penalties in relation to the protection of personal data under the terms of the applicable laws.
The APD also participates in awareness-raising activities.
4. Key Definitions
Data controller: Any natural or legal person or public authority that determines the purposes for which personal data is to be processed and the means through which this will be done (Article 5(i) of the Data Protection Law).
Data processor: A natural or legal person or public authority that processes personal data on behalf of a data controller under a contractual link between them (Article 5(m) of the Data Protection Law).
Sensitive data: Personal data that refers to a person's philosophical or political convictions, party or union affiliation, religious faith, private life, ethnic origin, health, and sex life, including genetic information (Article 5(c) of the Data Protection Law).
Data subject: An identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (Article 5(b) of the Data Protection Law).
Data processing: Any operation or set of operations performed on personal data, such as its collection, registration, recording, organization, storage, alteration, use, transmission, or dissemination (Article 5(o) of the Data Protection Law).
Consent: Any freely given, specific, and informed indication of will by which the data subject signifies acceptance that their personal data will be processed (Article 5(a) of the Data Protection Law).
5. Legal Bases
Under Article 12(1) of the Data Protection Law, personal data can be processed if unambiguous and express consent is obtained.
Under Article 12(2)(a) of the Data Protection Law, personal data can be processed when necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract or making a declaration of intent.
Under Article 12(2)(b) of the Data Protection Law, personal data can be processed when necessary to comply with a legal obligation to which the controller is subject.
Under Article 12(2)(c) of the Data Protection Law, personal data can be processed when necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent, in which case consent may be given by their legal representative.
Under Article 12(2)(d) of the Data Protection Law, personal data can be processed for the performance of a mission of public interest or in the exercise of public authority vested in the controller or a third party to whom the data are communicated.
Under Article 12(2)(e) of the Data Protection Law, personal data can be processed for the pursuit of the legitimate interest of the controller or a third party to whom the data is communicated when the rights, freedoms, and guarantees of the data subjects do not prevail.
Under Article 18 of the Data Protection Law, the processing of personal data for the purposes of sending advertising messages addressed to the data subject's domicile, by mail or direct distribution shall be permitted on condition that the APD is notified, save when the recipient has expressly refused permission for such processing and the use of their data for this purpose.
Under Article 19 of the Data Protection Law, the processing of personal data for the purposes of sending advertising messages addressed by electronic means, namely by automatic calling machines, fax, or email, is subject to the unambiguous and express consent of the data subject. However, consent can be waived when:
- the messages are sent to the data subject in their capacity as a representative, employee, or member of staff of a legal person;
- the messages are sent by the Government authorities through the electronic governance system of the Angolan Executive; and
- the messages are sent to natural persons with whom the product supplier or service provider has previously concluded a transaction, provided that such persons were explicitly offered the possibility of objecting to such processing when the transaction was concluded, and the processing does not require the recipient to pay anything beyond the cost of the telecommunications service.
As the person who determines the purposes for which personal data is processed and the means by which this is done, the data controller must implement technical and organizational measures and adopt adequate security levels to protect personal data against any breach that may occur.
6. Principles
Under Article 6 of the Data Protection Law, the processing of personal data shall be carried out in a transparent manner, with full respect for the principle of privacy and for the fundamental rights, freedoms, and guarantees enshrined in the Constitution and in the Data Protection Law. Personal data must also be stored in a way that permits data subjects to exercise their rights of access, information, rectification, deletion, and objection. Processing shall be lawful and fair and respect the principle of good faith; accordingly, any processing that leads to arbitrary or unlawful discrimination against the data subject is deemed contrary to the principle of good faith.
Data controllers must also comply with the principle of proportionality, and as such, personal data, subject to processing must be pertinent, appropriate, and not excessive in relation to the purposes legitimating their collection and processing.
In relation to the purposes of the processing, Article 9 of the Data Protection Law sets that personal data must be collected and processed for purposes that shall be specific, stated, and legitimate in accordance with the provisions of specific legislation, if any. The processing of personal data may not be carried out for purposes other than, or incompatible with, those for which they were collected and processed unless:
- the data subject has given their express consent;
- the processing serves historical or statistical purposes and the data has, to this end, been rendered anonymous; or
- the data is processed for the purposes of law enforcement or national security on the terms permitted by specific legislation when the rights, freedoms, and guarantees of the data subjects do not prevail in such cases.
Article 10 of the Data Protection Law also sets the principle of veracity, whereby personal data subject to processing shall be accurate, and appropriate measures must be adopted by the data controller to ensure that the data that are wholly or partially inaccurate are erased or rectified so as to correspond to the present and specific situation of the data subject.
7. Controller and Processor Obligations
Article 30 of the Data Protection Law governs security. Under this Article, the data controller must implement appropriate technical and organizational measures, and establish appropriate levels of security, to protect personal data against accidental or unlawful destruction, accidental loss, and unauthorized dissemination or access, particularly where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Taking into account the state of the art and the cost of their implementation, such measures must ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
Furthermore, the data controller must draw up a document setting the security measures, rules, and procedures applicable to the processing of personal data, detailing the security levels, the resources to be protected, and the duties and responsibilities of the persons with access to the data.
These requirements are stricter for sensitive data, data relating to unlawful activities, crimes, and offenses, creditworthiness data, video surveillance systems, and other electronic monitoring systems. In these cases, the data controller must adopt appropriate measures to:
- prevent access by unauthorized persons to the systems and facilities used to process the data;
- prevent the personal data media from being read, copied, altered, or removed by unauthorized persons;
- prevent the unauthorized entry of personal data, unauthorized persons gaining knowledge of such data, and the unauthorized alteration or erasure of the data entered;
- prevent automated data processing systems from being used by unauthorized persons through data transmission facilities;
- ensure that only authorized persons have access to data covered by the authorization for the processing of the relevant category of data by the APD;
- ensure that checks are conducted of entities to which personal data can be transmitted through data transmission networks;
- ensure that ex post facto checks can be carried out of what data has been entered, when, and by whom, within a period appropriate to the nature of the processing; and
- prevent any unauthorized reading, copying, alteration, or erasure of the data in the transmission of personal data, and in the transportation of their respective media.
Moreover, the systems shall ensure that data relating to health and sexual life, including genetic data, are kept in separate systems from other personal data.
7.1. Data processing notification
According to Article 35(1) of the Data Protection Law, data processing requires either prior notification to the APD or prior authorization from it. In the case of a notification, the APD has 30 days to respond; once that period has elapsed, the processing operation is deemed duly notified and may take place (Article 35(2) of the Data Protection Law).
Additionally, the APD will be able to grant block exemptions for certain categories that do not jeopardize fundamental rights or civil liberties, taking into consideration efficiency criteria (Article 35(3) of the Data Protection Law). These exemptions must specify the purposes for which the data is processed, the categories of data that are processed, the data subjects, and the relevant retention period.
In relation to authorizations, processing can only take place following the authorization issued by the APD.
As for submissions of notifications and authorizations, these should include the following information:
- name and address of the data controller and, if there is one, its representative;
- the purpose of the processing;
- recipients to whom the data can be transferred and how;
- the data retention period;
- the manner in which and the conditions under which data subjects can exercise their rights; and
- a general description of the security measures implemented.
Certain types of processing, such as the processing of sensitive data or the cross-border transfer of data to countries that do not provide for an adequate level of protection, can only take place once authorization from the APD is issued.
Notably, data processors do not need to carry out any notification to the APD while acting in the capacity of data processors. Only the data controller must inform the APD of the existence of this agreement.
7.2. Data transfers
Third party transfers
Under Article 21 of the Data Protection Law, a transfer of personal data to a third party to be used for the third party's own purposes will result in the third party also being considered a data controller for the purposes of the Data Protection Law. A transfer of personal data to a third-party controller requires the express consent of the data subject in advance and a notification to the APD. However, the Data Protection Law provides that the consent of the data subject does not need to be obtained in a number of circumstances, including where:
- the data was lawfully collected from publicly available sources;
- the transfer is necessary for the performance of a contract to which the data subject is a party to; or
- the transfer is necessary to undertake preliminary steps before executing a contract with the data subject.
As for international data transfers, Section VI of the Data Protection Law applies, and the rules and principles governing a transfer of personal data from Angola to a foreign country depend on whether the APD deems the destination country to provide an 'adequate level of protection.'
If it does, then the transfer of data will only require a notification to the APD, and if it does not, then the data controller must obtain prior authorization from the APD. A country that provides an 'adequate level of protection' is one that provides, at least, a level of protection identical to the one granted by the Data Protection Law.
Authorization will be granted in the cases specified in Article 34 of the Data Protection Law, including:
- where the data subject has given express consent;
- where the transfer is necessary to execute a contract to which the data subject is party or to carry out preliminary steps before executing a contract with the data subject;
- where the intended recipient of the data in the relevant country enters into a contract with the data controller and undertakes to provide an adequate level of protection for the data; and
- where the transfer is to another company in one particular corporate group that has implemented binding corporate rules on the privacy and protection of personal data.
To the present date, the APD has not issued any decision declaring that another country provides for an adequate level of protection.
7.3. Data processing records
There are no specific provisions imposing a duty on the data controller or data processor to maintain data processing records, although keeping such records is highly advisable in case the APD carries out an audit.
7.4. Data protection impact assessment
There are no such requirements in the Data Protection Law.
7.5. Data protection officer
There is no such concept in the Data Protection Law, and thus no obligation to appoint a data protection officer ('DPO'). However, if a data processing operation falls within the scope of the Data Protection Law, the data controller must, by communication to the APD, nominate a representative established in Angola to whom all of its rights and obligations under the Data Protection Law are delegated, as stated in Article 3(4) of the Data Protection Law. This representative is not equivalent to a DPO; it is merely a point of contact.
7.6. Data breach notification
There is no mandatory breach notification under the Data Protection Law.
7.7. Data retention
There are no retention timeframes set in the Data Protection Law. Generally, personal data shall be stored in a form that permits identification of the data subject only for as long as necessary to achieve the purposes for which it was collected or processed, and shall subsequently be erased or rendered anonymous.
7.8. Children's data
There are no specific provisions regulating the processing of children's data. However, Article 25(4) of the Data Protection Law provides that information given to data subjects on their rights must be provided in a clear, precise, and objective manner, in particular when addressed to minors and persons with special needs.
7.9. Special categories of personal data
Article 13 of the Data Protection Law establishes that sensitive data may only be processed when both of the following requirements are met:
- a legal provision permitting such processing; and
- authorization from the APD.
However, this authorization can only be granted whenever one of the following is met:
- data subject or their legal representative has given their unambiguous, express, and written consent;
- the data is processed with the unambiguous and express consent of the data subject by a foundation association or non-profit organization of a political, philosophical, religious, or trade union nature, in the course of its legitimate activities on the condition that such processing relates only to the members of the organization or persons who are periodically in contact with the same in connection with its aims, and that the data shall not be disclosed to third parties without the unambiguous and express consent of the relevant data subjects;
- it is necessary to protect the vital interests of the data subject or other person, and the data subject is physically or legally incapable of giving their consent;
- the data in question has been manifestly made public by the data subject and provided that their consent for the processing of the data may be legitimately inferred from their statements;
- the data processing is necessary for the declaration, exercise, or defense of a right in judicial proceedings and is carried out solely for this purpose; or
- for reasons in the public interest, the processing of the data is essential for the exercise of the controller's duties and responsibilities deriving from law or organizational statutes, including for the conduct of investigations by the judicial, police, and administrative authorities in the course of their duties.
The processing of sensitive data must be carried out in a manner that ensures non-discrimination and with the adoption of special security measures.
Health and sex life data
As per Article 14 of the Data Protection Law, in addition to the requirements set for sensitive data, processing of health and sexual life data shall only be processed when a data subject or their legal representative has given unambiguous, express, and written consent, and/or the APD has authorized the processing. The APD may authorize the processing without the consent of the data subject, when necessary for the purposes of preventive medicine, medical diagnosis, consented medical care, health service management, and statistics, or in the event of a medical emergency or when justified by the public interest. The processing of data relating to health and sexual life shall be carried out by a health professional registered with a corresponding professional body and subject to the duty of professional secrecy.
Criminal conviction data
Under Article 15 of the Data Protection Law, the processing of personal data relating to persons suspected of unlawful activities, criminal, and other offenses and the application of penalties, security measures, fines, and accessory penalties, which may be deemed to constitute sensitive data, can only be carried out by a public authority, in the following circumstances:
- when a legal provision exists permitting such processing by authorities with specific powers, in compliance with the procedural and data protection rules established by law, subject to prior recommendation from the APD; or
- with authorization from the APD, which shall only be granted when such processing is necessary for achieving the legitimate purposes of the data controller and in compliance with data protection and information security rules.
As per Article 16 of the Data Protection Law, processing of personal data relating to creditworthiness shall only be carried out when both of the following are met (unless the information is obtained from publicly accessible sources in compliance with their respective terms of consultation):
- unambiguous and express consent from the data subject; and
- authorization from the APD.
Further, the processing by a data controller of creditworthiness data relating to performance and non-performance of credit obligations is subject to notification of the data subject that their data is contained in the controller's file of debtors (and such notice being given within 60 days of the data being entered in the aforementioned file).
7.10. Controller and processor contracts
According to Article 23 of the Data Protection Law, a transfer of data to a data processor can only take place in two circumstances: either under a contract or another legally binding written document establishing the data processor's obligation to comply with the Data Protection Law, or provided a notification is submitted to the APD. The Data Protection Law does not set out specific terms that the contract must contain. In either case, unless otherwise stated by the data controller, the data processor must comply with the following obligations:
- the prohibition of disclosing personal data to other recipients;
- the compliance with the measures and security levels established in the Data Protection Law; and
- the destruction or returning of the personal data to the data controller when their contractual relationship ends.
More generally, the data processor, like the data controller, must comply with the rules and parameters established by the Data Protection Law. This includes following the instructions given by the data controller regarding the way data should be processed.
The data processor shall not process personal data for its own ends, nor communicate it to other recipients, unless instructed to do so by the data controller or required to by law. Otherwise, the processor will itself be considered a data controller.
8. Data Subject Rights
It should be noted that while the Data Protection Law may not apply to a foreign entity, Constitutional rights like the below-mentioned belong to citizens at all times. Therefore, an Angolan court or the APD may consider that these rights cannot be excluded or avoided due to the fact that the party controlling their data does not have any presence in Angola, for reasons of public policy or public order.
8.1. Right to be informed
The controller shall make at least the following information available to data subjects:
- the controller's identity and address;
- the purposes of processing;
- the data recipients or categories of data recipients, if any;
- whether providing the data is mandatory or optional, and the possible consequences of failing to provide it;
- the existence and terms of the right of access and of rectification, updating, erasure, and objection;
- the consequences of collection of the data without the consent of the data subject, or of their representative in the event of the data subject's legal incapacity; and
- any other information needed to ensure the lawful processing of such personal data.
When the personal data is collected directly from the data subject, the information shall be provided at the time of collection unless it has previously been provided. For personal data not being collected directly from the data subject, the data controller must provide the subject with the information at the time of recording the data or, at the latest, within 30 days of such recording, unless such information is already known to them.
The obligation to provide information may be waived by legal provision or decision of the APD:
- for reasons of state security, crime prevention, and criminal investigation;
- when the provision of the information to the data subject proves impossible or involves disproportionate efforts, namely in cases of data processing with statistical, historical, scientific, or research purposes; or
- when so required by the law.
8.2. Right to access
Data subjects can, upon request to the data controller, have access to all information relating to the identity and location of the data controller, the purposes for which the personal data is being used, and the identity of any third parties to whom the data may be transferred (Articles 25 et seq. of the Data Protection Law).
The right to access, correct, and delete any personal data is provided not only by the Data Protection Law but also by the Constitution, under which all Angolan citizens have the right to access any computerized data that relates to them, which is enforceable through habeas data (Article 69 of the Constitution).
8.3. Right to rectification
Data subjects have means to exercise their right to have personal data relating to them corrected (Section IV and Articles 25 et seq. of the Data Protection Law).
A person bringing an action for habeas data can additionally request that such data be corrected or updated.
8.4. Right to erasure
Data subjects have means to exercise their right to have personal data relating to them deleted (Section IV and Articles 25 et seq. of the Data Protection Law).
8.5. Right to object/opt-out
Data subjects may object to data processing in certain circumstances under Article 26(1) of the Data Protection Law, such as when there are serious and legitimate reasons pertaining to their particular situation.
8.6. Right to data portability
No such right exists in the Data Protection Law.
8.7. Right not to be subject to automated decision-making
Under Article 29 of the Data Protection Law, data subjects have the right not to be subjected to a decision that produces legal effects concerning them, or significantly affects them, and which is based solely on the automated processing of data intended to evaluate certain personal aspects relating to them, such as their performance at work, creditworthiness, reliability, or conduct.
However, the data subject may be subjected to automated processing when it occurs in connection with the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard their legitimate interests, such as arrangements allowing them to put forward their point of view.
8.8. Other rights
Anyone can submit a complaint to the APD. It is also possible to resort to administrative and judicial remedies to enforce the rights established in the Data Protection Law. Thus, anyone who suffers moral or patrimonial damage because of improper use of their personal data has the right to claim compensation for that damage.
9. Penalties
The Data Protection Law establishes criminal and civil liability, as well as additional sanctions, for breaches of its provisions. Non-compliance can also lead to a fine, and whenever an administrative infraction results from failure to comply with a duty, neither the sanction nor payment of the fine exempts the offender from fulfilling that duty.
In this regard, a fine of between $75,000 and $150,000 may be imposed for the failure to comply with:
- the obligations set out in Articles 14, 15, 16, 17, 20, 30, 31, and 32 of the Data Protection Law;
- the obligation to notify the APD; and
- an order of the APD.
Furthermore, a fine between $65,000 and $350,000 may be imposed for the failure to comply with:
- the principles set out in Articles 6 to 11 of the Data Protection Law;
- the requirement to obtain the consent of the data subject for processing; and
- the provisions of Articles 18, 19, and 21 to 24 of the Data Protection Law.
Failure to comply with the obligations established in the Data Protection Law can thus result in fines, in particular for failure to notify the APD when required and failure to obtain data subjects' consent where required. If the infractions are committed by companies or associations, the fines are tripled. In both cases, fines are enforced by the APD, and both negligence and attempt are punishable.
9.1. Enforcement decisions
In its first enforcement decision, issued in 2022, the APD fined Banco de Poupança e Crédito (BPC), an Angolan bank, $525,000 for violations of the Data Protection Law.
The decision is related to the public disclosure, on social media, of a list of employees who had their employment contract terminated for redundancy. This list contained personal data (as defined in the Data Protection Law), such as the employee's number, name, surname, occupation, and professional address, of a total of 278 employees dismissed for redundancy by BPC.
The amount of the fine was due to the following violations of the Data Protection Law by BPC:
- failure to implement technical and organizational measures to protect employees' personal data and not complying with Articles 30 and 31 of the Data Protection Law;
- failure to comply with the duties of care and confidentiality in relation to the access and undue disclosure of its employees' data in violation of the provisions of Article 32 of the Data Protection Law; and
- not having requested authorization from the APD for the processing of the personal data of its employees in violation of Article 35(1) of the Data Protection Law.