Population: 20,061,644

Capital: Bamako

President: Ibrahim Boubacar Keïta

2019 Freedom House Score: 44/100

Data protection law? Enforced

The right to privacy is protected under the Constitution of Mali, and Law No. 2013/015 was created in order to ensure that Malians have this right, as well as their freedom other fundamental rights, protected in the course of personal data processing. The Autorité de protection des données à caractère personnel (APDP) was formed under this law and was launched in 2016.

On 31 March every year, the Supreme Court reviews the law, and makes revisions, if necessary.

Under Law No. 2013/015, individuals have the right to:

• obtain all of their personal data in an understandable form, as well as any available information as to the origin;
• object, for legitimate reasons, to the processing of personal data concerning them;
• oppose the processing of their personal data for prospecting purposes;
• correct, supplement, update, lock, or delete personal data, where it is inaccurate or incomplete; and
• obtain the information and reasoning used in data processing.

Personal data is information in any form that allows, directly or indirectly, for the identification of persons by reference to an identification number, or to elements specific to their physical, physiological, biometric, genetic, philosophical, economic, cultural, or social identities.

Sensitive data is defined as personal data related to a data subject’s health, racial origins, sexual life, ethical, political, philosophical or religious opinions, union membership, behaviours, judicial proceedings, or criminal or administrative sanctions.

Processing of sensitive data is prohibited if it is deemed to pose a risk of discrimination or jeopardise the freedoms or human rights of the data subject.

Personal data should be:

• collected and processed fairly, lawfully, and not fraudulently, for specific and legitimate purposes;
• not utilised for other purposes;
• processed adequately, proportionately, and in a relevant manner in relation to those purposes;
• accurate and updated, if necessary;
• kept in a form that allows for the identification of data subjects for no longer than the period necessary to achieve the aforementioned purposes; and
• adequately protected against damage or unauthorised access.

The APDP is tasked with ensuring that personal data protection in Mali is realised and contributes to the regulation of the sector. Its responsibilities include:

• setting the norms for the collection, processing, and protection of personal data;
• authorising or denying requests for interconnection of data / databases;
• conducting necessary inspections regarding personal data processing, and obtaining all information and documents needed;
• informing and advising individuals and data controllers about their rights and obligations under the law regarding data processing;
• imposing administrative sanctions in the case of non-compliance with regulations or instructions;
• informing the public prosecutor of offences committed under the law;
• receiving complaints about the misuse of personal data;
• keeping a public register of personal data processing operations;
• issuing public opinions on the state of data protection law; and
• proposing that the Government modify data protection legislation, where necessary.

Transfer of personal data to another country is allowed only when that country provides sufficient legal protection for privacy, freedoms, and fundamental rights of individuals regarding the processing of personal data.

No breach notification protocol is stipulated under Malian law.

Remember to include as much information as possible in your complaint, including:

• the name of the party that processed the data;
• their contact details, if known;
• a brief description of the violation; and
• the specific remedy that you are requesting.

E-mail your complaint to the APDP: [email protected]