Data Protection in Burkina Faso

Collection and processing in Burkina Faso

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. These include:

  • consent and legitimacy: unless otherwise provided by law, data controllers are obligated to obtain consent from the data subject;
  • purpose: personal data can only be collected and processed for a specific and legitimate purpose;
  • proportionality and relevance: personal data must only be processed in a relevant and necessary manner regarding the purpose and objectives of the processing;
  • lawfulness and fairness: data controllers must collect and process data in a fair, lawful, and not fraudulent manner
  • data retention: a specified period of time should be determined in advance depending on the purpose of processing to ensure that personal data is not stored indefinitely;
  • security and confidentiality: all responsible persons for processing personal data must not only ensure the security of data or files to prevent their destruction, or alteration; but also prevent unauthorised access to personal data contained in a file or intended to form part of the files;
  • preliminary formalities: without exception or exemption provided by law, all data controllers shall, depending on the nature of personal data processing, namely notify the CIL or ask his opinion or obtain approval, etc. 

Except where provided otherwise by the law, any processing of personal data shall be carried out with the express consent of the data subject(s). 

The processing of personal data can legally be carried out without the consent of the data subject(s), when it is necessary for:

  • the performance of a contract to which the data subject is a party; or
  • pre-contractual measures taken at the request of the data subject;
  • compliance with a legal obligation to which the controller is subject and when the processing is essential to protect the life of the data subject or that of a third party;
  • the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services, provided that it is carried out by a member of a health profession or by another person who, by reason of his / her duties, is bound by professional secrecy;
  • the establishment of an offence, a right, or the exercise or defence of a right in a court of law and when the said processing relates to data made public by the data subject.

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller. It may require inaccurate or incomplete personal data to be corrected or completed without undue delay. 

Data subjects may request erasure of their personal data. It has the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject. 

Unless an authorisation is required, the law provides that controllers should notify all processing to the CIL. The following are exempt from the notification requirement to CIL:

  • temporary copies that are made as part of the technical activities of transmission and provision of access to a digital network for the purpose of automatic intermediate and transitory storage of data for the sole purpose of allowing other recipients of the service the best possible access to the information;
  • processing carried out by a natural person for the exercise of exclusively personal or domestic activities;
  • disclosed to third parties and not used to support actions or decisions against an individual;
  • automated processing of personal data for the purpose of research in the field of health;
  • automated processing of personal data carried out on behalf of the State, a public institution, a local authority or a legal person under private law managing a public service. 

With respect to day-to-day processing of data which do not infringe on privacy or freedoms, the Law provides that the CIL establishes and publishes 'simplified norms,' which shall include certain information, including:

  • the date of the declaration;
  • the full name and address or the name and headquarters of the person making the request and the person who has the power to decide on the creation of the data processing (data controller) or, if he or she resides abroad, his or her representative in Burkina Faso;
  • the characteristics, purpose and, if applicable, the name of the data processing operation;
  • the department or departments responsible for carrying out the processing;
  • the department to which the right of access is to be exercised and the measures taken to facilitate the exercise of this right
  • the categories of persons who, by reason of their functions or for the needs of the service, have direct access to the information recorded;
  • the personal information processed, its origin and the length of time it is kept, as well as the recipients or categories of recipients authorized to receive this information;
  • the reconciliation, interconnection or any other form of linking of this information as well as its transfer to third parties;
  • the measures taken to ensure the security of data and information processing and the guarantee of secrets protected by law;
  • if the data processing is intended for the dispatch of personal data between the territory of Burkina Faso and abroad in any form whatsoever, including when it is the object of operations partially carried out on the territory of Burkina Faso from operations previously carried out outside Burkina Faso. 

When processing complies with a simplified norm issued by the CIL, no authorisation or notification is required, but only a 'simplified declaration of conformity,' to the said norm is required. The simplified declaration of conformity shall be sent to the CIL. Unless otherwise decided by the CIL, a receipt is issued without delay after the simplified declaration of conformity has been sent to the CIL. As from receiving this receipt, the applicant can start carrying out the processing. 

Except in cases where they are to be authorised by law, automated processing of personal data carried out on behalf of the State, or on behalf of any public institution, local authority, or on behalf of a private legal person operating a public service, must be authorised by decree after the CIL's approval. In the case of a negative opinion by the CIL, an appeal can be lodged to the Administrative Supreme Court (Conseil d’Etat).

Continue reading

  • no results

Previous topic
Back to top