Similar to other ECOWAS member states such as Senegal, Burkina Faso, Cape Verde and Mali, Côte d’Ivoire has implemented a personal data protection legal framework in line with the ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection (2010).
In Côte d’Ivoire, personal information processing is governed by Law No. 2013-450. This law establishes rules relating to the protection of individuals with regard to the processing of their personal data and the rules relating to the circulation of such data.
The law is accompanied by Decree No. 2015-79, which establishes the procedures for filing declarations, submitting applications, and granting and withdrawing authorisations for the processing of personal data.
The term personal data refers to personal information of any kind that can be used to locate or identify a person, either directly or indirectly. Such information includes name, postal or geographical address, telephone number, national identity card or passport, email address, bank account references, fingerprints, biological data, and so on.
The data is regularly processed, notably in the event of commercial transactions or administrative paperwork during which this information is requested and voluntarily submitted or retrieved without prior authorisation from the person.
The term processing refers to any operation that aims to collect, use, store and transform data for a specific purpose. Processing includes automated processing as well as manual processing of data, as long as it falls within the scope of legally protected data.
According to Law No. 2013-450, there are four principal fundamentals governing personal data processing:
• The legality principle relating to Article 15 of the law, according to which processing must follow licit and loyal principles;
• The finality principle, related to the responsible collection of data to be processed for a pre-determined, explicit and legitimate purpose. The data collected must not be treated at a later date in a manner that is incompatible with the initial agreement;
• The proportionality principle results from Article 16 and 27 of the law: data must be adequate, relevant and non-excessive with regard to the finality for which they are collected and processed at a later date. Furthermore, file interconnection is unauthorised unless it presents a “legitimate interest”, under the condition of the “relevance principle” of data sets subject to interconnection; and
• The legitimacy principle, mentioned in Article 14 and according to which the person in question must have expressed their consent prior to data processing. Compliance to these principles is ensured by the Telecommunications/ICT Regulatory Authority of Côte d’Ivoire (Autorité de Régulation des Télé communications/TIC de Côte d’Ivoire, ARTCI), an independent administrative authority responsible for ensuring the processing of personal data is implemented in accordance with the legal provisions.
As part of its mission, ARTCI carries out an information campaign to raise public awareness on the obligations of data controllers, as well as the rights of those who have communicated their information to other parties. Specifically, the public has the right to be informed, to access the data, to oppose data processing and to rectify the data provided.
ARTCI has the power to pronounce the following measures against those who contravene the legal requirement of the pursuant law:
• Temporary or definitive withdrawal of the authorisation to process personal data; and/or
• A financial penalty, the amount of which is proportional to the seriousness of the breaches committed.
The amount can not exceed CFA10m (€15,000).