Data Protection in Benin

Collection and processing in Benin

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 383):

  • processed lawfully, fairly and transparently;
  • collected for specific, explicit, and legitimate purposes and not subsequently processed in a manner inconsistent with those purposes;
  • processed appropriately, in a manner relevant and not excessive with regard to the purposes for which they are collected and processed;
  • accurate and, if necessary, updated. All reasonable steps must be taken to ensure that inaccurate or incomplete data is erased or corrected;
  • kept in a form that allows the identification of data subjects for a period not exceeding that necessary to achieve the purposes for which they are collected or for which they are processed;
  • processed in a manner that ensures appropriate security of personal data

Notwithstanding the above, the overriding principle governing the processing of personal data in Benin is the prior consent of the data subject (see Articles 6 of the Data protection Law and 389 of the Digital Code.)

There are some exceptions to this principle. The prior consent of a data subject is not required when processing the data is meant to:

  • comply with a legal obligation to which the controller is subject to;
  • perform a task in the public interest or a task falling within the exercise of public authority, which is entrusted to the controller or the third party to whom the data are shared;
  • perform a contract to which the data subject is a party or perform pre-contractual measures taken at the request of the data subject;
  • protect fundamental interests or rights;
  • perform certain activities in the framework of journalism, research or artistic or literary expression in compliance with the ethical rules of these professions.

When the processing is entrusted to a subcontractor, the controller or, where appropriate, his representative in the Republic of Benin, must:

  • choose a subcontractor providing sufficient guarantees sufficient guarantees with regard to technical and organizational security and organizational measures relating to the processing;
  • conclude a contract with the processor either in writing or via electronic means;
  • define among other things the responsibility of the processor with regard to the data controller and their incumbent obligations in the privacy and security of the data

Under the applicable data protection law in Benin, individuals possess the following rights:

  • right to obtain all their personal data in a clear format, as well as any available information as to their origin;
  • right to withdraw consent for personal data processing at any time;
  • the right to object, for lawful reasons, to the processing of their personal data;
  • right to oppose the processing of their personal data for marketing purposes;
  • right to rectify or erase personal data when it is deemed inaccurate or incomplete;
  • right to not be subject to decisions made on the sole basis of an automated processing that would produce significant risks or harm;
  • right to be forgotten, or to have information made public about themselves deleted from records; and
  • right to obtain damages from data controllers when a breach occurs, leading to a material or non-pecuniary damage to a person.

Right to be informed

Data controllers must provide data subjects with information describing, among other things:

  • the processing activities, such as data category;
  • the purpose of processing;
  • data recipients;
  • the existence of profiling activities; and
  • identification and contact details of the data controllers, or data subject rights.

Right to access

Any natural person whose personal data is processed may request from the controller information making it possible to know and contest the processing of their personal data, communication in intelligible form of data to personal character that concerns them as well as any available information as to their origin.

Right to rectification

Any natural person may require the data controller to correct, complete, update, block, or delete personal data concerning him, which is inaccurate, incomplete, ambiguous, out of date, or irrelevant, as the case may be, and as soon as possible, or whose collection, use, disclosure, or retention is prohibited. To exercise their right of rectification or deletion, the interested party sends a request, by post or electronically, dated and signed to the controller, or his representative.

Within 45 days following receipt of the request provided for in the previous paragraph, the controller communicates the rectifications or erasures of the data made to the data subject himself as well as to the persons to whom they are inaccurate, incomplete, equivocal, outdated, irrelevant or whose collection, use, communication, or storage is prohibited, have been communicated.

Right to erasure

See section above.

Right to object / opt-out

Any natural person has the right to object, at any time, for legitimate reasons, to the processing of personal data concerning him. It has the right, on the one hand, to be informed before data concerning it is communicated for the first time to third parties or used on behalf of third parties for purposes of prospecting, in particular commercial, charitable or political, and, on the other hand, to be expressly offered the right to oppose, free of charge, said communication or use.

Right to data portability

Data subjects have the right to receive the personal data concerning them that they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit this data to another controller. processing without the controller to whom the personal data has been communicated obstructing it, when:

  • the processing is based on consent or on a contract; and
  • the processing is carried out using automated processes.

When the data subject exercises his right to data portability in application of the first paragraph, he has the right to obtain that the personal data are transmitted directly from one controller to another, when this is technically possible.

This right does not apply to processing necessary for the performance of a task of public interest or relating to the exercise of public authority vested in the controller. The right referred to in the first paragraph does not infringe the rights and freedoms of third parties.

Continue reading

  • no results

Previous topic
Back to top