MOZAMBIQUE
DATA PROTECTION FACTSHEET

-
Population: 31,255,435
Capital: Maputo
President: Filipe Nyusi
2021 Freedom House Score: 43/100
Data protection law? No, with no data protection authority yet appointed
-
Privacy enshrined in Constitution: Yes, the Constitution of the Republic of Mozambique entitles all citizens to the protection of their private life and grants them the right to honour, good name, reputation, protection of their public image, and privacy. The Constitution also acknowledges the need to legislate on access, generation, protection, and use of computerised personal data, but such legislation has not yet been enacted.
Similarly, the Constitution also provides that all individuals shall have the right to access data collected on them and have it rectified, but this right has not yet been defined. Nonetheless, a data subject is entitled to demand the correction and the update of any inaccurate, incomplete, or wrong personal information related to them.
DPA legislation: Aside from the Constitution, provisions within the Civil Code, the Penal Code, the Labour Law, and the Electronic Transactions Law grant Mozambican persons a limited degree of data protection, but the country has no comprehensive data protection law. In November 2022, a new Cybersecurity Law was also proposed by the Instituto Nacional de Tecnologias de Informação (INTIC), which makes some references to personal data protection.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: Ratified
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: No law
Applies to juristic persons: No law
Applies to public entities: No law
Domestic/personal purposes exclusion: No law
National security exclusion: No law
Law enforcement exclusion: No law
Cabinet or Executive Council exclusion: No law
Judicial functions exclusion: No law
Journalistic, literary or artistic purposes exclusion: No law
Temporary copies exclusion: No law
Other exclusion(s): No law
Broad or vague exclusions: No law
Applies to foreign entities: No law
Excludes foreign entities that only transit personal data through the country: No law
-
The Constitution places limits on the use of individually identifiable information about a person’s political, philosophical or ideological beliefs, religious beliefs, political affiliation, trade union membership, and particulars related to the person’s privacy.
-
Individually identifiable information concerning political, philosophical or ideological beliefs, religious beliefs, membership in a political party or trade union and particulars related to the person’s privacy may not be stored or processed in a database.
Accessing a database for the purpose of obtaining the personal data of third parties, as well as transferring personal data from one computerised file to another that belongs to a different service or institution, is forbidden unless specifically permitted by law or by judicial decision.
-
Notification that data is being processed: No law
Notification to DPA in event of data breach: No law
Notification to data subject in event of data breach: No law
Timeframe for notification is specified: No law
Exceptions exist to breach notifications: No law
Requires a data processing register: No law
Register is publicly available: No law
Provides for terms of service icons: No law
DPA must submit at least annual report: No law
DPA report is made public: No law
-
Explicit provision for civil liability: No law
Established/designates a Data Protection Authority: No law
DPA is empowered to investigate: No law
DPA is empowered to subpoena or request evidence: No law
Law provides for criminal penalties: No law
Law provides for administrative penalties: No law
DPA is independently structured (does not exist within or receive instructions from another public body): No law
DPA receives funding directly from the state budget/legislative body: No law
DPA may receive some forms of external funding/own revenue: No law
Adequate protections against undue removal: No law
Number of members in DPA: No law
Maximum term length for members of the DPA (years): No law
-
Right of data subject to access a copy of their personal data: No law
Right of data subject to request a correction of data: No law
Right of data subject to request deletion of data: No law
Justification required for a request for deletion: No law
Defines the requirements for consent: No law
DPA is mandated to participate in policy formulation: No law
-
While the Constitution does restrict disclosures of personal data to third parties, cross-border transfers of personal data are not specifically addressed in the law. The Labour Law includes a provision safeguarding employee personal data, mandating employee consent for an employer to transfer such data to third parties. This same provision also subjects computer files and access to personal data of a job applicant to specific legislation, but such legislation does not yet exist.
-
Provides a right not to be subject to automated decision-making: No law
Page last updated: 23 May 2022