Population: 10,872,298
Capital: Porto-Novo
President: Patrice Talon
2019 Freedom House Score: 79/100
The data protection regime in Benin is governed by Book V of the 2017 Digital Code of the Republic of Benin: Protection of Personal Data, and Law No. 2009-09: Dealing with the Protection of Personally Identifiable Information (PII).
These laws have considerable overlap but differ slightly in their scope. Law No. 2009-09 pertains to the digital processing of personally identifiable information in digital files or manuals, as well as personal identification mechanisms based on nominative, personal, and biometric information processed alongside a national ID number.
Book V pertains to the collection, treatment, transmission, storage, and use of personal data by a person, the State, local authorities, and legal persons, as well as automated processing and non-automated processing of personal data contained in files, or any processing of data for public security, defense, research, prosecution of criminal offenses, or the security and essential interests of the State.
Under Beninese law, individuals have:
Personal data is any information regardless of its form, including sounds and images, related to an identified or identifiable natural person.
Sensitive data is all personal data related to a person’s personal opinions, philosophical or religious beliefs, political activities, trade union membership, sexual life, race, health, genetics, prosecutions, criminal or administrative sanctions.
Processing of sensitive data is prohibited barring certain exceptions.
Personal data processing is considered legitimate if there is consent from the data subject. This requirement may be waived where processing is necessary for:
Personal data should be:
Interconnection of personal data shall:
The Autorité de protection des données à caractère personnel (APDP) is tasked with ensuring the application of the provisions of Book V and respect for privacy in general. It is an independent administrative body with legal personality and full autonomy. Among other things, its responsibilities include:
Data controllers are required to file an annual report with the APDP concerning compliance with the processing principles.
Data controllers and processors are required to appoint a data protection officer if:
In cases other than those aforementioned, data controllers and processors may still designate a data protection officer. A group of companies or public bodies can designate a single data protection officer provided that the individual is easily accessible from each establishment, and that such an arrangement is appropriate given their organizational structure and size.
Transfer of personal data to another country is allowed only when that country provides a level of protection equivalent to that put in place by the provisions of Book V. Before any transfer of personal data to another country or an international organization, the controller must obtain prior authorization from the APDP.
The transfer of personal data to a country which does not ensure an adequate level of protection may be permitted if the data subject has given consent to the transfer or whether such transfer is:
A data controller must notify the Commissioner of any breach to the security safeguards of personal data without delay.
A data processor must, without delay, notify a data controller must notify the data controller of any breach to the security safeguards of personal data held on behalf of the data controller.
Remember to include as much information as possible in your complaint, including:
[wpforms id=\”2101\” title=\”false\” description=\”false\”]