Ethiopia - Data Protection Overview
November 2022
1. Governing Texts
Ethiopia does not have a single and comprehensive legal instrument regulating privacy and data protection, including the obligations of data controllers and processors, as well as the rights of data subjects in general. There are, however, rules contained in the Constitution of the Federal Democratic Republic of Ethiopia (1995) ('the Constitution'), and other laws that deal directly or indirectly with data privacy and/or data protection. The Ministry of Innovation and Technology ('MINT') (the former Ministry of Communication and Information Technology ('MCIT')) has recently issued a Draft Data Protection Proclamation which is yet to be approved.
While there is also no national data protection authority, some sector-specific government authorities (including the authorities listed under the section on guidelines below) have the power to regulate privacy and/or data protection issues within their regulatory scope.
1.1. Key acts, regulations, directives, bills
The key laws which provide for privacy and data protection rules include:
- the Constitution;
- Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 ('the Mass Media Proclamation');
- Civil Code of the Empire of Ethiopia Proclamation No. 165/1960 ('the Civil Code');
- Criminal Code of the Federal Democratic Republic of Ethiopia Proclamation No. 414/2004 ('the Criminal Code');
- Criminal Procedure Code of the Empire of Ethiopia, 1961 ('the Criminal Procedure Code');
- the Food, Medicine, and Healthcare Administration and Control Council of Ministers Regulation ('the Regulation');
- the Communications Service Proclamation No. 1148/2019 ('the Communications Service Proclamation');
- Computer Crime Proclamation No. 958/2016 ('the Computer Crime Proclamation');
- Registration of Vital Events and National Identification Cards Proclamation No. 760/2012 ('the Registration of Vital Events and National Identity Card Proclamation');
- Federal Tax Administration Proclamation No. 983/2016 ('the Federal Tax Administration Proclamation');
- Authentication and Registration of Documents' Proclamation No. 922/2015 ('the Documents Authentication and Registration Proclamation');
- Electronic Signature Proclamation No. 1072/2018 ('the Electronic Signature Proclamation');
- Electronic Transaction Proclamation No. 1205/2020 ('the Electronic Transaction Proclamation');
- Licensing and Authorisation of Payment Instrument Issuers Directive No. ONPS/01/2020 ('the Licensing and Authorisation of Payment Instrument Issuers Directive'); and
- Financial Consumer Protection Directive No. FCP/01/2020 ('the Financial Consumer Protection Directive').
The Constitution
The Constitution contains provisions pertaining to the protection of privacy that mirror the protections enshrined in major international human rights instruments.
Accordingly, Article 26 of the Constitution provides that 'everyone has the right to privacy [including] the right not to be subjected to search of his [or her] home, person or property, or the seizure of any property under his [or her] personal possession.' Moreover, Article 26(2) stipulates that 'everyone has the right to inviolability of [their] notes and correspondence including postal letters, and communication made by telephone, telecommunications, and electronic devices'.
Article 26(3) of the Constitution envisages exceptions where these rights could be limited. As such, the right to privacy can be restricted in 'compelling circumstances and in accordance with specific laws whose purposes [are] safeguarding of national security or public purpose, the prevention of crimes or the protection of health, public morality or the rights and freedom of others'.
Ethiopia is also a party to a number of international and regional human rights instruments that provide for the right to privacy and the protection of personal information, including the Universal Declaration of Human Rights 1948, the International Covenant on Civil and Political Rights 1966, the Convention on the Rights of the Child 1989, and the African Charter on the Rights and Welfare of the Child 1990. According to Article 9 of the Constitution, these and other human rights instruments ratified by Ethiopia form an 'integral part' of the laws of the country.
The Mass Media Proclamation
The Mass Media Proclamation, which is applicable to all media operating in Ethiopia, contains provisions protecting privacy and personal data in the form of limitations on the right to seek and access any information held by public bodies. Public agencies are required to reject requests for access to records if the records concerned relate to the 'personal information' of third parties, including individuals who died less than 20 years before the time of the application.
A request for access to public records can be rejected if (Article 18(1) of the Mass Media Proclamation):
- it relates to information supplied by the third party in confidence and if it would potentially prejudice the supply of similar information in the future when public interest so demands; and
- the disclosure of the record would constitute an action for breach of duty of the confidence owed to the third party in terms of an agreement and would likely result in legal action against it.
A third party whose information is requested for disclosure has the right to be notified and can protest against the disclosure (Article 19 of the Mass Media Proclamation).
The Civil Code
The privacy-related rights recognised under the Civil Code include the constitutional right not to be subjected to search except in cases provided by the law (Articles 11 and 13). Article 11 provides that 'no person may have [their] freedom restricted, or be subject to a search, except in cases provided by the law'. Articles 20 and 24 of the Civil Code provide for the right to refuse to submit to a medical examination without consent and the right not to be compelled to reveal facts obtained in the course of one's professional duty (see section on personal scope below). Moreover, Article 31 of the Civil Code stipulates that the addressee of a confidential letter may not divulge its content without the consent of the author, except in judicial proceedings where they have a legitimate interest.
The Criminal Code
Articles 604 to 606 of the Criminal Code criminalise the violation of privacy safeguards guaranteed under the Constitution. Pursuant to Articles 604 and 605 of the Criminal Code, whoever commits any of the enumerated acts constituting a violation of the privacy of a domicile or restricted area is punishable with up to five years of imprisonment in aggravated cases.
According to Article 606 of the Criminal Code, violation of the privacy of correspondence or consignments including intrusion of one's letter, telegram, telecom, and other electronic correspondence, among others, is punishable, upon complaint, with up to six months of imprisonment or a fine. Moreover, Article 399 of the Criminal Code criminalises breaches of professional secrecy. Accordingly, professionals including advocates, legal advisors, attorneys, arbitrators, experts, jurors, employees of private companies, doctors, dentists, nurses, and auxiliary medical personnel, who disclose a secret obtained in the course of professional duties, are punishable by law.
The Criminal Procedure Code
Article 32 of the Criminal Procedure Code provides that no person or premises will be searched without a court warrant, except under certain exceptions provided for by law. These exceptions include:
- where the offender is followed in hot pursuit and enters the premises or disposes of articles that are the subject matter of an offence in the premises; and
- where there is reasonable cause for suspecting that articles which may be material evidence are concealed and there are good grounds for believing that delay would likely result in the removal of such articles.
As an exception to the protection provided under Article 20 of the Civil Code, Article 34 of the Criminal Procedure Code provides that physical examination may be made, upon the order of an investigating officer, on the person accused of a crime. An examination for such purposes may include the taking of a blood test.
The Regulation
Article 77(2) of the Regulation stipulates that 'a health professional may not disclose, verbally or in writing, information regarding a patient unless the appropriate organ believed that there is a prominent health risk to the public demanding to do so, it is ordered by a court, they get written consent from the patient or the patient's guardian or it is permitted by law. The health professional may, however, release or transfer such information of patients for the purpose of conducting scientific research in a manner the information does not identify directly or indirectly any individual patient'.
The Communications Service Proclamation
The Communications Service Proclamation mandates the Ethiopian Communication Authority ('ECA') with a power to promote information security, data privacy, and protection. To this effect, the ECA is empowered to issue Directives in order to ensure that the interests of consumers of communication services are protected (Article 50(1) of the Communications Service Proclamation).
The Computer Crime Proclamation
The Computer Crime Proclamation criminalises persons who intentionally commit a 'computer crime'. Computer crime is defined as a crime committed against a computer, computer system, computer data, or computer network; a conventional crime committed by means of a computer, computer data, or computer network; or dissemination of illegal computer content data through a computer, computer system, or computer network (Article 2(1) of the Computer Crime Proclamation).
The Registration of Vital Events and National Identity Card Proclamation
The Registration of Vital Events and National Identity Card Proclamation guarantees the protection of personal data collected in relation to the registration of vital events and national identity cards. Information specific to an individual may not be disclosed to any other person without the consent of the individual concerned or a court order. However, the Registration of Vital Events and National Identity Card Proclamation allows the disclosure of such information for the purposes laid down under Article 64(1), which include considerations of national security, crime prevention and investigation, tax collection, administrative and social services, and the implementation of risk management systems for financial institutions. Moreover, such information must be properly kept in a central database by the appropriate organ so that information collected for one purpose can be used for other purposes by organs established by law with respect to the registration of vital events or the issuance of national identity cards. Apart from this, the information cannot be used for other purposes or shared with other organs. A government agency that collects such information has the obligation to protect the data from electronically designed attacks, theft, and other similar criminal abuse.
The Federal Tax Administration Proclamation
Pursuant to Article 8 of the Federal Tax Administration Proclamation, every tax officer is obliged to maintain the secrecy of documents and information received in [their] official capacity. In addition, Article 8 enumerates the conditions under which tax information or documents can be disclosed. These include disclosure to:
- another tax officer for carrying out official duties;
- law enforcement agencies;
- the Tax Commission or Court for the purposes of establishing tax liability;
- a foreign country with which Ethiopia has a bilateral agreement for exchange of information;
- the Auditor-General and Attorney General for the performance of official duties;
- regional Tax Authorities; and
- a person in the service of the government statistical department or conducting research where disclosure is necessary for official duties provided disclosure does not identify the specific person.
Disclosure to any other person can only be made with the written consent of the person to whom the information relates, and other organs authorised by law.
Furthermore, a person to whom the information is disclosed has the obligation to maintain the secrecy of the information, to use such information only to the minimum extent necessary to achieve the object for which the disclosure is permitted, and to return any documents obtained for that purpose to the Ministry of Revenue.
The Documents Authentication and Registration Proclamation
Article 21 of the Documents Authentication and Registration Proclamation obliges the notary to keep the confidentiality of information obtained in the performance of its official duty. No information is allowed to be shared with third parties except in accordance with a court order or upon request by other bodies empowered by law. However, the notary has the obligation to report to the appropriate organ if it accesses information related to the commission of a crime.
Electronic Signature Proclamation
'Certificate provider' is defined as a legal person duly authorised or recognised to issue a certificate (electronic data which links public keys to the person named in the certificate and confirms the real identity of that person) and related service. Article 29 of the Electronic Signature Proclamation stipulates that the certificate provider is required to keep the custody of information related to certificate issuance, suspension, revocation, or related services for two years. It must keep personal information confidential unless clearly provided otherwise by law.
Electronic Transaction Proclamation
Article 43 of the Electronic Transaction Proclamation provides that, with the exception of legally authorised persons, a person who can access electronic messages, any other written documents, or other electronic devices has the obligation to keep them confidential.
Licensing and Authorisation of Payment Instrument Issuers Directive
Article 12(2)(f) of the Licensing and Authorisation of Payment Instrument Issuers Directive provides that a payment instrument issuer, upon opening an account, is required to enter into an agreement with a user and the agreement should state the confidentiality of all users' information.
Financial Consumer Protection Directive
Article 4.4 of the Financial Consumer Protection Directive requires financial service providers to keep the financial consumers' data they collect confidential and secure. They can only use and disclose such data for legitimate purposes agreed to by the financial consumer or security provider, or as otherwise permitted by law. Moreover, Article 5.4 of the same Directive requires financial service providers to put in place and apply policies and procedures to ensure the confidentiality and security of financial consumers' data. It also requires them to inform financial consumers and security providers of those policies and to make the policies available to them.
Draft Data Protection Law
The MCIT had prepared a Draft Data Protection Proclamation. The most recent version of the Draft Data Protection Proclamation contains detailed provisions on data collection, use, protection and processing, and provides for the establishment of a regulatory entity called the Data Protection Commission. The draft provides for the definition of 'personal data' and sets out the principles (the principle of fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, security, and data transfer) governing the processing of personal data.
It also contains the fundamental rights of data subjects, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to object, the right not to be subject to automated decision-making, the right to restriction, and the right to data portability.
The Draft Data Protection Proclamation defines 'personal data' as any information relating to an identified or identifiable natural person who can be identified:
- from such data; or
- from such data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of intentions of the data controller or any other person in respect of the individual.
The Draft Data Protection Proclamation lists certain personal information as 'sensitive personal data'. This category of personal data includes information on racial or ethnic origin, political opinion, religious belief, membership of a trade union, physical and mental health condition, sexual life, genetic information, the commission or alleged commission of a crime, and legal proceedings against the subject. Among others, the Draft Data Protection Proclamation contains principles on the collection and protection of personal data, the rights of data subjects, and conditions for the processing of sensitive personal data.
It is unclear at the time of this writing when the draft will be tabled before the House of Peoples' Representatives and enacted.
1.2. Guidelines
There are no comprehensive guidelines for data protection in Ethiopia.
1.3. Case law
Ethiopia follows a predominantly civil law system and does not have a strong case law tradition. However, since 2005, the ruling of the Cassation Division of the Federal Supreme Court ('Cassation Bench') on the interpretation of the law is proclaimed to be binding on all other courts. As of the date of writing, however, the Cassation Bench has only issued one such ruling pertaining to the protection of privacy. In RiyanMiftah vs ElsiwdiKebls Plc, the Cassation Bench delivered a landmark ruling stating that no image or photograph of a person may be publicly exhibited, sold, or disseminated without the consent of the person concerned and that the latter would be entitled to damages for any violation of their privacy rights. The decision of the Cassation Bench is a clear articulation of the provisions of Articles 27 and 29 of the Civil Code.
2. Scope of Application
2.1. Personal scope
The sector-specific data protection rules discussed under the section on key acts, regulations, directives, bills above apply to the persons or entities covered by that particular legislation. For example, the rules provided under the Financial Consumer Protection Directive apply to financial service providers, financial products and services, financial consumers, and security providers. A financial service provider means a bank, insurer, microfinance institution, capital goods finance company, postal savings institution, money transfer institution, or such other similar institution as specified by the National Bank of Ethiopia ('NBE'). A security provider means a financial consumer that provides or proposes to provide a security.
Article 16 of the Mass Media Proclamation provides that a public relations officer should reject a request for access to a record of the public body if its disclosure would involve the unreasonable disclosure of personal information about a third party, including a deceased individual who died less than 20 years ago.
2.2. Territorial scope
There is no clear guideline regarding the territorial and extraterritorial scope of the existing sector-specific data protection rules. However, it can be inferred that the data protection rules discussed under the section on key acts, regulations, directives, bills above apply to the processing of personal data/information in the context of the activities of a data controller or processor in Ethiopia.
2.3. Material scope
Although it is not clear under the existing data protection rules, it is our understanding that the privacy and data protection rules apply to the processing of personal data and information by both automated and non-automated means.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
Although there is no central data protection authority, there are various sector specific government bodies/authorities which regulate privacy and data protection. These include:
- the ECA, a regulator of the telecommunication sector, is empowered, among others, to 'promote information security, data privacy, and protection';
- the Information Network Security Agency ('INSA'), which is mandated to ensure that information and computer-based key infrastructure are secured;
- the Ethiopian Ministry of Revenue ('MoR'), which is the ministerial body responsible for the implementation and enforcement of tax laws including rules on the protection of tax information;
- MINT, a federal ministry organ, is empowered mainly to ensure and set general policy framework for the provision of quality, reliable and secure information technology service and oversee the implementation thereof;
- the National Bank of Ethiopia ('NBE'), the banking sector regulator, is conferred with certain powers related to privacy and data protection in relation to the financial sector. Its mandate includes collecting data from any person in order to prepare various periodic economic studies and related activities. Any information obtained by the NBE from an operator, participant, issuers of payment instruments, or the central counter party must not be directly and indirectly disclosed to third party unless the disclosure is:
- for the purpose of fulfilling the legal requirements under the National Payment System Proclamation No. 718/2011;
- necessary to ensure financial integrity, effectiveness, and security of the system;
- to a recipient who is legally authorised to get such information or to a body for which the national bank is accountable;
- to a recipient who is legally authorised to get such information;
- ordered by a court of law; and
- for the purpose of meeting obligations under the international agreements.
- the Ethiopian Food and Drug Administration ('FMHACA'), which regulates the safety and quality of medicines, has certain powers relating to the protection of patients' information by health professionals. These include taking measures against incompetent and unethical health professionals who breach their professional duties, including professional secrecy;
- the Ethiopian Document Authentication and Registration Agency ('EDARA'), which is the organ responsible for coordinating and supporting authentication and registration activities. It performs document authentication and registration and serves as a central database for documents authenticated and registered; and
- the Financial Intelligence Center ('FIC'), which is an organ responsible for coordinating various institutions involved in the fight against money laundering and the financing of terrorism, to organise and analyse the information it receives and to perform other related tasks.
3.2. Main powers, duties and responsibilities
Please refer to the section on main regulator for data protection above for the general powers of each authority.
4. Key Definitions
Personal data: Article 2(8) of the Mass Media Proclamation defines 'personal information' as information about an identifiable person, including but not limited to:
- information related to medical, educational, academic, employment, professional, or criminal history of the individual or information relating to financial transactions;
- ethnic, national, or social origin, age, pregnancy, marital status, colour, sexual orientation, physical or mental health, well-being, disability, religion, belief, conscience, culture, language, or birth;
- an identification number, symbol, or other identifier assigned to the individual, address, fingerprints, or blood type;
- personal opinions, views, or preferences, except as related to another individual;
- views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the individual's name; and
- views or opinions of others about the individual, or the individual's name, which, in combination with other personal data or alone, could reasonably be linked to personal data (except for deceased persons who died more than 20 years ago).
Sensitive data: Not available.
Data controller: Not available.
Data processor: Not available.
Data subject: Not available.
Biometric data: Not available.
Health data: Not available.
Pseudonymisation: Not available.
5. Legal Bases
Consent of the data subject, a lawful and legitimate purpose, and the public interest are the common legal bases found under most of the existing sector-specific data protection laws.
5.1. Consent
The consent of the data subject is required in order to process certain personal data, unless it is legally permitted to do otherwise. For example, under Article 5.4.7 of the Financial Consumer Protection Directive, a financial service provider should only use and disclose a financial consumer's or security provider's data consistently with the original purpose of collection, or with the explicit and informed consent of the financial consumer, or as otherwise required or permitted by the Financial Consumer Protection Directive or other laws.
As discussed under the section on key acts, regulations, directives, bills above, a health professional is not allowed to disclose the medical information of their patient unless they get written consent from the patient or the patient's guardian.
5.2. Contract with the data subject
Not applicable.
5.3. Legal obligations
Not applicable.
5.4. Interests of the data subject
Not applicable.
5.5. Public interest
The Constitution obliges public officials to respect and protect the right to privacy of an individual and to place no restrictions on it (including on the confidentiality of personal information) except in compelling circumstances and in accordance with specific laws whose purpose shall be safeguarding the interest of the public (i.e. national security, public peace, the prevention of crimes, the protection of health, public morality, or the rights and freedom of others). Article 15(1) of the Prevention and Suppression of Money Laundering and Financing of Terrorism Proclamation No. 780/2013 ('Prevention and Suppression of ML/FT Proclamation') allows the FIC to obtain from any person information it deems useful for the accomplishment of its functions.
5.6. Legitimate interests of the data controller
Article 4.4 of the Financial Consumer Protection Directive provides that a financial service provider should use and disclose the financial consumer's or security provider's data only for 'legitimate purposes' agreed to by the financial consumer or security provider, or as otherwise permitted by law. Moreover, Article 5.4 (5.4.6) of the same Directive stipulates that a financial service provider shall collect a financial consumer's or security provider's data only using lawful and fair means and for legitimate purposes necessary for the activities of the financial service provider.
A tax officer may disclose information relating to a taxpayer on the conditions (lawful purposes) mentioned under the section on key acts, regulations, directives, bills above.
5.7. Legal bases in other instances
Not applicable.
6. Principles
The principles of data protection law (transparency, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality, and accountability) are not clearly provided under the existing sector-specific data protection rules.
However, some of these principles (particularly the principles of confidentiality, accountability, and purpose limitation) are indirectly reflected in the existing privacy and/or data protection rules.
The Financial Consumer Protection Directive, for example, requires financial service providers to collect a financial consumer's or security provider's data only using lawful and fair means and for legitimate purposes that are necessary (principle of purpose limitation).
The Electronic Transaction Proclamation obliges persons who can access electronic messages or any other written documents to keep them confidential, the violation of which entails criminal liability (principles of confidentiality and accountability).
Article 8(3) of the Federal Tax Administration Proclamation also requires any tax officer to maintain the secrecy of tax information received in their official capacity, and any person other than a tax officer who receives tax information in their official capacity is required to maintain the secrecy of the information except to the minimum extent necessary to achieve the object for which the disclosure is permitted (principle of purpose limitation).
7. Controller and Processor Obligations
The Financial Consumer Protection Directive requires financial service providers to implement appropriate organisational, physical, and technical measures to ensure that data is protected against misuse, unauthorised disclosure, accidental loss, destruction, or damage.
7.1. Data processing notification
There are no provisions requiring data processing notifications.
7.2. Data transfers
According to the Licensing and Authorisation of Payment System Operators Directive No. ONPS/02/2020, Point of Sale ('POS') machine operators are not allowed to send domestic payment information outside Ethiopia for the purpose of authorisation, clearing and settlement. They can only send payment data made through the international card scheme to the financial institution or national switch. Similarly, Automated Teller Machine ('ATM') operators shall not send any transaction outside Ethiopia for the purpose of processing, authorisation and switching.
7.3. Data processing records
There is no clear obligation to maintain data processing records.
7.4. Data protection impact assessment
There are no clear requirements/recommendations to carry out a Data Protection Impact Assessment.
7.5. Data protection officer appointment
There are no clear requirements/recommendations to appoint a data protection officer.
7.6. Data breach notification
The Licensing and Authorisation of Payment Instrument Issuers Directive requires payment instrument issuers to report to the NBE any cybersecurity breach or data loss.
Financial institutions and designated non-financial businesses and professions that suspect, or have reasonable grounds to suspect, that funds or property are the proceeds of a crime, or are related to or are to be used for the financing of terrorism, are required to report promptly to the FIC (Article 17 of the Prevention and Suppression of ML/FT Proclamation).
Government organs that have knowledge of the commission of crimes stipulated under the Computer Crime Proclamation (including breaches of privacy/data through illegal and unauthorised access) or of the dissemination of any illegal content data by third parties through the computer systems they administer are required to immediately notify INSA, report the crime to the police, and take appropriate measures (Article 27).
7.7. Data retention
Article 24 of the Computer Crime Proclamation stipulates that any service provider is required to retain computer traffic data disseminated through its computer systems or traffic data relating to data processing or communication service for one year. The data is required to be kept in secret unless its disclosure is ordered by a court. Service provider means a person who provides technical data processing, communication service, or alternative infrastructure to users by means of a computer system.
As indicated under the section on key acts, regulations, directives, bills above, electronic certificate providers are required to keep custody of information related to certificate issuance, suspension, revocation, or related services for two years.
Financial service providers are required to retain copies of concluded contract documents, Key Facts Statements, and other records relating to the provision of financial products or services for ten years from the time when that version ceased to be used or after the business relationship has ended, or as may be required by relevant laws (Article 7 of the Financial Consumer Protection Directive).
7.8. Children's data
There are no specific provisions regulating the processing of children's data. However, producing, transmitting, and distributing pictures or videos of a minor, or of a person appearing to be a minor, engaged in sexually explicit conduct is punishable under the Computer Crime Proclamation.
7.9. Special categories of personal data
In principle, information which relates to the following is not allowed to be disclosed by the public relation officer, as provided under Articles 21-25 of the Mass Media Proclamation:
- the protection of proceedings of law enforcement and legal investigation;
- the protection of records privileged from production in legal proceedings;
- defence, security, and international relations;
- cabinet documents; and
- economic interests and financial welfare of the country and commercial activities of public bodies.
7.10. Controller and processor contracts
There is no requirement to have a vendor management contract in place.
8. Data Subject Rights
Data subject rights (the right to be informed, right to access, right to rectification, right to erasure, right to object, right to portability, and right not to be subject to automated decision-making) are not clearly provided for under the existing sector-specific data protection rules. However, some of these rights are reflected in some of the sector-specific privacy and/or data provisions.
8.1. Right to be informed
Article 5.4.2 of the Financial Consumer Protection Directive obliges financial service providers to inform financial consumers and security providers of, and make available to them, information regarding their policies for the collection, use, and disclosure of data, the kinds of data they collect, and the third parties to whom they may disclose such data. It also requires them to provide copies of the privacy policy to financial consumers and security providers upon request and to make the privacy policy available on their official website.
Per Article 5.4.7 of the Financial Consumer Protection Directive, financial service providers should obtain the explicit and informed consent of the financial consumer in order to use and disclose their data unless otherwise permitted by the Directive or other laws.
Article 15 of the Mass Media Proclamation provides that a public relation officer, when requested to disclose information concerning a third party, should give notice to that third party within 15 days of receipt of the request so that it may protest the proposed disclosure. The third party is required to lodge its objection within 15 days of the issuance of the notice. Failure to lodge such an objection will result in disclosure of the information to the person who made the request.
8.2. Right to access
Article 5.4.9 of the Financial Consumer Protection Directive further provides that financial service providers should give financial consumers and security providers the right to access their data within a reasonable time and free of charge.
8.3. Right to rectification
According to Article 5.4.10 of the Financial Consumer Protection Directive, if a financial consumer or security provider claims that any data about them held by the financial service provider is inaccurate or incomplete, the financial service provider should correct it within a reasonable time and take reasonable steps to advise any third party that has access to the inaccurate or incomplete data of the correction.
8.4. Right to erasure
Not applicable.
8.5. Right to object/opt-out
Not applicable.
8.6. Right to data portability
Not applicable.
8.7. Right not to be subject to automated decision-making
Not applicable.
8.8. Other rights
Article 40 of the Mass Media Proclamation provides that where any factual matter injurious to the honour or reputation of any person is reported in a mass media outlet, that person shall have the right to have their reply inserted, free of charge, in the publication in which the report appeared.
9. Penalties
The penalties for breach of data protection rules are provided across various sector-specific privacy and/or data protection laws. These laws provide different penalties for non-compliance with the privacy and data protection rules, as outlined below.
Financial sector
The National Payment System Proclamation provides that a director, a manager, or an employee of an operator (the NBE, financial institutions, or any other entity authorised by the NBE as an operator), a participant, or an issuer of a payment instrument who discloses confidential information relating to any person, except when legally required or ordered by a court of law, the NBE, or a legally authorised person, will be punished with rigorous imprisonment from ten to 15 years and with a fine from ETB 50,000 (approx. €919) to ETB 100,000 (approx. €1,837) (Article 35(2)(e) of the National Payment System Proclamation).
Article 58(7) of the Banking Business Proclamation generally provides a penalty of imprisonment of up to three years and a fine of up to ETB 10,000 (approx. €184) for any person who contravenes or obstructs the provisions of the Banking Business Proclamation, Regulations, and Directives, including the provisions on non-disclosure of confidential information.
The Financial Consumer Protection Proclamation provides that financial institutions which contravene the provisions of the Financial Consumer Protection Directive (including the privacy and data protection provisions) will be subject to a penalty of ETB 10,000 (approx. €184) for each violation. In addition, the NBE may take any other measures it considers necessary.
Health sector
The Criminal Code provides a penalty of simple imprisonment or a fine for breach of professional duties, including by health professionals.
The FMHACA may take various forms of measures against health professionals who breach their professional obligations, based on the proposal of the Health Professional's Committee. Moreover, a breach of professional duties may also entail tortious liability pursuant to Article 2031 of the Civil Code. Hence, a person practicing a profession, including health professionals, is liable in the event of imprudence or of negligence constituting 'definite ignorance of their duties'.
ICT sector
Part II of the Computer Crime Proclamation criminalises illegal/unauthorised access, illegal interception, interference with a computer system, causing damage to computer data, and other criminal acts related to the usage of computer devices and data. Article 3 of the Computer Crime Proclamation provides, 'Whosoever, without authorisation or in excess of authorisation, intentionally secures access to the whole or part of a computer system, computer data, or network will be punishable with simple imprisonment not exceeding three years or fine from ETB 30,000 (approx. €550) to ETB 50,000 (approx. €919) or both'. If the crime is committed against 'a computer system, computer data or network that is exclusively destined for use by a legal person or on critical infrastructure, it is punishable with up to ten years' imprisonment and/or ETB 100,000 (approx. €1,840) fine.'
'Critical infrastructure' means computer systems, networks, or data where an attack would cause considerable damage to public safety and the national interest. Similarly, persons who intercept non-public data or data processing services may be punished with rigorous imprisonment not exceeding five years and/or an ETB 50,000 (approx. €919) fine (Article 4(1) of the Computer Crime Proclamation). If the crime of interception is committed against computer data or a system exclusively destined for the use of a specific legal person or critical infrastructure, the punishment will be rigorous imprisonment of up to ten years and/or a fine of ETB 200,000 (approx. €3,670) (Article 4(2) of the Computer Crime Proclamation). Illegal interference with a computer system is likewise punishable with rigorous imprisonment ranging from three to 20 years and/or a fine of up to ETB 500,000 (approx. €9,180), depending on whether the crime is committed against a computer system that is exclusively used by a specific legal person or critical infrastructure (Article 5 of the Computer Crime Proclamation). Damage to computer data is punishable with up to ten years of rigorous imprisonment and/or an ETB 100,000 (approx. €1,840) fine (Article 6 of the Computer Crime Proclamation). Criminal acts related to the use of computer devices and data are punishable with between one and five years' imprisonment and an ETB 5,000 (approx. €90) to ETB 50,000 (approx. €920) fine (Article 7 of the Computer Crime Proclamation).
According to Article 12 of the Computer Crime Proclamation, 'whosoever intentionally produces, transmits, sells, distributes, makes available, or possesses without authorisation any picture, poster, video, or image through a computer system that depicts a minor engaged in sexually explicit conduct or a person appearing to be a minor engaged in sexually explicit conduct shall be punishable with rigorous imprisonment from three years to ten years'.
According to Article 17 of the Payment Instrument Issuers Directive, if a director, a manager, or an employee of a payment instrument issuer discloses any confidential information relating to any person, except as required or ordered by a court, the law, a legally authorised person, or the NBE, they may be punished with rigorous imprisonment from ten to 15 years and with a fine from ETB 50,000 (approx. €919) to ETB 100,000 (approx. €1,834). The NBE may also take its own administrative measures in accordance with the National Payment System Proclamation No. 718/2011.
9.1. Enforcement decisions
Not applicable.