Mali - Data Protection Overview
May 2023
1. Governing Texts
In Mali, data protection is governed by Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data (only available in French here) ('the Law') and Law No. 2019-056 of 5 December 2019 on the Repression of Cybercrime (only available in French here) ('the Cybercrime Law').
This legislation is applicable to natural and legal persons, the State, and any local authority, acting in whole or in part on the Malian territory.
The Malian data protection authority ('APDP') is in charge of informing and advising data subjects and controllers of their rights and obligations, ensuring compliance with the applicable legislation, inflicting administrative sanctions and, if necessary, referring offences to the competent Public Prosecutor's Office.
1.1. Key acts, regulations, directives, bills
The main laws relating to data protection in Mali are the Law, partially amended by Law No. 2017-070 of 18 December 2017 (only available in French here) ('the Amending Law') and the Cybercrime Law.
1.2. Guidelines
- Deliberation No. 2021-176/APDP of 11 August 2021 on amending deliberation No. 2017-024/APDP relating to the conditions for implementing a video-surveillance system in private places and workplaces (only available in French here)
- Deliberation No. 2021-066/APDP of 7 May 2021 relating to the processing of personal data implemented by public or private bodies relating to the geolocation of vehicles made available to employees (only available in French here)
- Deliberation No. 2021-081/APDP of 7 May 2021 relating to the conditions for implementing the processing of personal data implemented by public and private bodies and individuals for the preparation, exercise and follow-up of their disputes as well as the execution of the decisions rendered (only available in French here)
- Deliberation No. 2020-118/APDP of 12 August 2020 establishing a correspondent for the protection of personal data (cpd) with certain processing responsible (only available in French here)
- Deliberation No. 2020-034/APDP of 12 February 2020 on the adoption of the framework relating to personal data security and confidentiality measures (only available in French here)
- Deliberation No. 2017-16/APDP of 10 April 2017 on the conditions necessary for the use of biometric devices for the control of access to premises, devices, and computer applications on workplaces (only available in French here)
- Deliberation No. 2017-027/APDP of 16 August 2017 amending deliberation No. 2016-003 of 10 August 2016 relating to the formalities necessary for the processing of personal data (only available in French here)
- Deliberation No. 2017-024/APDP on the conditions for setting up a video surveillance system on private sites and workplaces (only available in French here)
- Deliberation No. 2017-045/APDP of 16 October 2017 on the implementation of access control devices and workplaces (only available in French here)
1.3. Case law
Not applicable.
2. Scope of Application
2.1. Personal scope
The Law is applicable to the processing of personal data by the State, local authorities, entities having legal personality, natural persons and private legal entities.
2.2. Territorial scope
The Law has been enacted by the National Assembly of Mali and it applies to all processing of data in the Malian territory or in a place where Malian laws apply.
2.3. Material scope
The Law applies to all types of processing except:
- the processing of data carried out by a person for the exclusive purpose of their personal or domestic activities, provided however that the data is not intended for systematic communication to third parties or for dissemination; and
- temporary copies made within the framework of the technical activities of transmission and supply of access to a digital network, with a view to the automatic, intermediate, and transient storage of data and for the sole purpose of allowing other recipients of the service the best possible access to the information transmitted.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The main regulatory authority for data protection in Mali is the APDP.
3.2. Main powers, duties and responsibilities
The main powers, duties, and responsibilities of the APDP are as follows:
- setting the standards and purposes of the collection of personal data;
- granting prior authorisation for any interconnection of data;
- authorising the transfer of data;
- informing and advising data subjects and those responsible for processing of their rights and obligations;
- ensuring that the processing cannot threaten data privacy;
- receiving complaints relating to the processing of personal data;
- carrying out the necessary checks on the regular processing of personal data;
- imposing administrative sanctions;
- referring matters relating to personal data to the public prosecutor; and
- issuing opinions on draft laws relating to the protection of personal data.
4. Key Definitions
Personal data: Any personal data that reveals, directly or indirectly, racial and ethnic origins, political, philosophical, or religious opinions, or trade union affiliation of persons or that concerns their health or sexual life or social measures, prosecutions, and criminal or administrative sanctions.
Sensitive data: Data relating to religious, philosophical, or political opinions, trade union activities, sex, race, health, social measures, prosecutions, and criminal or administrative charges.
Data controller: The natural or legal person, public or private, any other body or association which, alone or jointly with others, takes the decision to collect and process personal data and determine the purposes thereof.
Data processor: Any subcontractor, individual, public or private legal entity, any other body or association which processes data for the person in charge of the treatment.
Data subject: Any individual whose personal data is processed.
Biometric data: Not applicable.
Health data: Any information concerning the physical and mental condition of a data subject, including genetic or biological data.
Pseudonymisation: Not applicable.
5. Legal Bases
5.1. Consent
Consent is addressed and used as a legal basis under this law. It is defined as any express, unequivocal, free, specific, and informed expression of will by which the data subject or their legal, judicial or contractual representative, agrees to their personal data being processed.
5.2. Contract with the data subject
Not applicable.
5.3. Legal obligations
Not applicable.
5.4. Interests of the data subject
Not applicable.
5.5. Public interest
Not applicable.
5.6. Legitimate interests of the data controller
Not applicable.
5.7. Legal bases in other instances
Not applicable.
6. Principles
Lawfulness and fairness
The Malian government wanted to ensure that every person could benefit from data protection without distinction (gender, age, religion). This law guarantees that all processing respects fundamental rights and freedoms.
7. Controller and Processor Obligations
The data controller and their subcontractor must ensure that the security and confidentiality obligations are fulfilled when processing personal data.
In addition, data controllers are required to implement appropriate technical measures to protect personal data, in particular to prevent it from being distorted, damaged, or accessed by unauthorised third parties.
7.1. Data processing notification
Under the provisions of Article 57 of the Law, the data processor must notify the APDP that they intend to proceed with the processing of data and communicate the purpose of this. Any omission of this notification may be sanctioned by the APDP.
However, data processors of public entities do not have to notify the APDP provided that they sign an agreement with the authority.
7.2. Data transfers
Pursuant to the provisions of Article 11 of the Law, the data controller may transfer personal data to a foreign country:
- when the recipient state ensures a sufficient level of protection for individuals; and
- when the transfer and processing by the recipient of personal data guarantees a sufficient level of protection of privacy and the fundamental rights of individuals.
7.3. Data processing records
Not applicable.
7.4. Data protection impact assessment
Not applicable.
7.5. Data protection officer appointment
There is no provision relating to the appointment of a data protection officer.
7.6. Data breach notification
There are no provisions concerning data breaches.
7.7. Data retention
According to the Law, data controllers must delete data upon request from the data subject if the data is incomplete, false, ambiguous, or outdated, within 30 days from the receipt of such request. See sections on the rights to rectification and erasure below.
7.8. Children's data
Not applicable.
7.9. Special categories of personal data
There are two categories of specific personal data: sensitive data, and data concerning offences and convictions.
The collection of sensitive data, understood as any data of a personal nature (religious, philosophical, political beliefs, trade union, sexual life, race, health, morals) is prohibited. This prohibition can be subject to exceptions if the data is necessary or used to safeguard the person's life, used by a non-profit organisation, or in the context of a judicial action.
Data concerning offences and convictions may be processed exclusively by: jurisdictions and public authorities in charge of a public service acting within the framework of their legal attributions; court officers; or other legal persons for the strict necessity of litigating offences they were victims of.
7.10. Controller and processor contracts
The Law does not specify whether the relationship between a data controller and processor must be managed through contractual agreements.
However, the Law states that the subcontractor must present sufficient guarantees to ensure the implementation of security and confidentiality measures.
8. Data Subject Rights
8.1. Right to be informed
Pursuant to Article 15 of the Law, data subjects have a right to be informed and the data controller must inform the data subject of:
- the identity of the data controller and its representative (if any);
- the purposes of the processing;
- the category of data concerned;
- the recipients or categories of recipients of the data;
- the right to object to the collection of such data;
- the right to access the collected data and have it edited;
- the duration of the processing; and
- details on any intended transfer of the data.
Data subjects also have the right to be informed before their data is first communicated to third parties or used on behalf of third parties for prospection.
A specific provision is applicable in the context of electronic communications networks. Data subjects must receive clear and complete information on the purpose of any action tending to access, by electronic transmission, information stored in their terminal or to inscribe, by the same means, information in their terminal.
This provision shall not apply if the access to the information stored in the user's terminal or the inclusion of information in their equipment is solely for the purpose of enabling or facilitating communication by electronic means or if access is strictly necessary for the provision of an online communication service, at the express request of the user.
8.2. Right to access
Pursuant to Article 12 of the Law, data subjects have a right to obtain, from the data controller, access to information. Data controllers will have to provide an understandable communication of all the data concerning the subject, its origin, and any information and reasoning used in the electronic treatment of such data.
8.3. Right to rectification
Pursuant to Articles 13 and 14 of the Law, data subjects have a right to amend and/or erase information, both directly and indirectly.
They have a direct right to rectification and erasure if the data happens to be incomplete, false, ambiguous, outdated or if its collection, use, transfer, or retention is prohibited. The data processor will have to comply with this request within 30 days from the receipt of the said request.
In the event of a dispute, the burden of proof will lie with the data controller.
In addition, if the information has been transmitted to a third party, the data controller will carry out all the necessary diligence in order to notify the third party of the required steps in order to comply with the request.
The indirect right to amend and/or erase data comes into play when the processing of data concerns national security, defence, or public safety. In such a case, the data subject will have to address a request to the APDP who will appoint one of its members to carry out an investigation on the opportunity of the request. If the APDP determines, in agreement with the data controller, that the data does not concern national security, defence, or public safety, the information will be communicated to the data subject.
8.4. Right to erasure
See section on right to rectification above.
8.5. Right to object/opt-out
Under the provision of Article 19 of the Law, data subjects have the right to object to the processing if they have legitimate reasons, unless the processing is based on a legal obligation.
8.6. Right to data portability
Not applicable.
8.7. Right not to be subject to automated decision-making
Not applicable.
8.8. Other rights
Not applicable.
9. Penalties
There are two kinds of sanctions for non-compliance with data protection laws: administrative sanctions pronounced by the APDP and criminal sanctions pronounced by a judge.
The following administrative sanctions provided by the Law can be pronounced by the APDP:
- a warning to the data controller who does not comply with the obligations it creates;
- formal notice to the data controller at fault;
- a formal injunction to stop the processing of personal data against any data controller, in the event of fault; and
- withdrawal of approval.
In addition, pursuant to Articles 65 and 66, the judge can apply the following criminal sanctions:
- imprisonment; and
- fines of between XOF 2.5 million and XOF 10 million (approx. €3,820 to €15,290) or between XOF 5 million and XOF 20 million (approx. €7,640 to €30,580).
9.1. Enforcement decisions
No decisions available.