Cape Verde - Data Protection Overview

December 2021

1. Governing Texts

Cape Verde is the first African country to have enacted a comprehensive framework for data protection with its Law No. 133-V-2001 on the Protection of Personal Data ('the 2001 Law'). The 2001 Law was amended once by Law No. 41/VIII/2013 of 17 September 2013 (only available in Portuguese here) and amended a second time by Law No. 121/IX/2021 of 17 March 2021 (only available in Portuguese here) ('the 2021 Amendment'). The National Commission of Data Protection ('CNPD') became operational in 2015 and has been active since. Cape Verde also has a notable presence on the international stage, and is one of the few jurisdictions outside of Europe to have ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108').

1.1. Key acts, regulations, directives, bills

The main law governing data protection in Cape Verde is the 2001 Law. The 2001 Law was amended once by the 2013 Amendment and amended a second time by the 2021 Amendment.

The other relevant texts are:

  • Articles 41, 45, and 46 of the 2010 Constitution of the Republic of Cape Verde;
  • Law No. 42/VIII/2013 of 17 September 2013 instituting the National Commission of Data Protection, amended by Law No. 120/IX/2021 of 17 March 2021 (only available in Portuguese here); and
  • Law No. 86/VIII/2015 of 14 April 2015 on the Regulation of the Installation and Use of Video Surveillance Systems in Public Spaces (only available in Portuguese here), amended by Law No. 86/VIII/2015 of 1 July 2015.

1.2. Guidelines

The guidelines are issued by the CNPD:

  • Directive No. 08/2020 of 23 September 2020 concerning the processing of personal data for political marketing purposes in the context of election campaigns (only available in Portuguese here);
  • Deliberation authorisation No. 11/2018 of 21 December 2018 concerning the data processing of information, communication, and technology in the context of employment (only available in Portuguese here);
  • Deliberation authorisation of exemption No. 7/2015 of 27 August 2015 concerning the billing and management of contacts with customers, suppliers, and service providers (only available in Portuguese here);
  • Deliberation authorisation of exemption No. 6/2015 of 27 August 2015 concerning registration of entrances and exits of individuals in buildings (only available in Portuguese here);
  • Deliberation authorisation of exemption No. 5/2015 of 27 August 2015 concerning the collection of membership fees in associations and contacts with respective members (only available in Portuguese here);
  • Resolution authorisation of exemption No. 4/2015 of 27 August 2015 concerning the administrative management of officials, employees, and service providers (only available in Portuguese here);
  • Deliberation authorisation of exemption No. 3/2015 of 27 August 2015 concerning library and archive user management (only available in Portuguese here);
  • Deliberation authorisation of exemption No. 2/2015 of 27 August 2015 concerning the processing of salaries, benefits, and allowances of employees or workers (only available in Portuguese here); and
  • Draft deliberation No. 1/2015 of 06 August 2015 concerning the fees of the National Commission of Data Protection (only available in Portuguese here).

1.3. Case law

In 2017, the CNPD imposed a fine against the Bank of Cape Verde and the private bank Novo Banco, S.A. in a case related to the disclosing of a list of 50 clients of Novo Banco in the media (only available in Portuguese here). The Bank of Cape Verde and Novo Banco have appealed the fine.

2. Scope of Application

2.1. Personal scope

The beneficiaries of the 2001 Law, as amended, are data subjects, i.e. individuals who may be directly or indirectly identified, in particular by reference to any information, of any nature and irrespective of the medium, such as, by way of example, a name, an identification number, location data, electronic identifiers, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Data subjects include deceased persons.

2.2. Territorial scope

The 2001 Law, as amended, applies to controllers and processors who are established in Cape Verde, as well as to controllers and processors who process the personal data of data subjects who are located in Cape Verde, irrespective of the location where the processing takes place; where the processing activities are related to the offering of goods or services to such data subjects, for free or for a fee, and monitoring their behaviour, provided that such behaviour takes place in the national territory; or, finally, in all the locations outside of Cape Verde pursuant to international law.

2.3. Material scope

The 2001 Law, as amended, applies to:

  • wholly or partly automated processing of personal data;
  • non-automated processing of personal data, provided that the data forms part of a filing system or is intended to form part of a filing system;
  • video surveillance and other forms of capture, processing, and dissemination of sound and images permitting persons to be identified, carried out by a data processor or data controller located in the country, or where an access provider is used for IT or telematic networks established in the country; and
  • the processing of personal data regarding public safety, national defence, and state security, without prejudice to special rules in instruments of international law to which Cape Verde is bound, and specific laws pertinent to the respective sectors.

However, the 2001 Law does not apply where the processing activity is carried out by individuals in the course of purely personal or household activities.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator for data protection is the CNPD.

3.2. Main powers, duties and responsibilities

CNPD is the supervisory authority. It has a regulatory role and is in charge of helping with the elaboration of codes of conduct and issuing deliberations and opinions in application of data protection law. CNPD's administrative functions include receiving and reviewing data processing notifications and issuing authorisations for some processing activities. CNPD also has enforcement powers which include investigation and the imposition of fines and other administrative sanctions.

4. Key Definitions 

Data controller: The person or group, public authority, service, or any other entity or body that, alone or jointly with others, determine(s) the purposes or the means for the processing of personal data.

Data processor: A person or group, public authority, agency, or any other entity or body that processes personal data on behalf of the data controller.

Personal data: Any information of any type or nature and irrespective of the medium involved, including sound and image relating to an identified or identifiable person, defined as the data subject.

Sensitive data: Data revealing philosophical, ideological, or political beliefs or penalty, religion, political party or trade union affiliation, racial or ethnic origin, and health and sex life, including genetic data.

Health data: Personal data concerning the physical or mental health of a natural person, including the provision of health services, that reveal information about their health status.

Biometric data: Personal data resulting from a specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.

Pseudonymisation: The processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organisational measures to ensure that the personal data cannot be attributed to a natural or identifiable person.

5. Legal Bases

5.1. Consent

The default legal basis for processing is opt-in consent. Consent means any freely given specific and informed indication of his or her wishes by which the data subject, either by a statement or by an unambiguous affirmative act, signifies his or her agreement to personal data being processed.

5.2. Contract with the data subject

Consent is not required where the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject.

5.3. Legal obligations

Consent is not required where the processing is necessary for compliance with a legal obligation to which the controller is subject.

5.4. Interests of the data subject

Consent is not required where the processing is necessary for protection of vital interests of the data subject if the latter is physically or legally incapable of giving their consent.

5.5. Public interest

Consent is not required where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed.

5.6. Legitimate interests of the data controller

Consent is not required where the processing is necessary for pursuing the legitimate interests of the controller or the third party to whom the data are disclosed, except where such interests should be overridden by the interests or the fundamental rights, freedoms, and guarantees of the data subject.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Under the 2001 Law, as amended, the processing of personal data must be conducted in strict compliance with the fundamental rights, freedoms, and guarantees of natural persons, in particular the right to privacy and family life and the right to the protection of personal data. Personal data must be processed lawfully, transparently, and with respect for the principle of good faith. It must be collected for specific, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. Personal data must be adequate, relevant, and limited to the minimum necessary for the purposes for which it is processed. Personal data must be accurate and, where necessary, kept up to date; appropriate steps must be taken to ensure that inaccurate or incomplete data is erased or rectified without delay, taking into account the purposes for which it is processed. Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is collected or further processed.

7. Controller and Processor Obligations

7.1. Data processing notification

The 2001 Law requires the notification of the CNPD prior to the processing of data.

Notifications submitted to the CNPD must include the following information (Article 25 of the 2001 Law):

  • the name and address of the controller and of his representative, if any;
  • the purposes of the processing;
  • the description of the category or categories of data subjects and of the data or categories of personal data relating to them;
  • the recipients or categories of recipients to whom the data might be disclosed and in what circumstances;
  • the entity entrusted with processing the information, if it is not the controller themselves;
  • any combinations of personal data processing;
  • the retention period;
  • the form and circumstances in which the data subjects may be informed of or may correct the personal data relating to them;
  • proposed transfers of data to third countries; and
  • a general description enabling a preliminary assessment to be made of the adequacy of the measures taken to ensure the security of processing.

Prior authorisation

The controller is required to obtain the prior authorisation of the CNPD for the following activities (Article 24 of the 2001 Law):

  • the processing of sensitive personal data and data related to persons suspected of illegal activities, criminal and administrative offences and decisions applying penalties, security measures, fines, and additional penalties;
  • the processing of personal data relating to credit and the solvency of the data subjects;
  • the processing of data related to persons suspected of illegal activities, criminal and administrative offences and decisions applying penalties, security measures, fines, and additional penalties; or
  • the use of personal data for purposes other than those for which it was collected.

Applications for prior authorisation submitted to the CNPD must include the following information (Article 25 of the 2001 Law):

  • the name and address of the controller and of his representative, if any;
  • the purposes of the processing;
  • the description of the category or categories of data subjects and of the data or categories of personal data relating to them;
  • the recipients or categories of recipients to whom the data might be disclosed and in what circumstances;
  • the entity entrusted with processing the information, if it is not the controller themselves;
  • any combinations of personal data processing;
  • the retention period;
  • the form and circumstances in which the data subjects may be informed of or may correct the personal data relating to them;
  • proposed transfers of data to third countries; and
  • a general description enabling a preliminary assessment to be made of the adequacy of the measures taken to ensure the security of processing.

Information regarding personal data processing notification forms can be found on the CNPD's website. The relevant forms include:

  • General Notification Form (only available in Portuguese here);
  • General Video Surveillance Form (only available in Portuguese here);
  • Phone/Email/Internet Usage Tracking Form (only available in Portuguese here); and
  • Biometrics Form (only available in Portuguese here).

Fees

The administrative procedure for notification of data processing is subject to the payment of a fee, set by the CNPD, in Deliberation No. 1/2015 (only available in Portuguese here), published in Official Gazette No. 44, Series II, of 18 September 2015. The fixing of the amount of fees will include a reference to the cost of forms and administrative procedures relating to the registration, and the technical cost of issuing an opinion required to issue the authorisation. Relevant fees include:

  • the registration of personal data processing notifications, which does not imply the granting of prior authorisation, is subject to payment of a fee of CVE 3,000 (approx. €27);
  • the processing of personal data that implies the granting of prior authorisation, and in reference to examples provided for by the CNPD is subject to payment of a fixed fee of CVE 5,000 (approx. €45); and
  • in the event of special complexity, the CNPD may fix the amount of the fee payable to a maximum limit of CVE 7,000 (approx. €63).

Further information regarding the payment of fees can be found on the CNPD's website.

The notification obligation does not apply where the sole purpose of the processing is to keep a register which, according to law and regulations, is intended to provide information to the public and which is open to consultation by the public in general or by any person demonstrating a legitimate interest (Article 23(4) of the 2001 Law). The CNPD may authorise the simplification of, or exemption from, notification for particular categories of processing which are unlikely, taking account of the data to be processed, to adversely affect the rights and freedoms of the data subjects, and in order to take account of criteria of speed, economy, and efficiency (Article 23(2) of the 2001 Law).

Further, notification is not required where the CNPD has issued deliberation exemptions and the processing is carried out in accordance with the terms specified in the relevant deliberation authorisation of exemption (found on the CNPD's website, only available in Portuguese here):

  • Authorisation No. 2/2015 (only available in Portuguese here) on the exemption from notifying the CNPD regarding the processing of employee's data relating to salaries, benefits, etc.;
  • Authorisation No. 3/2015 (only available in Portuguese here) on the exemption from notifying the CNPD regarding the processing of personal data of libraries and archives users for the purposes of management;
  • Authorisation No. 4/2015 (only available in Portuguese here) on the exemption from notifying the CNPD regarding the processing of employees and service providers’ data for the purposes of administrative management;
  • Authorisation No. 5/2015 (only available in Portuguese here) on the exemption from notifying the CNPD regarding the processing of personal data for the purposes of collecting contributions and contact details of members of an association in relation to the statutory activity of the association;
  • Authorisation No. 6/2015 (only available in Portuguese here) on the exemption from notifying the CNPD regarding the processing of personal data for the purposes of registering the entry and exits of persons. The exemption does not apply to personal data obtained through CCTV cameras; and
  • Authorisation No. 7/2015 (only available in Portuguese here) on the exemption from notifying the CNPD regarding the processing of personal data relating to customers, suppliers, and service providers for the purposes of billing and contact management.

In other words, the deliberation exemption does not automatically exempt the processing of data related to the relevant purpose to be exempted from notification, but rather only such processing activities that are described in the deliberation exemption, including the categories of data being processed.

7.2. Data transfers

Transfers of personal data to third countries, meaning countries outside Cape Verde, are not permitted unless the third country presents adequate security safeguards. The adequacy assessment is the CNPD's responsibility. The CNPD would look at a number of factors, such as the nature of the data, the purpose and duration of the proposed processing, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the country in question, and the professional rules and security measures which are complied with in that country.

Where third countries do not meet the adequacy requirement, transfers will need to be authorised by the CNPD. Such approval may be granted if the data subjects have given their unequivocal consent to the proposed transfer or if the transfer:

  • is necessary for the performance of a contract between the data subject and the controller, or for precontractual measures taken at the data subject's request;
  • is necessary for the conclusion or performance of a contract, concluded or to be concluded in the interest of the data subject, between the controller and a third party;
  • is necessary or legally required on the grounds of important public interest, or for the establishment, exercise, or defence of legal claims;
  • is necessary for the protection of the data subject's vital interests;
  • is made from a public register, within the context of the laws or regulations, which is intended for informing the public and open to consultation either by the general public or by any person who can demonstrate a legitimate interest, provided the conditions laid down in the law for consultation are fulfilled;
  • is carried out by a data controller who provides adequate guarantees with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with respect to their exercise, particularly by means of appropriate contractual clauses; or
  • is necessary for the protection of state security, defence, public safety, and the prevention, investigation, and repression of punishable criminal offences.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Data Protection Impact Assessments ('DPIAs') were introduced by the 2021 Amendment, which provides that where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must first conduct an assessment of the impact of the contemplated processing operations on the protection of personal data.

The DPIA is mandatory when:

  • there is a systematic and thorough assessment of personal aspects based on automated processing, including profiling, on the basis of which decisions are taken which produce legal effects or significantly affect a data subject;
  • there are large-scale processing operations of special categories of data, such as sensitive data or data relating to criminal convictions and offences; or
  • there is a systematic monitoring of publicly accessible areas on a large scale.

The DPIA must include at least:

  • a systematic description of the contemplated processing operations and the purpose of the processing, including, where applicable, the legitimate interests of the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of the data subjects; and
  • the measures contemplated to address the risks, including safeguards, security measures, and procedures to ensure the protection of personal data and to demonstrate compliance with the law, taking into account the rights and legitimate interests of data subjects and other persons concerned.

The controller must, at the time of notification of the processing, communicate to the CNPD the result of the DPIA.

7.5. Data protection officer appointment

The controller and the processor must designate a data protection officer ('DPO') where (Article 30(1) of the 2021 Amendment):

  • the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or processor consist of large-scale processing of sensitive data; or
  • the processing is carried out by a public authority or body, except courts and public prosecutors in the exercise of their procedural powers.

A corporate group may designate a single DPO, provided that the officer is easily accessible from each establishment (Article 30(2) of the 2021 Amendment). In addition, where the data controller or the data processor is a public authority or body, a single data protection officer may be appointed for several of these authorities or bodies, taking into account their organisational structure and size (Article 30(3) of the 2021 Amendment).

The DPO may be an employee or a contractor. The DPO is appointed on the basis of their professional qualities and, in particular, their expertise in the field of data protection law and practices, as well as their ability to perform the functions referred to in Article 32 of the 2021 Amendment (Article 30(4) of the 2021 Amendment).

The DPO has at least the following functions (Article 32(1) of the 2021 Amendment):

  • informs and advises the person responsible for the processing or the subcontractor, as well as the workers who process the data, regarding their obligations under the terms of the present diploma;
  • controls compliance with this statute with the policies of the data controller or the data processor regarding the protection of personal data, including the division of responsibilities, awareness and training of personnel involved in data processing operations, and the corresponding audits;
  • provides advice, when requested, with regard to the impact assessment on data protection and controls its implementation pursuant to Article 29 of the 2021 Amendment;
  • cooperates with the CNPD; and
  • acts as the contact point for the CNPD on issues related to the processing of personal data carried out.

In carrying out their duties, the DPO shall take due account of the risks associated with the processing operations, taking into account the nature, scope, context and purposes of the processing (Article 32(2) of the 2021 Amendment). The data protection officer is appointed on the basis of his professional qualities and, in particular, his expertise in the field of data protection law and practices, as well as his ability to perform the functions referred to in Article 32 of the 2021 Amendment (Article 30(4) of the 2021 Amendment).

The data controller and the data processor shall ensure that the DPO is involved, in an appropriate and timely manner, in all matters relating to the protection of personal data (Article 31(1) of the 2021 Amendment). The data controller and the data processor must also support the DPO in the exercise of the functions referred to in Article 16-G of the 2021 Amendment, providing them with the necessary resources to carry out these functions and to maintain their knowledge, as well, as giving them access to personal data and processing operations (Article 31(2) of the 2021 Amendment).

The data controller and the data processor shall ensure that the DPO does not receive instructions regarding the exercise of their functions. The person in charge cannot be removed or penalised by the controller or the subcontractor for carrying out their duties. The data protection officer reports directly to management at the highest level of the data controller or the data processor (Article 31(3) of the 2021 Amendment). In addition, the data subjects may contact the person in charge of data protection on all matters relating to the processing of their personal data and the exercise of the rights conferred on them by the 2021 Amendment. (Article 31(4) of the 2021 Amendment). On this point, the controller must communicate the contact details of the DPO to the CNPD.

The DPO is bound by an obligation of secrecy or confidentiality in the exercise of their functions (Article 31(5) of the 2021 Amendment). Furthermore, the DPO may exercise other functions and duties, and the controller or the processor shall ensure that these functions and duties do not result in a conflict of interest (Article 31(6) of the 2021 Amendment), and the DPO may be a member of the staff of the data controller or the data processor or exercise their functions on the basis of a service contract (Article 30(5) of the 2021 Amendment).

7.6. Data breach notification

In the event of a personal data breach, the controller must notify:

  • the CNPD within 72 hours of becoming aware of the situation; and
  • the data subjects without undue delay, unless the breach is unlikely to result in a risk to the rights, freedoms, and guarantees of natural persons.

If the breach is on the processor's side, the data processor is required to notify the controller of the breach without undue delay.

7.7. Data retention

Data controllers and data processors must retain personal data only for as long as may be reasonably necessary to satisfy the purpose for which it is processed. However, further processing of data for historical, statistical, or scientific purposes, as well as storage for the same purposes for a longer period, may be authorised by the CNPD at the request of the controller, where justified by a legitimate interest, for as long as this does not compromise the rights, freedoms, and guarantees of the data subject.

7.8. Children's data

There are no provisions setting a special regime for the processing of children's data. Data subjects are adults when attaining the age of 18 years, but the general rule is that minors can enter into contracts or issue statements to the extent that the same are adequate and can be fully understood by the minors, taking into account their age. By way of an example, a 15-year-old can buy a bus ticket to return home from school.

7.9. Special categories of personal data

Special categories of data are referred to as sensitive data. Sensitive data is defined as data revealing philosophical, ideological or political beliefs or penalty, religion, political party or trade union affiliation, racial or ethnic origin, privacy, and health and sex life, including genetic data.

Under the 2001 Law, as amended, the processing of personal data concerning political, philosophical, or ideological beliefs or positions, religious faith, party or trade union membership, racial or ethnic origin, and the processing of genetic data, biometric data, data concerning private life, health, sexual life, or sexual orientation, is prohibited unless one of the exceptions below applies.

Sensitive data may be processed:

  • if the data subject expressed consent with the guarantee of non-discrimination and with adequate measures of assurance;
  • when it relates to data which are manifestly made public by the data subject, provided their consent for their processing can be clearly inferred from their declaration;
  • upon authorisation by the CNPD, when the processing is based on public interest or is necessary for the pursuit of the legitimate interests of the controller, with guarantees of non-discrimination and adequate security measures;
  • with foreseen legal authorisation with the guarantee of non-discrimination and the adequate measure of assurance;
  • when the purposes of data processing are purely statistical and not individually identifiable with the adequate measure of assurance;
  • when it is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving their consent;
  • when it is carried out with the data subject's consent in the course of its legitimate activities by a foundation, association, or non-profit seeking body with a political, philosophical, religious, or trade-union aim, and under the condition that the processing relates solely to the members of the body or to persons who have regular contact with it, in connection with its purposes, and that the data are not disclosed to a third party without the consent of the data subjects;
  • when it is necessary for the establishment, exercise, or defence of legal claims and is exclusively carried out for that purpose; and
  • when it is necessary for reasons of public interest in the area of public health, such as to protect against serious cross-border threats to health or to ensure a high level of quality and safety of healthcare and medicinal products or medical devices, provided that appropriate and specific measures are taken to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

Specific exceptions include the following cases:

  • the processing of personal data concerning health, sex life, and sexual orientation, including genetic data, is permitted when it is necessary for the purposes of preventive medicine, for assessing the employee's ability to work, medical diagnosis, the provision of health, social care, or treatment, or the management of health or social care systems and services, provided that it is carried out by a health professional subject to the obligation of professional secrecy, or by another person also subject to an equivalent obligation of secrecy, that the CNPD has been notified, and that appropriate information security measures are ensured;
  • the processing of sensitive data may still be carried out with adequate information security measures, when the indispensable security of the state, public security, and the prevention, investigation, or repression of penal infringements are demonstrated;
  • the creation and maintenance of central registers on persons suspected of unlawful activities, criminal offences, misdemeanours, criminal convictions, decisions imposing security measures, fines, and additional sanctions may only be maintained by public services with such legal competence, observing procedural and data protection norms provided for in a legal diploma;
  • the processing of personal data regarding suspected illegal activities, criminal offences, misdemeanours, criminal convictions, decisions imposing security measures, fines, accessory sanctions, and disciplinary infringements may be authorised by the CNPD, when such processing is necessary for the execution of legitimate aims by its responsible party, provided that the rights, freedoms, and guarantees of the data subject are not overruled;
  • the processing of personal data for police investigation purposes must be limited to what is necessary for the prevention of a concrete danger or the repression of a specific offence, for the exercise of the powers provided for in the respective organic statute or other legal provision and under the terms of an international agreement, treaty, or convention to which Cape Verde is a party.

Specific security requirements for the processing of sensitive data

Additional security measures are required for the processing of sensitive data, particularly to:

  • prevent unauthorised persons from accessing the premises used to process data;
  • prevent data media from being read, copied, altered, or modified by unauthorised persons;
  • prevent unauthorised input of personal data, as well as unauthorised access to, alteration, or deletion of personal data that has been entered;
  • prevent automated data processing systems from being used by unauthorised persons by means of data transmission facilities;
  • guarantee that authorised persons may only access the data covered by their authorisation;
  • guarantee that the entities to whom personal data may be transmitted by means of data transmission facilities can be verified;
  • guarantee that it is possible to check a posteriori, within a period appropriate to the nature of the processing and to be established in the regulations applicable to each sector, which personal data was entered, when, and by whom;
  • prevent unauthorised reading, copying, altering, or eliminating of data when transmitting and transporting personal data.

Taking into account the nature of the entities responsible for the processing and the type of premises in which it is carried out, the CNPD may waive the existence of certain security measures, subject to guaranteeing respect for the fundamental rights, freedoms, and guarantees of the data subjects.

The systems must guarantee the logical separation between data relating to health and sex life, including genetic data, and other personal data.

Where circulation over a network of data may jeopardise the fundamental rights, freedoms, and guarantees of their data subjects, the CNPD may determine that transmission must be encrypted.

Controllers and persons who obtain knowledge of the personal data processed in carrying out their functions must be bound by professional secrecy, even after their functions have ended.

7.10. Controller and processor contracts

A contract between the controller and the processor is required and should provide, inter alia, that the processor must act only on the controller's instructions and that the controller's obligations must also be incumbent on the processor. The contract must be in writing or an equivalent means with legal value for evidence purposes, and must include the organisational and security requirements.

Under the 2021 Amendment, the processor must obtain the controller's specific prior consent before engaging a sub-processor. The 2021 Amendment does not provide for the alternative of a general authorisation coupled with a right for the controller to object.

8. Data Subject Rights

8.1. Right to be informed

Principle

Prior to processing personal data, the controller must provide the following information to the data subject (except where the data subject already has such information):

  • the identity of the controller and of their representative and their address (if any);
  • the purposes of the processing;
  • the recipients or categories of recipients;
  • the contact details of the DPO, if applicable;
  • the mandatory or voluntary nature of the responses, as well as the possible consequences of failure to reply;
  • the existence and conditions of the right of access and the right to rectification, provided that this information is necessary, considering the specific circumstances of data collection, to guarantee the data subject that their data will be processed fairly;
  • the decision of providing personal data for the first time to a third party for marketing or prospecting purposes and the data subject's right to object to such communication;
  • the decision that the personal data will be used on behalf of third parties, and the data subject's right to object to such communication; and
  • the security risks that may occur in the event data is collected on an open network.

Exceptions

The information requirement may be waived for reasons of state security or crime prevention and investigation, when processing data for statistical, historical, or scientific research purposes, where informing or identifying the data subject proves impossible or would involve a disproportionate effort, or where the law expressly provides for the recording or registration of such data or its dissemination.

The obligation to provide information does not apply where the personal data is processed for journalistic purposes or the purpose of artistic or literary expression, except to the detriment of rights, freedoms, and guarantees of the data subject.

8.2. Right to access

The data subject has the right to obtain from the controller, without constraints, with reasonable intervals and without excessive delay or expense:

  • confirmation as to whether or not data relating to them is being processed and information as to the purposes of the processing, the categories of data concerned and the recipients or categories of recipients to whom the data is disclosed, as well as a copy of the data being processed;
  • communication in an intelligible form of the data undergoing processing and of any available information as to their source;
  • knowledge of the logic involved in any automatic processing of data, including profiling, concerning the data subject.

8.3. Right to rectification

Data subjects may request a data controller, without delay, to rectify inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of an additional statement.

8.4. Right to erasure

The data subject has the right to obtain from the data controller the erasure or destruction of their personal data without delay where:

  • the personal data is no longer necessary for the purpose for which it was collected or further processed;
  • the data subject withdraws the consent on which the processing of the data was based, and there is no other legal ground for the processing;
  • the data subject opposes the processing and there are no overriding legitimate interests justifying the processing; or
  • the personal data is unlawfully processed.

The right to erasure does not apply where processing is necessary for:

  • the exercise of freedom of expression and information;
  • compliance with a legal obligation to which the controller is subject, for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
  • reasons of public interest in the area of public health; or
  • the establishment, exercise, or defence of legal claims.

8.5. Right to object/opt-out

Data subjects have the right to object, on compelling legitimate grounds relating to their particular situation, to the processing of personal data relating to them.

Objection to personal data processing for direct marketing or any other form of commercial solicitation does not need to be justified and is free of charge.

8.6. Right to data portability

Data subjects have the right to receive the personal data they provided to a controller in a structured, commonly used, and machine-readable format, and to transmit that data, or have it transmitted directly where technically feasible, to another controller, without the controller to whom the data was provided being able to prevent this, provided that the processing is based on consent and is carried out by automated means. The right to portability must not adversely affect the rights and freedoms of others.

8.7. Right not to be subject to automated decision-making

Profiling leading to discrimination against individuals on the basis of sensitive data is prohibited.

In addition, data subjects will have the right not to be subject to a decision which produces legal effects concerning them or significantly affects them, and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to them, in particular their performance at work, creditworthiness, reliability, or conduct.

A DPIA is required in the event of systematic and comprehensive assessment of personal aspects relating to natural persons, based on automated processing, including profiling, and on the basis of which decisions are adopted which produce legal effects with regard to individuals or significantly affect them in a similar manner.

Exceptions

The principle does not apply where:

  • the decision is taken in the course of the entering into or performance of a contract, provided that the request for the entering into or the performance of the contract has been satisfied, or that there are suitable measures to safeguard their legitimate interests, particularly arrangements allowing the data subjects to express their point of view; or
  • the CNPD has permitted such decision-making process and has defined measures to safeguard the data subject's legitimate interest.

8.8. Other rights

Data subjects have the right to obtain from the controller the restriction of processing where one of the following applies:

  • they contest the accuracy of the personal data for a period enabling the controller to verify its accuracy;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
  • the controller no longer needs the personal data for the purpose of the processing.

9. Penalties

The maximum administrative fine amounts to CVE 3 million (approx. €27,210).

The maximum criminal penalties provide for up to three years' imprisonment and a fine of up to 240 days (day-fines), amounting to a maximum of CVE 4.8 million (approx. €43,530) for a natural person and CVE 24 million (approx. €217,650) for a legal entity.

In addition, the following sanctions can be imposed:

  • the temporary or permanent prohibition of processing, blocking, erasure, or total or partial destruction of data;
  • the publication of the judgment; or
  • public warning or censure of the controller of the processing.

Entities that negligently fail to comply with the obligation to notify the CNPD of the processing of personal data, or that provide false information in the notification or application, commit an offence. Penalties range from CVE 50,000 (approx. €450) up to CVE 500,000 (approx. €4,500) where a single individual is concerned, whereas where a group of people or an entity without legal personality is concerned, the fines range from CVE 300,000 to CVE 3,000,000 (approx. €2,700 to €27,000). The relevant fines may be doubled if the processing of personal data is subject to the prior authorisation of the CNPD (Article 33 of the Law).

Anyone who intentionally fails to notify the CNPD, fails to obtain prior authorisation from the CNPD, provides false information in the notification or authorisation applications, or makes alterations to the authorisation applications that are not permitted by law will be punished with imprisonment for up to one year or a fine of up to 120 days (Article 40 of the Law).

9.1. Enforcement decisions

Please refer to the section on case law above.