Law: Law No. 22/11 on the Protection of Personal Data (only available in Portuguese here) (the Law)

Regulator: The President of Angola passed, on 10 October 2016, Decree No. 214/16 that establishes the organisational framework of the data protection authority. The Ministry of Telecommunications and Information Technology (MTTI) announced, on 9 October 2019, that the National Database Protection Agency (APD) had become operational.

Summary: On June 17, 2011, Law No. 22/11 on the Protection of Personal Data (only available in Portuguese here) (the Data Protection Law) was enacted and entered into effect on the same date. The Data Protection Law establishes general data protection requirements in Angola, and addresses, among other things, data processing notifications, data subject rights, direct marketing, and data transfers. The Data Protection Law provides for penalties of up to $150,000 for the violation of its provisions. The rules governing the regulatory authority are enshrined in the Decree of October 10, 2016, No. 214/16 (only available in Portuguese here) that establishes the organizational framework of the data protection authority (the Presidential Decree). Moreover, the data protection authority, the National Database Protection Agency (APD), only became operational in 2019, but it has not had significant actions and there is little information released publicly on the enforcement of data protection or official guidance on compliance in Angola.

In addition, the regulation of personal data protection has been supplemented through Law No. 23/11 of June 20, 2011, on Electronic communications and Information Society Services (only available in Portuguese here) (the Electronic Communications Law), and Law No. 7/17 of February 16, 2017 (only available in Portuguese here) (the Protection of Information Systems and Networks Law). Angola deposited its ratification instrument for the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) on May 11, 2020.