 Understanding Angola's Data Protection Law: Key Insights for Compliance


Angola's data protection framework is defined by Law 22/11 on the Protection of Personal Data, which regulates all forms of personal data processing related to identifiable natural persons. Additionally, Presidential Decree 214/16, issued on October 10, 2016, outlines the structure and operational guidelines for the National Personal Information Low in Angola (APD), the regulatory authority in this domain.

Scope and Applicability

Territorial scope 

The Data Protection Law applies in the following cases: 

  1. The data controller's headquarters are in Angola (Article 3(2)(a)). 

  2. Data processing is linked to the activities of a controller established in Angola, even if headquartered elsewhere (Article 3(2)(b)). 

  3. Processing occurs outside Angola but under Angolan law via international agreements (Article 3(2)(c)). 

  4. The data controller uses means located in Angola for processing (Article 3(2)(d)). 

Material scope 

The Data Protection Law does not apply to: 

  1. Data processing by individuals for strictly personal or domestic purposes (Article 4(1)). 

  2. Processing related to state secrets, security, judicial confidentiality (Article 4(2)(a)). 

  3. Processing of personal data by Angolan Armed Forces units under the oversight of the relevant ministerial department (Article 4(2)(b)). 

Legal bases 

  1. Consent 

  2. Contract with the Data Subject 

  3. Legal Obligation 

  4. Public Interest

  5. Interest of the Data Subject

  6. Legitimate Interests of the Data Controller

  7. Legal Bases in Other Instances

  8. Direct Marketing  

  9. Electronic advertising  

Principles 

Under Angola's Data Protection Law, data controllers, responsible for determining the purpose and means of processing personal data, must ensure adequate technical and organizational measures to protect data from breaches. Key principles include: 

  • Transparency and Privacy: Processing must respect privacy, constitutional rights, and public freedoms (Article 6). 

  • Access and Control: Data must be stored to allow rights like access, correction, deletion, and objection. 

  • Lawfulness and Fairness: Processing must be lawful, fair, and avoid arbitrary discrimination. 

  • Proportionality: Data must be relevant, appropriate, and not excessive for its intended purpose. 

The principle of accuracy (Article 10) mandates that data be kept correct, with measures in place to rectify inaccuracies promptly.

Controller and Processor Obligations

Data processing notification 

Under Article 35(1) of the Data Protection Law, data processing requires either prior notification to or authorization from the APD. For notifications, the APD has 30 days to respond. If no response is received within this timeframe, the processing operation is deemed duly notified and may proceed (Article 35(2)).  

Data transfers

Third Party Transfer

Under Article 21 of the Data Protection Law, transferring personal data to a third party for its own purposes makes the recipient a data controller. Such transfers require the data subject's express prior consent and notification to the APD. However, consent is not needed if: 

  1. The data was lawfully obtained from public sources. 

  2. The transfer is essential for fulfilling a contract involving the data subject. 

  3. The transfer is necessary for pre-contractual steps with the data subject. 

Cross-Border Transfer

International data transfers under Section VI of the Data Protection Law depend on the recipient country's level of data protection as assessed by the APD: 

  • If deemed to provide an adequate level of protection (at least equivalent to Angola's), only notification to the APD is required. 

  • If not, the data controller must secure prior authorization from the APD. 

 Data processing records 

The Data Protection Law does not explicitly require data controllers or processors to maintain records of data processing activities. However, keeping such records is strongly recommended to facilitate compliance in the event of an APD audit. 

Data protection impact assessment 

There are no such requirements in the Data Protection Law. 

Data Protection Officer appointment 

The Data Protection Law does not mandate appointing a Data Protection Officer (DPO). However, under Article 3(4), data controllers must designate a representative in Angola to act as a point of contact with the APD and manage rights and obligations under the law. This representative is not equivalent to a DPO. 

Data breach notification

There is no mandatory breach notification under the Data Protection Law.

Data Retention 

The Data Protection Law does not specify timeframes for data retention. Personal data should only be kept as long as necessary for the purposes for which it was collected or processed and must be erased or anonymized afterward. 

Children's data 

The Data Protection Law does not include specific provisions for processing children's data. However, Article 25(4) requires that information about data subjects' rights be communicated clearly, precisely, and objectively, especially when directed at minors or individuals with special needs. 

Special categories of personal data 

Article 13 of the Data Protection Law establishes that sensitive data may only be processed when the following requirements are met: 

  1. a legal provision permitting such processing; and

  2. authorization from the APD.

Data Subject Rights 

  • Right to be informed

  • Right to access

  • Right to rectification

  • Right to erasure

  • Right to object/opt-out

  • Right not to be subject to automated decision-making

Penalties 

The Data Protection Law imposes both criminal and civil liability, along with additional sanctions for violations. Non-compliance may result in fines, and paying the fine does not exempt the offender from ensuring future compliance. Fines include: 

  • $75,000 to $150,000 for failing to meet obligations in Articles 14, 15, 16, 17, 20, 30, 31, and 32, failing to notify the APD, or disobeying an APD order. 

  • $65,000 to $350,000 for violations of principles in Articles 6 to 11, failing to obtain data subject consent, or non-compliance with Articles 18, 19, and 21 to 24.