Collection & Processing

Law n° L/2016/037/AN dated July 28, 2016, on Cybersecurity and Personal Data Protection in the Republic of Guinea regulates personal data.

Definition of personal data 

Article 1 of Law No. L/2016/037/AN defines personal data as any information of any kind and regardless of its medium, including sound and image, relating to an identified or identifiable natural person directly or indirectly, by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, mental, cultural, social or economic identity. 

Definition of sensitive personal data 

According to Article 1 of Law No. L/2016/037/AN, sensitive data is all personal data, relating to religious, philosophical, political, trade union opinions or activities, sexual or racial life, health, social measures, prosecution, criminal and administrative sanctions.

It is provided for by Article 47 of Law on Cybersecurity and Personal Data Protection in the Republic of Guinea that the authority in charge of personal data protection shall be established by regulatory means. The establishment of this authority is still not effective.

Law on Cybersecurity and Personal Data protection in the Republic of Guinea provides that the processing of personal data is subject to a prior declaration or request for authorisation of the competent authority designated by regulation. 

The declaration or request for authorisation may be sent to the authority in charge of personal data protection by post, in person at the premises of the said authority or by any other means against the delivery of an acknowledgment of receipt in due form. 

The authority in charge of personal data protection has a period of two months to decide on any declaration or request submitted or addressed to it. This period may be extended by two additional months provided that the personal data protection authority can justify its decision or the extension. 

The declaration or request for authorisation must include the commitment that the protection meets the requirements of the law on Cybersecurity and Protection of Personal Data and any other regulations or laws in the Republic of Guinea relating to personal data protection.  

At the end of this declaration, the competent authority issues a receipt and, if necessary, by electronic means. 

The applicant may then implement the processing operation upon receipt of the receipt. However, the applicant is not relieved of any responsibility. 

Processing operations carried out by the same organisation and having identical or related purposes may be subject to a single declaration. The information required under the declaration shall be provided for each of the processing operations only insofar as it is specific to said declaration. 

Law on Cybersecurity and Personal Data Protection also provides that the modalities for filing declarations or request for authorisation for the processing of personal data shall be determined by presidential decree. This decree has not yet been implemented.

A data controller will have the option to appoint a data protection officer. According to article 14 and following of Law on Cybersecurity and Personal Data Protection, the data protection officer must be a person qualified to perform such tasks. He must keep a list of the processing operations carried out which is immediately accessible to any person who requests it, and may not be subject to any sanction by his employer as a result of the performance of his duties.  

The appointment of a data protection officer by the data controller must be notified to the authority responsible for personal data protection. This appointment must also be brought to the attention of the employer's staff representative bodies. 

Law on Cybersecurity and Personal Data Protection exempts the processing of personal data from the formalities of declaration, notably in the case of: 

• Processing of data used by a natural person exclusively in the course of his or her personal, domestic or family activities;
• Processing of data concerning a natural person, the publication of which is prescribed by a legal or regulatory provision;
• Processing of data whose sole purpose is the keeping of a register which is intended for exclusively private use; etc. 

Furthermore, it is also provided that certain matters or actions are subject to prior authorisation by the competent authority before being implemented, these include: 

• Processing of personal data relating to genetic and medical data and scientific research in these fields;
• Processing of personal data relating to offences, convictions and security measures pronounced by the competent courts;
• Processing of personal data relating to a national identification number or any other identifier of the same kind, in particular telephone numbers;
• Processing of personal data containing biometric data;
• Processing of personal data for reasons of public interest, in particular for historical, statistical or scientific purposes;
• The proposed transfer of personal data to a third country. 

Requests for processing shall be submitted by the controller or his/her legal representative. However, the authorisation does not exempt its holder (data controller) or his representative from their responsibility towards third parties.

The data controller may be authorised to transfer such data to a third country only if the State ensures a higher or equivalent level of protection of the privacy, fundamental rights and freedoms of individuals with regard to the processing to which such data is or may be subject.

Before any effective transfer of personal data to the third country, the data controller must obtain prior authorisation from the personal data protection authority. Any transfer of personal data to a third country is subject to strict and regular control by the personal data protection authority, in the light of its purpose. 

According to Law on Cybersecurity and Personal Data Protection, the processing of personal data is confidential, it must be carried out exclusively by persons acting under the authority of the Data controller, and only on his instructions. 

The Data controller is required to take all necessary precautions, in view of the nature of the data, and in particular to prevent it from being distorted, damaged or accessed by unauthorised third parties. 

Law on Cybersecurity and Personal Data Protection provides that the authority in charge of personal data protection may pronounce the following measures against the Data controller: 

• A warning to the said controller who does not comply with the obligations resulting from the Law on cybersecurity and Personal Data Protection to which he is subject;
• A formal notice or summons to cease or to cease the breaches noted, within the time limit set by said protection authority.

Law on cybersecurity and Personal Data Protection sets out administrative, criminal, recidivism and civil liability as well as additional publication of sanctions for breaches of the provisions of said statute.

Law L/2016/035/AN on electronic transactions in the Republic of Guinea provides that any advertisement, whatever its form, as soon as it is accessible or likely to be accessible by electronic communications, must be clearly identified as an advertisement. It must also allow the identification and identifiability of the natural or legal person on whose behalf it is made. 

Advertisements and notably promotional offers, such as discounts, premiums or gifts, as well as competitions or promotional games, sent by electronic mail, must be clearly, precisely and unequivocally identifiable on the subject of the mail as soon as they are received by the addressee or, if technically impossible, in the body of the message. 

The conditions for taking advantage of promotional offers, as well as for participating in promotional courses or games, when offered by e-mail, should be clearly specified and easily accessible to the public. 

Pursuant to Law on electronic transactions in the Republic of Guinea, direct marketing by sending messages through an automatic calling machine or SMS, fax or e-mail or any other electronic means of communication using, in whatever form, the contact details of a natural person who has not expressly given his or her prior consent to receive direct marketing through these channels or means is prohibited. 

However, direct marketing by e-mail, regardless of the means used, is permitted if:  

• The contact details of the recipient of the mail have been collected, with full knowledge of the facts, directly from him/her;
• The direct prospecting is addressed to subscribers or customers of a natural or legal person whose details have been  collected with their full knowledge of the facts, for similar products and services that it offers them.

The Law on Cybersecurity and Personal Data Protection does not provide any specific rules governing online privacy. 

However, the law prohibits and punishes with a prison sentence of one (1) to five (5) years and a fine of 30,000,000 to 200,000,000 Guinean francs for carrying out or attempting to carry out direct prospecting by any means of communication using, in any form whatsoever, the personal data of a natural person who has not expressed his/her prior written consent. 

In particular, it provides that any person has the right to object, on request and free of charge, to the processing of personal data concerning him or her and intended for prospecting purposes.