DATA PROTECTION FACTSHEET
Capitals: Yamoussoukro (political), Abidjan (economic)
President: Alassane Ouattara
2021 Freedom House Score: 44/100
Data protection law? Yes, with data protection authority appointed
Privacy enshrined in Constitution: Yes, the Constitution of Côte d’Ivoire protects privacy under Article 8.
DPA legislation: Yes, data protection in Ivory Coast is governed by Law No. 2013-450, which details enforcement responsibilities for the Autorité de régulation des télécommunications/TIC de Cote d’Ivoire (ARTCI).
Under Law No. 2013-450, individuals have the right to:
- obtain all of their personal data in an understandable form, as well as any available information as to the origin;
- object, for legitimate reasons, to the processing of personal data concerning them;
- oppose the processing of their personal data for prospecting purposes;
- correct, supplement, update, lock, or delete personal data where it is inaccurate or incomplete; and
- not be subject to decisions made on the sole basis of an automated processing that would produce significant or detrimental legal repercussions for them.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: Signed
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: Yes
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
Personal data is information in any information of any kind or media, including sounds or images, that directly or indirectly relate to an identified or identifiable, by reference to an identification number, or to one or more specific cultural, social, and economic factors specific to physical, physiological, genetic, or psychological identity.
Sensitive data is all personal data concerning a data subject’s philosophical opinions or religious activities, health, race, sexual life, political opinions, union membership, behaviours, judicial proceedings, or criminal or administrative sanctions.
The processing of sensitive data requires prior authorisation from ARTCI.
Personal data processing is considered legitimate if there is consent from the data subject. This requirement may be waived where processing is necessary for:
- compliance with a legal obligation to which the controller is subject;
- the performance of a public interest mission or the exercise of public authority;
- the commencement or performance of a contract in the data subject’s interests or to which he is a party; or
- safeguarding the interests or fundamental rights and freedoms of the data subject.
Personal data must be:
- collected, recorded, processed, stored, transmitted, and interconnected in a fair and lawful manner;
- collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with these purposes;
- adequate, relevant, and not excessive in relation to those purposes for which it is collected and further processed;
- accurate and updated, if necessary;
- kept for no longer than the period necessary to achieve the purposes for which it was collected and processed; and
- processed confidentially and protected especially when being transmitted over a network.
Interconnection of personal data shall:
- not discriminate against or infringe on the fundamental rights, freedoms, and guarantees of holders of the data;
- ensure the use of appropriate safety measures; and
- take into account the principle of relevance.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: NA
Exceptions exist to breach notifications: NA
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: No
Law provides for criminal penalties: No
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: Yes
Number of members in DPA: 7
Maximum term length for members of the DPA (years): 6
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
Transfer of personal data to another country is allowed only when that country provides a higher or equivalent level of protection for privacy, freedoms, and fundamental rights of individuals regarding the processing of personal data.
Provides a right not to be subject to automated decision-making: No