Burkina Faso - Data Protection Overview

January 2022

1. Governing Texts

Burkina Faso enacted its first data protection legislation in 2004 (Act No. 010-2004/AN of 20 April 2004) (only available in French here) ('the 2004 Act'). As such, it was one of the forerunners in this area in Africa. The 2004 Act provided for the creation of the regulatory authority, the Commission de l'Informatique et des libertés ('CIL'), which became operational in 2007.

A regulation adopted on 21 April 2021, the Act No. 001-2021/AN of 30 March 2021 ('the 2021 Act'), repealed and replaced the 2004 Act. The 2021 Act strengthens the protection of the privacy of individuals, including by broadening its geographical scope to offshore data controllers who carry out processing operations from Burkina Faso (irrespective of whether they use local means of processing), by supervising transborder transfers, and by providing a more comprehensive right to be informed.

In addition, the 2021 Act reinforces security requirements with the obligation, where data is transferred to a third country, to enter into a contract with the data recipient that includes a return of data clause and to encrypt the data.

The 2021 Act also has the particularity of introducing the principle of data localisation with the obligation to host health data in Burkina Faso unless an exemption is granted by the CIL.

The sanctions established under the 2021 Act are significantly stricter as they can reach 1% of a company's turnover excluding tax and 5% in the event of a repeat offence.

1.1. Key acts, regulations, directives, bills

Burkina Faso is a member state of the Economic Community of West African States ('ECOWAS') and, as such, the Supplementary Act A/SA.1/01/10 of 16 February 2010 on the protection of personal data within the ECOWAS region is applicable upon implementation locally.

In addition, Article 6 of the Constitution of Burkina Faso of 2 June 1991 (only available in French here) provides for a general right to privacy. The key law governing data protection is the 2021 Act.

These laws are complemented with the following regulations:

  • Regulation No. 2021-0276/PRES of 20 April 2021 promulgating Act No. 001-2021/AN of 30 March 2021 on the protection of persons with regard to the processing of personal data;
  • Regulation No. 2018-1116/PRES/PM of 12 December 2018 renewing the term of office of a member of the Commission de l'Informatique et des Libertés (CIL);
  • Regulation No. 2018-1198/PRES/PM of 31 December 2018 renewing the term of office of the President of the Commission de l'informatique et des libertés (CIL);
  • Order No. 2018-003/CIL of 19 February 2018 laying down the rules of procedure of the Commission de l'informatique et des libertés (CIL);
  • Regulation No. 2009-824/PRES promulgating Act No. 045-2009/AN of 10 November 2009 on the regulation of electronic services and transactions in Burkina Faso; and
  • Regulation No. 2007-283/PRES/PM/MPDH of 18 May 2007 on the organisation and functioning of the Commission de l'informatique et des libertés (CIL) (only available in French here).

1.2. Guidelines

The CIL has published the following guidelines:

  • obligation of prior declaration of the processing of personal data (only available in French here);
  • obligation to obtain the consent of the data subject (only available in French here);
  • duty of legitimacy and lawfulness of personal data processing (only available in French here); and
  • duty to inform the data subject (only available in French here).

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The 2021 Act applies to public and private organisations for the protection of the data of individuals, including deceased persons, through their estate, with regard to the exercise of the right of access to data and the right to erasure.

2.2. Territorial scope

The 2021 Act applies to the processing of personal data wherever it is carried out so long as the controller is established in Burkina Faso or, without being established in Burkina Faso, is subject to the laws of Burkina Faso under international public law (Article 3 of the 2021 Act).

The 2021 Act also applies to controllers and processors who have no presence in Burkina Faso and who conduct processing operations from the national territory, excluding the processing of transient data (Article 3 of the 2021 Act).

2.3. Material scope

The 2021 Act applies to the processing, whether or not automated, of personal data contained or intended to be contained in a file. In particular, it applies to the processing of personal data relating to electronic communications.

The 2021 Act does not apply to processing operations carried out by an individual in the exercise of exclusively personal or domestic activities, nor does it apply to temporary and transient data and to processing activities performed exclusively for literary and artistic or journalistic purposes (Article 4 of the 2021 Act).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator is the CIL, which has been operational since 2007. With regard to direct marketing, the High Communication Council is also a competent authority. 

3.2. Main powers, duties and responsibilities

The CIL is the supervisory authority in charge of ensuring compliance with the provisions of the 2021 Act, in particular by informing all data subjects and data controllers of their rights and obligations and by monitoring the use of information and communication technologies applied to the processing of personal data (Article 45 of the 2021 Act).

The CIL is an independent administrative authority with administrative and management autonomy.

The CIL has regulatory and sanctioning powers. The authority adopts its own procedural rules. It must ensure that the use of information and communication technologies for the purpose of processing personal data does not pose any threat to individual or public freedoms and privacy. In this respect, it (Article 56 of the 2021 Act):

  • takes individual or regulatory decisions;
  • issues, where necessary, recommendations to facilitate compliance with the 2021 Act, particularly at sectoral level or according to the use of a particular technology or processing architecture;
  • may, in exceptional circumstances, prescribe security measures consisting in particular in the destruction of data carriers or the suspension of the authorisation;
  • sends warnings and reports to the public prosecutor's office any infringements of which it is aware;
  • ensures that the procedures for implementing the right of access, rectification and erasure do not hinder the free exercise of such rights;
  • receives complaints, petitions and denunciations;
  • must keep itself informed of the effects of the evolution of information and communication technologies and their uses on the right to protection of personal data and privacy, the exercise of freedoms and other fundamental rights and the functioning of democratic institutions;
  • keeps itself informed of industrial and service activities which contribute to the implementation of information and communication technologies;
  • advises persons and organisations that have recourse to the automatic processing of personal information or that carry out tests or experiments that may lead to such processing;
  • conducts a permanent mission to inform, raise awareness and train the public in order to promote the right to protection of individuals with regard to the processing of personal data;
  • responds to requests for advice from the public authorities and, where appropriate, the courts;
  • proposes to the Government any legislative or regulatory measures likely to adapt the protection of fundamental rights and freedoms to the development of information and communication technologies and their uses;
  • authorises the transfer of personal data to another country; and
  • participates in international meetings and negotiations on the protection of individuals with regard to the processing of personal data.

4. Key Definitions 

Data controller: Any natural or legal person, public or private, any service, agency, body or association which, alone or jointly with others, takes the decision to collect and process personal data, determines the purposes for which it is to be done and the manner in which it is to be carried out (Article 5 of the 2021 Act).

Data processor: Any natural or legal person, public or private, any department, agency, body or association which processes data on behalf of the controller (Article 5 of the 2021 Act).

Personal data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number, to one or more factors specific to their physical, physiological, genetic, psychological, cultural, social or economic identity (Article 5 of the 2021 Act).

Sensitive data: All personal data relating to health status, biometric data, genetic data, sex life, racial or ethnic origin, political, philosophical or religious opinions or activities, trade union membership, morals, the investigation and prosecution of offenders, criminal or administrative sanctions, related security measures or other social measures (Article 5 of the 2021 Act).

Health data: Not applicable.

Biometric data: Not applicable.

Pseudonymisation: Not applicable.

5. Legal Bases

5.1. Consent

The default basis for processing is consent of the data subject. However, consent is not required where the processing (Article 9 of the 2021 Act):

  • relates to data which is manifestly made public by the data subject for purposes which are legitimate;
  • is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent;
  • is for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of health services, provided that it is carried out by a member of a health profession or by another person who is bound by professional secrecy by virtue of their duties;
  • in particular of biometric or genetic data, is necessary for the establishment, exercise or defence of legal claims;
  • is carried out in the context of the opening of legal proceedings;
  • is necessary for a reason of public interest, in particular for historical, statistical or scientific purposes;
  • is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at his or her request during the pre-contractual period;
  • is necessary for compliance with a legal obligation to which the controller is subject;
  • is necessary for the performance of a task carried out in the public interest by the public authority;
  • is assigned to the controller by a public authority that has the power to do so; and
  • is carried out in the course of the legitimate activities of a foundation, association or any other non-profit organisation with a political, philosophical, religious or trade union aim. However, the processing must relate solely to the members of that body or to persons having regular contacts with it in connection with its purpose.

5.2. Contract with the data subject

Please refer to section on consent above.

5.3. Legal obligations

Please refer to section on consent above.

5.4. Interests of the data subject

Please refer to section on consent above.

5.5. Public interest

Please refer to section on consent above.

5.6. Legitimate interests of the data controller

Please refer to section on consent above.

5.7. Legal bases in other instances

Please refer to section on consent above.

6. Principles

The collection, recording, processing, storage and transmission of personal data must be carried out lawfully, fairly and not fraudulently (Article 7 of the 2021 Act). The data must be (Article 8 of the 2021 Act):

  • collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes;
  • accurate and, if necessary, updated or deleted; and
  • kept for no longer than is necessary for the purposes for which it is collected or processed. 

7. Controller and Processor Obligations

7.1. Data processing notification

The processing of personal data is subject to a declaration to the CIL, which must issue a receipt.

The declaration is not required for (Articles 28 and 30 of the 2021 Act):

  • processing operations whose specific purpose is limited to the preservation of archival documents;
  • processing carried out by an association or any non-profit organisation of a religious, philosophical, political or trade union nature, provided that such processing corresponds to the purpose of the association or body, that it relates only to its members and that it is not communicated to third parties without their consent; and
  • processing operations carried out on behalf of the State, a public institution, a local authority or a private legal entity managing a public service and which are decided by legislative or regulatory act taken after an opinion from the CIL and concerning:
    • State security, defence or public safety;
    • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sentences or security measures;
    • population census;
    • personal data revealing religious, philosophical, political, trade union or ethnic convictions or activities, sex life, race, health and morals, genetic or biometric data, social measures, prosecutions, criminal or administrative sanctions; and
    • processing of wages, pensions, taxes and other settlements.

7.2. Data transfers

Localisation of health data

Health data enabling the direct or indirect identification of natural persons must be hosted in Burkina Faso, unless the CIL grants an exemption (Article 37 of the 2021 Act). No exemptions have been granted to date.

Cross-border transfers

Cross-border transfers must be authorised by the CIL (Article 42 of the 2021 Act). In addition, Article 42 of the 2021 Act provides that, prior to any transfer of personal data to an external party, the controller must sign a data confidentiality clause and a data return clause with the contracting party in order to facilitate the complete migration of the data at the end of the contract, and implement technical and organisational security measures, including encryption and procedures for testing, analysing and evaluating the measures taken.

Controllers may only transfer personal data to a foreign country or international organisation if that country or international organisation ensures an adequate level of protection of the privacy, fundamental rights and freedoms of individuals with respect to the processing of such data except where (Article 44 of the 2021 Act):

  • the data subject has given their specific, free, informed and unequivocal consent, after having been informed of the risks due to the lack of appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or measures prior to entering into such a contract, taken at the request of the data subject;
  • the transfer is necessary to safeguard the vital interests of the data subject;
  • in exceptional circumstances, the transfer is authorised by a regulation;
  • overriding legitimate interests, including public interests, are provided for by law and constitute a necessary and proportionate measure in a democratic society;
  • the transfer is a one-off and not massive, concerns only data relating to the case in question, is necessary or legally required for the protection of an important public interest or for the establishment, exercise or defence of legal claims;
  • the one-off transfer is intended for a single person and is made from a public register which, by virtue of legislative or regulatory provisions, is intended for the information of the public and is open to consultation by the public or any person having a legitimate interest, insofar as the legal conditions for consultation are fulfilled in the case in question;
  • the transfer is necessary in the context of the performance of an international mutual legal assistance measure;
  • it is carried out in application of a bilateral or multilateral agreement to which Burkina Faso is party; and
  • a contract approved by the CIL binding the controller and its co-contractors provides for contractual clauses or internal rules that guarantee an adequate level of protection of privacy and the fundamental rights and freedoms of individuals.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

The 2021 Act does not require a data protection officer ('DPO') to be appointed.

7.6. Data breach notification

Not applicable.

7.7. Data retention

Data must be kept for no longer than is necessary for the purposes for which it is collected or processed (Article 8 of the 2021 Act). Beyond the necessary period, data may only be kept for the specific purpose of processing for archival, historical, statistical or research purposes, in the public interest and in accordance with appropriate safeguards defined by the legislation in force or, in its absence, after authorisation by the CIL (Article 8 of the 2021 Act).

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Principles

It is prohibited to collect or process without the express consent of the data subject:

  • personal data revealing religious, philosophical, political, trade union or ethnic beliefs or activities, sex life, race, health and morals; and
  • genetic and biometric data, social measures, prosecution, criminal or administrative sanctions. 

Exceptions

  • Only the following may process personal data relating to offences, convictions and security measures:
    • courts and public authorities acting within their legal powers;
    • legal persons managing a public service, after the assent of the CIL; and
    • court officers, strictly for the purpose of carrying out the tasks entrusted to them.
  • The processing of personal data for research purposes in the health field is authorised by the CIL after receiving the assent of the Health Research Ethics Committee.
  • Notwithstanding the rules on professional secrecy, members of the health professions may transmit personal data held by them for authorised health research purposes, unless the data subject objects.
  • The consent of the data subject is not required when the processing (Article 9 of the 2021 Act):
    • relates to data which are manifestly made public by the data subject for purposes which are legitimate;
    • is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent;
    • is for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of health services, provided that it is carried out by a member of a health profession or by another person who is bound by professional secrecy by virtue of his or her duties;
    • including biometric or genetic data, is necessary for the establishment, exercise or defence of legal claims;
    • is in the context of the opening of legal proceedings;
    • is necessary for a reason of public interest, in particular for historical, statistical or scientific purposes;
    • is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at his request during the pre-contractual period;
    • is necessary to comply with a legal obligation to which the controller is subject;
    • is necessary for the performance of a task in the public interest entrusted to the public authority;
    • is assigned to the controller by a public authority that has the power to do so; or
    • is carried out in the course of the legitimate activities of a foundation, association or any other non-profit-making body with a political, philosophical, religious or trade union aim. However, the processing must relate solely to the members of that body or to persons having regular contact with it in connection with its purpose. The data shall not be communicated to third parties without the consent of the data subjects.

7.10. Controller and processor contracts

Controllers must enter into agreements with processors with security provisions and specifying in particular the only authorised processing operations and the use of the data at the end of the contract (Article 42 of the 2021 Act). In addition, where data is transferred cross border, the controller and the recipient must sign a data confidentiality undertaking and provide in their agreement that the data will be migrated back to the controller at the end of the contract.

8. Data Subject Rights

8.1. Right to be informed

The controller must proactively provide the data subject, at the latest at the time of data collection, with the following information (Article 16 of the 2021 Act):

  • its identity and, if applicable, that of its representative;
  • the specific purposes of the processing for which the data is intended;
  • the categories of data concerned and whether answers to the questions are obligatory or voluntary, as well as the possible consequences of failure to respond;
  • the recipients to whom the data may be disclosed;
  • the existence of the right to access, rectify and erase the data;
  • the existence of the right to object to data processing on legitimate grounds;
  • the retention time;
  • the possibility of any cross-border transfer of data with an indication of the protection afforded in the recipient country; and
  • the simple means to give consent for any stated purpose that requires it or to withdraw it.

This obligation to inform does not apply to the collection of personal data necessary for the detection of an offence concerning State security, defence and public safety (Article 16 of the 2021 Act).

8.2. Right to access

Upon establishing their identity, data subjects have a right of access to their stored and processed data on site and/or by receiving a copy of the data. Reproduction fees can be charged to the data subject (Article 17 of the 2021 Act).

The estate of a deceased adult may exercise the right to access unless, in medical matters, the deceased person has expressed opposition to the right to access being exercised after their death (Article 17 of the 2021 Act).

8.3. Right to rectification

The data subject may require the controller to rectify, complete, update, block or delete personal data concerning them, as the case may be, if the data is inaccurate, incomplete, equivocal, out of date, or if their collection, use, communication or storage is prohibited, including with regard to third parties to whom such data have been communicated (Article 21 of the 2021 Act).

When the data subject makes a request in writing or by any other means, the data controller must prove, at no cost to the applicant, that the required operations have been carried out within a maximum of two months after the request was registered and that the changes made have been transmitted to any third parties to whom the data to be modified have been communicated (Article 21 of the 2021 Act).

In the event of a dispute, the burden of proof lies with the controller to whom the right of access is exercised (Article 21 of the 2021 Act).

8.4. Right to erasure

Data subjects have the right to obtain from the controller the removal of personal data relating to their private life and past activities, made public on a website, whether or not accessible by a search engine.

8.5. Right to object/opt-out

Data subjects have the right to object on legitimate grounds to the processing of their personal data (Article 20 of the 2021 Act). In the case of direct marketing, objections may be made on any grounds.

The controller may refuse the request to object where the processing is justified on legitimate grounds which override the interests, fundamental rights and freedoms of the data subject (Article 20 of the 2021 Act).

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

evaluate certain aspects of the personality of an individual may not be used (Article 15 of the 2021 Act):

  • as basis for any court decision involving an assessment of human behaviour; or
  • as the sole basis for any administrative or private decision involving an assessment of human behaviour.

8.8. Other rights

Not applicable.

9. Penalties

The CIL may, without prejudice to criminal proceedings, impose the following administrative measures (Article 63 of the 2021 Act):

  • a warning;
  • a formal notice;
  • an order to cease the processing of data;
  • the blocking of certain personal data;
  • withdrawal of authorisation;
  • the confiscation of any material used to process personal data;
  • erasure of data, irrespective of the identity of the owner of the media;
  • a ban on managing any processing of personal data for a maximum of two years; and/or
  • publication of the sanction in several newspapers at the expense of the sanctioned person.

The CIL may impose administrative fines amounting to 1% of the turnover excluding tax of the previous financial year, and 5% of the turnover excluding tax of the previous financial year in the event of a repeat offence.

Other sanctions can also reach up to CFAF 100,000,000 (approx. €154,560) and 5 years' imprisonment.

9.1 Enforcement decisions

Not applicable.