SÃO TOMÉ AND PRÍNCIPE
DATA PROTECTION FACTSHEET
Capital: São Tomé
President: Carlos Vila Nova
2021 Freedom House Score: 84/100
Data protection law? Yes, with data protection authority appointed
Privacy enshrined in Constitution: Yes, São Tomé and Príncipe’s Constitution is unique in protecting not just a general right to privacy, but also personal identity, in Article 24. Article 25 further protects the privacy of the home and correspondence.
DPA legislation: Law No. 03/2016 on the Protection of Personal Data establishes a comprehensive data protection framework in São Tomé and Príncipe. It establishes the National Data Protection Agency (ANPDP), which is operational and relatively active in providing authorisations, resolutions, and opinions.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: Signed
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): Yes
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
Personal data is defined as any information, of any nature, regardless of its format, including sound and image, that relates to an identified or identifiable natural person, which means a person who can be identified directly or indirectly, in particular by reference to an identification number or to one or more specific elements of their physical, physiological, psychological, economic, cultural or social identity.
Sensitive personal data is defined as personal data referring to philosophical or political beliefs, membership of a political or trade union association, religious faith, private life and racial or ethnic origin, as well as the processing of data relating to health and sex life, including genetic data.
Except in certain circumstances provided by law, entities must obtain prior consent from data subjects and give prior notice to the ANPDP to lawfully collect and process personal data.
All personal data must be processed lawfully and collected for specific purposes; it must be adequate, relevant, and not excessive, accurate and kept up to date, and kept in an identifiable format only for so long as necessary for the purposes for which it was collected.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Yes
Timeframe for notification is specified: No
Exceptions exist to breach notifications: Yes
Requires a data processing register: Yes
Register is publicly available: No
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Yes
Explicit provision for civil liability: No
Establishes/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: Yes
Number of members in DPA: 3
Maximum term length for members of the DPA (years): 10
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: No
Under Articles 19 and 20, the Law restricts the transfer of personal data to a location outside the national territory; such a transfer is permitted only if the legal system to which the data are transferred ensures an adequate level of protection.
The transfer of personal data to a legal system that does not guarantee an adequate level of protection may be carried out by means of notification to the ANPDP, if the data subject has unequivocally authorised the transfer or in a number of specific circumstances. Alternatively, the ANPDP may authorise the transfer to a legal system that does not provide an adequate level of protection provided that the person responsible for the processing ensures sufficient mechanisms are in place to guarantee the protection of private life and the fundamental rights and freedoms of individuals, as well as their exercise, namely, through appropriate contractual clauses.
Provides a right not to be subject to automated decision-making: Yes