Gabon - Data Protection Overview
1. Governing Texts
Gabon has a data protection law specifically addressing the protection of information identifying individuals. The Gabonese data protection authority, the Commission Nationale pour la Protection des Données à Caractère Personnel ('CNPDCP'), has periodically entered into discussions with civil society and its representatives regarding various matters (such as employee unions), addresses formal data complaints, and has carried out training programmes and awareness activities, so there is awareness of data protection in the country. However, very limited information is available on sanctions and penalties issued by the local data protection authority, and enforcement trends are therefore difficult to identify and predict.
1.1. Key acts, regulations, directives, bills
On 25 September 2011, Gabon adopted Law No. 001/2011 on the Protection of Personal Data (only available in French here) ('the Data Protection Law').
The Data Protection Law was enacted pursuant to the provisions of Articles 1 and 47 of the Constitution of the Republic of Gabon 1991 (only available in French here) ('the Constitution') and determines the rules on the processing of personal data. The objective of the Data Protection Law is to set up a system to fight invasions of privacy that may be generated by the collection, processing, use, disposal, transmission, and storage of personal data. The current version of the Data Protection Law includes the modifications arising from Order 2-PR-2020 of 30 January 2020.
Apart from the Data Protection Law, rules on personal data protection may be found in various legislative documents in Gabon, as detailed below.
Please note that at the time of authoring this note, some links to official documents are not available.
The Electronic Communications Law
Law No. 26/2018 of 22 October 2018 regarding the Regulation of Electronic Communications in Gabon, which includes the provisions on electronic communications introduced by Order 13-PR-2018 of 23 February 2018 (only available in French here) ('the Electronic Communications Law'), regulates the electronic communications sector in Gabon and establishes the regulatory authority for the sector, the Electronic Communications and Postal Authority ('ARCEP'). Among other provisions, the Electronic Communications Law regulates subscriber and terminal identification, numbering, portability, and domain name identification. All these areas of regulation fall under the responsibility of ARCEP, except for the allocation and management of domain names, which falls under the responsibility of the Minister in charge of electronic communications.
Regulation of electronic transactions in Gabon
Law No. 025/2021 of 28 December 2021 Regulating Electronic Transactions in Gabon (only available in French here) ('the Electronic Transactions Law') provides the terms and conditions applicable to electronic transactions, as well as a framework for the measures that must be put in place to guarantee the integrity, confidentiality, and security of data by providers of electronic communications and of technical services for securing electronic transactions (this includes timestamping providers, certification providers, and encryption providers).
The legal regime at stake provides specific provisions which either mirror international practices on data protection or seek to address some form of protection for consumers, in comparable ways to the rights of a data subject.
In particular, the Electronic Transactions Law also sets out specific rules for e-commerce, distance contracts, electronic marketing, and administrative acts or contracts carried out through electronic means.
The Electronic Transactions Law establishes that the consumer has the right to be informed about the use of their data for marketing purposes. Furthermore, it is forbidden to send messages by electronic mail for the purpose of direct marketing without providing contact details to which the recipient can opt-out without any further costs. The Electronic Transactions Law also establishes that the burden of proof of prior consent from the recipient lies with the provider.
The Electronic Transactions Law does not exempt providers of electronic goods or services, or parties to electronic contracts, from the general provisions of the Data Protection Law or from the decisions and guidelines of the CNPDCP, so we assume that all general requirements of the Data Protection Law formally apply to this specific regime.
International Convention for the Suppression of the Financing of Terrorism
Law No. 02/2004 of 30 March 2005 ratifying the International Convention for the Suppression of the Financing of Terrorism ('Law No. 02/2004') authorises the ratification of the International Convention for the Suppression of the Financing of Terrorism, which imposes obligations on the banking sector to verify the identity and address of its customers. Law No. 02/2004 requires that the verification of identity be done through the presentation of an official identification document with a photograph, which must be copied and kept by the banking entity. Moreover, the address must be proven by a substantiating document. In addition, financial institutions must keep, for at least five years, all necessary records on national or international transactions performed.
CEMAC AML/CFT Regulation
Regulation No. 01/03 relating to the Prevention and Suppression of Money Laundering and Financing of Terrorism in Central Africa ('the AML/CFT Regulation'), enacted by the Central African Economic and Monetary Community ('CEMAC'), is directly applicable in the countries belonging to CEMAC, such as Gabon. The AML/CFT Regulation replicates the same identification obligations and retention periods as Law No. 02/2004. However, the AML/CFT Regulation also provides obligations for casinos and gambling establishments.
The Cybersecurity Regulation
Order No. 15-PR-2018 on the Regulation of Cybersecurity and the Fight against Cybercrime (only available in French here) ('the Cybersecurity Regulation') provides a framework for the measures that must be put in place to guarantee the integrity, confidentiality, and security of data, such as authentication mechanisms and other recognised cybersecurity standards. In addition, the Cybersecurity Regulation sets out duties for network operators, electronic communication service providers, and information system operators by requiring them to retain connection and traffic data for a period of ten years and to install data traffic monitoring mechanisms on their networks and systems. For network operators and electronic communication service providers, this data must only be accessible to judicial investigators. For information system operators, the data must only be accessible under a judicial order. Notwithstanding the above, network operators and electronic communication service providers are liable if the use and retention of the data are not in accordance with the applicable laws and regulations.
Network operators must have an operations centre within Gabonese territory, and every stakeholder must keep a copy of the data in the national territory. Furthermore, electronic communication service providers and information system operators must put in place filters and measures to deal with attacks on the personal data of their subscribers. In addition, Order No. 7292-PM-MENCP of 16 July 2012 created an Inter-Ministerial Technical Commission responsible for the examination of draft laws relating to the regulation of cybersecurity, electronic transactions, and the protection of personal data, notably to contribute to initiatives and directives from the Economic Community of Central African States ('CEEAC') and CEMAC.
Declaration of Lomé regarding cybercrime and the fight against cybercrime
To promote the adoption of digital activities and services and, more generally, to accelerate the digital transformation of African countries, on 23 and 24 March 2022 during the Cybersecurity Summit in Togo, Gabon undertook to sign and ratify (only available in French here) the African Union Convention on Cybersecurity and Personal Data Protection ('the Malabo Convention') and to enable the development of a secure African cyberspace by establishing and ensuring the effective implementation of a regulatory framework for cybersecurity and the fight against cybercrime.
The actions provided for in the declaration include the creation and operationalisation of specific cybersecurity authorities and agencies with appropriate human, technical, and financial resources, the establishment of teams dedicated to the identification and coordination of cybersecurity incidents, and the development of cybersecurity strategies and policies.
Census data protection
Order No. 578-MEEDD of 2 October 2013 regarding the Processing of Personal Data for the General Population and Housing Census ('the GPHC Order') establishes the processing operations for the creation of an exhaustive database with individual, demographic, economic, and social data of every citizen and resident of Gabon. The envisaged data subject rights replicate those provided for in the Data Protection Law, with the exception of the right to object to the processing, which is not applicable.
Article 1 of the Constitution acknowledges and guarantees fundamental human rights. In particular, it guarantees that the secrecy of correspondence, postal communications, telegraph, telephone, and telematic communications is inviolable and that restrictions to such inviolability must be set by law and only for the purposes of public order and state security. The Constitution also provides that the limits on the use of computers, in order to safeguard citizens and the intimate, personal, and family life of people as well as the full exercise of their rights, must be set by law. It should be noted that, in Gabon, the legislative branch shares the right to initiate new laws with the executive branch, and any legislation, regulations, and orders on data protection derive directly from the Constitution.
1.2. Guidelines
Access to guidelines issued by the CNPDCP is not necessarily up to date or complete and, as such, available information is scarce. Any analysis regarding this matter must be considered on a sectoral and case-by-case basis.
In any case, the following deliberations by CNPDCP, as summarised below, were recently published in the Official Journal of Gabon:
Deliberation No. 010/CNPDCP
Deliberation No. 010/CNPDCP of 9 April 2019 regarding the implementation of video and tele-video surveillance systems by private or public entities as well as by individuals (available only in French here) sets out the terms and conditions applicable to the purposes of processing, obligations of the data controller, rights of data subjects, and retention periods. Video and tele-video surveillance are only permitted in relation to a limited number of processing purposes, which can be grouped as follows: protection of persons and property; prevention of theft, terrorism, and other crimes; regulation of transport flows; and detection of traffic offences. For the implementation of these systems in public spaces, the data controller shall provide the CNPDCP with a declaration accompanied by the technical/security file describing the equipment features and its location, a copy of the information notice used, and the procedures applicable to access by data subjects. The same obligation applies if the cameras are in private places, or in places not open to the public, but cover part of a public space. For places not open to the general public with restricted access, or strictly private spaces, a simple declaration to the CNPDCP is sufficient.
The declarations are followed by the issue of a receipt entitling the data controller to affix a compliance sticker. The rules applicable to data controllers' obligations, including the obligation to provide information to data subjects, do not differ greatly from what is set out in the Data Protection Law. However, data controllers must display a sign informing that the site is subject to surveillance. There is a general ban on cameras in the workplace for the purpose of monitoring work performance; as such, cameras may only be installed when justified by security requirements, provided that employees' representatives are consulted beforehand. In relation to the retention period, the images must be erased after three months, except when the implementation of the surveillance systems results from a legal obligation that imposes otherwise.
Deliberation No. 016/CNPDCP
Deliberation No. 016/CNPDCP of 23 May 2019 regarding the implementation of geolocation devices in vehicles in an employment context (available only in French here) establishes the terms and conditions applicable to the purposes of processing, categories of data, obligations of the data controller, rights of data subjects, and applicable retention periods. As a rule, it is forbidden to collect location data outside working hours, including during lunch breaks and during commute time between the employee's home and place of work (and vice versa).
The implementation of geolocation devices is only allowed in relation to the following purposes:
- compliance with a legal obligation due to the type of vehicle or nature of the carried goods;
- prevention of theft and safety of persons;
- monitoring or invoicing of services directly linked to the use of the vehicle;
- resource optimisation for the provision of services in isolated locations; and
- monitoring of compliance with usage rules by the data controller.
In addition, the processing may have the secondary purpose of monitoring employees' working hours, provided that this purpose cannot be achieved by any other means and subject to the general rule mentioned above. As a rule, a declaration of the implementation by the data controller, accompanied by a technical file describing the device's features, is sufficient, although in certain cases (such as when sensitive data is being collected or when the processing involves transfers of data outside Gabon) an authorisation is required.
The rules applicable to the data controller's obligations and data subjects' rights do not differ greatly from what is set out in the Data Protection Law. In particular, data controllers must inform the employees' representatives before implementing the geolocation systems, and data subjects shall be given the opportunity to deactivate such systems after working hours or during lunch breaks.
As regards retention periods, different rules apply according to the respective purpose. Three months are considered adequate; however, this can be extended to one year in some specific cases related to proving the performance of a service. Furthermore, geolocation data can be kept for five years for the secondary purpose of monitoring working hours. The deliberation also imposes obligations on security and traceability measures (such as limiting access to the geolocation data on a need-to-know basis in accordance with working functions, keeping a log registry, and others).
1.3. Case law
Not applicable. As far as we are aware, at the date of authoring this note, Gabonese case law on data protection matters is scarce and largely non-public.
2. Scope of Application
2.1. Personal scope
Chapter I of the Data Protection Law establishes the scope of application of the legislation.
The following operations are subject to the Data Protection Law:
- any collection, transmission, use, and storage of data by a natural, legal, public, or private person;
- any automated or non-automated processing of data contained or to be included in a file; and
- any processing of data concerning public security, defence, research, and prosecution of criminal offences.
2.2. Territorial scope
The following operations are subject to the Data Protection Law:
- any processing operation carried out by a data controller on Gabonese territory or in any place where Gabonese law applies; and
- any processing operation carried out by a data controller, whether or not established on Gabonese territory, which uses means of processing located on the territory of Gabon, except for those that are only in transit on Gabonese territory.
2.3. Material scope
The Data Protection Law applies to any personal data processing, specifically:
- any collection, processing, transmission, retention, or other use of personal data by an individual or a legal entity, in both the public and private sectors;
- any processing (regardless of whether or not it is automatic) of personal data intended to be included in a file (with the exceptions set out in the following paragraph);
- any processing carried out by a data controller on Gabonese territory or in another location where Gabonese law applies (a local controller representative should be appointed in these cases);
- any processing carried out by a data controller (regardless of it being established in Gabon) that resorts to processing means located on Gabonese territory, except in the event that the processing is carried out only for the purpose of transit; and
- any personal data concerning public security, defence, investigation, and prosecution of criminal offences or State security (even when the processing is linked to important economic or financial State interests, subject to any applicable derogations).
The following are excluded from the scope of the Data Protection Law:
- the processing of data carried out in the course of purely personal or domestic activities, except when personal data is intended for systematic communication to third parties or dissemination; and
- temporary copies associated with technical transmission and the provision of access to a digital network, for the purpose of automatic, transient, and intermediate storage of data, with the sole purpose of giving certain parties the best possible access to the data.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The Gabonese national authority for data protection is the CNPDCP.
3.2. Main powers, duties and responsibilities
The CNPDCP is an independent administrative authority whose main duties are to ensure that any processing of personal data is carried out in accordance with the provisions of the Data Protection Law and to inform all data subjects, data controllers, and others involved of their rights and obligations.
Chapter III of the Data Protection Law establishes the CNPDCP's powers and responsibilities which include:
- receiving the notifications of data controllers regarding processing operations;
- authorising processing operations that involve a high risk to rights and liberties of individuals;
- establishing and publishing standards for personal data processing and enacting model regulations for security (in this context, the CNPDCP has issued guidelines on the processing of personal data in the context of CCTV systems);
- receiving complaints, petitions, and claims relating to the processing of personal data of an individual;
- advising public authorities, and where appropriate individuals and organisations on how to implement data processing operations;
- informing, without delay, the Public Prosecutor on offences committed;
- carrying out inspections, audits, and obtaining all information and documents considered necessary;
- answering requests for accessing processing operations;
- giving opinions, if requested, on the level of compliance of organisations as well as designing compliance products and rules;
- awarding compliance labels regarding personal data processing complying with the Data Protection Law;
- proposing to the Government of Gabon ('the Government') legislative or regulatory measures with regard to the evolution and adaptation of new technologies and the processing of personal data;
- representing Gabon in the international community on data protection related matters;
- preparing and defining, at the request of the Prime Minister, the Gabonese position on data protection related matters in view of international negotiations;
- imposing sanctions and penalties and delivering enforcement notices to data controllers in the case of non-conformity with the Data Protection Law; and
- submitting an annual activity report to the President of the Gabon National Assembly.
4. Key Definitions
The definitions are listed in Chapter I of the Data Protection Law.
Personal data: Any information related to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity.
Sensitive data: All personal data relating to religious, philosophical, or political opinions, trade union activities, sex life, race, health, social measures, prosecutions, and criminal or administrative sanctions.
Data controller: Any natural, legal, public or private person, any organisation or association which, alone or with others, makes the decision to collect and process personal data and determines the purposes thereof.
Data processor: Any natural, legal, public or private person, any organisation or association that processes data on behalf of the data controller.
Health data: Any information concerning the physical and mental condition of a data subject, including the genetic data.
Biometric data: A definition is provided for 'biometrics' (not specifically and verbatim for 'biometric data'). Biometrics is defined as the mathematical analysis of the biological characteristics of a person to determine their identity in an irrefutable manner. Biometrics is based on the principle of recognition of physical characteristics, including fingerprints, iris, retina, hand, voice, and deoxyribonucleic acid ('DNA'), which provide irrefutable proof of a person's identity, since they constitute a unique biological characteristic that distinguishes one person from another and can only be associated with one unique person.
Pseudonymisation: Any information regarding the physical and mental state of a data subject, including genetic information.
Third party: Any natural, legal, public or private person, any organisation or association other than the data subject, the data controller, the data processor, the sub-contractor and persons who, under the direct authority of the data controller or data processor, shall be entitled to process the data.
Processing of personal data: Any operation or set of operations provided for in the Data Protection Law, carried out by automated or non-automated means and applied to data, such as collection, organisation, storage, modification, extraction, copying, consultation, use, access, communication by transmission, broadcast, or any other form of provision, reconciliation or interconnection, as well as locking, encryption, erasure or destruction of personal data, and the interconnection of networks.
Interconnection of networks with personal data: Any connection mechanism consisting of linking data processed for a specific purpose with other data (regardless of whether the intended processing is for identical purposes), by one or several data controllers.
Data Subject: The individual whose personal data is processed.
Data Subject consent: Any unequivocal, free, specific, and informed manifestation of will, by which the data subject or their legal, judicial or conventional representative, accepts that their personal data is processed either by electronic means or manually.
5. Legal Bases
Some of the generally used legal grounds for processing personal data are indeed considered in the Data Protection Law (in its Chapter IV).
5.1. Consent
Article 46 of the Data Protection Law establishes that, for the processing of personal data, a data controller must obtain the consent of the data subject or rely on one of the legal bases set out below.
5.2. Contract with the data subject
Article 46 of the Data Protection Law establishes as a legal basis the performance of a contract to which the data subject is a party, or of pre-contractual measures taken at the request of the data subject prior to such a contract.
5.3. Legal obligations
Article 46 of the Data Protection Law establishes compliance with a legal obligation relating to the processing of data as a legal basis.
5.4. Interests of the data subject
The Data Protection Law also foresees safeguarding the privacy of the data subject as a legal basis.
5.5. Public interest
The Data Protection Law establishes the execution of a public service task which falls to the controller or to the recipient of the processing as a legal basis; however, it does not explicitly refer to public interest.
5.6. Legitimate interests of the data controller
Article 46 of the Data Protection Law establishes as a legal basis the realisation of the legitimate interest pursued by the controller or by the recipient, subject to the interests or the rights and freedoms of the data subject.
5.7. Legal bases in other instances
The obligations of data controllers are listed in Chapter V of the Data Protection Law and are organised into four groups:
- transparency: The data controller must inform the data subject of the terms of the processing when the data is not collected from the data subject. In such cases the data controller must inform the data subject at the latest before the first communication of the data, and must also guarantee a lawful basis for carrying out the processing operation;
- confidentiality: The data controller must ensure that the processing of personal data is only carried out under their authority and instructions. In addition, the data controller must guarantee that only individuals who have the technical and legal knowledge required to preserve the integrity of the data are allowed to handle it, and in this sense the data controller must ensure that the individuals dealing with personal data have signed a non-disclosure agreement;
- security: The data controller is required to take all appropriate precautionary measures having regard to the nature of the personal data, and, in particular, shall prevent personal data from being distorted, damaged, or accessed by unauthorised third parties. In particular, the data controller must:
  - create different levels of access permissions, on a need-to-know basis depending on the position of its employees, thus avoiding unauthorised actions;
  - use encryption or pseudonymisation;
  - keep a record of who accesses the personal data, when, and why, ensuring traceability of its use;
  - maintain backups in secondary sources to prevent accidental changes or loss of data; and
  - verify the identity of the person who wants to access the data, or the identity of the parties to whom the data will be disclosed; and
- retention: The data controller must guarantee that the data is kept for no longer than is necessary for the purpose for which it was collected.
The Data Protection Law expressly provides for limited data controller rights, and in practice provides data controllers with the right to:
- process personal data in the conditions provided for by law;
- refuse compliance with unreasonable requests and demands from data subjects; and
- appeal any sanctioning decisions by the CNPDCP before the State Counsel.
7. Controller and Processor Obligations
The data processor must present sufficient guarantees to ensure the security and confidentiality of personal data. This requirement does not relieve the data controller of its obligation to ensure compliance with the measures concerning security and confidentiality set out in Chapter V of the Data Protection Law.
7.1. Data processing notification
Chapter IV of the Data Protection Law establishes the formalities that must be followed to perform processing operations. The processing of personal data may be subject to prior notification to, or authorisation from, the CNPDCP.
The requirement of prior authorisation is applicable in the event of:
- automatic or non-automatic processing of data regarding criminal convictions and infractions, except for processing carried out by Justice officials in the context of their obligations to ensure the security of possibly affected persons;
- automatic processing of genetic data (except when carried out by healthcare professionals for the purpose of preventive medicine, medical diagnosis, or the provision of medical care and treatment);
- automatic processing which, considering the nature of the data or of the underlying purpose of processing, may result in excluding an individual from rights, benefits, contributions, or contract(s), without a legal or regulatory basis;
- automatic processing aimed at interconnection by one or more entities in the context of public service aimed at different public interests, or interconnection between different entities, for different purposes;
- processing which concerns a person's registration number in a national identification database;
- automatic processing of data containing comments, observations, and analysis of social difficulties experienced by individuals; and
- automatic processing of biometric data required for controlling the identity of individuals.
The CNPDCP shall take a decision within two months from receiving the request for authorisation. This time limit may be renewed once by a decision from the President of the CNPDCP. Where the CNPDCP has not taken a decision within these time limits, the application for authorisation shall be deemed to be rejected.
Specific data processing activities are subject to ministerial approval. Data processing carried out on behalf of the State and aimed at State security, defence, or public safety, or carried out for the purpose of preventing, investigating, detecting, prosecuting, or executing criminal infractions, is approved by the competent Government ministry or ministries, subject to a prior opinion by the CNPDCP. Other matters, such as publicly relevant processing aimed at a public census, are approved by legislative measures.
Other data processing operations are subject to a mere prior notification to the CNPDCP, except if a complete exemption from notification or authorisation applies. Specifically, the following activities are exempt from formalities:
- processing operations aimed solely at forming a register which is legally intended exclusively for public information and is open to public consultation by any person with legitimate interest;
- processing operations by any organisation, not-for-profit organisation, or any religious, political, philosophical, or trade union organisation or association; this exemption only applies if:
  - the processing operations correspond to the formal and official purpose of said organisation/association;
  - the processing relates only to its members, and, where applicable, to people who have regular contact with the organisation/association in the context of its activity; or
  - the data is not disclosed to third parties, unless the data subject has given their consent; and
- processing operations for which the data controller has appointed a data protection officer ('DPO'), unless personal data is being transferred across borders.
In addition, the CNPDCP may identify specific data processing operations which, due to their simplicity and low risk level, may be subject only to a simplified notification process. This simplified notification includes:
- the purposes of the processing operations;
- personal data or categories of personal data processed;
- the category or categories of persons concerned;
- the addressees or categories of addressees to whom personal data are communicated; and
- the data retention periods.
As far as we are aware, the CNPDCP has not issued any guidelines or public decisions in this respect.
7.2. Data transfers
Data transfers to another country are prohibited unless the other country ensures an adequate level of privacy protection and protection of fundamental rights and freedoms of individuals with regard to the processing operation.
The list of countries that comply with this adequate level of protection shall be published by CNPDCP. As far as we are aware, this list has not yet been published. However, the Data Protection Law does identify the criteria which must be considered by the CNPDCP in order to determine adequacy:
- the legal provisions existing in the country in question;
- the security measures enforced;
- the specific circumstances of the processing (such as the purpose and duration thereof); and
- the nature, origin, and destination of the data.
As an alternative to the 'adequacy' criteria, data controllers may transfer data if:
- the data subject has consented expressly to its transfer;
- the transfer is necessary to save that person's life;
- the transfer is necessary to safeguard a public interest;
- the transfer is necessary to ensure the right of defence in a court of law; or
- the transfer is necessary for the performance of a contract between the data subject and the data controller, at the request of the data subject, or for the performance of a contract between the data controller and a third party in the interest of the data subject.
Note that, except in very specific circumstances, the international transfer of non-encrypted personal data for the purpose of investigation in the health sector is not possible, given the sensitivity of the data at stake.
In relation to outsourcing, the Data Protection Law does not provide for specific provisions, except:
- the obligations applicable to the relationship with data processors;
- when data processors are located outside the country, the provisions applicable to international data transfers; and
- general security obligations, which vary depending on the nature of the data at stake.
No references are included to specific concerns regarding, for example, outsourcing to the cloud or to data centres.
7.3. Data processing records
The Data Protection Law does not foresee an express obligation for data controllers and/or data processors to maintain data processing records – note, however, that:
- in the most recent version of the law, this is foreseen as one of the tasks allocated to the DPO (if applicable and appointed); and
- the law does state that, upon the data subject's request, a copy of the personal data pertaining to said data subject must be made available to them (administrative fees proportionate to the associated administrative costs may be charged).
7.4. Data protection impact assessment
There are no requirements or recommendations for data controllers and/or data processors to carry out a Data Protection Impact Assessment ('DPIA') in the Data Protection Law.
7.5. Data protection officer appointment
The appointment of a DPO is not mandatory; it is left to the exclusive discretion of the data controller.
In any event, we call attention to the concept of DPO in the context of the Gabon law. Indeed, the position of DPO in the Data Protection Law is not entirely aligned with the terms in which this position is defined and approached in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Please note that the Data Protection Law precedes the GDPR and has not since been amended. Rather, the concept is interpreted, in practice, as a position whereby a person assumes responsibilities on data protection within the company, and as a potential point of contact with the CNPDCP.
Subject to the section on data processing notification above, this position must be held by a person with the qualifications required to carry out the role, namely professional qualities such as knowledge of the law and of data protection related matters. If this position exists within the data controller's organisation, this must be made known to the CNPDCP, since the DPO will be the point of contact with the CNPDCP.
7.6. Data breach notification
There is no general data breach notification requirement. However, this is without prejudice to the CNPDCP's specific rights to monitor and control compliance and, in this context, to demand information, documentation, and other materials in the exercise of its supervisory powers.
7.7. Data retention
Under the Data Protection Law, personal data must not be kept for longer than the period necessary to achieve the purposes for which it was collected and processed.
This is naturally without prejudice to specific retention periods provided by sector-specific regulation or generally applicable judicial/administrative retention periods.
7.8. Children's data
Under the Data Protection Law, Chapter V provides for the exercise of rights by data subjects who are minors. Specifically, parents/persons with legal guardianship over a minor shall receive any information regarding the processing of the minor's personal data and may exercise any rights deriving therefrom on their behalf, when data is processed for the purpose of health-related research. Note that this is without prejudice to, and should be interpreted in accordance with, general civil law rules on the representation of minors by their parents, tutors, or other legal representatives. There are no data protection-specific provisions concerning the age of consent; the general rules of law apply.
7.9. Special categories of personal data
Chapter IV of the Data Protection Law foresees different requirements for the processing of certain categories of personal data.
Collecting or otherwise processing personal data revealing, directly or indirectly, the racial or ethnic origins, political, philosophical, or religious opinions, or trade union membership of data subjects, or which relate to their health or sex life is prohibited.
To the extent required by the purpose for which the data were collected, this prohibition may not apply, namely in the following cases:
- processing operations for which the data subject has given explicit consent, unless the Data Protection Law clearly states that the abovementioned prohibition cannot be lifted by the consent of the data subject;
- processing is necessary for the preservation of human life, but the data subject cannot give consent due to legal or physical incapacity;
- processing that is carried out by an association or any other non-profit organisation of a religious, philosophical, political, or trade union nature, provided that it is made:
  - solely in respect of the categories of data corresponding to the purpose of the said association or organisation;
  - only in relation to data concerning members of that association or organisation and, where appropriate, people who have regular contact with the association or organisation in the course of their activities; and
  - only in relation to data which shall not be communicated to third parties, unless the concerned data subjects have provided their express consent;
- the personal data was made public by the data subject;
- processing is necessary for the establishment, exercise, or defence of legal claims;
- processing is necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health-care services, and is carried out by a member of a health-care profession or by another person who is bound by professional secrecy by reason of their duties;
- statistical processing is carried out for economic purposes by the statistical services of the competent ministries, in compliance with the law, namely with regard to the obligation, coordination, and secrecy in the field of statistics, after the opinion of the competent administration in the field and a declaration on behalf of the CNPDCP; and
- the processing is necessary for research in the field of health in accordance with the procedures laid down in the Data Protection Law.
With regard to the processing of data concerning health, the Data Protection Law generally authorises the processing of this data for the purpose of providing healthcare services (the general legal and ethical principles of confidentiality and data security applying to this processing), with specificities applicable to research within the field of health and to the evaluation or analysis of practices or activities within healthcare and disease prevention.
Note that the right of access to health data has certain specificities: the right may be exercised by the data subject directly or through a healthcare professional, or, in the event of a deceased data subject, by their spouse or descendants or, if the deceased is a minor, by their parents or other legal guardians.
The processing of health data for research purposes is subject to authorisation by the CNPDCP, which decides after obtaining the opinion of a consultative committee set up in cooperation with the relevant minister. This committee must be composed of specialists in matters of research in the field of health, epidemiology, genetics, and biostatistics, and it has the power to opine on the methodology to be adopted within the research. In the event that the research requires the collection of biological samples and express identification, the informed and express consent of the data subject must be collected prior to any data processing operations.
Health data may be processed for the statistical evaluation or analysis of healthcare practices (including information from medical files and data in information systems), if the information is completely aggregated and the patient/data subject cannot otherwise be identified. Specific derogations may be established, subject to prior authorisation by the CNPDCP, in certain circumstances and as assessed on a case-by-case basis.
The processing of personal data relating to offences, convictions, and security measures is not prohibited if duly authorised by the CNPDCP (the authorisation being unnecessary when the processing is carried out by competent public authorities). As a general rule, the processing of personal data relating to offences, convictions, and security measures may only be carried out by:
- jurisdictions, public authorities, and entities in charge of public service, within the scope of their legal powers; or
- judicial officers, strictly for the purposes of their statutory tasks; exceptions to this may apply, as decided and authorised by the CNPDCP.
The Data Protection Law also provides that no judicial decision involving an assessment of a person's behaviour may be based on automated processing of personal data intended to evaluate certain aspects of their personality.
7.10. Controller and processor contracts
Chapter IV, section III, sub-section II sets out requirements for processing activities carried out by a processor, including the obligation for the parties to enter into a contract binding the processor to the controller. The contract must define the obligations the processor is subject to in terms of data protection, security, and confidentiality of data.
In addition, the data processor must provide sufficient guarantees to ensure the implementation of the security and confidentiality measures. The processing of personal data must be carried out under the authority of the controller and only on the data controller's instructions.
To process data, the processor must employ persons with the necessary skills to ensure data confidentiality, as well as technical and legal knowledge and personal integrity. These persons must be subject to a formal written commitment towards compliance and confidentiality.
8. Data Subject Rights
8.1. Right to be informed
Data subjects have a general right to be informed as to the terms of the processing of their personal data. This is established as a general right, as well as specifically with respect to the processing of health information, where the law reiterates that, when health data is processed for research purposes, data subjects are to be informed of:
- the nature of the communicated information;
- the purpose of the processing;
- the identity of the natural or legal person receiving the data, if applicable;
- their right of access; and
- their right to oppose the processing.
8.2. Right to access
Chapter II of the Data Protection Law establishes the following data subject rights:
- right to request and access information pertaining to them and challenge the processing operation;
- right to obtain confirmation that their personal data is not subject to processing operations;
- right to obtain information relating to the purposes of the processing, the categories of personal data processed, the recipients to which the data are communicated, and possible transfers of personal data intended for a third country;
- right to obtain a copy of the personal data; and
- right to obtain information regarding the origin of the data.
8.3. Right to rectification
Chapter II of the Data Protection Law establishes the data subject's right to have their personal data rectified, completed, updated, locked, or deleted where it is inaccurate, incomplete, equivocal, or out of date, or where its collection, use, communication, or conservation is prohibited.
8.4. Right to erasure
The Data Protection Law does provide for the right of data deletion, which is presented as a basic data subject right and may be exercised whenever the processing is unnecessary or obsolete, excessive, disproportionate, incorrect, or for which the processing/collection is illegal. Deletion of the data may also be requested whenever deletion itself is a legal obligation, or if the processing was based on data subject consent and the data subject withdraws this consent.
If the data has been forwarded to any third parties, the controller is charged with taking adequate and reasonable measures to inform said third party or parties that the data subject has exercised this legal right.
8.5. Right to object/opt-out
Chapter II of the Data Protection Law establishes the following data subject rights:
- right to oppose for legitimate reasons the processing of personal data concerning them; and
- right to oppose the processing of personal data for prospecting purposes.
8.6. Right to data portability
Article 6 of the most recent version of the Data Protection Law defines portability as 'the technique allowing an individual to recover part of the data in a legible and open manner, allowing them to keep or transfer, to a third party through information systems, for repurposing/re-processing'. While it is unclear how the specific mechanics of exercising this right should operate, considering the basic principles of the Data Protection Law this may be understood to constitute a data subject right.
8.7. Right not to be subject to automated decision-making
Chapter II of the Data Protection Law establishes the right not to be subject to decisions made on the sole basis of automated processing that would produce significant or detrimental legal repercussions for them.
8.8. Other rights
Chapter II of the Data Protection Law establishes the right to complain to the CNPDCP.
9. Penalties
Chapter VII of the Data Protection Law stipulates the sanctions for non-compliance.
The CNPDCP shall assess and impose the following measures or sanctions, depending on the seriousness of the breach:
- a warning, that can be made public; and
- a formal notice to restore compliance within a time limit defined by the CNPDCP.
If the data controller does not comply with the formal notice, the CNPDCP shall:
- suspend the data controller's data processing activities for a period of up to two months, which may become permanent after the expiry of the two months; and
- impose a pecuniary penalty of between XOF 1 million (approx. €1,520) and XOF 100 million (approx. €152,500).
In case of an emergency, provided that the breach is seriously hindering the data subject's fundamental rights, the CNPDCP may:
- suspend the data processing activities of the data controller for a period up to three months;
- block certain processing operations for a period up to three months; and
- ban any processing operations contrary to the provisions of the Data Protection Law.
Furthermore, if the data controller acts in bad faith, additional sanctions can be imposed.
The sanctions are imposed after the CNPDCP has drawn up a report and heard the data controller.
The amount of the pecuniary penalty shall be proportionate to the seriousness of the breach and the benefits derived from such failure to comply. Upon a first breach, the fine may not exceed XOF 98.4 million (approx. €150,000). In the event of a repeat offence within five years from the date on which the pecuniary fine was imposed, it may not exceed XOF 300 million (approx. €457,340) or, in the case of an enterprise, 5% of the annual turnover.
In addition, a person who hinders the action of CNPDCP may be punished with imprisonment of six months to one year and/or with a fine from XOF 1 million (approx. €1,520) to XOF 100 million (approx. €152,500).
Finally, any offence committed by a person in breach of the Data Protection Law may also, depending on the circumstances, constitute a criminal infraction, in which case it is subject to the terms of Law No. 42/2018 of 5 July 2019, the Penal Code of the Republic of Gabon (only available in French here).
9.1. Enforcement decisions
The CNPDCP has issued one deliberation in which it applied a pecuniary penalty of XOF 5 million (approx. €7,600) for the use of geolocation systems without the necessary prior authorisation from the supervisory authority.
Otherwise, note that sanctions and penalties are generally not made public.