Ivorian startups: complying with the personal data protection law
Declaring your personal data processing activities to the ARTCI is mandatory if your startup processes personal data. Here are the key steps to understanding your obligations.
IVORIAN STARTUPS — LEARN HOW TO COMPLY WITH THE IVORIAN LAW ON THE PROTECTION OF PERSONAL DATA
Declaring your personal data processing activities to the Telecommunications Regulatory Authority of Côte d'Ivoire (ARTCI) is mandatory if your startup processes personal data. In addition, Law No. 2013-450 of June 19, 2013 (the "Law No. 2013-450") on the protection of personal data sets out further obligations when you process personal data or sensitive data.
What is personal data processing? Which form should you complete? What are your other obligations as a startup under this law? If you cannot answer these questions, this article will significantly broaden your knowledge on the subject.
STEP 1: DETERMINING WHETHER YOUR STARTUP CARRIES OUT PERSONAL DATA PROCESSING
The first step for the startup is to determine whether it carries out personal data processing activities.
Under Law 2013-450, the processing of personal data means any operation carried out whether or not by automated or non-automated means, applied to data such as the collection, use, recording, organization, storage, adaptation, modification, backup, copying, erasure or destruction of personal data.
Personal data means any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social or economic identity.
Startups are in fact regularly required to process personal data in the course of their day-to-day activities, in particular when managing employee payroll, developing an e-commerce website, or running marketing campaigns. These activities require processing personal data such as: first and last name, date of birth, connection logs, email, photo, phone number, bank details, IP address.
This data — which makes it possible to identify or render identifiable the persons concerned (e.g., employees, customers or suppliers) — must be protected through the implementation of security and confidentiality measures.
Below are examples of personal data processing activities:
- recruitment management;
- administrative HR management;
- prospect and customer database management (e.g., CRM software);
- email campaign delivery;
- IP address storage;
- video surveillance recording.
Geographical scope: Law No. 2013-450 applies to any collection, processing, transmission, storage and use of personal data by a natural person or private or public legal entity on Ivorian territory. Such data processing may be automated or non-automated, and must be carried out on national territory.
Accordingly, if you process the personal data listed above and your startup falls within the geographical scope described above, you are in principle required to comply with the obligations set out under Law No. 2013-450.
Need help with your ARTCI compliance in Côte d'Ivoire?
Prior declaration, authorization, data controller/processor qualification, privacy policy, contracts and data security: get support from African Legal Factory.
STEP 2: UNDERSTANDING AND COMPLYING WITH MY OBLIGATIONS TOWARDS THE ARTCI
What must I do with respect to the ARTCI if I carry out personal data processing in Côte d'Ivoire?
Law No. 2013-450 provides that all personal data processing must be declared in advance to the ARTCI before implementation. A prior declaration must therefore be filed if the startup's activity has not yet commenced.
The startup makes this declaration by following the procedure established by the ARTCI. It must include, in particular, a commitment that the processing meets the requirements of the law.
The ARTCI issues its decision within one month of receiving the declaration or authorization request, where applicable by electronic means. This period may be extended by one additional month by a reasoned decision of the data protection authority. The startup may implement the processing upon receipt of its acknowledgment of receipt.
Please note: for the most common personal data processing activities, the ARTCI makes available standards and procedures designed to simplify or exempt the data controller from the obligation to file a prior declaration.
When it comes to the processing of sensitive data — meaning data relating to criminal offenses and convictions, national identification numbers including phone numbers, transfers of personal data to a third country, and the processing of genetic or medical personal data — prior authorization from the ARTCI must be obtained.
STEP 3: IDENTIFYING MY QUALIFICATION UNDER THE LAW
Does your startup act as a data controller or a processor?
Under Law No. 2013-450, your startup may act either as a data controller or as a processor.
Your startup acts as a data controller if, alone or jointly with others, it decides to collect and process personal data and determines the purposes thereof.
Your startup acts as a processor if it processes personal data on behalf of the data controller as defined above.
This qualification is important because your obligations under Law 2013-450 differ depending on whether you act as a data controller or a processor.
WHY IS IT ESSENTIAL TO COMPLY WITH LAW 2013-450?
To avoid the significant financial penalties provided for under Law 2013-450!
Violations of this personal data protection law are subject to sanctions, following a formal notice issued to the data controller or its processor, consisting of one of the following:
- provisional withdrawal of the data protection authorization, where applicable;
- permanent withdrawal of the authorization, where applicable; and
- a financial penalty.
The amount of the penalty is proportionate to the seriousness of the breach and any benefits derived therefrom. It may not exceed 10,000,000 CFA francs.
However, if a previous penalty has been imposed within the 5 years preceding the breach, the fine may reach up to 5% of the company's turnover, capped at 500,000,000 CFA francs.
Although capped, these penalties may in practice represent a significant percentage of your startup's turnover.
But that is not all: complying with the requirements of Law 2013-450 allows you to stand out from your competitors at both national and international level. In doing so, you gain an extremely positive competitive advantage in terms of reputation and brand image for your company. This demonstrates, in particular, exemplary management of personal data processed on behalf of your clients, as well as adherence to security and confidentiality measures.
References
- Law No. 2013-450 of June 19, 2013 on the protection of personal data;
- Decree No. 2015-79 of February 4, 2013 setting out the procedures for filing declarations, submitting requests, and granting and withdrawing authorizations for the processing of personal data.
I would like support with my personal data protection compliance
Fill in the form to be contacted by the African Legal Factory team regarding your ARTCI declarations, authorizations, contracts, privacy policy or obligations under Ivorian Law No. 2013-450.
By completing this contact form, African Legal Factory collects and processes your personal data as data controller in order to respond to your enquiries. You have the right to access, rectify, object to, erase, restrict, port your data, and to provide instructions regarding its handling after your death.
For more information on the processing of your personal data, please consult our Privacy Policy.
