Population: 555,988

Capital: Praia

President: José Maria Neves

2021 Freedom House Score: 92/100

Data protection law? Yes, with data protection authority appointed.

Privacy enshrined in Constitution: Yes, major provisions in the data protection laws are effectively reproduced in the Constitution, which provides an additional layer of legitimacy. The constitutional right of habeas data grants the right to a citizen request, update or even to destruct any personal data, and Law No. 109 articulates the conditions by which a party may bring a habeas data case.

DPA legislation: Law No. 133-V-2001, passed in 2001, was Cabo Verde’s original data protection law, and make Cabo Verde the first African country to have enacted comprehensive data protection legislation. It closely mirrored European data protection laws at the time, as Cabo Verde’s legal system largely draws from that of Portugal. Law No. 41 was passed in 2013 to supplement and update Law No. 133, and Law No. 42 was subsequently passed in 2013 to detail the responsibilities of the Cabo Verdean data protection authority, known as the Comissão Nacional de Proteção de Dados Pessoais (CNPD).

Under Cabo Verdean law, an individual has the right to:

• be informed by any data controller if he holds personal data about that individual;
• access and know how personal data concerning them is being processed;
• object, for legitimate reasons, to the processing of personal data concerning them;
• oppose the processing of their personal data for marketing or advertising;
• have a data controller correct, supplement, update, lock, or delete personal data concerning them, if the data is inaccurate, incomplete, equivocal or out of date, or if its collection, use, communication, or conservation is prohibited; and
• not be subject to a decision made on the sole basis of an automated processing that would produce adverse legal ramifications for them.

ICCPR: Acceded

Council of Europe Convention 108: Acceded

Council of Europe Convention 185: Ratified

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: Signed

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): Ratified

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes

Personal data is any information, regardless of its nature or the media on which it is stored, relating to an identifiable natural person.

Sensitive data is personal data about an individual’s:

• philosophical or political convictions;
• party or union affiliation;
• religious faith;
• private life;
• ethnic origin;
• health;
• sex life; or
• genetic information.

Personal data processing may only occur if there is consent from the data subject or if processing is necessary for:

• compliance with a legal obligation to which the controller is subject;
• the performance of a public interest mission or the exercise of public authority;
• the commencement or performance of a contract in the data subject’s interests or to which he is a party;
• safeguarding the interests or fundamental rights and freedoms of the data subject; or
• the pursuit of legitimate interests of the controller or third-party data processor, provided

these interests preserve the fundamental rights and freedoms of the data subject.

Personal data must be:

• processed legally, lawfully, and abiding by the principle of good faith;
• collected for specific, explicit, and legitimate purposes and may not be further processed in any manner incompatible with these purposes;
• adequate, relevant, and not excessive relative to those purposes in terms of collection and further processing;
• accurate and updated, if necessary;
• stored in such a way that allows for the identification of data subjects only for the period necessary for the purposes for which the data was collected or processed; and
• treated confidentially and be adequately protected, in particular where the processing includes data transmissions in a network.

Interconnection of personal data shall:

• be limited to what is necessary and appropriate to the pursuit of legal or statutory purposes and legitimate interests of those processing;
• not discriminate against or infringe on the fundamental rights, freedoms, and guarantees of holders of the data; and
• ensure the use of appropriate safety measures.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: No

Notification to data subject in event of data breach: No

Timeframe for notification is specified: NA

Exceptions exist to breach notifications: NA

Requires a data processing register: Yes

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Unclear

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Unclear

DPA may receive some forms of external funding/own revenue: Unclear

Adequate protections against undue removal: No

Number of members in DPA: 3

Maximum term length for members of the DPA (years): 12

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: No

Justification required for a request for deletion: NA

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes

The transfer of personal data outside of Cabo Verde may be carried out with respect to the provisions of applicable domestic data protection law and is only permissible if the foreign country ensures an adequate level of protection.

The transfer of personal data to a country which does not ensure an adequate level of protection may be permitted by CNPD if the data subject has given consent to the transfer or whether such transfer is:

• necessary for the commencement or performance of a contract between the data subject and the data controller, or at the data subject’s request;
• necessary for the execution or conclusion of a contract awarded or to be granted, in the interest of the data subject, or between the data controller and a third party;
• required for the protection of an important public interest, or for the declaration, exercise, or defence of a right in judicial proceedings;
• necessary to protect vital interests of the data subject; or
• made from a public register open to consultation with the general public or anyone who proves a legitimate interest, provided that that the conditions laid down by law for the consultation are met in the particular case.

Provides a right not to be subject to automated decision-making: Yes