Law

In Mozambique there is no specific legislation on data protection or privacy. However, there are other sources of law that impose some privacy obligations, including:

• The Civil Code (Decree-Law no. 47344, of November 25, 1966, in force in Mozambique through Edict no. 22869, dated September 4, 1967);
• The Penal Code (Law no. 24/2019, of December 24, as amended by Law no. 17/2020 of 23 December);
• The Labour Law (Law no. 23/2007, of August 1); and
• The Electronic Transactions Law (Law no. 3/2017, of January 9).

In addition, the Constitution of the Republic of Mozambique provides that all citizens are entitled to the protection of their private life and have the right to honor, good name, reputation, protection of their public image and privacy. Further, Article 71 of the Constitution identifies the need to legislate on access, generation, protection and use of computerized personal data (either by public or private entities); however, implementing legislation has not yet been approved.

Definition of personal data

The Electronic Transactions Law defines personal data as being any information in relation to a natural person which can be directly or indirectly identified by reference to an identification number or one or more factors.

Definition of sensitive personal data

There is no law defining sensitive personal data. However, the Constitution of the Republic of Mozambique imposes restrictions on recording and handling any individually identifiable information concerning a person’s political, philosophical or ideological beliefs, religious beliefs, membership in a political party or trade union and (particulars) related to the person’s privacy.

There is no data protection authority in Mozambique but the National Institute of Information and Communications Technology (Instituto Nacional de Tecnologia de Informação e Comunicação – “INTIC”) has some competencies in this regard.

There is no data protection registration requirement in Mozambique.

The Electronic Transactions Law requires the data processor to appoint someone responsible for compliance of the provisions related to electronic personal data protection.

Under the Constitution of the Republic of Mozambique, individually identifiable information, concerning political, philosophical or ideological beliefs, religious beliefs, membership in a political party or trade union and (particulars) related to the person’s privacy may not be stored or processed in a database.

The law does not generally restrict cross-border transfers of personal information. The Constitution of the Republic of Mozambique imposes restrictions on disclosures of personal information to third parties, unless prior consent from the data subject is obtained.

Under the Electronic Transactions Law (Law n.° 3/2017, of January 9), the person / entity responsible for processing electronic data, must protect personal data against risks, losses, unauthorized access, destruction, use, modification or disclosure.

There is no breach notification requirement in Mozambique.

Under the Electronic Transactions Act, a violation of the data protection duty or the duties of a data processor is subject to a fine of between 30 to 90 minimum wage salaries in effect in the public administration sector, in the absence of a more serious punishment.

The Penal Code (Law no. 24/2019 of December 24, as amended by Law no. 17/2020 of December 23) provides for certain cybercrimes, such as intrusion of automatized database, which is subject to imprisonment of up to two years and corresponding fine. There are also other cybercrimes such as fraud through electronic means and unauthorized use of data resulting in unjust enrichment, which is subject to imprisonment generally from a year up to five years and a corresponding fine. The new Penal Code attempts to bridge the gap by identifying cybercrimes related to data protection which are punishable.

However, given that Mozambique does not have specific data protection laws nor a specific authority responsible for overseeing data protection matters, enforcement of data protection-related matters is minimal.

The rules applicable to electronic advertisement and marketing are provided under the Advertisement Code (Decree no. 38/2016, of August 31) and the Electronic Transactions Law (Law no. 3/2017, of January 9).

Under the Electronic Transactions Law, express consent from a recipient is required prior to sending direct marketing communications via automated dialing systems, fax machines and email, unless one of the following applies

• If the sender obtained the contact details of the recipient during the sale or negotiations for the sale of a product or service to the recipient;
• The direct marketing refers to similar products or services to those of the recipient;
• At the moment of initial collection of the data, the recipient was offered the option to refuse of use of his contact details, and decided not to refuse;
• If the recipient did not refuse the use of its data in any subsequent communications.

Under the Advertisement Code, electronic marketing messages should be clearly identified and include sufficient information, so as to allow the common recipient to easily understand all of the following:

• The nature of the message;
• The advertiser;
• The promotional offers, such as discounts, prizes, gifts and promotional contests and games, as well as the conditions to which they are bound (if applicable).

All direct marketing message must provide recipients with information about how to opt out of further marketing communications, as well as the identity details of the source from which the contact details of the consumer have been obtained.

Other than the above general rule, there are no other rules applicable to online privacy.