On June 17, 2011, the National Assembly of the Republic of Angola passed Law 22/11 on Personal Data Protection. The omnibus privacy legislation applies to the automated and non-automated processing of personal data by controllers based or operating in Angola, or subject to, or using equipment governed by, Angola’s laws. Some highlights of the law are listed below.
- The law establishes a Data Protection Agency and sets forth data processing principles, including transparency, lawfulness, proportionality, purpose, accuracy and length of retention period.
- The Data Protection Agency must approve international data transfers to countries that do not ensure an adequate level of protection, and data controllers must notify the Agency of personal data transfers to adequate countries.
- Processing personal data is permitted only with (1) the express consent of the data subject, and (2) notification to the Data Protection Agency. Additional restrictions apply to the processing of sensitive data (which includes genetic data), credit and solvency data, video surveillance data and phone call recordings.
- Data subjects may restrict the use of their personal data for certain postal mail and electronic advertising purposes.
- Data subjects have the right to access, object to, rectify, update and delete their personal data.
Willful or negligent failure to comply with the law may result in monetary penalties of up to $150,000 USD.