President: João Manuel Gonçalves Lourenço
2019 Freedom House Score: 31/100
Data protection law? Exists, not enforced
The Data Protection Law (Law 22/11) was drafted to meet Angola’s unique challenges and cultural realities. It draws on guidance from the EU and Portuguese legal regimes for the protection of personal data. While the law was signed in 2011, the enforcement authority, known as the Agência de Proteção de Dados (APD), has not yet been created, and so the provisions and penalties have yet to take effect.
Data subjects have the right to:
Personal data is any given information, regardless of its nature, including images and sounds related to a specific or identifiable individual.
Sensitive personal data is personal data related to:
To lawfully collect and process sensitive personal data, a legal provision must allow for processing and entities must obtain prior authorisation from the APD. If sensitive personal data processing results from a legal provision, the APD must be provided with notice.
Except in certain circumstances provided by law, entities must obtain prior consent from data subjects and give prior notice to the APD to lawfully collect and process personal data.
All data processing must follow these general principles: transparency, legality, good faith, proportionality, truthfulness, respect for private life and legal and constitutional guarantees.
Data processing must be limited to the purpose for which the data is collected, and personal data must not be held for longer than is necessary for that purpose.
There are specific rules applicable to the processing of personal data related to:
Specific rules for the processing of personal data within the public sector also apply.
Law 22/11 establishes the APD as Angola’s data protection authority. Presidential Decree 214/16 approved the APD’s Organic Statute in October 2016, but the APD has still not been created. Law 22/11 creates no requirement for data controllers to appoint data protection officers.
The APD must be notified prior to any international transfers of personal data to countries deemed to have an adequate level of protection.
International transfers of personal data to countries that do not ensure an adequate level of protection are subject to prior authorisation from the APD, which will only be granted if specific requirements are met. For transfers between companies in the same group, an adequate level of protection may be found through the adoption of harmonised and mandatory internal rules on data protection and privacy.
The communication of personal data to a recipient, a third party or a subcontracted entity is subject to specific legal conditions and requirements.
There is no mandatory breach notification requirement under Law 22/11. However, the Electronic Communications and Information Society Services Law mandates that companies offering electronic communications services accessible to the public shall, as soon as possible, notify the APD and the Instituto Angolano das Comunicações (INACOM) of any security breach that jeopardizes personal data.
Companies offering electronic communications services to the public shall also keep an accurate register of data breaches, containing the concrete facts and consequences of each breach, and the measures put in place to remedy or prevent the breach.
This protocol is also required under the Protection of Information Systems and Networks Law 7/17.