DATA PROTECTION FACTSHEET
President: Ibrahim Boubacar Keïta
2021 Freedom House Score: 33/100
Data protection law? Yes, with data protection authority appointed
Privacy enshrined in Constitution: Yes, the right to privacy is protected under the Constitution of Mali.
DPA legislation: Law No. 2013/015 was created to ensure that Malians' right to privacy, as well as their other fundamental rights, is protected in the course of personal data processing. The Autorité de protection des données à caractère personnel (APDP) was formed under this law and was launched in 2016.
On 31 March every year, the Supreme Court reviews the law and makes revisions if necessary. Law No. 2013/015 was subsequently amended by Law No. 2017-070 of 18 December 2017, which relates to the functioning of the APDP. Law No. 2019-056 of 5 December 2019 on the Repression of Cybercrime also contains some provisions relevant to data protection.
Under Law No. 2013/015, individuals have the right to:
- obtain all of their personal data in an understandable form, as well as any available information as to its origin;
- object, for legitimate reasons, to the processing of personal data concerning them;
- oppose the processing of their personal data for prospecting purposes;
- correct, supplement, update, lock, or delete personal data, where it is inaccurate or incomplete; and
- obtain the information and reasoning used in data processing.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: Signed
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: Yes
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
Personal data is information in any form that allows, directly or indirectly, for the identification of persons by reference to an identification number, or to elements specific to their physical, physiological, biometric, genetic, philosophical, economic, cultural, or social identities.
Sensitive data is defined as personal data related to a data subject’s health, racial origins, sexual life, ethical, political, philosophical or religious opinions, union membership, behaviours, judicial proceedings, or criminal or administrative sanctions.
Processing of sensitive data is prohibited if it is deemed to pose a risk of discrimination or jeopardise the freedoms or human rights of the data subject.
Personal data should be:
- collected and processed fairly, lawfully, and not fraudulently, for specific and legitimate purposes;
- not utilised for other purposes;
- processed adequately, proportionately, and in a relevant manner in relation to those purposes;
- accurate and updated, if necessary;
- kept in a form that allows for the identification of data subjects for no longer than the period necessary to achieve the aforementioned purposes; and
- adequately protected against damage or unauthorised access.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: NA
Exceptions exist to breach notifications: NA
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Yes
Explicit provision for civil liability: No
Establishes/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Unclear
Number of members in DPA: 15
Maximum term length for members of the DPA (years): 7
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
Transfer of personal data to another country is allowed only when that country provides sufficient legal protection for privacy, freedoms, and fundamental rights of individuals regarding the processing of personal data.
Provides a right not to be subject to automated decision-making: No