Data Protection in Gabon

Transfer in Gabon

Data transfers to another country are prohibited unless the other country ensures an adequate level of privacy protection and protection of fundamental rights and freedoms of individuals with regard to the processing operation.

The list of countries that comply with this adequate level of protection shall be published by APDPVP (article 171 in fine of the law on personal data). As far as we are aware, this list has not yet been published. However, the Data Protection Law of 2023 in its article 171 does identify the criteria which must be considered by the APDPVP in order to determine adequacy:

  • the legal provisions existing in the country in question;
  • the security measures enforced;
  • the specific circumstances of the processing (such as the purpose and duration thereof); and
  • the nature, origin, and destination of the data.

As an alternative to the 'adequacy' criteria, Article 76 of the aforementioned law allows those  data controllers to transfer data if:

  • the data subject has consented expressly to its transfer;
  • the transfer is necessary to save that person's life;
  • the transfer is necessary to safeguard a public interest;
  • the transfer is necessary to ensure the right of defence in a court of law; or
  • the transfer is necessary for the performance of a contract between the data subject and the data controller, at the request of the data subject, or for the performance of a contract between the data controller and a third party in the interest of the data subject.

Please kindly note that, except in very specific circumstances, the international transfer of non-encrypted personal data for the purpose of investigation in the health sector is not possible, given the sensitivity of the data at stake.

In relation to outsourcing, the Data Protection Law of 2023  does not provide for specific provisions, except:

  • the obligations applicable to the relationship with data processors;
  • when data processors are located outside the country, the provisions applicable to international data transfers; and
  • general security obligations, which vary depending on the nature of the data at stake (Articles 168 et seq. of the aforementioned law).

No references are included to specific concerns regarding, for example, outsourcing to the cloud or to data centres.

Continue reading

  • no results

Previous topic
Back to top