ALF - Legal services in Africa > Articles > Ivory Coast > Ivorian startups: learn how to comply with Ivorian personal data protection law

Ivorian startups: learn how to comply with Ivorian personal data protection law

23 January 2024
Posted by: Annick IMBOUA-NIAVA
Category: Ivory Coast Personal data

No Comments

IVORIAN STARTUPS, LEARN HOW TO COMPLY WITH THE IVORIAN LAW ON THE PROTECTION OF PERSONAL DATA

Declaring your personal data processing to the Autorité de Régulation des Télécommunications de Côte d’Ivoire (ARTCI) is mandatory if your startup processes personal data. In addition, law no. 2013-450 of June 19, 2013 (” Law no. 2013-450 “) on the protection of personal data lays down other obligations when you process personal data or sensitive data.

What is personal data processing? Which form to fill in? What other obligations do I have as a startup under this law? If you don’t know how to answer these questions, this article will considerably broaden your knowledge on the subject.

STEP 1: DETERMINE WHETHER YOUR STARTUP PROCESSES PERSONAL DATA

The first step is for the startup to determine whether it is processing personal data.

Under Law 2013-450, personal data processing means any operation carried out or not using automated or non-automated processes and applied to data such as the collection, exploitation, recording, organization, conservation, adaptation, modification, saving, copying […], erasure or destruction of personal data. Personal data means any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more factors specific to that person’s physical, physiological, generic, psychological, cultural, social or economic identity.

In fact, startups need to process personal data as part of their day-to-day activities, for example when managing employee payroll, developing an e-commerce site or running marketing campaigns. These activities require the processing of personal data, for example: surname, first name, date of birth, connection log, e-mail, photo, telephone number, bank details, IP address.

This data, which identifies or makes identifiable the persons concerned (e.g. employees, customers or suppliers), must be protected by implementing security and confidentiality measures.

Below are some examples of personal data processing:

recruitment management ;
personnel administration ;
prospect and customer database management (e.g. CRM software);
sending email campaigns;
IP address retention ;
video surveillance recording.

What geographical scope? Law n°2013-450 is applicable to any collection, processing, transmission, storage and use of personal data by a natural person or legal entity under private or public law on Ivorian territory. Such data processing may or may not be automated, and must be carried out in France.
>> So, if you process personal data listed above, your startup must be, in the geographical scope designated above, then you must a priori comply with the obligations set out in Law n°2013-450.

STEP 2: UNDERSTANDING AND MEETING MY OBLIGATIONS TO ARTCI

What do I have to do vis-à-vis ARTCI if I process personal data in Côte d’Ivoire?

Law n°2013-450 stipulates that all processing of personal data must be declared to ARTCI prior to implementation. If your startup has not yet begun operations, you will need to make a prior declaration.

The startup makes this declaration in compliance with the procedure set up by ARTCI. In particular, the latter must include an undertaking that the processing complies with the requirements of the law.

ARTCI issues its decision within one month of receipt of the declaration or authorization, by electronic means if necessary. This period may be extended by a further month by reasoned decision of the protection authority. The startup can start processing as soon as it receives its receipt.

Please note: For the most common personal data processing operations, ARTCI provides standards and procedures designed to simplify or exempt the data controller from the obligation to make a prior declaration. When processing sensitive data, i.e. data relating to offences and convictions, national identification numbers including telephone numbers, transfer of personal data to a third country, processing of personal data relating to genetic or medical data, prior authorization must be obtained from ARTCI.

STEP 3: IDENTIFY MY LEGAL QUALIFICATION

Does your startup act as a controller or processor?

Under Law no. 2013-450, your startup can act either as a personal data controller or as a personal data processor.
Your startup acts as a data controller if, alone or jointly with others, it takes the decision to collect and process personal data and determines the purposes for which it is to be used.
Your startup acts as a processor, if it processes personal data on behalf of the data controller as defined above.
This qualification is important because depending on your qualification, your obligations under Law 2013-450 differ.

WHY DO YOU NEED TO COMPLY WITH LAW 2013-450?

To avoid the substantial financial penalties provided for by Law 2013-450!
Violation of this Data Protection Act is punishable, after formal notice has been given to the controller or processor, by one of the following penalties:

temporary withdrawal of data protection authorization, if necessary;
definitive withdrawal of authorization, if applicable; and
a fine.

The amount of the fine is proportional to the seriousness of the breach and the benefits that can be derived from it. It may not exceed 10,000,000 FCFA.

However, if a previous fine has been pronounced in the 5 years preceding the breach, in which case the fine can be up to 5% of a company’s sales, capped at 500,000,000 FCFA.

Although capped, these fines can in practice represent a percentage of your startup’s sales.

But that’s not all: complying with the requirements of Law 2013-450 sets you apart from your competitors both nationally and internationally. This gives you an extremely positive competitive edge, in terms of your company’s reputation and brand image. This demonstrates exemplary management of personal data processed on behalf of your customers, as well as compliance with security and confidentiality measures.

Reference:

Compliance with Law 2013-450 in Côte d’Ivoire: our e-learning course

You can consult our free training course to learn how to comply with law 2013-450 in Côte d’Ivoire at the following link:

Initiation e-learning : mise en conformité des Données Personnelles en Côte d’Ivoire

On completion of this course, you will be able to :

Understand how personal data is processed in Côte d’Ivoire;
find out about your obligations when processing personal data in Côte d’Ivoire;
make your website compliant.

Form : I would like to be assisted in my personal data protection compliance project

En remplissant ce formulaire de contact, African Legal Factory recueille et traite vos données à caractère personnel en tant que responsable de traitement afin de répondre à toutes vos interrogations. Vous disposez sur vos données d’un droit d’accès, de rectification, d’opposition, à l’effacement, à la limitation, à la portabilité et de donner des directives sur le sort de vos données après votre décès. Pour plus d’information relative au traitement de vos données personnelles veuillez consulter notre Politique de Confidentialité. [Privacy Policy]

Cookie	Duration	Description
__stripe_mid		Stripe sets this cookie to process payments.
__stripe_sid		Stripe sets this cookie to process payments.
_abck		This cookie is used to detect and defend against replay attempts. This cookie manages interaction with online robots and takes appropriate action.
ak_bmsc		This cookie is used by Akamai to optimize site security by distinguishing between humans and robots.
bm_sz		This cookie is set by the Akamai Bot Manager provider. This cookie is used to manage interaction with online bots. It also contributes to fraud prevention.
cookielawinfo-checkbox-analytics		Defined by the GDPR Cookie Consent plugin, this cookie is used to record user consent for cookies in the "Analytics" category .
cookielawinfo-checkbox-functional		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Functional" category.
cookielawinfo-checkbox-indispensable		The cookie is set by the GDPR cookie consent plugin to record the user's consent for cookies in the "Indispensable" category.
cookielawinfo-checkbox-necessary		Defined by the GDPR Cookie Consent plugin, this cookie is used to record the user's consent for cookies in the "Necessary" category .
cookielawinfo-checkbox-others		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Other" category.
CookieLawInfoConsent		Saves the state of the default button for the corresponding category and the state of the CCAC. It only works in coordination with the primary cookie.
redux_blast		This cookie is necessary for the operation of certain WordPress theme elements that make the website appear in the most optimal way for the visitor's device.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also tracks site usage for the site analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_5BN1MYEN2Y		This cookie is set by Google Analytics.
_gat_gtag_UA_157972103_1		Defined by Google to distinguish users.
_gid		Installed by Google Analytics, the _gid cookie stores information about how visitors use a website, while creating an analytical report of site performance. The data collected includes the number of visitors, where they come from and the pages they visit anonymously.
CONSENT		YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
last_pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
last_pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_first_visit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_session_limit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_start_session		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.

Cookie	Duration	Description
_mcid		This is a Mailchimp functionality cookie used to evaluate UI/UX interaction with its platform.
bm_sv		This cookie is required for Akamai's cache function. A cache is used by the website to optimize the response time between the visitor and the website. The cache is usually stored on the visitor's browser. User bandwidth results are stored in this cookie to ensure that the bandwidth test is not repeated for the same user multiple times for the Akamai cache function.
cookies.js		No description available.
m		This cookie is set by stripe.
mailchimp_landing_site		This cookie is set by MailChimp to record the page the user visited for the first time.
pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
stm_lms_courses_watched		No description
wmc_current_currency		save currency settings.
wp_woocommerce_session_b80c8f798ec84ed7476594d4acafc57c		Contains a unique code for each customer, so you know where to find the basket data in the database for each customer.