Privacy Law at Madagascar
Madagascar's primary legislation governing data protection is Law No. 2014-038 on the Protection of Personal Data, enacted on December 16, 2014. This law establishes comprehensive requirements for the collection, processing, storage, and transfer of personal data to safeguard individuals' privacy rights.
📘 Key Provisions of Law No. 2014-038
1. Scope and Applicability
Entities Covered: Applies to all organizations processing personal data within Madagascar, including both public and private entities
Exemptions: Excludes personal data processing for personal or household activities, and certain government functions related to national security, taxation, or law enforcement
2. Definitions
Personal Data: Any information relating to an identified or identifiable natural person, including name, identification number, or other specific elements
Sensitive Data: Includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health information, and sexual life
3. Data Processing Principles
Lawfulness and Fairness: Personal data must be processed lawfully and fairly
Purpose Limitation: Data should be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes
Data Minimization: Only data necessary for the intended purpose should be collected
Accuracy: Data should be accurate and kept up to date
Storage Limitation: Data should not be kept longer than necessary
Integrity and Confidentiality: Data should be processed in a manner that ensures its security
4. Rights of Data Subjects
Access: Individuals have the right to access their personal data
Rectification: Right to correct inaccurate or incomplete data
Erasure: Right to request deletion of data under certain conditions
Portability: Right to obtain and reuse personal data
Objection: Right to object to data processing
Restriction: Right to request limitation of data processing
5. Data Controllers and Processors
Responsibilities: Entities that determine the purposes and means of processing personal data (controllers) and those who process data on their behalf (processors) must ensure compliance with the law
Data Protection Officer (DPO): Mandatory for organizations engaged in large-scale processing of sensitive data
Prior Authorization: Certain high-risk processing activities require prior authorization from the regulatory authority
6. Cross-Border Data Transfers
Conditions: Transfers of personal data outside Madagascar are permitted if the recipient country ensures an adequate level of data protection or if appropriate safeguards are in place
7. Enforcement and Penalties
Regulatory Authority: The Commission Malagasy de l’Informatique et des Libertés (CMIL) is responsible for overseeing compliance with the law
Penalties: Violations can result in administrative fines, suspension of data processing activities, and criminal penalties for severe breaches
🛡️ Implementation and Challenges
While the legal framework is established, the operationalization of the CMIL has faced delay. Recent efforts, including international support, aim to make CMIL fully functional. Organizations are encouraged to proactively comply with the law's provisions to avoid potential penalties and ensure the protection of individuals' privacy right.
RELATED Blog
0 comments