Population: 26,163,479

Capitals: Yamoussoukro (political), Abidjan (economic)

President: Alassane Ouattara

2019 Freedom House Score: 51/100

Data protection law? Enforced

Data protection in Ivory Coast is governed by Law No. 2013-450, which details enforcement responsibilities for the Autorité de régulation des télécommunications/TIC de Cote d’Ivoire (ARTCI).

Under Law No. 2013-450, individuals have the right to:

• obtain all of their personal data in an understandable form, as well as any available information as to the origin;
• object, for legitimate reasons, to the processing of personal data concerning them;
• oppose the processing of their personal data for prospecting purposes;
• correct, supplement, update, lock, or delete personal data where it is inaccurate or incomplete; and
• not be subject to decisions made on the sole basis of an automated processing that would produce significant or detrimental legal repercussions for them.

Personal data is information in any information of any kind or media, including sounds or images, that directly or indirectly relate to an identified or identifiable, by reference to an identification number, or to one or more specific cultural, social and economic factors specific to physical, physiological, genetic, or psychological identity.

Sensitive data is all personal data concerning a data subject’s philosophical opinions or religious activities, health, race, sexual life, political opinions, union membership, behaviours, judicial proceedings, or criminal or administrative sanctions.

The processing of sensitive data requires prior authorisation from ARTCI.

Personal data processing is considered legitimate if there is consent from the data subject. This requirement may be waived where processing is necessary for:

• compliance with a legal obligation to which the controller is subject;
• the performance of a public interest mission or the exercise of public authority;
• the commencement or performance of a contract in the data subject’s interests or to which he is a party; or
• safeguarding the interests or fundamental rights and freedoms of the data subject.

Personal data must be:

• collected, recorded, processed, stored, transmitted, and interconnected in a fair and lawful manner;
• collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with these purposes;
• adequate, relevant, and not excessive in relation to those purposes for which it is collected and further processed;
• accurate and updated, if necessary;
• kept for no longer than the period necessary to achieve the purposes for which it was collected and processed; and
• processed confidentially and protected especially when being transmitted over a network.

Interconnection of personal data shall:

• not discriminate against or infringe on the fundamental rights, freedoms, and guarantees of holders of the data;
• ensure the use of appropriate safety measures; and
• take into account the principle of relevance.

ARTCI ensures that the use of Information and Communication Technologies (ICTs) is fully compatible with the freedom and privacy guaranteed to Ivorian users. Among other things, its responsibilities include:

• informing the public and data handlers of their respective rights and responsibilities surrounding the processing of personal data;
• responding to requests for advice on processing personal data;
• establishing bylaws that articulate the rules for the presentation, investigation, and proceedings of cases;
• receiving and investigating complaints about the misuse of personal data and responding to these complaints;
• conducting audits on personal data processing, and obtaining all information and documents needed;
• informing data controllers of alleged violations of the law and issuing mandatory measures for remedying these violations;
• imposing administrative sanctions and pecuniary penalties on data controllers in the case of non-compliance;
• promptly informing the relevant judicial authority of offences committed under the law;
• keeping a public register of personal data processing operations;
• issuing public opinions on the state of data protection laws;
• proposing amendments to simplify and improve data protection legislation, where necessary; and
• cooperating with international data protection authorities to share information and assistance, as well as participating in international negotiations.

The processing of personal data is subject to prior notification to ARTCI. If a data controller appoints a data protection officer, notification is unnecessary unless personal data is being transferred across national borders.

Transfer of personal data to another country is allowed only when that country provides a higher or equivalent level of protection for privacy, freedoms and fundamental rights of individuals regarding the processing of personal data.

No breach notification protocol is stipulated under Ivorian law.

Remember to include as much information as possible in your complaint, including:

• the name of the party that processed the data;
• their contact details, if known;
• a brief description of the violation; and
• the specific remedy that you are requesting.

E-mail your complaint to ARTCI: [email protected]