DATA PROTECTION FACTSHEET
President: Andry Rajoelina
2021 Freedom House Score: 60/100
Data protection law? Yes, but data protection authority not yet appointed
Privacy enshrined in Constitution: Yes, Madagascar’s 2010 Constitution grants individuals the inviolability of their persons, domiciles, and of the secrecy of their correspondence.
DPA legislation: In 2015, the country’s comprehensive data protection regulation, Law No. 2014-038 (DP Law), came into force upon publication in the Madagascan Official Gazette on 20 July. The DP Law draws upon the EU Data Protection Directive (95/46/EC) as well as advice from other Francophone countries belonging to the Association francophone des autorités de protection des données personnelles (AFAPDP). Although the law is technically in effect, the data protection authority, the Commission Malagasy sur l’Informatique et des Libertés (CMIL), has not yet been established, and not all sections of the law are yet in force.
Some of the rights of data subjects under the DP Law include:
- the right to object to data processing;
- the right to access one’s personal data;
- the right to rectification of one’s personal data; and
- the right to get information about a data controller and processing of personal data relating to a person.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
Personal data consists of any information relating to a natural person, whereby that person is or can be identified by reference to a name, an identification number or to one or more physical, physiological, psychic, economic, cultural or social elements specific to that person.
Sensitive personal data may not be processed unless strict requirements are met, and includes information relating to:
- racial origin;
- biometric and genetic information;
- political opinion;
- religious beliefs or other convictions;
- trade union affiliation; or
- health or sexual life.
Personal data processing must abide by the following principles:
- Personal data must be processed fairly and lawfully and be for an explicit and legitimate purpose.
- The amount of personal data to be processed must be adequate, relevant, and not excessive regarding the purposes for which they are collected or used.
- Personal data must be accurate, complete, and current; inaccurate or incomplete data should be erased or rectified.
- Personal data must be kept in a form that allows data subjects to be identified only for the requisite period for the purposes for which they are collected or used.
- Given the nature of the data and the associated risks, a data controller must take all necessary precautions to ensure security of personal data.
Personal data processing must be based on the data subject’s prior consent or fulfil one of the following conditions:
- compliance with a legal obligation of the data controller;
- protection of the individual’s life;
- carrying out a public service;
- commencing or performing a contract to which the concerned individual is a party; or
- realising the legitimate interest of the data controller or the data recipient, subject to the interests and fundamental rights and liberties of the concerned individual.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: NA
Exceptions exist to breach notifications: NA
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Yes
Explicit provision for civil liability: No
Establishes/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Unclear
Number of members in DPA: 9
Maximum term length for members of the DPA (years): 8
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
A data subject’s personal data may only be transferred out of Madagascar if the country provides an adequate level of protection for privacy and fundamental rights and liberties. If a country does not offer sufficient protection, a data controller may only transfer personal data if:
- the data subject consents and is informed of the absence of adequate protection; or
- the transfer is necessary:
  - for the commencement or performance of a contract between the data controller and the individual, or the conclusion or performance of a contract in the interest of the individual between the data controller and a third party;
  - to protect the public interest;
  - for consultation of a public register intended for the public’s information; or
  - to assist with the acknowledgment, exercise, or defence of a legal right.
The data recipient in the receiving country cannot transfer personal data to another country without the authorisation of the original data controller and CMIL.
Provides a right not to be subject to automated decision-making: Partial