Privacy Law at Cape Verde
Cape Verde's data protection framework is primarily governed by Law No. 133/V/2001, which has been amended over time to strengthen privacy protections. The most recent amendment, Law No. 121/IX/2021, enacted on March 17, 2021, introduced significant updates to align with international standards and enhance individual privacy rights.
Key Provisions of Cape Verde's Data Protection Law
1. *Expanded Territorial Scope
The 2021 amendment extended the law's applicability to data controllers and processors outside Cape Verde who process personal data of individuals located within the country. This aligns with global trends, such as the European Union's General Data Protection Regulation (GDPR), ensuring that international entities handling Cape Verdean residents' data are subject to local regulation.
2. *Opt-In Consent Requirement
Consent must now be obtained through a clear affirmative action, such as a statement or an unambiguous affirmative ac. This means pre-ticked checkboxes are not permissible. Exceptions to this requirement include situations where processing is necessary for contract performance or legitimate interests of the data controlled.
3. *Enhanced Data Subject Rights
The amendment introduced rights similar to those in the GDPR, including: Right to Access* Right to Rectification **Right to Erasure Right to Restriction of Processing* Right to Data Portability* Additionally, the law clarifies that deceased individuals' personal data can be managed by their estate.
4. *Data Protection Impact Assessments (DPIAs)
Organizations are required to conduct DPIAs when processing activities are likely to result in high risks to individuals' rights and freedoms, such as profiling or large-scale processing of sensitive data.
5. *Data Breach Notification
Data controllers must notify the Comissão Nacional de Proteção de Dados (CNPD) of any personal data breaches within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals' rights and freedom. Affected data subjects must be informed "without undue delay" if the breach is likely to result in a high risk to their right.
6. *Appointment of Data Protection Officers (DPOs)
Organizations are required to appoint a DPO under certain conditions, and the contact details of the DPO must be communicated to the CNP.
7. *Special Categories of Personal Data
The law has expanded the definition of sensitive data to include biometric data and sexual orientation. Processing of such data is subject to stricter conditions and safeguard.
🏛️ Regulatory Authority
The Comissão Nacional de Proteção de Dados (CNPD) is the national authority responsible for overseeing compliance with data protection laws in Cape Vere Established in 2015, the CNPD is empowered to receive and review data processing notifications, issue authorizations for certain processing activities, and enforce sanctions for non-compliance.
🌍 International Engagement
Cape Verde has demonstrated a commitment to international data protection standards by:
Acceding to Convention 108 in 2018, the only binding international treaty aimed at protecting individuals' personal data.
Signing the Amending Protocol (Convention 108+) in 2023, enhancing its alignment with modern data protection principes.
Joining the African Union's Malabo Convention on cybersecurity and personal data protection, reinforcing its commitment to regional data protection standards.
📌 Summary
Cape Verde's data protection law, particularly following the 2021 amendments, aligns closely with international standards such as the DR. It emphasizes individual rights, transparency, and accountability in data processing activities. Organizations operating in or with Cape Verde should ensure compliance with these regulations to safeguard personal data and uphold individuals' privacy rights.
RELATED Blog
0 comments