Population: 219,161

Capital: São Tomé

President: Carlos Vila Nova

2021 Freedom House Score: 84/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, São Tomé and Principe’s Constitution is unique in protecting not just a general right to privacy, but also personal identity, in Article 24. Article 25 further protects the privacy of the home and correspondence.

DPA legislation: Law No. 03/2016 on the Protection of Personal Data establishes a comprehensive data protection framework in São Tomé and Principe. It establishes the National Data Protection Agency (ANPDP) which is operational and relatively active in providing authorisations, resolutions, and opinions.

ICCPR: Ratified

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: Signed

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: No

Other exclusion(s): Yes

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes

Personal data is defined as any information, of any nature, regardless of its format, including sound and image, that relates to an identified or identifiable natural person, which means a person who can be identified directly or indirectly, in particular by reference to an identification number or to one or more specific elements of their physical, physiological, psychological, economic, cultural or social identity.

Sensitive personal data is defined as personal data referring to philosophical or political beliefs, membership of a political or trade union association, religious faith, private life and racial or ethnic origin, as well as the processing of data relating to health and sex life, including genetic data.

Except in certain circumstances provided by law, entities must obtain prior consent from data subjects and give prior notice to the ANPDP to lawfully collect and process personal data.

All data processing must be done lawfully, collected for specific purposes, must be adequate, relevant, and not excessive, must be accurate and kept up to date, and must be kept in an identifiable format only for so long as necessary for the purposes for which it was collected.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Yes

Timeframe for notification is specified: No

Exceptions exist to breach notifications: Yes

Requires a data processing register: Yes

Register is publicly available: No

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Yes

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Unclear

Adequate protections against undue removal: Yes

Number of members in DPA: 3

Maximum term length for members of the DPA (years): 10

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: No

Under Article 19 and 20, the Law restricts the transfer of personal data to a location outside the national territory, which is permitted only if the respective legal system to which they are transferred ensures an adequate level of protection.

The transfer of personal data to a legal system that does not guarantee an adequate level of protection may be carried out by means of notification to the ANPDP, if the data subject has unequivocally authorised the transfer or in a number of specific circumstances. Alternatively, the ANPDP may authorise the transfer to a legal system that does not provide an adequate level of protection provided that the person responsible for the processing ensures sufficient mechanisms are in place to guarantee the protection of private life and the fundamental rights and freedoms of individuals, as well as their exercise, namely, through appropriate contractual clauses.

Provides a right not to be subject to automated decision-making: Yes