The protection of personal data is included in the law establishing the digital code N°23-010 of 13 March 2023 and published in the official journal on 11 April 2023 (the “Digital Code Law” or “Digital Code”). The Digital Code Law entered into force on the date of its approval (13 March 2023). Several implementing decrees referred to in the Digital Code Law have not yet been issued.
Definition of Personal Data
Personal data is defined in Article 183 of the Digital Code Law and listed in eight different categories:
- Personal identification data, in particular: first name, surname, middle name, date and place of birth, age, marital status, national identification number, valid official identity document or any other biometric data, in particular photographs, sound recordings, images, fingerprints and iris scans;
- Correspondence data: telephone numbers, physical, postal and e-mail addresses;
- Professional data: status, job held, employer, remuneration;
- Billing and payment data: invoice amounts and history, payment status, reminders, payment balances, direct debit date;
- Bank details: bank code, account and credit card number, bank name / address / contact details, transaction references;
- Data on legal entities under public or private law showing personal data;
- Data on family circumstances; and
- Data concerning court decisions.
Definition of Sensitive Personal Data
There is no separate definition of sensitive data, but the Digital Code prohibits, as a matter of principle, the processing of certain data which can be considered as sensitive, such as personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, the status of refugees or stateless persons, trade union membership, sex life or, more generally, data relating to the state of health.
For the purposes of this definition, “processing” is to be understood as the operation or set of operations which is performed upon personal data, whether by means of wholly or partly automated processes, such as collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
There are several exceptions to this principle stated in the Digital Code. The processing of such data is admissible if, for instance, the person concerned consents to such processing for a well-determined purpose. The processing of such data for statistical analysis or health reasons will usually, and within the boundaries of the Law, be equally accepted.
APD (Autorité de Protection des Données) or the authority in charge of data protection.
Article 262 of the Digital Code provides that a decree from the Prime Minister will have to establish the APD and determine its organization, its functioning and regulatory powers. To date, no such decree has been adopted.
The Digital Code provides for a declaration regime and an authorisation regime with the APD (Autorité de Protection des Données).
The declaration regime is applicable to all actors processing data and such declaration is to be performed by the person or entity responsible for the processing of personal data.
The authorisation regime is applicable for the processing of certain (more sensitive) data, such as the processing of national identification numbers, genetic data, data regarding criminal records, etc. or whenever personal data will be transferred to a third country.
Considering that the APD has not yet been established, the declaration and authorisation regimes are not yet complied with in practice.
The Digital Code provides for the possibility to designate a "délégué à la protection des données à caractère personnelles", which is a person responsible for the protection of personal data or Data Protection Officer, without however regulating such role in detail. The Digital Code only provides for some of its duties, namely:
- informing and advising the controller or processor and the employees who carry out the processing on their obligations under the data protection provisions of the Digital Code;
- monitoring compliance with the data protection provisions of the Digital Code and with the controller's or processor's internal rules on the protection of personal data, including with regard to the allocation of responsibilities, the awareness and training of staff involved in processing operations, and related audits;
- providing advice, on request, on data protection impact assessments and verifying that they are carried out in accordance with the Digital Code;
- cooperating with the APD;
- acting as a focal point for the authority responsible for the protection of personal data on matters.
As a matter of principle, the collection and processing of personal data (whether sensitive or not) is prohibited. It can be carried out with the prior and explicit consent of the person concerned or on the request of the public prosecutor's office, provided that the consent of the person concerned can always be proven. Consent can be withdrawn at any time.
The Digital Code distinguishes between the transmission and transfer of personal data.
The transmission of personal data, which refers to the transmission of personal data between persons responsible for transmitting personal data (without these being Data Protection Officers), whether private or public entities, is legal and permitted provided the person whose personal data are being transmitted granted his / her explicit and prior consent.
The transfer of personal data refers to the transfer of data to another country or a data service provider whose servers are located in another country. Such transfer is legal and accepted provided that the third country or international organization where the data will be effectively kept provides a level of security and protection equal to or better than the level of security and protection provided by the Digital Code.
The person responsible for the data protection or Data Protection Officer, if one was designated, must notify the APD without delay of any personal data breach that has affected one’s personal data.
Any person who considers that his / her personal data have been misused or used without consent shall have the right to lodge a complaint with the APD. The APD shall inform the person lodging the complaint of the progress and outcome of the complaint, including the possibility of judicial remedy.
It is unclear at this stage how a notification must be performed, as the decree organising the APD has been neither drafted nor adopted.
Mandatory breach notification
No known cases as the Law is relatively new.
Administrative sanctions may apply and are decided by the APD. Fines range from USD 3,000 to USD 70,000 for the entity that breached the Digital Code.