SOMALIA
DATA PROTECTION FACTSHEET
![Somalia flag By 1001gece](https://dataprotection.africa/wp-content/uploads/2022/10/Somalia-flag-By-1001gece-1024x576-258x140.png)
-
Population: 15,893,219
Capital: Mogadishu
President: Hassan Sheikh Mohamud
2021 Freedom House Score: 7/100
Data protection law? Yes, data protection authority appointed in 2023
-
Privacy enshrined in Constitution: Yes, Article 19 of the Provisional Constitution of 2012 provides for the inviolability of the home and other dwellings and prohibits their entry, search, or surveillance without a judicial order.
DPA legislation: Yes, the Data Protection Act, 005, was passed in March 2023.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: Yes
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
-
Personal data is defined as any information relating to an individual who can be identified or is identifiable, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual.
-
A data controller must ensure that personal data is processed fairly and in a transparent manner, and that at least one of the following requirements is met:
- consent has been given and not revoked by the data subject;
- processing is necessary for the entering into or performance of a contract with the data subject;
- processing is necessary for compliance with a legal obligation;
- processing is necessary for the establishment, exercise or defence of a legal claim, obtaining legal advice or conduct of a legal proceeding;
- processing is authorised by law and carried out by a competent public authority;
- processing is necessary in order to save the life of any person;
- processing is carried out for purposes of medical care or community welfare;
- processing is necessary to respond to a specific public health or humanitarian emergency and it is not reasonably possible to establish another legal basis for processing within a reasonable period of time;
- processing is necessary for the performance of a task carried out in the public interest and in the exercise of official authority vested in the data controller;
- processing is necessary for the purposes of the legitimate interests of the data controller or of a third party to which the personal data is validly disclosed, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject;
- processing is necessary for archiving purposes in the public interest, or for the purpose of historical, statistical or scientific research; or
- the data subject has intentionally made such personal data public.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Partial
Notification to data subject in event of data breach: Partial
Timeframe for notification is specified: No
Exceptions exist to breach notifications: Yes
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: No
-
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Partial
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Partial
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Yes
Number of members in DPA: 9
Maximum term length for members of the DPA (years): 8
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
-
A data controller may not transfer personal data outside the country unless one of the following conditions is met:
- the personal data will be received solely in a country or countries that provide an adequate level of protection;
- the recipient is an international organisation whose policies and administrative and technical measures afford an adequate level of protection;
- the recipient is subject to a law, binding corporate rules, contractual clauses, code of conduct, certification mechanism or other measure that affords an adequate level of protection; or
- the transfer meets one of the several criteria in s 31, which include, for example, consent or that the processing is necessary for the entering into or performance of a contract with the data subject.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 1 February 2024