Gabon

DATA PROTECTION FACTSHEET

DATA PROTECTION LAW IN PLACE

DATA PROTECTION AUTHORITY APPOINTED

Download the Act

Fast Facts
Domestic Law
Privacy enshrined in Constitution: Yes, privacy is protected in the Constitution of Gabon under Articles 1 and 47.

DPA legislation: Data protection in Gabon is governed by Law No. 001/2011, which aims to set up a system to fight invasions of privacy and details enforcement responsibilities for the Commission nationale de protection des données à caractère personnel (CNPDCP). Data protection is also dealt with in part under various other pieces of legislation, including Law No. 26/2018 of 22 October 2018 regarding the Regulation of Electronic Communications in Gabon and Order No. 15-PR-2018 on the Regulation of Cybersecurity and the Fight against Cybercrime.

Under Law No. 001/2011, individuals have the right to:
- obtain all of their personal data in an understandable form, as well as any available information as to the origin;
- oppose, for legitimate reasons, the processing of personal data concerning them;
- oppose the processing of their personal data for prospecting purposes;
- rectify, complete, update, lock, or delete personal data concerning them, where it is inaccurate, incomplete, equivocal, out of date, or if collection, use, communication or conservation is prohibited; and
- not be subject to decisions made on the sole basis of an automated processing that would produce significant or detrimental legal repercussions for them.
International Commitments
Scope of Application

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: Yes

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes
Personal Data

Personal data is any information related to an identified or identifiable natural person, directly or indirectly referencing an identification number, or one or more elements specific to his, her or their physical, physiological, genetic, psychological, cultural, social, or economic identity.

Sensitive data is defined as all personal data relating to religious or philosophical opinions or activities, political affiliation, trade union membership, sex life, race, health, prosecutions, and criminal or administrative sanctions.

The processing of sensitive data is prohibited barring certain exceptions.
Collection and Processing
Personal data must be:
- processed confidentially, only by people who act under the authority of the data controller and only on his, her or their instructions;
- protected to prevent it from being distorted, damaged, or accessed by unauthorised third parties;
- collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with these purposes;
- adequate, relevant, and not excessive in relation to those purposes for which it is collected and further processed; and
- kept for no longer than the period necessary to achieve the purposes for which it was collected and processed.
Interconnection of personal data shall:
- not discriminate against or infringe on the fundamental rights, freedoms, and guarantees of holders of the data;
- ensure the use of appropriate safety measures; and
- take into account the principle of relevance.
Transparency

Notification that data is being processed: Yes

Notification to DPA in event of data breach: No

Notification to data subject in event of data breach: No

Timeframe for notification is specified: NA

Exceptions exist to breach notifications: NA

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Yes
Accountability

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Yes

Number of members in DPA: 9

Maximum term length for members of the DPA (years): 10
Participation
Cross-border Transfer
Transfer of personal data to another country is allowed only when that country provides a sufficient level of protection for privacy, freedoms and fundamental rights of individuals regarding the processing of personal data.

The transfer of personal data to a country which does not ensure an adequate level of protection may be permitted if the data subject has given consent to the transfer or where such transfer is:
- necessary for the commencement or performance of a contract between the data subject and the data controller, or at the data subject’s request;
- necessary for the execution or conclusion of a contract awarded in the interest of the data subject, or between the data controller and a third party;
- required to safeguard the public interest;
- required to safeguard the data subject’s life;
- necessary to ensure recognition, exercise or defend a right to justice; or
- necessary for the consultation of a public register intended for public information.
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 23 May 2022