DLA Piper Intelligence

Data Protection
Laws of the World

Law

Equatorial Guinea
Equatorial Guinea

The applicable law is the Personal Data Protection Law Num. 1/2016 dated 22 July.

Last modified 10 Jan 2022
Law
Equatorial Guinea

The applicable law is the Personal Data Protection Law Num. 1/2016 dated 22 July.

Last modified 10 Jan 2022
Definitions

Definition of Personal Data

The Personal Data Protection Law under art.4 defines personal data as "any information, testimony or review concerning a person specifically identified or identifiable".

Definition of Sensitive Personal Data

The law does not provide a definition of sensitive personal data. However, art.41(d) consider as a mayor infringement the treatment or given out of personal data in relating to conscience liberty, affiliation or political ideology, health, sex life, race, tribe, religion or any other discrimination form without the express authorization of the owner.

Last modified 10 Jan 2022
Authority

The Governing Data Protection Body.

Last modified 10 Jan 2022
Registration

The General Data Protection Registry (art. 33) is the organ responsible for registration under its Technical Secretariat which takes charge of the registration of public and private personal data files and of carrying out all actions entailing the modification, creation or suppression of personal data through authorised books.

Last modified 10 Jan 2022
Data Protection Officers

The Governing Data Protection Body through its Technical Secretariat is responsible for ensuring the administration of personal data files, regardless of their ownership, is done in due  compliance with the provisions of the law.

Last modified 10 Jan 2022
Collection & Processing

Arts. 6 and 9 of the applicable law determines that only personal data that are adequate, accurate, truthful, complete and not excessive in relation to the scope and purpose of their collection may be used, prohibiting the collection of such data by fraudulent and unlawful means.

In this regard, an interested parties to whom personal data are requested must be previously expressly informed in a concise and unequivocal manner and must be informed about the purpose and consequences of the collection, the destination and the recipients of the information, about the mandatory or optional nature of their response to the questions asked, about the effects of the refusal to provide them, as well as the identity and address of the person responsible for the processing or its representative. 

The processing of data by third parties according the law must be subject to a contractual agreement under which a third parties must agree in writing to process the data solely and in accordance with the instructions authorised  by the owner, that is,  the data must not be used or applied for a different purpose or communicated to third parties (art.8).

Last modified 10 Jan 2022
Transfer

Art. 21 is to the effect that: 

  • Personal data obtained by the General administration of the state cannot  be communicated or given out unless it is for historic or, statistics of scientific purposes. However, personal data could be communicated between the public administration and other public organs or institutions.
  • Private holders of personal data cannot communicate or give out personal data found in their possession unless by a court order instructed by a competent court.
  • For the performance of any of the above, the holders of the data have to be notified of the purpose for which their data is to be communicated or given out.  Notwithstanding, consent will not be needed from the owner of the data unless the data was made available to the public, and it is likely to be communicated to other public or private files.
Last modified 10 Jan 2022
Security

Art. 11 determines that, the data controller or data processor must adopt the necessary technical and organisational measures to ensure the security of the personal data processed, ensuring their preservation and avoiding their alteration, loss, unauthorised processing or access. In this sense, personal data must not be recorded in files, systems or processing centres that do not meet the security conditions for the integrity, confidentiality and guarantee of the same.

Last modified 10 Jan 2022
Breach Notification

The breach of notification constitutes a minor infringement when the data was obtained from the person concerned (art. 39 C) and a major infringement when the data was not obtained from the person concerned (art. 40 C).

Mandatory breach notification

The law does provide for a mandatory breach duty. Notwithstanding, it provides that in the  case of a severe or major breach likely to affect a fundamental right or personal data the sanctioning organ may require the person responsible to restrain the use, communication, give out, or the  illegal transfer.

Last modified 10 Jan 2022
Enforcement

The enforcement process applied to determine and impose the sanctions is adjusted to the principles, rules and norms of administrative procedure at the request of an audience by the interested party. During the audience, other enforcement measures can be adopted by the sanctioning organ to ensure compliance of the final resolution and to secure the application of the sanctions. However, these measures have a provisional character (art.45). 

Where the infringement is committed in a public file, the sanctioning organ has to pass a resolution ordering the dismissal or correction of the infringement, as well as propose the application of disciplinary proceedings against the offenders (art.45). 

The resolution of the sanctioning organ is elevated to a higher authority, which must then verify and determine the applicable sanctions against the infringement.

Last modified 10 Jan 2022
Electronic Marketing

Not regulated by the personal data protection law. However, art. 22 of the Internet Communication Law Num. 1/2017 dates January is to the effect that commercial electronic communications such as adverts and promotions must conform with the data protection laws in relation to the abstention, creation and maintenance of files. More also, data used for such purposes must be clear and identifiable.

Last modified 10 Jan 2022
Online Privacy

Not regulated by the law.

Last modified 10 Jan 2022
Contacts
Maria Cheswa Alogo Django
Maria Cheswa Alogo Django
Junior Associate
Centurion Law Group
T 00240 222 378 493
Pablo Mitogo
Pablo Mitogo
Associate
Centurion Law Group
T 00240 222 762 410
Last modified 10 Jan 2022