MAURITANIA
DATA PROTECTION FACTSHEET
-
Population: 4,161,925 (2022 est.)
Capital: Nouakchott
Chief of State: President Mohamed Ould Cheikh el Ghazouani
2021 Freedom House Score: 34/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes, Article 13 of the Constitution provides that the honor and the private life of the citizen, the inviolability of the human person, of his
domicile and of his correspondence are guaranteed by the StateDPA legislation: Yes, Law No. 2017-020 on the protection of the personal data was adopted by the National Assembly in 2017, but has not yet come into effect.
According to the law, data subjects have the right to request:
- Information permitting them to know and contest the processing;
- Confirmation that their personal information is the object of processing;
- Communication of the information in an accessible and intelligible form;
- Information about the purpose of the processing, the category of information being processed, and the recipients of the information;
- If relevant, information about any planned transfer of the information to a different country.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: Ratified
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: Yes
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
-
Personal data is defined as any information, no matter the type or nature, including the sound and image, relating to a natural person that is identified or identifiable either directly or indirectly, by reference to an identification number or one or multiple elements unique to their person such as physical, physiological, genetic, psychic, cultural, social or economic identity and information qualifying as sensitive information.
Sensitive personal data is defined as all information relating to religious, philosophical, political, or trade union opinions or activities, sex life, race, health, social measures, prosecution or administrative or penal sanctions.
-
Personal information may only be processed with the consent of the data subject, with some exceptions.
The collection, recording, processing, storage and transmission of personal data must be done in a lawful, fair and non-fraudulent manner, and personal information must be collected for predetermined purposes that are explicit and legitimate and may not be processed in a manner that is incompatible with those purposes. The information must be adequate, relevant and not excessive with regard to the purposes for which they were collected and must be retained for a period that does not exceed the necessary period for the purposes for which they were collected. Beyond that period, the information may only be stored in order to respond specifically to processing for historical, statistical or research purposes under legal provisions.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: No
Exceptions exist to breach notifications: NA
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
-
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Unclear
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: Unclear
Number of members in DPA: Unclear
Maximum term length for members of the DPA (years): 8
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
-
Responsible parties may not transfer personal information to another country unless that country provides an adequate level of protection for the right to privacy, freedoms, and fundamental rights with regard to the purpose for which the information is processed.
The Authority is responsible for publishing and keeping up to date a list of states that it considers offers an adequate level of protection for personal information. Before any transfer of personal information to another country that is not on the list, the responsible party must provide prior notification to the Authority and the transfer may only be made if the conditions and rules set by the Authority are complied with. A responsible party may transfer personal information to a country that does not satisfy these requirements if the transfer is punctual, not of significant scale, and the data subject has given their express consent to the transfer or if the transfer is necessary for a number of specified reasons, such as the safeguarding of the public interest.
The Authority may also authorise an international transfer on the basis of a motivation and request from the responsible party, provided the responsible party offers sufficient guarantees for protecting the personal information.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 24 May 2022