Population: 12,123,198

Capital: Porto-Novo

President: Patrice Talon

2021 Freedom House Score: 65/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, the Constitution of Benin protects privacy under Article 21.

DPA legislation: The data protection regime in Benin is governed by Book V of the 2017 Digital Code of the Republic of Benin: Protection of Personal Data, and Law No. 2009-09: Dealing with the Protection of Personally Identifiable Information (PII).

These laws have considerable overlap but differ slightly in their scope. Law No. 2009-09 pertains to the digital processing of personally identifiable information in digital files or manuals, as well as personal identification mechanisms based on nominative, personal, and biometric information processed alongside a national ID number.

Book V pertains to the collection, treatment, transmission, storage, and use of personal data by a person, the state, local authorities, and legal persons, as well as automated processing and non-automated processing of personal data contained in files, or any processing of data for public security, defence, research, prosecution of criminal offences, or the security and essential interests of the state.

Under Beninese law, individuals have:

• the right to obtain all of their personal data in an understandable form, as well as any available information as to their origin;
• the right to withdraw consent for personal data processing at any time;
• the right to object, for legitimate reasons, to the processing of personal data concerning them;
• the right to oppose the processing of their personal data for prospecting purposes;
• the right to rectify or erase personal data where it is inaccurate or incomplete;
• the right to not be subject to decisions made on the sole basis of an automated processing that would produce significant risks or harm;
• the right to be forgotten, or to have information made public about themselves deleted from record; and
• the right to obtain compensation from data controllers who, in violating the law, cause material or moral damage to a person.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: Signed

ECOWAS Supplementary Act on Personal Data Protection: Signed

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: Yes

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: No

Personal data is any information regardless of its form, including sounds and images, related to an identified or identifiable natural person.

Sensitive data is all personal data related to a person’s personal opinions, philosophical or religious beliefs, political activities, trade union membership, sexual life, race, health, genetics, prosecutions and criminal or administrative sanctions.

Processing of sensitive data is prohibited barring certain exceptions.

Personal data processing is considered legitimate if there is consent from the data subject. This requirement may be waived where processing is necessary for:

• compliance with a legal obligation to which the controller is subject;
• the performance of a public interest mission or the exercise of public authority;
• the commencement or performance of a contract in the data subject’s interests or to which they are a party; or
• safeguarding the interests or fundamental rights and freedoms of the data subject.

Personal data should be:

• processed legitimately;
• collected, recorded, processed, and stored fairly, lawfully, transparently, and not fraudulently;
• collected for specific and legitimate purposes, and not subsequently processed for other purposes inconsistent with those originally stated;
• adequate, relevant, and not excessive in relation to the purposes for which personal data is collected and processed;
• accurate and updated, if necessary;
• kept in a form that allows for the identification of data subjects for no longer than the period necessary to achieve the aforementioned purposes; and
• processed to ensure adequate safety, including protection against damage, destruction, or unauthorised processing.

Interconnection of personal data shall:

• not discriminate against or infringe on the fundamental rights, freedoms, and guarantees of holders of the data;
• ensure the use of appropriate safety measures; and
• take into account the principle of relevance.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Partial

Timeframe for notification is specified: No

Exceptions exist to breach notifications: Yes

Requires a data processing register: Partial

Register is publicly available: No

Provides for terms of service icons: Yes

DPA must submit at least annual report: Yes

DPA report is made public: Yes

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: No

Number of members in DPA: 11

Maximum term length for members of the DPA (years): 10

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes

Transfer of personal data to another country is allowed only when that country provides a level of protection equivalent to that put in place by the provisions of Book V. Before any transfer of personal data to another country or an international organization, the controller must obtain prior authorization from the APDP.

The transfer of personal data to a country which does not ensure an adequate level of protection may be permitted if the data subject has given consent to the transfer or where such transfer is:

• necessary for the commencement or performance of a contract between the data subject and the data controller, or at the data subject’s request;
• necessary for the execution or conclusion of a contract awarded in the interest of the data subject, or between the data controller and a third party;
• required for the protection of an important public interest, or for the declaration, exercise, or defence of a right in judicial proceedings;
• necessary to protect vital interests of the data subject; or
• made from a public register open to consultation with the general public or anyone who proves a legitimate interest, provided that the conditions laid down by law for the consultation are met in the particular case.

Provides a right not to be subject to automated decision-making: Yes