Law: Law No. 03/2016 on the Protection of Personal Data (only available in Portuguese here) (the Law)

Regulator: National Data Protection Agency (ANPDP)

Summary: Law No. 03/2016 on the Protection of Personal Data (only available in Portuguese here) (the Law) of May 10, 2016, establishes a relatively comprehensive data protection framework and addresses matters such as data processing notifications, data protection principles, data processor agreements, and essential data subject rights.

Importantly, the Law requires notifications to the National Data Protection Agency (ANPDP) in relation to data transfers. However, it does not provide for data breach notifications, nor does it cover data protection officer appointments or impact assessments. In 2018, a series of Resolutions were issued by the ANPDP that generally exempted data processing notifications under certain circumstances, and primarily in relation to employment and employee's data.

On the international front, São Tomé and Príncipe has signed the African Convention on Cyber Security and Personal Data Protection (the Malabo Convention).