September 2024

1. Governing Texts

The Gambia does not currently have a data protection legislation. However, data protection provisions are included in both sectoral national legislation and policies and continental conventions and acts.

1.1. Key acts, regulations, directives, bills

The Gambia has yet to enact a Data Protection Act. However, The Gambia enacted the Information and Communications Act (the ICA) in 2009, a piece of legislation which aims to provide for the restructuring, development, and regulation of the information and communications sector in The Gambia and for related matters. Data protection/privacy rules stipulated in the ICA relate primarily to information and communications service providers.

In addition, the Public Utilities Regulation Authority (PURA) issued, in May 2019, its Draft Data Protection and Privacy Policy Strategy 2019 (the Draft Policy Strategy); however, it should be noted that this policy document does not currently have the status of law.

The Gambia Information and Communications Technology Agency Act 2019 (the ICTA Act) was enacted in 2019 and is a piece of legislation that aims to encourage the optimum use of information and communication technologies, the introduction of new technologies, and the investment in infrastructure and services. The ICTA Act seeks to establish and empower an agency focused primarily on the objectives of the main Act. However, the agency advances some form of a policy on data protection by including provisions on data gathering and assessment. This is a notable initiative and first step towards more comprehensive data protection legislation in the near future.

Furthermore, The Gambia is a signatory to the 2010 Economic Community of West African States (ECOWAS) Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS (the ECOWAS Act). The ECOWAS Act requires each ECOWAS Member State to establish a data protection authority that will be responsible for ensuring that personal data is processed in compliance with the provisions of the ECOWAS Act. However, The Gambia has yet to transpose the ECOWAS Act domestically and establish a data protection authority. Once the ECOWAS Act has been transposed and comes into force domestically, any entity that intends to collect and process the personal data of a private individual shall be required to make a formal request to the data protection authority.

1.2. Guidelines

The Gambia has yet to enforce the authority that issues data protection guidance. See the section on key acts, regulations, directives, bills above.

1.3. Case law

The Gambia is yet to deal with case law on data protection.

2. Scope of Application

2.1. Personal scope

The ICA applies to all information and communications services and systems as defined in the ICA, other than those specifically exempted under the ICA (Section 3(1) of the ICA).

Furthermore, the Draft Policy Strategy stipulates that it applies to:

• the processing of personal data in the private and public sectors, whether by automated or non-automated means and irrespective of the nationality or place of residence of the data subject;
• personal data or special categories of data about living individuals; and
• data processing undertaken within the jurisdiction of The Gambia.

2.2. Territorial scope

Not applicable.

2.3. Material scope

The ICA does not apply to information and communication equipment (particularly radio systems and information and communications terminal equipment) manufactured and used exclusively for national defence purposes (Section 3(2) of the ICA).

Furthermore, the Draft Policy Strategy stipulates that it does not apply to:

• the processing of personal data made for personal or household purposes; and
• data concerning deceased persons.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The ICTA Act provides for the establishment of The Gambia Information and Communication Technology Agency (GICTA), which is empowered to provide guidance on information technology audit services to the government and the establishment of an infrastructure for data and information sharing by the government and related stakeholders; implement policies to guide cloud service providers for cloud computing in the public sector especially where data on its citizens and government are kept; and design, deploy, and manage infrastructure, processes, systems, connectivity, and technology including the establishment of data centers, manages and operates them, and promotes their use for government, subject to regulatory guidelines and approval.

3.2. Main powers, duties and responsibilities

Under the Draft Policy Strategy, the supervisory authority would be empowered by a Data Protection Act (the Act) as an independent administrative body. Under the Act, the supervisory authority would be mandated to ensure the protection of the rights of the individuals and their personal data, determine the process by which data is processed, and ensure compliance with the provisions of the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) and Council of Europe Convention for the protection of individuals with regard to the processing of personal data (Convention 108+). Specifically, the supervisory authority would:

• have powers of investigation and intervention;
• perform the function of authorizing and approving standardized safeguards relating to transborder data flows;
• make determinations relating to violations of the Act and impose the necessary administrative sanctions;
• instigate legal proceedings;
• issue opinions and approve statutory codes of conduct or guidelines relating to the processing of personal data; and
• publishing reports of their activities.

Under the ICTA Act, the GICTA's powers include the commission of expert evaluations, conduct of studies, collection of data related to the e-government service delivery, and overall issuance of guidelines that are conducive to the achievement of its objectives and the discharge of its functions.

4. Key Definitions

Data controller: A person who electronically requests, collects, collates, processes, or stores personal information from or in respect of a data subject.

Data processor: A natural or legal person, public authority, service, agency, or any other body which processes personal data on behalf of the controller.

Personal data: Any information relating to an identified or identifiable person.

Sensitive data: The Draft Strategy Policy defines the following categories of data as 'special categories of data,' the processing of which is only to be allowed provided that appropriate additional safeguards are ensured:

• genetic data;
• personal data relating to offenses, criminal proceedings and convictions, and related security measures;
• biometric data uniquely identifying a person; and
• information revealing racial or ethnic origin, political opinions, trade union membership, religious or other beliefs, health, or sexual life.

Health data: No definition is provided under national legislation.

Biometric data: Service which uniquely identifies a person.

Pseudonymisation: No definition is provided under national legislation.

5. Legal Bases

5.1. Consent

Section 6.1 of the Draft Policy Strategy provides that the processing of personal data may be carried out based on the data subject's consent. Such consent must be freely given, specific, informed, and unambiguous.

5.2. Contract with the data subject

Section 6.2 of the Draft Policy Strategy provides that the processing of personal data may be carried out when necessary for the fulfillment of a contract with the data subject.

5.3. Legal obligations

Section 6.4 of the Draft Policy Strategy provides that the processing of personal data may be carried out.

5.4. Interests of the data subject

Section 6.3 of the Draft Policy Strategy provides that the processing of personal data may be carried out when necessary to protect the vital interests of the data subject or of another person.

5.5. Public interest

Section 6.5 of the Draft Policy Strategy provides that the processing of personal data may be carried out on the basis of grounds of public interest.

5.6. Legitimate interests of the data controller

Section 6.6 of the Draft Policy Strategy provides that the processing of personal data may be carried out to override the legitimate interests of the controller or a third party.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The Draft Policy Strategy outlines principles based on international best practices, taking into consideration the Malabo Convention and the Protocol amending the Convention 108+. In particular, the Draft Policy Strategy requires that personal data and special categories of data are processed fairly, lawfully, and transparently in a manner that is proportionate in relation to the legitimate purpose(s) pursued and reflects at all stages of the processing a fair balance between all interests concerned, whether public or private and the rights and freedoms of individuals at stake (Section 4 of the Draft Policy Strategy).

Furthermore, the Draft Strategy Policy outlines the following principles (Section 5 of the Draft Strategy Policy):

• fair, transparent, and lawful processing: Personal data must be processed fairly, transparently, and lawfully in accordance with the legal bases set out in the section on legal bases above.
• specific legitimate purpose and purpose limitation: Personal data must be processed for explicit, specified, and legitimate purposes, and the processing of that particular data must serve those purposes and shall not be incompatible with them. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes may be considered compatible with those purposes, subject to appropriate safeguards.
• data minimization: Personal data undergoing processing should be adequate, relevant, and not excessive in relation to the purposes for which they are processed. This requirement not only refers to the quantity but also to the quality of personal data.
• accuracy: Personal data undergoing processing should be accurate and, where necessary, kept up to date.
• storage limitation: Personal data undergoing processing should be preserved in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed. Personal data should be deleted once the purpose for which it was processed has been achieved, or should only be kept in a form that prevents any direct or indirect identification of the data subject.
• data security and security breach notification: The controller and, where applicable, the processor shall take appropriate security measures against risks such as accidental or unauthorized access to, destruction, loss, use, modification, or disclosure of personal data. The controller shall notify, without delay, at least the competent supervisory authority of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects.
• accountability: Controllers (and, where applicable, processors), shall take all appropriate measures to comply with the provisions set out in this policy and applicable data protection and privacy law, and be able to demonstrate that the data processing under their control complies with them.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable.

7.2. Data transfers

Section 9 of the Draft Strategy Policy outlines that it is essential to ensure that at least the same level of protection is afforded to personal data when transferring across borders that is foreseen and guaranteed within the jurisdiction of The Gambia. The cross-border transfer of personal data, therefore, may only take place where an appropriate level of protection is guaranteed.

According to Section 9.1 of the Draft Policy Strategy, an appropriate level of protection can, after a thorough assessment by the data controller, be secured by:

• the law of the receiving country or international organization, including the applicable international treaties or agreements; or
• ad hoc or approved standardized safeguards provided by legally binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing.

Notwithstanding the above, Section 9.2 of the Draft Policy Strategy foresees that the transfer of personal data may also take place if:

• the data subject has given explicit, specific, and free consent after being informed of risks arising in the absence of appropriate safeguards;
• the specific interests of the data subject require it in the particular case;
• in response to prevailing legitimate interest, in particular, an important public interest, if it is provided for by law and such transfer constitutes a necessary and proportionate measure in a democratic society; or
• it constitutes a necessary and proportionate measure in a democratic society for the freedom of expression.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

Section 5.6.2 of the Draft Policy Strategy would require controllers to notify, without delay, at least the competent supervisory authority of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects.

7.7. Data retention

Section 181(1) of the ICA requires that certain documents, records, or information be retained in the form of electronic records provided the following conditions are satisfied:

• the information contained in them remains accessible so as to be usable for subsequent reference;
• the electronic record is retained in the format in which it was originally generated, sent, or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent, or received;
• such information, if any, as enables the identification of the origin and destination of an electronic record, and the date and time when it was sent or received, is retained; and
• consent has been obtained from the department of the government, organ of state or statutory body, which has supervision over the requirement for retention of the records.

However, pursuant to Section 181(2) of the ICA, an obligation to retain documents, records, or information in accordance with Subsection 181(1)(c) of the ICA, as above, does not extend to any information necessarily and automatically generated solely for the purpose of enabling a record to be sent or received.

Furthermore, Section 181(3) of the ICA stipulates that a person using the services of any other person may satisfy the requirement referred to in Section 181(1) of the ICA if the conditions in Sections 181(1)(a) to 181(1)(d) of the ICA are met.

7.8. Children's data

Section 3.5 of the Draft Policy Strategy declares that it is an objective of the Draft Policy Strategy to ensure additional protections with regard to the processing of personal data about children in accordance with Article 10 of the African Charter on the Rights and Welfare of the Child. In addition, Section 12.5 of the Draft Policy Strategy provides that the supervisory authority to be established by the Act would be responsible for promoting awareness of controllers and processors and their legal obligations under the Act, especially in processing special category data such as that of children and other vulnerable individuals.

7.9. Special categories of personal data

Section 7 of the Draft Policy Strategy states that the processing of special categories of data (as defined in the section on key definitions above) may lead to encroachments on the interests, rights, and freedoms of individuals and therefore provides that the processing of special categories of data will only be allowed where appropriate safeguards that are complementing those that are enshrined in the Act are ensured.

The safeguards shall guard against risks that the processing of such data may present for the interests, rights, and freedoms of the data subject, notably the risk of discrimination.

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

8.1. Right to be informed

The Draft Policy Strategy stipulates that every individual shall have the right to:

• obtain, upon request, at reasonable intervals, and without excessive delay or expense, confirmation of the processing of personal data relating to them, the communication in an intelligible form of the data processed, all available information on their origin, on the preservation period, as well as any other information that the controller is required to provide in order to ensure the transparency of processing; and
• obtain, on request, knowledge of the reasoning underlying the processing of personal data about them.

8.2. Right to access

The Draft Policy Strategy stipulates that every individual shall have the right to obtain, upon request, at reasonable intervals and without excessive delay or expense, the communication in an intelligible form, of the data processed, all available information on their origin, on the preservation period, as well as any other information that the controller is required to provide in order to ensure the transparency of processing.

8.3. Right to rectification

The Draft Policy Strategy stipulates that every individual shall have the right to obtain, upon request, free of charge and without excessive delay, the rectification of such data processed contrary to the provisions of this policy and the proposed law.

8.4. Right to erasure

The Draft Policy Strategy stipulates that every individual shall have the right to obtain, upon request, free of charge and without excessive delay, the erasure of such data processed contrary to the provisions of this policy and the proposed law.

8.5. Right to object/opt-out

The Draft Policy Strategy stipulates that every individual shall have the right to object at any time to the processing of personal data concerning them unless the controller demonstrates legitimate grounds for the processing that override their interests or rights and fundamental freedoms.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

The Draft Policy Strategy stipulates that every individual shall have the right not to be subject to a decision significantly affecting them based solely on the automated processing of data without having their views taken into consideration. It should be noted that the right not to be subject to a decision significantly affecting individuals based solely on the automated processing of data without having their views taken into consideration does not apply if the decision is authorized by a law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests.

8.8. Other rights

The Draft Policy Strategy stipulates that every individual shall have the right to:

• obtain, upon request, free of charge, and without excessive delay, judicial and non-judicial remedies for violations of the law; and
• benefit, whatever their nationality or residence, from the assistance of the supervisory authority in exercising their rights.

9. Penalties

The Draft Strategy Policy does not stipulate penalties for non-compliance. However, Section 12.1 of the Draft Policy Strategy sets out that a key objective of the policy is to identify an independent and impartial national supervisory authority appropriately empowered to oversee, monitor, and enforce compliance and safeguarding of the data protection and privacy rights of individuals.

9.1 Enforcement decisions

Not applicable.