Population: 20,903,278

Capital: Ouagadougou

President: Capt Ibrahim Traoré (interim)

2021 Freedom House Score: 54/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, the Constitution of Burkina Faso, 1991 provides for the right to privacy and confidentiality of correspondence

DPA legislation:

Law N°010- 2004/AN was passed to apply these rights to individuals’ personal data, and in 2007, Burkina Faso became the first French speaking country in sub-Saharan Africa with an operative data protection authority, the Commission de l’Informatique et des Libertés (CIL). As the body has been functioning for over a decade, it has had time to discover certain flaws in the law and in its implementation and highlight areas in need of reform. As a result, Law No. 001-2021 of March 30, 2021 on the protection of persons with regard to the processing of personal data was passed to update and augment the legal framework on data protection.

A number of decrees and orders have also been issued relating to the protection of personal information, notably Decree No. 2007-283/PRES/PM/MPDH of 18 May 2007 regarding the organisation and functioning of the CIL; Decree No. 2007-757/PRES/PM/MPDH/MEF appointing the members of the CIL; and Order No. 2008/001/CIL fixing the internal regulations of the CIL.

Under Law N°010- 2004/AN, individuals have the right to:

• be informed at the time of collection of the purposes for which the data are used and the identity of the data controller;
• access their personal data without delay or excessive costs;
• oppose, for legitimate reasons, the processing of personal data concerning them;
• oppose the processing of personal data for marketing or advertising;
• correct personal data being held about them if it is inaccurate or incomplete; and
• not be subject to decisions made on the sole basis of an automated processing that would produce adverse legal ramifications for them.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: Signed

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: No

National security exclusion: Yes

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: Yes

Other exclusion(s): Yes

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes

Personal data is information in any form that allows, directly or indirectly, for the identification of persons, in particular by reference to an identification number, or to elements specific to their physical, psychological, philosophical, economic, cultural, or social identities.

Unless otherwise provided by law, it is forbidden to collect or process personal data related to a data subject’s health, racial or ethnic origins, political, philosophical or religious opinions, union membership, morals, or behaviours, without his, her or their consent, as well as information relating to the investigation and prosecution of offenders, criminal or administrative penalties, or security measures.

The data protection principles in Law N°010- 2004/AN reflect those found elsewhere in the Convention of the African Union and the ECOWAS Supplementary Act. These principles include:

• consent and legitimacy: unless otherwise provided by law, data controllers are obligated to obtain consent from the data subject;
• purpose: personal data can only be collected and processed for a specific and legitimate purpose;
• proportionality and relevance: personal data must only be processed in a relevant and necessary manner regarding the purpose and objectives of the processing;
• lawfulness and fairness: data controllers must collect and process data in a fair, lawful, and not fraudulent manner;
• data retention: a specified period of time should be determined in advance depending on the purpose of processing to ensure that personal data is not stored indefinitely;
• security and confidentiality: all responsible persons for processing personal data must not only ensure the security of data or files to prevent their destruction, or alteration; but also prevent unauthorised access to personal data contained in a file or intended to form part of the file; and
• preliminary formalities: without exception or exemption provided by law, all data controllers shall, depending on the nature of personal data processing, notify the CIL or ask his opinion or obtain approval, etc.

Collection must be carried out only with the consent of the data subject(s), unless an exception applies, and controllers should notify the CIL of all processing except in a number of exceptions. When processing complies with a ‘simplified norm’ published by the CIL, authorisation from the CIL is not required, but only a ‘simplified declaration of conformity’ to the norm.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: No

Notification to data subject in event of data breach: No

Timeframe for notification is specified: NA

Exceptions exist to breach notifications: No

Requires a data processing register: Yes

Register is publicly available: No

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Yes

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: No

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Unclear

Number of members in DPA: 9

Maximum term length for members of the DPA (years): 10

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: No

Justification required for a request for deletion: NA

Defines the requirements for consent: No

DPA is mandated to participate in policy formulation: Yes

The controller must request the authorisation of the CIL for the international transfer of personal information and must implement technical and organisational security measures. The controller must verify that the host country either has comprehensive personal data protection legislation or its legal system otherwise provides adequate protection, and must sign a confidentiality clause and a data reversibility clause with the contracting party. The CIL recognises the binding corporate rules (BCR) of the Association francophone des autorités de protection des données (AFAPDP) as an alternative to the contractual process.

Provides a right not to be subject to automated decision-making: Yes