Understanding Personal Data Protection in Burkina Faso

🔎 Everything you need to know about the CIL, personal data laws in Burkina Faso and the rights of citizens and dangers for companies.

Introduction

Declaring your personal data processing to the Commission de l’informatique et des libertés (“CIL“) is mandatory in Burkina Faso if your start-up processes personal data.

Law n°001-2021/AN on the protection of individuals with regard to the processing of personal data dated March 30, 2021 (the ” Law n°001-2021“ ) imposes obligations on you when you process personal or sensitive data. Its purpose is to protect the fundamental rights and freedoms of individuals with regard to the processing of their personal data.

What is personal data processing? Which form to fill in? What are my other obligations as a start-up under this Law n°001-2021 ? If you don’t know how to answer these questions, this article will considerably broaden your knowledge on the subject.

To whom does Law no. 2013-450 apply?

Law n°001-2021 applies:

• automated or non-automated processing of personal data, for which the controller or processor is established in Burkina Faso or, without being established there, is subject to Burkina Faso public international law.
  In other words, Law n°001-2021 applies to you if your data controller is based in Burkina Faso and processes personal data such as the names, addresses or telephone numbers of your customers. If it is not based in Burkina Faso, it may come under the jurisdiction of Burkina Faso by virtue of an international convention ratified by Burkina Faso, for example.
• the data controller or processor not established in Burkina Faso, who carries out processing operations from the national territory, excluding transit data.

To whom does Law no. 2013-450 not apply?

Law n°001-2021 does not apply:

• processing carried out by a natural personexclusively forpersonal or domestic purposes;
• at temporary copies made as part of the technical transmission and provision of access to a digital network for the automatic intermediate and transient data storage at for the sole purpose of enabling other recipients of the service to make the best possible access to information, except for updating and security ;
• at data processing personal information to the for literary purposes only and artistic or journalismThis is in line with the deontological and ethical rules of these professions, security measures to ensure the confidentiality of journalistic sources, and moderation rules applicable to discussion forums set up by publishers of journalistic information.

What is personal data protection?

What is personal data under Burkinabe law?

According to Article 5 of Law no. 001-2021, personal data refers to ” any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number, to one or more factors specific to his or her physical, physiological, genetic, mental, cultural, social or economic identity “.

This may include, for example, the following information: name, address, telephone number, e-mail address, date of birth, place of work, shopping habits, location data, etc.

How can I determine whether my startup is processing personal data in accordance with Law n°001-2021?

Under the terms of Article 5 of Law n°001-2021, processing of personal data means “. any operation or set of operations performed on personal data, whether or not by automated means, such as collection, organization, storage, adaptation, alteration, backup, copying, consultation, recording, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, encryption, erasure or destruction. “.

You may therefore (subject to certain exceptions) be considered to be processing personal data if you carry out any of the above operations.

What obligations do I have to comply with with regard to Law n°001-2021 when processing personal data?

What categories of processing are exempt from prior formalities in Burkina Faso?

You are exempt from prior formalities with the CIL for the processing of personal data:

• whose specific purpose is limited to the preservation of archival documents;

implemented by an association or any non-profit-making body of a religious, philosophical, political or trade-union nature, provided that such processing corresponds to the purpose of the association or body, concerns only its members and is not to be communicated to third parties without their consent.

What are the formalities to be complied with in Burkina Faso before processing personal data?

The processing of personal data (subject to the above exemptions) is subject to prior:

• request for advice ;
• request for authorization ;
• normal declaration ;
• simplified declaration.

How do you determine which formality applies to your data processing?

You must either :

1. make a standard declaration if the planned data processing does not require (i) authorization (see point 2 below) or (ii) a legislative or regulatory act(see point 3 below) or does not fall within the scope of exempted processing (listed above).
2. obtain prior authorization if the proposed treatment concerns :

• genetic or biometric data in the private sector and on health research;
• data relating to offences, convictions or security measures in the private sector ;
• file interconnection;
• a national identification number or any other similar identifier in the public or private sector;
• biometric data in the private sector ;
• data for reasons of public interest, in particular for historical, statistical or scientific purposes;
• assistance in administrative or private decision-making, involving an assessment of human behavior, giving a definition of the profile or personality of the person concerned, or relying on artificial intelligence techniques for predictive purposes; and
• data transfers to foreign countries.

3. obtain a legislative or regulatory decision when data processing is carried out on behalf of a public body (State, public institution, local authority) or a private legal entity managing a public service. More specifically, these are treatments involving :

• State security, defense or public safety;
• the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sentences or security measures;
• population census ;
• personal data revealing religious, philosophical, political, trade-union or ethnic beliefs or activities, sex life, race, health and morals, genetic or biometric data, social measures, prosecutions, criminal or administrative sanctions; and
• processing of salaries, pensions, taxes and other settlements.

Whichever approach is applicable to you, your startup must comply with the procedure put in place by the CIL.

What is the content of the prior declaration and how does it work?

The prior declaration can be sent to CIL electronically or on paper. It must specify the information that you will find on the CIL website.

How long does it take to obtain a receipt for your declaration?

Unless the company decides otherwise, the declaration receipt is issued immediately. On receipt of this receipt, the applicant may begin processing personal data. However, it is not exempt from any of its responsibilities under the Act.

Which authority is responsible for protecting personal data in Burkina Faso?

What is CIL?

In Burkina Faso, the protection of personal data is ensured by the CIL, created under Law n°001-2021.

The CIL is the supervisory authority responsible for ensuring compliance with the provisions of Law n°001-2021, in particular by informing all data subjects and data controllers of their rights and obligations, and by monitoring the use of information and communication technologies applied to the processing of personal data. CIL is an independent administrative authority with administrative and management autonomy.

CIL has regulatory and sanctioning powers.

What are CIL’s powers and responsibilities?

The CIL has a number of powers and duties to carry out its mission. It ensures that the use of information and communication technologies to process personal data poses no threat to individual or public freedoms and privacy.

The CIL may, if necessary, instruct its members, assisted by agents and, where appropriate, experts, to carry out on-site checks and controls on any personal data processing.

What measures can the CIL take in the event of non-compliance with Law n°001-2021?

In the event of violation of Law n°001-2021, the CDP may impose the following administrative sanctions:

• WARNING;
• formal notice ;
• injunction to cease data processing ;
• blocking of certain personal data ;
• fixed fine ;
• withdrawal of authorization.

Violations of the provisions of the Act are punishable under the provisions of the Penal Code dealing with offences relating to information and communication technologies.

In the event of serious and immediate infringement of the rights of the persons concerned, the Chairman of the CIL, or the person whose rights and freedoms have been infringed, may apply to the competent court for an interim injunction ordering, where appropriate and subject to a fine, any measure necessary to safeguard those rights. These people can claim compensation for the damage they have suffered.

The following acts constitute serious breaches:

• unfair collection or communication of personal data to an unauthorized third party ;
• collection of sensitive data in violation of legal requirements;

the collection or use of personal data resulting in a serious infringement of fundamental rights and freedoms, including the privacy of the data subject.

Who is responsible for protecting personal data within the startup?

Under Law n°001-2021, your startup acts as :
– controller if, alone or jointly with others, it takes the decision to collect and process personal data, determines the purposes and methods of implementation;
– processor, if it processes data on behalf of the controller.
It is the responsibility of both the data controller and the data processor to ensure compliance with the obligation of security and confidentiality.

Obligations and duties of the data controller

The data controller is subject to the following obligations and duties:

• Prior notification of personal data processing ;
• Obligation to obtain the consent of the person concerned;
• Legitimacy and lawfulness of personal data processing ;
• Duty to inform the person concerned ;
• Security of personal data processing.

To find out more, visit the CIL website.

Relationship between the controller and the processor

When processing is carried out on behalf of the controller, the latter must choose a subcontractor who provides sufficient guarantees of protection. He must sign an agreement with the customer, specifying the only authorized processing operations and the fate of the data at the end of the contract.

What is a Data Protection Officer?

Any data controller may appoint a Data Protection Officer (DPO) to ensure compliance with the obligations set out in this law.

What are the risks if I don’t comply with the law?

What fines apply?

The following is anon-exhaustive list of fines that may be imposed by the CIL on any data controller found to have breached the provisions of the Act:

In addition, the CIL can pronounce :

• confiscation of all material media containing the personal data in violation of the regulations (manual files, disks and magnetic tapes) or order the deletion of such data;
• banning the convicted controller from managing any personal data processing for up to two years.

It is therefore essential to comply with Law n°001-2021. This allows you to stand out from your competitors both nationally and internationally. This gives you an extremely positive competitive edge, in terms of your company’s reputation and brand image. This demonstrates exemplary management of personal data processed on behalf of your customers, as well as compliance with security and confidentiality measures.

For further information, please consult the following articles:

• Learn how to comply with Ivorian law on the protection of personal data;
• Declare your personal data processing in Morocco ;
• Understanding Personal Data Protection in Senegal ;
• Learn how to comply with the European RGPD regulation..