DATA PROTECTION FACTSHEET
President: Mamady Doumbouya (interim)
2021 Freedom House Score: 38/100
Data protection law? Yes, with data protection authority appointed
Privacy enshrined in Constitution: Yes, Article 12 of Guinea’s Constitution protects the right to privacy.
DPA legislation: The Law No. L/2016/037/AN governs the protection of personal data as well as the regulation of cybersecurity in the Republic of Guinea. The law was passed in 2016 and provides for the creation of a national data protection authority, although it has not yet been established. Part 1 of the law deals specifically with cybercrimes while part 2 deals with the protection of personal information.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: Ratified
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: Yes
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
Personal data is defined as any information of whatsoever nature and regardless of its medium, including sound and image, related to an identified or identifiable natural person, directly or indirectly referencing an identification number, or one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity.
Sensitive personal data is defined as all data of a personal nature relating to religious, philosophical, political or trade union opinions or activities, sex life, race, health, social measures, prosecutions, or penal or administrative sanctions.
The processing of personal data is subject to a prior declaration being made to the competent authority and may only be carried out after receiving a receipt from the authority. Certain types of processing are exempt from the notification requirement, including processing for personal, domestic or familial use and processing in accordance with legal obligations.
Processing is considered legitimate if the data subject has given their express prior consent, a requirement which may be derogated from in certain circumstances. Personal data must be collected for specific, explicit and legitimate purposes and may not be processed in a manner incompatible with those purposes. The data must be adequate, pertinent and not excessive relative to those purposes, and must be retained for a period that does not exceed the period necessary for the purposes. After such period, the data must not be retained except for specific historical, statistical or research purposes.
The data collected must be accurate and up to date, if necessary, and every reasonable measure must be taken to ensure that they remain so, or else are rectified or deleted.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: NA
Exceptions exist to breach notifications: NA
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: Yes
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Unclear
DPA receives funding directly from the state budget/legislative body: Unclear
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: Unclear
Number of members in DPA: Unclear
Maximum term length for members of the DPA (years): Unclear
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
A responsible party may not be authorised to transfer personal information to another country outside the ECOWAS community unless that state provides a level of protection that is superior or equivalent with regard to the right to privacy and fundamental rights and freedoms. Before any transfer to another country, the responsible party must obtain prior authorisation from the authority.
Article 7 of the law also provides that the authority is responsible for receiving and providing authorisation for any transfer of personal information to another country.
Provides a right not to be subject to automated decision-making: Yes