Guinea
Summary
Law: Law No. L/2016/037/AN on Cybersecurity and Personal Data Protection Law (only available in French here) (Law on Cybersecurity and Personal Data)
Regulator: The establishment of an authority for personal data protection in Guinea is provided for under Article 47 of the Law on Cybersecurity and Personal Data.
Summary: Law No. L/2016/037/AN on Cybersecurity and Personal Data Protection Law (only available in French here) (the Law on Cybersecurity and Personal Data) functions as the overarching data protection law in Guinea. Although the Law on Cybersecurity and Personal Data provides for the creation of a data protection authority, it has not yet been established. Notably, the processing of personal data is considered legitimate if the data subject gives their express prior consent. However, the requirement for prior consent is waived when the processing is necessary for compliance with a legal obligation, in performance of a task of public interest or in the exercise of public authority, necessary for the execution of a contract to which the data subject is a party or for pre-contractual measures, or to safeguard the interest or fundamental rights and freedoms of the data subject.
In addition, the Law on Cybersecurity and Personal Data establishes a range of principles for processors of personal data. These require that personal data is collected for specified, explicit, and legitimate purposes, that such personal data be adequate, relevant, and not excessive with regard to the purposes for which it was collected, and the data is not kept for a period which exceeds the period necessary for the purposes for which it was collected. Further principles regarding the processing of personal data under the Law on Cybersecurity and Personal Data include confidentiality, transparency, and accuracy.
Likewise, personal data controllers are required to take all necessary precautions with regard to personal data, and must take such a requirement into account when contracting with sub-processors. Moreover, the Law of Cybersecurity and Personal Data adds that data controllers and processors are required to ensure sub-processors compliance with the stated obligations.
Furthermore, the Law of Cybersecurity and Personal Data sets out a range of data subject rights, including the right to be informed, object, rectification, access, erasure, and not to be subject to automated decision-making.
In addition to the above, Article 12 of the Constitution of Guinea also provides for a constitutional right to privacy. In addition, Law L/2016/035/AN on electronic transactions in the Republic of Guinea (only available in French here) provides requirements for digital advertisements to individuals and accompanying provisions relating to privacy.
Guinea has also ratified the Convention on Cyber Security and Personal Data Protection (the Malabo Convention).