Population: 32,866,268

Capital: Luanda

President: João Manuel Gonçalves Lourenço

2021 Freedom House Score: 31/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, the Angolan Constitution protects the right to privacy in Article 32.

DPA legislation: Angola’s Data Protection Law (Law 22/11) draws on provisions from the EU and Portuguese legal regimes for the protection of personal data. While the law was signed in 2011, the enforcement authority, known as the Agência de Proteção de Dados (APD), was only created in October 2019 and there is presently no significant level of enforcement.

Under the law, data subjects have the right to:

• access their personal data;
• have their personal data corrected or deleted;
• ask a responsible party to limit the activities for which their data is used;
• not be subject to decisions based solely on automatic processing that would significantly affect them; and
• object to the use of their personal data for advertising purposes.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: Ratified

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: Partial

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes

Personal data is any given information, regardless of its nature, including images and sounds related to a specific or identifiable individual.

Sensitive personal data is personal data related to:

• philosophical or political beliefs;
• political affiliations or trade union membership;
• religion;
• private life;
• racial or ethnic origin; or
• health or sex life (including genetic data).

To lawfully collect and process sensitive personal data, a legal provision must allow for processing and entities must obtain prior authorisation from the APD. If sensitive personal data processing results from a legal provision, the APD must be provided with notice.

Except in certain circumstances provided by law, entities must obtain prior consent from data subjects and give prior notice to the APD to lawfully collect and process personal data.

All data processing must follow these general principles: transparency, legality, good faith, proportionality, truthfulness, respect to private life and legal and constitutional guarantees.

Data processing must be limited to the purpose for which the data is collected, and personal data must not be held for longer than is necessary for that purpose.

There are specific rules applicable to the processing of personal data related to:

• sensitive data on health and sexual life;
• illicit activities, crimes and administrative offenses;
• solvency and credit data;
• video surveillance and other electronic means of control;
• advertising by email;
• advertising by electronic means (direct marketing); and
• call recording.

Specific rules for the processing of personal data within the public sector also apply.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Yes

Timeframe for notification is specified: No

Exceptions exist to breach notifications: Yes

Requires a data processing register: Yes

Register is publicly available: No

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: No

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: No

Number of members in DPA: 7

Maximum term length for members of the DPA (years): 15

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Unclear

Right of data subject to request deletion of data: No

Justification required for a request for deletion: NA

Defines the requirements for consent: No

DPA is mandated to participate in policy formulation: No

The APD must be notified prior to any international transfers of personal data to countries deemed to have an adequate level of protection.

Cross-border personal data transfers to countries without an adequate level of protection must be authorised by the ADP, and specific requirements must be met. Harmonised, compulsory internal data protection and privacy rules may demonstrate an adequate level of protection for transfers between companies in the same group.

The communication of personal data to a recipient, a third party or a subcontracted entity is subject to specific legal conditions and requirements.

Provides a right not to be subject to automated decision-making: Yes