CABO VERDE
DATA PROTECTION FACTSHEET
-
Population: 555,988
Capital: Praia
President: José Maria Neves
2021 Freedom House Score: 92/100
Data protection law? Yes, with data protection authority appointed.
-
Privacy enshrined in Constitution: Yes, major provisions in the data protection laws are effectively reproduced in the Constitution, which provides an additional layer of legitimacy. The constitutional right of habeas data grants the right to a citizen request, update or even to destruct any personal data, and Law No. 109 articulates the conditions by which a party may bring a habeas data case.
DPA legislation: Law No. 133-V-2001, passed in 2001, was Cabo Verde’s original data protection law, and make Cabo Verde the first African country to have enacted comprehensive data protection legislation. It closely mirrored European data protection laws at the time, as Cabo Verde’s legal system largely draws from that of Portugal. Law No. 41 was passed in 2013 to supplement and update Law No. 133, and Law No. 42 was subsequently passed in 2013 to detail the responsibilities of the Cabo Verdean data protection authority, known as the Comissão Nacional de Proteção de Dados Pessoais (CNPD).
Under Cabo Verdean law, an individual has the right to:
- be informed by any data controller if he holds personal data about that individual;
- access and know how personal data concerning them is being processed;
- object, for legitimate reasons, to the processing of personal data concerning them;
- oppose the processing of their personal data for marketing or advertising;
- have a data controller correct, supplement, update, lock, or delete personal data concerning them, if the data is inaccurate, incomplete, equivocal or out of date, or if its collection, use, communication, or conservation is prohibited; and
- not be subject to a decision made on the sole basis of an automated processing that would produce adverse legal ramifications for them.
-
ICCPR: Acceded
Council of Europe Convention 108: Acceded
Council of Europe Convention 185: Ratified
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: Signed
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): Ratified
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
-
Personal data is any information, regardless of its nature or the media on which it is stored, relating to an identifiable natural person.
Sensitive data is personal data about an individual’s:
- philosophical or political convictions;
- party or union affiliation;
- religious faith;
- private life;
- ethnic origin;
- health;
- sex life; or
- genetic information.
-
Personal data processing may only occur if there is consent from the data subject or if processing is necessary for:
- compliance with a legal obligation to which the controller is subject;
- the performance of a public interest mission or the exercise of public authority;
- the commencement or performance of a contract in the data subject’s interests or to which he is a party;
- safeguarding the interests or fundamental rights and freedoms of the data subject; or
- the pursuit of legitimate interests of the controller or third-party data processor, provided
these interests preserve the fundamental rights and freedoms of the data subject.
Personal data must be:
- processed legally, lawfully, and abiding by the principle of good faith;
- collected for specific, explicit, and legitimate purposes and may not be further processed in any manner incompatible with these purposes;
- adequate, relevant, and not excessive relative to those purposes in terms of collection and further processing;
- accurate and updated, if necessary;
- stored in such a way that allows for the identification of data subjects only for the period necessary for the purposes for which the data was collected or processed; and
- treated confidentially and be adequately protected, in particular where the processing includes data transmissions in a network.
Interconnection of personal data shall:
- be limited to what is necessary and appropriate to the pursuit of legal or statutory purposes and legitimate interests of those processing;
- not discriminate against or infringe on the fundamental rights, freedoms, and guarantees of holders of the data; and
- ensure the use of appropriate safety measures.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: NA
Exceptions exist to breach notifications: NA
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
-
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Unclear
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: No
Number of members in DPA: 3
Maximum term length for members of the DPA (years): 12
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: No
Justification required for a request for deletion: NA
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
-
The transfer of personal data outside of Cabo Verde may be carried out with respect to the provisions of applicable domestic data protection law and is only permissible if the foreign country ensures an adequate level of protection.
The transfer of personal data to a country which does not ensure an adequate level of protection may be permitted by CNPD if the data subject has given consent to the transfer or whether such transfer is:
- necessary for the commencement or performance of a contract between the data subject and the data controller, or at the data subject’s request;
- necessary for the execution or conclusion of a contract awarded or to be granted, in the interest of the data subject, or between the data controller and a third party;
- required for the protection of an important public interest, or for the declaration, exercise, or defence of a right in judicial proceedings;
- necessary to protect vital interests of the data subject; or
- made from a public register open to consultation with the general public or anyone who proves a legitimate interest, provided that that the conditions laid down by law for the consultation are met in the particular case.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 25 May 2022