Understanding Personal Data Protection in Côte d’Ivoire

🔎 All you need to know about ARTCI, personal data laws in Côte d’Ivoire and citizens’ rights and dangers for businesses

Introduction

Declaring your personal data processing to the Autorité de Régulation des Télécommunications/TIC de Côte d’Ivoire (” ARTCI “) is mandatory if your start-up processes personal data.

Act no. 2013-450 of June 19, 2013 (the “Law no. 2013-450“) imposes obligations on you when you process personal or sensitive data. The purpose of this law is to protect the fundamental rights and freedoms of individuals with regard to the processing of their personal data.

What is personal data processing? Which form to fill in? What other obligations do I have as a start-up under this law? If you don’t know how to answer these questions, this article will considerably broaden your knowledge on the subject.

To whom does Law no. 2013-450 apply?

In general, Law no. 2013-450 applies to the protection of personal data.

More specifically, it applies to :

• any collection, processing, transmission, storage or use of personal data by a natural person, the State, local authorities, legal entities governed by public or private law;
• any automated or non-automated processing of data contained or intended to be contained in a file;
• any data processing carried out on national territory;

any processing of data relating to public security, defense, the investigation and prosecution of criminal offenses or State security, subject to exemptions defined by specific provisions set out in other applicable legislation.

To whom does Law no. 2013-450 not apply?

Law no. 2013-450 does not apply:

• processing carried out by a natural person exclusively in the context of his or her personal or domestic activities, provided that the data are not intended for systematic communication to third parties or for dissemination ;

temporary copies made as part of the technical activities of transmitting and providing access to a digital network with a view to the automatic intermediate and transitory storage of data for the sole purpose of enabling other recipients of the service to have the best possible access to the information.

What is personal data protection?

Personal data: definition in Côte d’Ivoire

According to Article 1 of Law 2013-450, personal data means “. any information of any kind whatsoever and irrespective of its medium, including sound and image, relating to a natural person who is identified or indentifiable directly or indirectly, by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, mental, cultural, social or economic identity. “.

This may include the following information: name, address, telephone number, e-mail address, date of birth, place of work, purchasing habits, location data, etc.

How can I determine whether my startup is processing personal data in accordance with Law 2013-450?

According to Article 1 of Law no. 2013-450, personal data processing means “. any operation or set of operations performed on personal data, whether or not by automated means, such as collection, use, recording, organization, storage, adaptation, modification, retrieval, saving, copying, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, or the blocking, encryption, erasure or destruction of personal data. “.

You may therefore (subject to a few exceptions) be considered to be processing personal data if you carry out any of the above operations.

What obligations do I have to comply with under Law 2013-450 when processing personal data?

Which categories of processing are exempt from prior formalities in Côte d’Ivoire?

Personal data processing is exempt from ARTCI formalities:

• used by a natural person exclusively in the course of his or her personal, domestic or family activities; provided, however, that the data are not intended for systematic communication to third parties or for dissemination ;
• concerning a natural person whose publication is required by law or regulation;
• whose sole purpose is to keep a register for exclusively private use;
• for which the data controller has appointed a personal data protection correspondent responsible for ensuring, in an independent manner, compliance with the obligations set out in the Act, except where a transfer of personal data to a third country is envisaged.

What are the formalities to be complied with in Côte d’Ivoire before processing personal data?

In Morocco, companies have several options for domiciling their headquarters. Here are the main domiciliation options for companies in Morocco:

• Domiciliation in commercial premises: companies can choose to domicile their head office in commercial premises, such as offices or stores. This option is generally chosen by companies needing a physical space in which to operate.
• Domiciliation in business centers: business centers offer shared workspaces and domiciliation services for companies. This option is often chosen by companies requiring flexible workspace and administrative support.
• Domiciliation with a domiciliary: companies can also domicile their head office with a domiciliary. The domiciliataire is a specialized company that provides domiciliation services, including mail and telephone call management. This option is often chosen by companies wishing to outsource their administrative management.
• Domiciliation in free trade zones: companies can also choose to domicile their head office in a free trade zone. Free trade zones offer companies tax and customs advantages, as well as access to high-quality infrastructure.

What are the advantages and disadvantages of domiciliation in Morocco?

Firstly, the processing of personal data (subject to the above exemptions) is subject to prior declaration to ARTCI.

ARTCI issues a receipt in response to the declaration, by electronic means if necessary. Only after you have obtained the receipt can your startup implement the processing.

Secondly, the processing of certain data requires prior authorization from ARTCI. This concerns processing relating to :

• genetic and medical data and scientific research in these fields;
• data relating to offences, convictions or security measures handed down by the courts ;
• a national identification number or any other similar identifier, including telephone numbers;
• biometric data;
• data for reasons of public interest, in particular for historical, statistical or scientific purposes;
• data transfers to foreign countries;

It’s important to take stock of the data your startup collects from data subjects to determine whether you need to make a simple declaration or request authorization.

Finally, whatever approach is applicable to you, your startup must comply with the procedure put in place by ARTCI.

How do I submit a request for prior authorization or declaration?

The request is submitted by the data controller or his/her legal representative. It is addressed to the Chairman of the ARTCI Regulatory Council either by post to the following address: ARTCI – Marcory Anoumanbo – B.P. 2203 – Abidjan 18 or by any other means against receipt.

What forms do I need to fill out for a prior declaration or authorization request?

There are several forms to fill in, depending on the nature of your request. These forms are accessible via the ARTCI website and concern the following procedures:

• prior declaration ;
• biometric device authorization request ;
• request for prior authorization to process personal data ;
• request for authorization for a video surveillance system ;
• request for transfer of personal data outside the ECOWAS zone ;
• request for approval to audit personal data processing ;
• application for approval as a personal data protection trainer.

You can also use the information sheets provided by ARTCI to help you fill in the forms.

How long does it take to process your application?

The ARTCI makes its decision within one month of receipt of the declaration or application for authorization, except in the case of an extension of one month by reasoned decision of the ARTCI.

In all cases, ARTCI checks that your file (declaration or request for authorization) is complete and that processing complies with legal requirements.

It then delivers :

• a declaration receipt if you have made a declaration; or
• an authorization decision notified by post if you have applied for authorization.

Caution
The processing of personal data can only be carried out once the receipt or authorization has been received.

Note also that in the event of modification of an authorized processing operation, the purpose of the modification should be specified by notifying ARTCI by simple letter or e-mail. Be sure to quote your authorization number and contact details, so that we can process your application as quickly as possible. Similarly, if you delete an authorized treatment, this should be reported to ARTCI.

Which authority is responsible for personal data protection in Côte d’Ivoire?

What is ARTCI?

In CI, the protection of personal data is ensured by ARTCI, created in 2012, under Law no. 2013-450.

ARTCI is an independent administrative authority with legal personality and financial autonomy. It is the supervisory authority responsible for ensuring compliance with the provisions of Law no. 2013-450. As such, it ensures that personal data processing is carried out in accordance with the law. It also ensures that the use of Information and Communication Technologies does not infringe or threaten the freedoms and privacy of users located in CI.

ARTCI has regulatory and sanctioning powers.

What measures can ARTCI take in the event of non-compliance with Law no. 2013-450?

ARTCI may impose the following administrative sanctions:

• a warning to the controller;
• formal notice ;
• interruption of treatment ;
• the blocking of certain processed personal data ;
• temporary or permanent prohibition of treatment contrary to the law;
• temporary or permanent withdrawal of authorization;
• a financial penalty.

Note that breaches of the provisions of the Act are also punishable under the Ivorian penal code.

Who in the company is responsible for protecting personal data?

Under Law No. 2013-450, your startup acts as :

• controller if, alone or jointly with others, it takes the decision to collect and process personal data, determines the purposes and methods of implementation;
• processor, if it processes data on behalf of the controller.

It is the responsibility of both the controller and the processor to ensure compliance with the Act.

The data controller’s obligations

In addition to complying with the principles relating to the lawfulness of personal data collection, the data controller is obliged to comply with requests for access, rectification, opposition, deletion and erasure of data made by the persons concerned.

The data controller must also comply with the following obligations:

• Security obligations: the customer is obliged to take every precaution with regard to data, in particular to ensure their security, and to prevent them from being distorted, damaged or accessed by third parties;
• Informing people whose personal data is processed ;
• Obligation to obtain the consent of the persons concerned ;
• Responding to requests from people whose personal data is processed.

The data controller is required to take all necessary steps to ensure that the personal data processed can be used regardless of the technical medium used.

For further information, please consult
ARTCI’s frequently asked questions
.

Relationship between the controller and the processor

The data controller may delegate all or part of the processing activities to an external organization. The processor is therefore, on the one hand, a natural or legal person distinct from the controller and, on the other hand, a natural or legal person who processes personal data on behalf of the controller, without being able to carry out any processing whatsoever that the controller has not expressly authorized beforehand. Its role is to carry out tasks on the instructions and under the responsibility of the data controller, the exporter of the data.

When using a subcontractor, the data controller must choose a subcontractor who provides sufficient guarantees in terms of technical and organizational security measures relating to the processing of personal data to be carried out.

What are the risks if I don’t comply with the law?

What fines apply?

The fines that may be imposed by ARTCI on any data controller found to have breached the provisions of the Act are proportional to the seriousness of the breaches and the benefits derived from the breach. The amount of the penalty may not exceed 10,000,000 CFA francs.

In the event of repeated breaches within five years of the date on which the financial penalty previously imposed became final, it may not exceed 100,000,000 CFA francs or, in the case of a company, it may not exceed 5% of pre-tax sales for the last closed financial year, subject to a limit of 500,000,000 CFA francs.

It is therefore essential to comply with Law no. 2013-450. This allows you to stand out from your competitors both nationally and internationally. This gives you an extremely positive competitive edge, in terms of your company’s reputation and brand image. This demonstrates exemplary management of personal data processed on behalf of your customers, as well as compliance with security and confidentiality measures.

For further information, please consult the following articles:

• Declare your personal data processing in Morocco ;
• Understanding Personal Data Protection in Senegal ;
• Learn how to comply with the European RGPD regulation..