Population: 25,789,024

Capital: Luanda

President: João Manuel Gonçalves Lourenço

2019 Freedom House Score: 31/100

Data protection law? Exists, not enforced

The Data Protection Law (Law 22/11) was drafted to meet Angola’s unique challenges and cultural realities. It draws on guidance from the EU and Portuguese legal regimes for the protection of personal data. While the law was signed in 2011, the enforcement authority, known as the Agência de Proteção de Dados (APD), has not yet been created, and so the provisions and penalties have yet to take effect.

Data subjects have the right to:

• access their personal data;
• have their personal data corrected or deleted;
• ask a responsible party to limit the activities for which their data is used;
• not be subject to decisions based solely on automatic processing that would significantly affect them; and
• object to the use of their personal data for advertising purposes.

Personal data is any given information, regardless of its nature, including images and sounds related to a specific or identifiable individual.

Sensitive personal data is personal data related to:

• philosophical or political beliefs;
• political affiliations or trade union membership;
• religion;
• private life;
• racial or ethnic origin; or
• health or sex life (including genetic data).

To lawfully collect and process sensitive personal data, a legal provision must allow for processing and entities must obtain prior authorisation from the APD. If sensitive personal data processing results from a legal provision, the APD must be provided with notice.

Except in certain circumstances provided by law, entities must obtain prior consent from data subjects and give prior notice to the APD to lawfully collect and process personal data.

All data processing must follow these general principles: transparency, legality, good faith, proportionality, truthfulness, respect to private life and legal and constitutional guarantees.

Data processing must be limited to the purpose for which the data is collected, and personal data must not be held for longer than is necessary for that purpose.

There are specific rules applicable to the processing of personal data related to:

• sensitive data on health and sexual life;
• illicit activities, crimes and administrative offenses;
• solvency and credit data;
• video surveillance and other electronic means of control;
• advertising by email;
• advertising by electronic means (direct marketing); and
• call recording.

Specific rules for the processing of personal data within the public sector also apply.

Law 22/11 establishes the APD as Angola’s data protection authority. Presidential Decree 214/16 approved the APD’s Organic Statute in October 2016, but the APD has still not been created. Law 22/11 creates no requirement for data controllers to appoint data protection officers.

The APD must be notified prior to any international transfers of personal data to countries deemed to have an adequate level of protection.

International transfers of personal data to countries that do not ensure an adequate level of protection are subject to prior authorisation from the APD, which will only be granted if specific requirements are met. For transfers between companies in the same group, an adequate level of protection may be found through the adoption of harmonised and mandatory internal rules on data protection and privacy.

The communication of personal data to a recipient, a third party or a subcontracted entity is subject to specific legal conditions and requirements.

There is no mandatory breach notification requirement under Law 22/11. However, the Electronic Communications and Information Society Services Law mandates that companies offering electronic communications services accessible to the public shall, as soon as possible, notify the APD and the Instituto Angolano das Comunicações, (INACOM) of any security breach that jeopardizes personal data.

Companies offering electronic communications services to the public shall also keep an accurate register of data breaches, containing the concrete facts and consequences of each breach, and the measures put in place to remedy or prevent the breach.

This protocol is also required under the Protection of Information Systems and Networks Law 7/17.