Ivory Coast - Data Protection Overview
1. Governing Texts
The protection of personal data has existed in the Ivorian legal framework for almost ten years. Côte d'Ivoire has adopted Law 2013-450 on the Protection of Personal Data ('the Law') to address the demands of digital transformation. However, the issue of personal data protection has grown since the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Many international groups have required their subsidiaries in Côte d'Ivoire to comply with regulations. Today more and more companies and people are aware of this issue.
The Ivorian legal framework includes:
- the Law;
- Decision No. 2015-079 of 4 February 2015 On the approval of personal data processing by the Company Cargill West Africa ('the Decision');
- Order No. 511/MPTIC/CAB of 11 November 2014 defining the profile and setting out the conditions of use of the Data Protection Officer ('the Order');
- Law No. 2013-451 of 19 June 2013 relating to the fight against cybercrime (only available in French here); and
- Decree No. 2015-79 of 4 February 2015 on the Conditions for the Filing of Notification, Request, Granting and Retrieval of Authorisations for the Processing of Personal Data (only available in French here) ('the Decree').
The Telecommunications/ICT Regulatory Authority of Côte d'Ivoire ('ARTCI') has issued the following guidance:
- Personal Data Protection in a Few Questions (only available in French here) ('the Questions').
1.3. Case law
ARTCI makes decisions on requests for authorisation to process personal data. At the moment, there is a lack of jurisprudence on the same.
2. Scope of Application
The Law applies to (Article 3 of the Law):
- any collection, processing, transmission, storage, and use of personal data by a natural person, the State, local authorities, legal persons governed by public or private law;
- any automated or non-automated processing of data contained or intended to be included in a file;
- any data processing carried out on the national territory; and
- any processing of data concerning public security, defence, research, and prosecution of criminal offences or the security of the state, subject to derogations defined by specific provisions fixed by other texts of the law in force.
The Law does not apply to (Article 4 of the Law):
- data processing implemented by an individual in the exclusive context of personal or household activity, provided that the data is not intended for systematic communication to third parties or dissemination; and
- temporary copies made in the course of technical activities of transmission and provision of access to a digital network, for the automatic, intermediate, and transient storage of data and for the sole purpose of allowing other recipients of the service the best possible access to the transmitted information.
The Law does not contain points on extraterritoriality. However, it may be noted that the transfer of data in the area of the Economic Community of West African States ('ECOWAS') does not require prior authorisation from ARTCI.
The Law provides that the following will be subject to prior authorisation by ARTCI before any implementation (Article 7 of the Law):
- processing of personal data relating to genetic and medical data and scientific research in these fields;
- processing of personal data relating to offences, convictions, or security measures imposed by the courts;
- processing involving a national identification number or any other identifier of the same nature, in particular telephone numbers;
- processing of personal data involving biometric data;
- processing of personal data on grounds of public interest, in particular for historical, statistical, or scientific purposes; and
- intended transfer of personal data to a third country.
3.1. Main regulator for data protection
3.2. Main powers, duties and responsibilities
ARTCI ensures that the use of information and communication technologies does not infringe or involve a threat to the freedoms and privacy of users located throughout the national territory.
ARTCI's responsibilities include (Article 47 of the Law):
- informing data subjects and controllers of their rights and obligations;
- responding to any request for an opinion relating to the processing of personal data;
- receiving declarations and granting authorisations for the implementation of the processing of personal data;
- updating and making available to the public for consultation a directory of personal data processing;
- advising persons and bodies which process personal data or conduct tests or experiments in this field;
- making proposals for simplifying and improving the legislative and regulatory framework for the processing of personal data;
- establishing mechanisms for cooperation with personal data protection authorities of other countries;
- carrying out, through sworn agents, checks on any processing of personal data; and
- imposing administrative and monetary penalties against processors who do not comply with the provisions of the law.
4. Key Definitions
Personal data: Any information of any kind, regardless of its medium, including sound and image, relating to a natural person who is identified or identifiable, directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity.
Data Subject: Any natural person who is the subject of personal data processing.
Processing: Any operation or set of operations, whether or not performed by automated processes, applied to data, such as the collection, processing, recording, organisation, backup, copy, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, encryption, erasure, or destruction of personal data.
5. Legal Bases
The processing of personal data is considered legitimate if the data subject expressly gives their prior consent. However, this requirement of prior consent may be waived where the controller is duly authorised and the processing is necessary for (Article 14 of the Law):
- compliance with a legal obligation to which the controller is subject;
- the performance of a task in the public interest or within the exercise of public authority, which is entrusted to the controller or the third party to whom the data are communicated;
- the performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at the request of the data subject; or
- safeguarding the interest or fundamental rights and freedoms of the data subject.
See section on consent above.
Purpose limitation: Personal data must only be collected for specific, explicit, and legitimate purposes corresponding to the tasks of the controller. The purpose must not be diverted for purposes different from those initially advanced to collect the data (Article 16 of the Law).
Principle of lawfulness: The collection, recording, processing, storage, transmission and file interconnection of personal data must be made in a lawful and fair manner (Article 15 of the Law).
Principle of transparency: This principle requires that all information and communication relating to the processing of such personal data be easily accessible, easy to understand, and formulated in clear and simple terms (Article 18 of the Law).
Data minimisation: Data collected must be 'adequate, relevant, and limited to what is necessary for the purposes for which it is being processed.' The minimum amount of data must be collected and retained for a specific treatment (Article 16 of the Law).
Accuracy: Collected data must be accurate and updated regularly, and regular checks should be made on their accuracy and relevance (Article 17 of the Law).
Storage limitation: Data must be kept for a period that does not exceed the period necessary for the purposes for which they were collected or processed (Article 16 of the Law).
Confidentiality: Data processors must maintain the confidentiality of the data they receive while carrying out their activities. Only authorised persons may have access to information intended for them. Any unwanted access must be prevented (Article 19 of the Law).
7. Controller and Processor Obligations
The processing of personal data is subject to prior notification to the ARTCI. The notification includes a commitment that the processing meets the requirements of the Law. In response to the notification, the ARTCI will issue an electronic receipt, after which the processing may be carried out (Article 5 of the Law).
Notification to the ARTCI must contain at least the following (Article 9 of the Law):
- the identity, domicile, postal address of the responsible person of the processing or if it is not established in the Ivory Coast, those of his/her duly authorised representative, and in the case of a corporation, the company name, head office, the identity of its legal representative, registration number in the trade register, and the taxpayer account number;
- the purpose(s) of processing and a general description of its features;
- the interconnections considered in all other forms of connection in relation to other processing;
- the personal data processed, the origin of the data, and the categories of persons affected by the processing;
- the retention period of the processed data;
- the departments responsible for carrying out the processing and the categories of persons who, due to their duties or for the service requirements, have direct access to the data collected;
- the recipients authorised to receive processed data;
- the function of the person or department where the right of access is exercised;
- the measures taken to ensure the security of the processing and the confidentiality of the processed data; and
- an indication of the use of a subcontractor or of a transfer of personal data to a third country.
In the event of changes in the particulars listed above, the data controller must inform the ARTCI without delay. In such a case, the ARTCI may require submission of additional information by the controller (Article 9 of the Law).
The ARTCI shall make a decision within one month of receipt of the notification. However, this period may be extended for an additional month by a reasoned decision of the ARTCI. The ARTCI may, before taking any decision on the approval of the processing of personal data, appeal to any expertise deemed necessary (Article 11 of the Law and Article 4 of the Decree). A lack of response within the time limit from the ARTCI is equivalent to a rejection of the notification, and in such case, the controller may appeal to the competent court (Article 11 of the Law).
The request for prior authorisation together with the particulars listed above must be sent to the President of the Regulatory Board of the ARTCI by electronic mail, post, or by any other means against an acknowledgement of receipt.
Certain categories of personal data require prior authorisation from the ARTCI before processing, including (Article 7 of the Law and Article 6 of the Decree):
- the processing of genetic or medical data, including the processing of such data for scientific research;
- the processing of personal data relating to offences, convictions, or security measures imposed by the courts;
- the processing of a national identification number or any other identifier of the same nature, such as telephone numbers;
- the processing of biometric data;
- the processing of personal data on the basis of public interest, particularly for historical, statistical or scientific purposes;
- the processing of personal data for the purpose of judicial proceedings or open criminal investigations;
- the processing of personal data by a foundation, an association, or any other non-profit organisation engaging in political, philosophical, religious, or trade union activities;
- the transfer of personal data to a third country; and
- the interconnection of files containing personal data which are for legal or statutory purposes that present a legitimate interest for data controllers.
The ARTCI shall take a decision within one month of receipt of the application for authorisation; however, this period may be extended by one additional month subject to a reasoned decision of the ARTCI. The lack of response of the ARTCI to the application within the timeframe listed above amounts to a rejection of the application for authorisation. In this case, the controller may appeal to the competent court (Article 11 of the Law).
The following types of processing are exempt from prior notification or authorisation requirements (Article 6 of the Law):
- data processed by an individual in the exclusive context of his personal, domestic or family activities;
- the processing of data relating to an individual which is prescribed by law or regulation;
- data processing where the sole purpose is the keeping of a register which is intended for private use only; and
- data processing where the data controller has appointed a data protection officer. This exemption does not apply where the data is transferred to a third country.
For the most common categories of processing of personal data, including those which are not likely to adversely affect the privacy or individual freedoms of the data subjects, the ARTCI prepares and publishes standards and procedures designed to simplify or to relieve the data controller from the obligation of prior notification (Article 8 of the Law).
The controller may be authorised to transfer personal data to a third country only if that State provides a higher or equivalent level of protection of the privacy and the fundamental rights and freedoms of individuals with regard to the processing to which such data is or may be subject (Article 26 of the Law).
Prior to any effective transfer of personal data to that third country (outside of the ECOWAS area), the controller must obtain prior authorisation from the Protection Authority (Article 26 of the Law).
The transfer of personal data to third countries shall be subject to regular monitoring by the Protection Authority with regard to their purpose (Article 26 of the Law).
No legal requirement to notify a data breach.
There are no requirements to carry out a Data Protection Impact Assessment ('DPIA') in the Law. However, ARTCI is beginning to impose it as a good practice for any sensitive data processing.
The Law provides for the creation of a correspondent for the protection of personal data ('DPO'): an independent natural or legal person, holding the qualifications needed to perform such missions, who is designated by the controller to oversee the controller's obligations under the Law and ensure compliance with the Law (Article 1 of the Order).
They must keep a list of the processing performed immediately accessible to anyone upon request and cannot be subject to any sanction from the employer because of the performance of their tasks. They can refer to the data protection body the difficulties encountered in the performance of their duties (Article 12 of the Law).
Further, Article 12 of the Law provides that the designation of the DPO by a controller must be notified to ARTCI. It must also be made known, where appropriate, to the staff representative authorities.
The profile and remuneration conditions of the correspondent for the protection of personal data are the subject of the Order, which defines the profile and sets out the conditions of use of the DPO.
Notably, the data controller or their legal representative cannot be designated as the DPO (Article 4 of the Order).
The DPO must (Article 12 of the Law and Article 10 of the Order):
- keep a list of the processing performed, immediately accessible to anyone upon request;
- take all precautions with regard to the nature of the data, in particular, to prevent it from being distorted, damaged, or accessed by unauthorised parties;
- maintain a copy of the codes and other means of access to the personal data;
- inform the controller of violations of the Law;
- facilitate the exercise of rights by data subjects, including their right of access; and
- contact the ARTCI regarding the difficulties encountered in the performance of their duties.
The DPO must comply with any request regarding the protection of personal data which comes from the judicial authorities. Furthermore, the DPO should present an annual report of their activities at the end of the year and send a copy to the ARTCI (Article 13 of the Order).
The DPO must report on the carrying out of their functions, which must be carried out in an independent and transparent manner and without any undue influence, to the data controller or its legal representative (Article 14 of the Order).
Natural persons acting as DPOs must meet the following criteria (Article 4 of the Order):
- have a minimum level of Baccalaureate +4 in Legal Sciences or the equivalent level in informatics or in the domain of telecommunications/ICT networks;
- have more than five years of professional experience with such skills;
- have competence in the field of data protection;
- have a good knowledge of the operation and management of databases, the means of storage of the data, and the policies and security of information systems;
- have mastery of internet office tools;
- have an excellent relational and organisational capacity; and
- never have received a definitive criminal penalty or a temporary or final prohibition from an activity in the Ivory Coast or abroad, or a sanction from the ARTCI.
Legal persons acting as DPOs must have more than five years of experience of activity within juridical sciences, IT, telecommunications/ICT networks and produce statements of other probationary elements, as well as have at its disposal persons with, at the minimum, the profile of a DPO (Article 4 of the Order).
Where the DPO is a natural person, they must be a national of the Ivory Coast (Article 4 of the Order).
Legal persons acting as DPO must meet the following criteria (Article 4 of the Order):
- be a legal person under Ivorian law;
- produce financial statements and declarations to social welfare institutions; and
- produce an insurance policy for the occupational risk of professional activities relating to risk in personal data.
Notably, a legal person acting as a DPO can be appointed by one or more data controllers and may carry out its functions as such, under the control of the ARTCI (Article 4 of the Order).
Where the controller designates a DPO, it is exempt from the prior notification requirement except where the data is transferred to a third country (Article 6 of the Law).
The designation of the DPO by the data controller must be notified to the ARTCI. It must also be notified, as appropriate, to the staff representative authorities (Article 12 of the Law).
The notification to the ARTCI should be done in writing. The ARTCI has 30 days to oppose the appointment of the DPO if they do not meet the qualification criteria outlined above. When the ARTCI opposes the appointment of a DPO they may suggest an alternative DPO. If the ARTCI does not respond to the notification within 30 days, it may be construed that the DPO has been approved (Article 6 of the Order).
Where the DPO is only designated for certain types of processing, these must be specified in the notification (Article 7 of the Order).
If the controller is replacing the DPO, this must be notified in writing to the ARTCI and include the reasons for the replacement. The ARTCI may oppose the replacement within 30 days of receipt of the notification and suggest alternative DPOs. If the ARTCI does not reply within the 30 days, it can be construed as approval (Article 8 of the Order).
Replacement and termination
The data controller may only replace the DPO on the basis of a legitimate motive (see below) (Article 8 of the Order). The outgoing DPO must be informed and allowed to submit his observations regarding the proposed DPO replacement (Article 9 of the Order).
The DPO's functions may end (Article 11 of the Order):
- at the request of the controller, after the processing and after a favourable opinion or decision of the ARTCI;
- in the case of a dismissal, after observing a notice period of 30 days;
- in the case of a decision to appoint a replacement, in accordance with the criteria mentioned above under notification;
- in the case of bankruptcy, liquidation, or judicial order;
- in the case of death or permanent injury; and
- in the case of a breach of contract with the data controller.
The salary of the DPO may be freely negotiated with the data controller but may not be less than the average salary of employees in the same profile within the data controller's organisation (Article 12 of the Order).
There is no legal requirement to notify a data breach.
Data must be kept for a period not exceeding the period necessary for the purposes for which they were collected or processed.
Beyond this required period, the data may be retained only for the purpose of responding specifically to processing for historical, statistical, or research purposes under legal provisions (Article 16 of the Law).
The Law does not provide any provisions regarding the processing of children's data.
Sensitive personal data
It is prohibited to collect and process data which reveal racial, ethnic, or regional origin, affiliation, political opinions, religious or philosophical convictions, union membership, sex life, genetic data or more generally data on the health status of the person concerned (Article 21 of the Law).
Exceptions to the processing of special categories of data:
- when the processing of personal data relates to data which is manifestly made public by the concerned person;
- when the processing of genetic data or data related to health is necessary to protect the vital interests of the person concerned or another person in the case where the person concerned is physically or legally incapable of giving their consent;
- when processing, namely of genetic data, is necessary for the establishment, exercise, or defence of a legal claim of the person concerned;
- when a judicial proceeding or a criminal investigation is opened. In this case, the processing of personal data is carried out for the determination of the facts or the establishment of the truth; or
- when the processing is done within the legitimate activities of a foundation, association, or any other non-profit organisation with political, philosophical, religious, fraternal, or union goals. However, the processing must relate only to members of this body or to persons who have regular contact with it in connection with its purposes, and the data must not be disclosed to third parties without the consent of the persons concerned.
Specific provision regarding criminal conviction data
The processing of personal data carried out on behalf of the State, a legal person governed by public or private law managing a public service is authorised by decree, after a reasoned opinion by ARTCI (Article 13 of the Law).
Such processing covers, inter alia, the prevention, investigation, finding, or prosecution of criminal offences or the enforcement of criminal convictions or security measures (Article 13 of the Law).
The processing of personal data relating to offences, convictions, or security measures imposed by the courts is also subject to prior authorisation by ARTCI before any implementation (Article 7 of the Law).
Where the processing of personal data is carried out on behalf of the controller, the controller must choose a processor who provides sufficient guarantees for the protection and confidentiality of such data (Article 20 of the Law).
It is the responsibility of the controller and processor to ensure compliance with the provisions of the Law (Article 20 of the Law).
8. Data Subject Rights
The Law provides that all information and communication relating to the processing of such personal data must be easily accessible, easy to understand, and formulated in clear and simple terms.
The controller is obliged to provide the person whose data is processed, at the latest, at the time of collection and whatever the means and media used, with the following information (Article 28 of the Law):
- its identity and, where appropriate, that of its duly authorised representative;
- the specific purpose(s) of the processing for which the data is intended;
- the categories of data concerned;
- the recipient(s) to whom the data may be communicated;
- the possibility of refusing to appear on the file in question;
- the existence of a right of access to data concerning the person and of a right of rectification of such data;
- the duration of data retention; and
- the possibility of any transfer of data to third countries.
Every data subject has the right to access the personal data that have been collected about them and to exercise this right easily and at reasonable intervals, in order to become aware of the processing and to verify its lawfulness.
Any natural person whose personal data is the subject of processing may request in the form of questions and obtain from the controller (Article 29 of the Law):
- information enabling the processing to be known and challenged;
- confirmation that personal data concerning them is/is not the subject of this processing;
- the communication of personal data concerning them and of any information available as to the origin of such data; and
- information on the purposes of the processing, the categories of personal data processed, and the recipients or categories of recipients to whom the data is communicated.
If the data subject is unable to access the data, the right of access may be exercised by ARTCI, which has the power to investigate the matter and which may order the rectification, erasure, or blocking of data whose processing does not comply with the Law.
Any natural person, justifying their identity, may require the controller to rectify, complete, update, block, or delete personal data concerning them, as the case may be, which is inaccurate or incomplete, equivocal, outdated, or whose collection, use, disclosure, or retention is prohibited (Article 31 of the Law).
The person concerned has the right to obtain from the person responsible for the processing the erasure of personal data and the cessation of the dissemination of such information, particularly with regard to personal data that the person concerned made available when they were a minor, or for one of the following reasons (Article 33 of the Law):
- data is no longer necessary for the purposes for which it was collected or subsequently processed;
- the person concerned has withdrawn the consent on which the processing was based or the authorised retention period has expired and there is no other legal ground for the data processing;
- the person concerned objects to the processing of personal data concerning them when there are no legal grounds of the aforesaid processing;
- data processing does not comply with the provisions of this Law; or
- for any other legitimate reason.
Where the controller has made public the personal data of the data subject, they shall take all reasonable measures, including technical measures, with regard to the data published under their responsibility, to inform third parties processing such data that a data subject requests them to delete any links to such personal data, or any copies or reproduction thereof (Article 34 of the Law).
The controller must carry out the erasure without delay, except where the retention of personal data is necessary for (Article 35 of the Law):
- exercising the right to freedom of expression;
- reasons of general interest in the field of public health, in accordance with the law; and
- compliance with a legal obligation to retain personal data provided for in the applicable legislation to which the controller is subject.
The controller must establish appropriate mechanisms to ensure compliance with the right to digital oblivion and erasure of personal data or must periodically review the need to retain such data, in accordance with the provisions of the Law (Article 36 of the Law).
Any natural person concerned has the right (Article 30 of the Law):
- to object, for legitimate reasons relating to their particular situation, to the processing of personal data concerning them, except in the case of legal provisions expressly providing for the processing. In the event of legitimate opposition, the processing carried out by the controller may not relate to the data in question;
- to object, at their request and free of charge, to the processing of data concerning them for prospecting purposes; and
- to be informed before data concerning them is communicated for the first time to third parties or used on behalf of third parties for the purposes of prospecting and to be expressly granted the right to object, free of charge, to such communication or use.
Where personal data is automatically processed in a structured and commonly used format, the data subject has the right to obtain from the controller a copy of the data subject to the automated processing in a structured electronic format which is commonly used and which allows the data subject to reuse the data (Article 38 of the Law).
No administrative or private decision involving an assessment of human behaviour may be based solely on automated processing of personal data giving a definition of the profile or personality of the data subject (Article 25 of the Law).
The processing of sensitive personal data, without an exception, is prohibited. The collection and processing of data that reveal racial, ethnic or regional origin, filiation, political opinions, religious or philosophical beliefs, union membership, sex life, genetic data or more generally those relating to the health status of the person concerned is punishable by a term of imprisonment of ten to 20 years and a fine of CFA 20 million (approx. €30,520) to CFA 40 million (approx. €61,030) (Article 21 of the Law).
Direct prospecting using any means of communication that uses, in any form whatsoever, the personal data of a natural person who has not expressed prior consent to receive such prospecting is prohibited and punishable by a term of imprisonment of one to five years and a fine of CFA 1 million (approx. €1,530) to CFA 10 million (approx. €15,260) (Article 22 of the Law).
Prohibition of interference with the action of ARTCI
Anyone who obstructs the work of ARTCI will be punished by a term of imprisonment of one month to two years and by a fine of CFA 1 million (approx. €1,530) to CFA 10 million (approx. €15,260):
- either by objecting to the exercise of the tasks entrusted to its members or to the authorised agents, in accordance with the provisions of this Law;
- by refusing to disclose to its members or authorised officials, information and documents relevant to their mission, or by concealing or removing such documents or information; or
- by providing information that is not consistent with the content of the records as it was at the time the request was made or that does not present such content in a directly accessible form.
The amount of the financial penalty is proportionate to the seriousness of the breaches and the benefits derived from the breach. The amount of this penalty may not exceed the amount of CFA 10 million (approx. €15,270).
In the event of repeated failure to comply within five years of the date on which the financial penalty previously imposed has become final, it may not exceed CFA 100 million (approx. €152,600) or, in the case of an undertaking, it may not exceed 5% of the turnover excluding taxes of the last financial year closed within the limit of CFA 500 million (approx. €762,940).
These administrative and monetary penalties shall be applied without prejudice to criminal sanctions.
ARTCI has not yet issued any enforcement decisions.