LAW NO. [005] OF [2023] DATA PROTECTION ACT
# ARRANGEMENT OF ARTICLES
CHAPTER I—PRELIMINARY
Article 1: Name of the Law
Article 2: Definitions
Article 3: Objectives
Article 4: Scope of the Law
Article 5: Exemptions
CHAPTER II—ADMINISTRATION
Article 6: The Data Protection Authority
Article 7: Mandate, powers and functions of the Authority
Article 8: The Board of the Authority
Article 9: Members of the Board
Article 10: General Manager and staff of the Authority
Article 11: Removal of a Board member or General Manager
Article 12: Conflicts of interest
CHAPTER III—PRINCIPLES GOVERNING PROCESSING OF PERSONAL DATA
Article 13: Establishment of the Data Protection Authority
Article 14: Lawfulness of processing of personal data
Article 15: Purpose specification, data minimisation, retention and accuracy
Article 16: Children and other persons lacking legal capacity
Article 17: Establishing data subject consent
Article 18: Provision of information to a data subject
Article 19: Responsibility for data processors
CHAPTER IV—RIGHTS OF A DATA SUBJECT
Article 20: Rights of confirmation, access, correction and deletion
Article 21: Right to withdraw consent
Article 22: Right to object
Article 23: Right not to be subject to a decision based solely on automated processing
CHAPTER V—DATA SECURITY AND DATA IMPACT ASSESSMENTS
Article 24: Security, integrity and confidentiality of personal data
Article 25: Data breach notifications
Article 26: Contents of data breach notifications and communications
Article 27: Records of data breaches
Article 28: Guidance from the Authority
Article 29: Data protection impact assessments
CHAPTER VI—CROSS-BORDER TRANSFERS OF PERSONAL DATA
Article 30: Adequate level of protection for cross-border transfers of personal data
Article 31: Cross-border transfers in the absence of adequate protection
CHAPTER VII—REGISTRATION AND FEES
Article 32: Registration of data controllers of major importance
Article 33: Fees and levies
Article 34: Designation of data protection officers
CHAPTER VIII—ENFORCEMENT
Article 35: Complaints
Article 36: Investigations
Article 37: Orders of the Authority
Article 38: Failure to comply with an order of the Authority
Article 39: Appeal of an order of the Authority
Article 40: Civil remedies
CHAPTER IX—MISCELLANEOUS
Article 41: Power to issue regulations
Article 42: Repeal
Article 43: Coming into force
# CHAPTER I—PRELIMINARY PROVISIONS
Article 1: Name of the Law
This Law shall be cited as the “Data Protection Act.”
Article 2: Definitions
In this Law, unless the context otherwise requires, the following words shall have their respective meaning as below:
- “Authority” means the Data Protection Authority, as established in article 6;
- “Binding corporate rules” means personal data protection policies and procedures adhered to by the members of a group of firms under common control with respect to the transfer of personal data among such members;
- “Biometric data” means personal data resulting from specific technical processing relating to an individual’s body or behaviour, which allow or confirm the unique identification of that individual, including without limitation by physical measurements, facial images, blood typing, fingerprinting, retinal scanning, voice recognition and deoxyribonucleic acid (DNA) analysis;