Understanding Personal Data Protection in Côte d'Ivoire

Introduction

Declaring your personal data processing activities to the Telecommunications/ICT Regulatory Authority of Côte d'Ivoire ("ARTCI") is mandatory if your startup processes personal data.

Law No. 2013-450 of 19 June 2013 ("Law No. 2013-450") imposes obligations on you when you process personal or sensitive data. The purpose of this law is to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data.

What constitutes personal data processing? Which form should you complete? What other obligations does Law No. 2013-450 impose on your startup? If you are unsure how to answer these questions, this article will significantly broaden your knowledge on the subject.

Who does Law No. 2013-450 apply to?

In general terms, Law No. 2013-450 applies to the protection of personal data.

More specifically, it applies to:

• any collection, processing, transmission, storage, or use of personal data by a natural person, the State, local authorities, public law entities, or private law entities;
• any automated or non-automated processing of data contained or to be contained in a file;
• any processing of data carried out on national territory;
• any processing of data relating to public safety, defence, the investigation and prosecution of criminal offences, or state security, subject to any exemptions defined by specific provisions established by other laws in force.

Who does Law No. 2013-450 not apply to?

Law No. 2013-450 does not apply to:

• processing carried out by a natural person solely in the course of personal, domestic, or family activities, provided that the data is not intended for systematic communication to third parties or for public dissemination;
• temporary copies made in the context of technical transmission activities and the provision of access to a digital network, for the purpose of intermediate and transitory automatic storage of data solely to allow other service recipients the best possible access to information.

1. What is personal data protection?

Personal data: definition under Ivorian law

Under Article 1 of Law No. 2013-450, personal data means "any information of any nature and regardless of its medium, including sound and image, relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity."

This may include information such as: name, address, telephone number, email address, date of birth, place of work, purchasing habits, location data, and so on.

How do I determine whether my startup is processing personal data under Law No. 2013-450?

Under Article 1 of Law No. 2013-450, processing of personal data means "any operation or set of operations, carried out with or without automated means, applied to personal data, such as collection, use, recording, organisation, storage, adaptation, modification, extraction, saving, copying, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, as well as locking, encryption, erasure, or destruction of personal data."

2. What obligations must you comply with under Law No. 2013-450 when processing personal data?

Which categories of processing are exempt from prior formalities in Côte d'Ivoire?

An exemption from ARTCI formalities applies to personal data processing:

• used by a natural person solely in the course of personal, domestic, or family activities, provided that the data is not intended for systematic communication to third parties or for public dissemination;
• relating to a natural person whose publication is required by a statutory or regulatory provision;
• whose sole purpose is to maintain a register intended exclusively for private use;
• for which the data controller has appointed a personal data protection officer responsible for independently ensuring compliance with the Law's obligations, unless a transfer of personal data to a third country is envisaged.

What prior formalities must be completed before processing personal data in Côte d'Ivoire?

First, personal data processing (subject to the exemptions above) must first be declared to the ARTCI.

The ARTCI issues an acknowledgement of receipt in response to the declaration, where applicable by electronic means. Your startup may only begin processing once the acknowledgement has been received.

Second, processing of certain categories of data requires prior authorisation from the ARTCI. This applies to processing involving:

• genetic, medical data, and scientific research in those fields;
• data relating to offences, convictions, or security measures imposed by courts;
• a national identification number or any other identifier of the same nature, including telephone numbers;
• biometric data;
• data serving a public interest purpose, including for historical, statistical, or scientific purposes;
• transfers of data to a foreign country.

It is important to carry out an inventory of the data your startup collects from data subjects in order to determine whether a simple declaration or an authorisation request is required.

Finally, whichever procedure applies, your startup must follow the process established by the ARTCI.

How do you file an authorisation request or a prior declaration?

The request is submitted by the data controller or their legal representative. It is addressed to the President of the ARTCI Regulatory Council either by postal mail to: ARTCI – Marcory Anoumanbo – B.P. 2203 – Abidjan 18, or by any other means with acknowledgement of receipt.

Which forms must be completed for a prior declaration or an authorisation request?

Several forms are available depending on the nature of your request. These forms are accessible on the ARTCI website and cover the following procedures:

• prior declaration;
• authorisation request for a biometric device;
• prior authorisation request for personal data processing;
• authorisation request for a video surveillance system;
• request to transfer personal data outside the ECOWAS area;
• accreditation request for personal data processing audits;
• accreditation request for personal data protection trainers.

You may also refer to the explanatory fact sheets provided by the ARTCI when completing the forms.

What is the processing time for your file?

The ARTCI issues its decision within one month of receiving the declaration or authorisation request, unless this period is extended by one month by a reasoned decision of the ARTCI.

In all cases, the ARTCI verifies that your file (declaration or authorisation request) is complete and that the processing complies with the requirements of the law.

It then issues:

• an acknowledgement of declaration if you filed a declaration; or
• an authorisation decision notified by postal mail if you filed an authorisation request.

Note also that if a previously authorised processing operation is modified, the modification must be notified to the ARTCI by simple postal or electronic mail, stating the authorisation decision number and your contact details to ensure your file is processed promptly. Similarly, if you discontinue an authorised processing operation, this must be reported to the ARTCI.

3. Which authority oversees personal data protection in Côte d'Ivoire?

What is the ARTCI?

In Côte d'Ivoire, personal data protection is overseen by the ARTCI, established in 2012 under Law No. 2013-450.

The ARTCI is an independent administrative authority with legal personality and financial autonomy. It is the supervisory authority responsible for ensuring compliance with the provisions of Law No. 2013-450. In this capacity, it ensures that personal data processing operations are carried out in accordance with the law.

It also ensures that the use of Information and Communication Technologies does not infringe upon or pose a threat to the freedoms and privacy of users located in Côte d'Ivoire.

The ARTCI holds both regulatory powers and sanctioning powers.

What measures may the ARTCI take in the event of non-compliance with Law No. 2013-450?

The ARTCI may impose the following administrative sanctions:

• a warning addressed to the data controller;
• a formal notice;
• suspension of the processing operation;
• locking of certain personal data being processed;
• a temporary or permanent prohibition of processing that is contrary to the Law;
• temporary or permanent withdrawal of the authorisation;
• a financial penalty.

Breaches of the Law's provisions are also punishable under the Ivorian Criminal Code.

4. Who is responsible for personal data protection within the company?

Under Law No. 2013-450, your startup acts as:

• data controller if, alone or jointly with others, it decides to collect and process personal data and determines the purposes and means of processing;
• processor, if it processes data on behalf of the data controller.

Both the data controller and the processor are responsible for ensuring compliance with the Law.

Obligations of the data controller

In addition to complying with the principles governing the lawfulness of personal data collection, the data controller must respond to requests for access, rectification, objection, deletion, and erasure of data submitted by data subjects.

The data controller must also comply with the following obligations:

• Security obligations: the data controller must take all necessary precautions regarding the data, including ensuring their security and preventing them from being distorted, damaged, or accessed by unauthorised third parties;
• Informing persons whose personal data is being processed;
• Obtaining the consent of data subjects;
• Responding to requests from persons whose personal data is being processed.

The data controller must take all appropriate measures to ensure that the personal data being processed can be used regardless of the technical medium employed.

For further information, you may consult the FAQ published by the ARTCI.

Relationship between the data controller and the processor

The data controller may delegate all or part of the processing activities to an external organisation. The processor is therefore, on the one hand, a natural or legal person distinct from the data controller, and on the other hand, a natural or legal person who processes personal data on behalf of the data controller, without being able to carry out any processing that the data controller has not expressly authorised in advance.

The processor's role is to carry out tasks on the instructions and under the responsibility of the data controller, as data exporter.

Where a processor is used, the data controller must select a processor that provides sufficient guarantees with regard to the technical and organisational security measures applicable to the personal data processing operations to be carried out.

5. What are the risks of non-compliance?

What fines may be imposed?

The fines that may be imposed by the ARTCI on any data controller found to have breached the provisions of the Law are proportionate to the seriousness of the breach and the benefits derived from it. The amount of the sanction may not exceed 10,000,000 CFA francs.

In the event of a repeated breach within five years of the date on which a previously imposed financial penalty became final, the fine may not exceed 100,000,000 CFA francs or, in the case of a company, may not exceed 5% of the turnover excluding tax of the last closed financial year, up to a maximum of 500,000,000 CFA francs.

Compliance with Law No. 2013-450 is therefore essential. It allows you to stand out from competitors at both national and international level, providing a highly positive competitive advantage in terms of reputation and brand image. It demonstrates exemplary management of personal data processed on behalf of your clients, as well as adherence to security and confidentiality measures.

For further reading:

• Declaring your personal data processing in Morocco;
• Understanding Personal Data Protection in Senegal;
• How to comply with European GDPR regulation.

Contact form: I would like to declare my personal data processing in Côte d'Ivoire

We support you in declaring your personal data processing in Côte d'Ivoire. Complete this online form to be contacted by our team promptly.

By completing this contact form, African Legal Factory collects and processes your personal data as data controller in order to respond to your enquiries. You have the right to access, rectify, object to, erase, restrict, and port your data, as well as to provide instructions regarding the fate of your data after your death.

For more information on the processing of your personal data, please consult our Privacy Policy.