Mali - Data Protection Overview
April 2024
1. Governing Texts
In Mali, data protection is governed by Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data (only available in French here) ('the Law') and Law No. 2019-056 of 5 December 2019 on the Repression of Cybercrime (only available in French here) ('the Cybercrime Law').
This legislation is applicable to natural persons, entities with legal personality, the State, and any local authority, acting in whole or in part on the Malian territory.
The Malian data protection authority ('APDP') is charged with informing and advising data subjects and controllers of their rights and obligations, ensuring compliance with the applicable legislation, inflicting administrative sanctions and, if necessary, referring offenses to the competent Public Prosecutor's Office.
1.1. Key acts, regulations, directives, bills
The main laws relating to data protection in Mali are the Law, partially amended by Law No. 2017-070 of 18 December 2017 (only available in French here) ('the Amending Law') and the Cybercrime Law.
1.2. Guidelines
- Deliberation No. 2021-176/APDP of 11 August 2021 on amending deliberation No. 2017-024/APDP relating to the conditions for implementing a video-surveillance system in private places and workplaces (only available in French here);
- Deliberation No. 2021-066/APDP of 7 May 2021 relating to the processing of personal data implemented by public or private bodies relating to the geolocation of vehicles made available to employees (only available in French here);
- Deliberation No. 2021-081/APDP of 7 May 2021 relating to the conditions for implementing the processing of personal data implemented by public and private bodies and individuals for the preparation, exercise and follow-up of their disputes as well as the execution of the decisions rendered (only available in French here);
- Deliberation No. 2020-118/APDP of 12 August 2020 establishing a correspondent for the protection of personal data (CPD) with certain data controllers (only available in French here);
- Deliberation No. 2020-034/APDP of 12 February 2020 on the adoption of the framework relating to personal data security and confidentiality measures (only available in French here);
- Deliberation No. 2017-16/APDP of 10 April 2017 on the conditions necessary for the use of biometric devices for the control of access to premises, devices, and computer applications on workplaces (only available in French here);
- Deliberation No. 2017-027/APDP of 16 August 2017 amending deliberation No. 2016-003 of 10 August 2016 relating to the formalities necessary for the processing of personal data (only available in French here);
- Deliberation No. 2017-024/APDP on the conditions for setting up a video surveillance system on private sites and workplaces (only available in French here); and
- Deliberation No. 2017-045/APDP of 16 October 2017 on the implementation of access control devices and workplaces (only available in French here).
1.3. Case law
Not applicable.
2. Scope of Application
2.1. Personal scope
The Law is applicable to the processing of personal data by the State, local authorities, entities having legal personality, natural persons, and private legal entities.
2.2. Territorial scope
The Law has been enacted by the National Assembly of Mali and applies to all or partial processing of personal data in the Malian territory and wherever the Malian laws are applicable.
The Law applies to any processing carried out by a data controller, whether or not established on national territory, with the exception of means that are only used for purposes of transit on national territory.
2.3. Material scope
The Law applies to all types of processing of personal data, including any processing concerning public security, national defense, the investigation and prosecution of criminal offenses, or State security, even if linked to an important economic or financial interest of the State, subject to derogations.
The Law explicitly excludes the following cases out of its material scope:
- processing of personal data carried out by a person for the exclusive purpose of their personal or domestic activities, provided however, that the data is not intended for systematic communication to third parties or for dissemination; and
- temporary copies made within the framework of the technical activities of transmission and supply of access to a digital network, with a view to the automatic, intermediate, and transient storage of data and for the sole purpose of allowing other recipients of the service the best possible access to the information transmitted.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The main regulatory authority for data protection in Mali is the APDP.
3.2. Main powers, duties and responsibilities
The main powers, duties, and responsibilities of the APDP are as follows:
- setting the standards and purposes of the collection of personal data;
- granting prior authorization for any interconnection of data;
- authorizing the transfer of data;
- informing and advising data subjects and those responsible for processing on their rights and obligations;
- ensuring that the processing cannot threaten data privacy;
- receiving complaints relating to the processing of personal data;
- carrying out the necessary checks on the regular processing of personal data;
- imposing administrative sanctions;
- referring matters relating to personal data to the competent Public Prosecutor's Office; and
- issuing opinions on draft laws relating to the protection of personal data.
4. Key Definitions
Data controller: The natural or legal person, public or private, any other body or association which, alone or jointly with others, takes the decision to collect and process personal data and determine the purposes thereof.
Data processor: Any subcontractor, individual, public or private legal entity, any other body or association which processes data on behalf of the data controller.
Personal data: Information existing in various forms and enabling a person to be identified directly or indirectly, by reference to an identification number or to one or more factors specific to their physical, physiological, biometric, genetic, psychological, cultural, social or economic identity. Such information may consist of universal identifiers enabling several filing systems making up databases to be linked together, or to be interconnected.
Sensitive data: Data relating to religious, philosophical, or political opinions, trade union activities, sex, race, health, social measures, prosecutions, and criminal or administrative charges.
Health data: Any information concerning the physical and mental condition of a data subject, including genetic or biological data.
Biometric data: Not applicable.
Pseudonymization: Not applicable.
Data subject: Any individual whose personal data is processed.
5. Legal Bases
5.1. Consent
Consent is defined as any express, unequivocal, free, specific, and informed expression of will by which the data subject or their legal, judicial or contractual representative, agrees to their personal data being processed (Article 3(3) of the Law).
5.2. Contract with the data subject
Not applicable.
5.3. Legal obligations
Not applicable.
5.4. Interests of the data subject
Not applicable.
5.5. Public interest
Not applicable.
5.6. Legitimate interests of the data controller
Not applicable.
5.7. Legal bases in other instances
Not applicable.
6. Principles
The Malian government wanted to ensure that every person could benefit from data protection without distinction (gender, age, religion). This law guarantees that all processing respects fundamental rights and freedoms.
Following Article 7 of the Law, personal data must:
- be collected and processed in a fair, lawful, and non-fraudulent manner for specific, explicit, and legitimate purposes;
- not be used for other purposes;
- be adequate, proportionate, and relevant to the purposes for which they are collected or used;
- be accurate, complete, and, if necessary, kept up to date; and
- be kept in a form that permits identification of the persons concerned for no longer than is necessary for the purposes for which they are collected or used.
Furthermore, Article 8 of the Law outlines the obligations of security and confidentiality of the data controller and data processor.
7. Controller and Processor Obligations
Data controllers are required to implement appropriate technical measures to ensure the security of personal data, in particular, to prevent it from being distorted, damaged, or accessed by unauthorized third parties.
The data processor must implement appropriate security measures to ensure that the security and confidentiality obligations are fulfilled when processing personal data. The data controller remains responsible for ensuring compliance with these measures.
7.1. Data processing notification
Under the provisions of Article 57 of the Law, the data controller must notify the APDP regarding the intended processing of personal data and the purposes for which the data will be processed. Omission of this notification may be sanctioned by the APDP.
However, data processors of public entities do not have to notify the APDP provided that they sign an agreement with the authority.
7.2. Data transfers
Pursuant to the provisions of Article 11 of the Law, the data controller may transfer personal data to a foreign country:
- when, as established by the APDP, the recipient state ensures a sufficient level of protection for individuals; and
- when, based on a decision by the APDP, the transfer and processing by the recipient of personal data guarantees a sufficient level of protection of privacy and the fundamental rights of individuals.
7.3. Data processing records
Not applicable.
7.4. Data protection impact assessment
Not applicable.
7.5. Data protection officer appointment
There is no provision relating to the appointment of a data protection officer.
7.6. Data breach notification
There are no provisions concerning data breaches.
7.7. Data retention
According to the Law, data controllers must delete data upon request from the data subject if the data is incomplete, false, ambiguous, or outdated, within 30 days from the receipt of such request. See sections on the rights to rectification and erasure below.
7.8. Children's data
Not applicable.
7.9. Special categories of personal data
The collection of sensitive data is prohibited. This prohibition can be subject to exceptions if the data:
- is necessary or used to safeguard the person's life and the person is unable to provide their consent;
- is used by a non-profit organization for the sole purpose of management of their members; or
- is necessary in the context of a judicial action.
Concerning processing of personal data in the context of offences and convictions, the processing of these data can be exclusively made by:
- jurisdictions and public authorities in charge of a public service acting within the framework of their legal attributions;
- court officers; or
- other legal persons for the strict necessity of litigating offences they were victims of.
7.10. Controller and processor contracts
The Law does not specify whether the relationship between a data controller and processor must be managed through contractual agreements.
However, the Law states that the data processor must present sufficient guarantees to ensure the implementation of security and confidentiality measures.
8. Data Subject Rights
8.1. Right to be informed
Pursuant to Article 15 and Article 16 of the Law, the data controller must inform the data subjects, at the moment of collection of personal data, of:
- the identity of the data controller and its representative (if any);
- the purposes of the processing;
- the category of data concerned;
- the recipients or categories of recipients of the data;
- whether answering the questions is compulsory or optional, and the consequences of failing to do so;
- the right to object to being part of a filing system;
- the right to access the collected data and have it rectified;
- the duration of storage of personal data; and
- details on any intended transfers of the data.
Data subjects also have the right to be informed before their data is first communicated to third parties or used on behalf of third parties for marketing purposes, and of their right, free of charge, to object to such communication or use.
A specific provision is applicable in the context of electronic communications networks. Data subjects must receive clear and complete information on:
- the purpose of any action tending to access, by electronic transmission, information stored in their terminal or to inscribe, by the same means, information in their terminal; and
- the means available to the data subject to object to such processing.
This provision shall not apply if the access to the information stored in the user's terminal or the inclusion of information in their equipment is solely for the purpose of enabling or facilitating communication by electronic means or if access is strictly necessary for the provision of an online communication service, at the express request of the user.
8.2. Right to access
Pursuant to Article 12 of the Law, data subjects have a right to obtain, from the data controller, access to information, presented in an understandable form, of all the data concerning the subject, its origin, and any information and reasoning used in the electronic processing of such data.
The right to access is free of charge, can be exercised on-site or remotely, and must be attended to without delay. At the request of the data subject, a copy of their personal data is to be provided to the data subject.
The right to access may be exercised indirectly as outlined in the section right to rectification below.
8.3. Right to rectification
Pursuant to Articles 13 and 14 of the Law, data subjects, providing proof of identity, have a right to amend and/or erase information, both directly and indirectly.
The data subjects have a direct, free-of-charge right to request in written form the rectification and erasure if the data happens to be incomplete, false, ambiguous, or outdated, or if its collection, use, disclosure, or retention is prohibited. The data processor will have to comply with this request within 30 days from the receipt of the said request.
In the event of a dispute, the burden of proof will lie with the data controller.
In addition, if the information has been transmitted to a third party, the data controller will exercise due diligence to notify the third party of actions carried in order to comply with the request.
The indirect right to access, amend, and/or erase data comes into play when the processing of data concerns national security, defense, or public safety. In such a case, the data subject must address a request to the APDP, which will appoint one of its members to carry out an investigation into the merits of the request. If the APDP determines, in agreement with the data controller, that the data does not concern national security, defense, or public safety, the request of the data subject will be complied with.
8.4. Right to erasure
See section on right to rectification above.
8.5. Right to object/opt-out
Under the provision of Article 19 of the Law, data subjects have the right to object to the processing if they have legitimate reasons.
8.6. Right to data portability
Not applicable.
8.7. Right not to be subject to automated decision-making
Not applicable.
8.8. Other rights
Not applicable.
9. Penalties
There are two kinds of sanctions for non-compliance with data protection laws, administrative sanctions pronounced by the APDP and criminal sanctions pronounced by a judge.
The following administrative sanctions provided by the Law can be pronounced by APDP:
- a warning to the data controller who does not comply with the obligations established in the Law or the regulatory acts of the APDP;
- formal notice to the data controller at fault;
- a formal injunction to cease the processing of personal data against any data controller, in the event of fault; and
- withdrawal of approval.
In addition, pursuant to Articles 65 and 66, the judge can apply the following criminal sanctions:
- imprisonment; and
- fines of between XOF 2.5 million to XOF 10 million (approx. $4,100 to $16,370) or XOF 5 million to XOF 20 million (approx. $8,190 to €32,750).
9.1. Enforcement decisions
No decisions available.