Generally, entities must obtain prior express consent from data subjects and provide prior notice to the APD to lawfully collect and process personal data. However, data subject consent is not required in certain circumstances provided by law.
To lawfully collect and process sensitive personal data, a legal provision must allow for processing and entities must obtain prior authorization from APD (please note that the authorization may only be granted in specific cases provided by law). If sensitive personal data processing results from a legal provision, APD must be provided with notice.
All data processing must follow these general principles: transparency, legality, good faith, proportionality, truthfulness and respect to private life as well as to legal and constitutional guarantees.
It is also mandatory that data processing is limited to the purpose for which the data is collected and that personal data is not held for longer than is necessary for that purpose.
There are specific rules applicable to the processing of personal data related to the following:
- Sensitive data on health and sexual life
- Illicit activities, crimes and administrative offenses
- Solvency and credit data
- Video surveillance and other electronic means of control
- Advertising by email
- Advertising by electronic means (direct marketing)
- Call recording
Specific rules for the processing of personal data within the public sector also apply.
Data Protection Principles
Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):
- processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
- adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
- accurate and where necessary kept up-to-date (the "accuracy principle");
- kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").
The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.
Legal Basis under Article 6
In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):
- with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
- where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
- where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
- where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
- where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
- where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).
Special Category Data
Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):
- with the explicit consent of the data subject;
- where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
- where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
- in limited circumstances by certain not-for-profit bodies;
- where processing relates to the personal data which are manifestly made public by the data subject;
- where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
- where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
- where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
- where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
- where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).
Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.
Criminal Convictions and Offences data
Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).
Processing for a Secondary Purpose
Increasingly, organisations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:
- any link between the original purpose and the new purpose
- the context in which the data have been collected
- the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
- the possible consequences of the new processing for the data subjects
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).
Transparency (Privacy Notices)
The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.
Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).
The following information must be provided (Article 13) at the time the data are obtained:
- the identity and contact details of the controller;
- the data protection officer's contact details (if there is one);
- both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
- the recipients or categories of recipients of the personal data;
- details of international transfers;
- the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
- the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
- where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
- the consequences of failing to provide data necessary to enter into a contract;
- the existence of any automated decision making and profiling and the consequences for the data subject; and
- in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.
Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.
Rights of the Data Subject
Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.
Right of access (Article 15)
A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.
Right to rectify (Article 16)
Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.
Right to erasure ('right to be forgotten') (Article 17)
Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.
The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.
Right to restriction of processing (Article 18)
Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.
Right to data portability (Article 20)
Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).
Right to object (Article 21)
Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.
In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.
The right not to be subject to automated decision making, including profiling (Article 22)
Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where:
- necessary for entering into or performing a contract;
- authorized by EU or Member State law; or
- the data subject has given their explicit (ie, opt-in) consent.
Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.
The Data Protection Act adds only specificities to the general processing requirements. The age for consent of children for the purposes of article 8.1 GDPR is 13 year1. When processing genetic, biometric and health data, a controller needs to indicate who has access to these personal data, keep a list of the categories of people who have access to these data, keep this list at the disposal of the DPA, and ensure that these people are bound by a legal, statutory or contractual obligation of confidentiality2. The Data Protection Authority has adopted specific guidelines regarding the processing of biometric data3.
The Data Protection Act also provides a list of legal bases for processing data relating to criminal convictions and offences and requires an access management list and confidentiality duties (as described here above) for processing such data4.
Data subject rights
The Data Protection Act provides further exceptions to data subject’s rights, including the right to be informed when personal data is received from authorities under special regimes5 or when personal data is disclosed to these bodies6. With respect to the special regimes addressed in the Data Protection Act, the Data Protection Act also sets out the corresponding data subject rights (which are often more limited than those included in the GDPR)7.
The Data Protection Act clarifies that data subject rights, including the right to information in judicial proceedings/decisions, will be accommodated in accordance with the Judicial Code, the Code on Criminal proceedings and any specific laws related to criminal law procedure8.
Footnotes
1. Art. 7 Data Protection Act.
2. Art. 9 Data Protection Act.
3. Data Protection Authority, Recommendation on the processing of biometric data (No. 1-2021, 1 December 2021).
4. Art. 10 Data Protection Act.
5. Art. 11, Art. 13 and Art. 14 Data Protection Act.
6. Art. 12 Data Protection Act.
7. Art. 36 et seq, Art. 79, Art. 105 (9), Art. 113, Art. 145, Art. 173 Data Protection Act.
8. Art.16 Data Protection Act.
Angola regulates data privacy and protection issues under the Data Protection Law (Law no. 22/11, 17 June 2011), the Electronic Communications and Information Society Services Law (Law no. 23/11, 20 June 2011) and the Protection of Information Systems and Networks Law (Law no. 7/17, 16 February 2017).
Definition of personal data
The Data Protection Law defines personal data as any given information, regardless of its nature, including images and sounds related to a specific or identifiable individual.
An identifiable person is an individual directly or indirectly identified, notably, by reference to his or her identification number or to the combination of specific elements of his or her physical, physiological, mental, economic, cultural or social identity.
Definition of sensitive personal data
The Data Protection Law defines sensitive personal data as personal data related to:
- Philosophical or political beliefs
- Political affiliations or trade union membership
- Religion
- Private life
- Racial or ethnic origin
- Health or sex life (including genetic data)
The Data Protection Law establishes the Agência de Proteção de Dados (APD) as Angola’s data protection authority. APD’s Organic Statute was stablished by the Presidential Decree 214/2016 of October 10, and it’s board currently in office was nominated by the Presidential Decree 277/2019 September 6.
As provided by Law, entities shall provide prior notice to, or obtain prior authorization from, APD (depending on the type of personal data and purpose of processing) to process personal data. Please note that in the case of authorization, compliance with specific legal conditions is mandatory. APD has authority to exempt certain processing from notification requirements.
Generally, notification and authorization requests should include the following:
- The name and address of the controller and of its representative (if applicable)
- The purposes of the processing
- A description of the data subject categories and the personal data related to those categories
- The recipients or under which categories of recipient to whom the personal data may be communicated and respective conditions
- Details of any third party entities responsible for the processing
- The possible combinations of personal data
- The duration of personal data retention
- The process and conditions for data subjects to exercise their rights
- Any predicted transfers of personal data to third countries
- A general description (to allow APD to assess whether security measures adopted are suitable to protect personal data in its processing)
There is no requirement to appoint a data protection officer.
Generally, entities must obtain prior express consent from data subjects and provide prior notice to the APD to lawfully collect and process personal data. However, data subject consent is not required in certain circumstances provided by law.
To lawfully collect and process sensitive personal data, a legal provision must allow for processing and entities must obtain prior authorization from APD (please note that the authorization may only be granted in specific cases provided by law). If sensitive personal data processing results from a legal provision, APD must be provided with notice.
All data processing must follow these general principles: transparency, legality, good faith, proportionality, truthfulness and respect to private life as well as to legal and constitutional guarantees.
It is also mandatory that data processing is limited to the purpose for which the data is collected and that personal data is not held for longer than is necessary for that purpose.
There are specific rules applicable to the processing of personal data related to the following:
- Sensitive data on health and sexual life
- Illicit activities, crimes and administrative offenses
- Solvency and credit data
- Video surveillance and other electronic means of control
- Advertising by email
- Advertising by electronic means (direct marketing)
- Call recording
Specific rules for the processing of personal data within the public sector also apply.
International transfers of personal data to countries with an adequate level of protection require prior notification to the APD. An adequate level of protection is understood as a level of protection equal to the Angolan Data Protection Law. APD decides which countries ensure an adequate level of protection by issuing an opinion to this respect.
International transfers of personal data to countries that do not ensure an adequate level of protection are subject to prior authorization from the APD, which will only be granted if specific requirements are met. For transfers between companies in the same group, the requirement of an adequate level of protection may be reached through the adoption of harmonized and mandatory internal rules on data protection and privacy.
Please note that the communication of personal data to a recipient, a third party or a subcontracted entity is subject to specific legal conditions and requirements.
Data controllers must implement appropriate technical and organizational measures and adopt adequate security levels to protect personal data from accidental or unlawful total or partial destruction, accidental loss, total or partial alteration, unauthorized disclosure or access (in particular where the processing involves the transmission of data over a network) and against all other unlawful forms of processing.
Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, relative to the entities facilities and implementation costs. Specific security measures shall be adopted regarding certain type of personal data and purposes (notably, sensitive data, call recording and video surveillance).
Under the Protection of Information Systems and Networks Law, service providers, operators and companies offering information society services must: (i) guarantee the security of any device or set of devices used in the storage, processing, recovery or transmission of computer data on execution of a computer program and (ii) promote the registration of users as well as the implementation of technical measures in order to anticipate, detect and respond to risk situations. The Law requires an accident and incident management plan in case of a computer emergency.
There is no mandatory breach notification requirement under the Data Protection Law.
However, pursuant to the Electronic Communications and Information Society Services Law, companies offering electronic communications services accessible to the public shall, without undue delay, notify the APD and the Electronic Communications Authority, Instituto Angolano das Comunicações, (INACOM) of any breach of security committed with intent or that recklessly leads to destruction, loss, partial or total modification or non-authorized access to personal data transmitted, stored, retained or in any way processed under the offer of electronic communications services.
Companies offering electronic communications services accessible to the public shall also keep an accurate register of data breaches, indicating the concrete facts and consequences of each breach and the measures put in place to repair or prevent the breach.
The same applies under Protection of Information Systems and Networks Law.
Data protection
As mentioned above, the competent authority for the enforcement of Data Protection Law is the APD. However, considering that the APD was recently created, the level of enforcement is not significant at this stage.
Electronic communications
INACOM regulates and monitors compliance with the Electronic Communications and Information Society Services Law, and issues penalties for its violation. Presently, INACOM’s level of enforcement is not yet significant.
The dissemination of electronic communications for advertising purposes is generally subject to the prior express consent of its recipient (opt-in) and to prior notification to APD.
Entities may process personal data for electronic marketing purposes without data subject consent in specific circumstances, notably:
- When advertising is addressed to the data subject as representative employee of a corporate person, and
- When advertising communications are sent to an individual with whom the product or service supplier has already concluded a transaction, provided an opportunity to refuse consent was expressly provided to the customer at the time of the transaction at no additional cost.
The Electronic Communications and Information Society Services Law establishes the right of all Citizens to enjoy protection against abuse or violations of their rights through the Internet or other electronics means, such as:
- The right to confidentiality of communications and to privacy and non-disclosure of their data
- The right to security of their information by improvement of quality, reliability and integrity of the information systems
- The right to security on the Internet, specifically for minors
- The right not to receive spam
- The right to the protection and safeguarding of their consumer rights and as users of networks or electronic communications services
In view of the above, entities are generally prohibited from storing any kind of personal data without prior consent of the user. This does not prevent technical storage or access for the sole purpose of carrying out the transmission of a communication over an e-communication network or if strictly necessary in order for the provider of an information society service to provide a service expressly requested by the subscriber or user.
Traffic data
The processing of traffic data is allowed when required for billing and payment purposes, but processing is only permitted until the end of the period during which the bill may lawfully be challenged or payment pursued. Traffic data must be eliminated or made anonymous when no longer needed for the transmission of the communication.
The storage of specific information and access to that information is only allowed on the condition that the subscriber or user has provided his or her prior consent. The consent must be based on accurate, clear and comprehensive information, namely about the type of data processed, the purposes and duration of the processing and the availability of data to third parties in order to provide value added services.
Electronic communications operators may store traffic data only to the extent required and for the time necessary to market electronic communications services or provide value added services. Prior express consent is required and such consent may be withdrawn at any time.
Processing should be limited to those employees in charge of:
- Billing or traffic management
- Customer inquiries
- Fraud detection
- Marketing of electronic communications
- Services accessible to the public
- The provision of value added services
Notwithstanding the above, electronic communication operators should keep in an autonomous file all traffic and localization data exclusively for the purpose of:
- Investigation
- Detection, or
- Prosecution of criminal offenses on Information and Communication Technologies (ICT)
Location data
Location Data processing is only allowed if the data is made anonymous or to the extent and for the duration necessary for the provision of value added services, provided prior express consent is obtained. In this case, prior complete and accurate information must be provided on the type of data being processed, as well as the purposes and duration of processing and any possibility of disclosure to third parties for the provision of value added services.
Electronic communication operators must ensure that data subjects have the opportunity to withdraw consent, or temporarily refuse the processing of such data for each connection to the network or for each transmission of a communication, at any time. The withdrawal mechanism must be provided through simple means, free of charge to the user. Processing should be limited to those employees in charge of electronic communications services accessible to the public.
