DATA PROTECTION FACTSHEET
Population: 8,278,737 million
President: Faure Gnassingbé
2021 Freedom House Score: 43/100
Data protection law? Yes, but data protection authority not yet appointed
Privacy enshrined in Constitution: Yes, the right to privacy is protected under Article 28 of the Togolese Constitution.
DPA legislation: Law No. 2019-014 (DPA Law) relating to the protection of personal data was published on 29 October 2019. It regulates the collection, processing, transmission, storage and use of personal data. It applies to natural persons, the state, local authorities, legal entities governed by public or private law, as well as automated or non-automated processing of data carried out in the territory of Togo or in any jurisdiction where Togolese Law applies.
Under the DPA Law, data subjects’ rights include the:
- right to information;
- right to access information;
- right to object;
- right to rectification and deletion of personal data; and
- right to erasure.
The Law mandated the establishment of the Instance de Protection des Données à Caractère Personnel (IPDCP), but it has yet to be established.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: Signed
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: Yes
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
Personal data refers to any information relating to an identified or identifiable natural person directly or indirectly, by reference to one or more identification elements, specific to his physical, physiological, genetic, psychic, cultural, social, or economic identity.
Personal data includes, but is not limited to:
- Genetic data – any data concerning the hereditary characteristics of an individual or groups of individuals who are related.
- Sensitive data – all personal data relating to racial or ethnic origin, opinions or religious affiliations, political activities, union, sex life, health, prosecution and criminal or administrative sanctions.
- Health data – any information concerning the physical and mental state of a person concerned, including genetic data.
The DPA Law sets out basic principles that govern the treatment of personal data:
- The principle of consent and legitimacy, which includes:
- The processing of personal data is considered legitimate if the data subject gives his consent.
- However, this requirement may be waived when the treatment is necessary for:
- compliance with a legal obligation;
- the execution of a public interest;
- the performance of a contract to which the person concerned is a party or the execution of pre-contractual measures taken at his request; or
- to safeguard the interest or fundamental rights and freedoms of the data subject.
- The principle of lawfulness and loyalty:
- The collection, recording, processing, storage, and transmission of personal data must take place lawfully, fairly, and not fraudulently.
- The principle of purpose, relevance, and conservation:
- The data must be collected for a specific purpose and cannot be processed later in a manner incompatible with this purpose.
- The processing of data must be adequate, relevant, and not excessive with regard to the purpose for which it was collected.
- The data must be kept for a period that does not exceed the period necessary for the purpose for which the data was collected or processed. Beyond this period data cannot be subject to conservation.
- The principle of accuracy:
- The data collected must be accurate and if necessary, must be updated.
- All reasonable steps must be taken so that the inaccurate or incomplete data, with regard to the purpose for which it is collected and processed, is deleted or corrected.
- The principle of confidentiality and security
- Personal data must be processed in a confidential and protected manner in accordance with the provisions of the Law.
- The principle of transparency:
- The party responsible for processing the data must inform the data subject of any processing of their personal data.
- The principle of choosing the subcontractor:
- When any processing is carried out on behalf of the person responsible for the processing, they must choose a sub-contractor that provides sufficient guarantees of compliance with security measures defined by the Law.
- The sub-contracting must be governed by a contract that provides in particular that the sub-contractor acts on the sole instruction of the person in charge of the processing.
- The principle of prohibition:
- It is prohibited to carry out the collection and any processing which reveal racial, ethnic origin, parentage, political opinions, religious or philosophical convictions, union membership, sex life, genetic data and data relating to the health condition of the data subject concerned.
- The prohibition is not applicable when:
- the processing of personal data carries on data manifestly made public by the data subject; the data subject has given his consent;
- the processing of personal data is necessary to safeguard the vital interests of the person concerned or another person in case the person concerned is incapacitated;
- the processing is necessary for the observation and the exercise or the defence of a legal claim;
- legal proceedings or criminal investigation is opened;
- the processing of personal data proves necessary for a reason of public interest, for historical purposes, scientific or cultural statistics;
- processing is necessary for the performance of a contract to which the person concerned is a party or to the execution of pre-contractual measures taken at the request of the data subject;
- the processing is necessary to comply with an obligation that the data controller has; or
- the processing is necessary for the performance of an assignment in the public interest or s carried out by a public authority.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: NA
Exceptions exist to breach notifications: NA
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Yes
Number of members in DPA: 10
Maximum term length for members of the DPA (years): 6
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
The controller cannot transfer personal data to a third country unless that state ensures an adequate level of protection of life, privacy, fundamental rights, and freedoms of individuals with regard to the processing of the data. Before any transfer of personal data to a third country is undertaken the controller must first inform the PDPA.
Provides a right not to be subject to automated decision-making: Yes