Data Protection Act 2012 Ghana

Overview

Ghana’s Data Protection Act, 2012 regulates the processing of personal data to safeguard the privacy of individuals. It establishes the Data Protection Commission to oversee data processing activities and sets out responsibilities for entities that collect, hold, and process personal information. The law outlines principles for lawful processing, rights of individuals, and obligations for businesses. It applies to both domestic and foreign entities processing data in Ghana and includes enforcement mechanisms, penalties, and exemptions for certain activities.

Regulation Summary

Timeline
  • May 10, 2012: Law enacted.
  • May 18, 2012: Law published in the Gazette.
  • Three-month compliance window: Existing data controllers were required to register within three months of the Act’s commencement.
What Businesses Are Affected
  • All organizations processing personal data in Ghana, including public and private entities.
  • Foreign businesses processing data of Ghanaian residents, provided they operate within Ghana or use local data processing infrastructure.
  • Entities handling sensitive data, such as biometric, health, financial, or criminal records.
Exemptions
  • Personal data processing for exclusively personal or household purposes.
  • Government agencies processing data for national security, law enforcement, taxation, or crime prevention.
  • Journalistic, literary, artistic, or academic research where ethical guidelines are followed.
Responsibilities for Businesses
  • Lawful Processing: Data collection must have a legal basis such as consent, contractual necessity, or legal obligation.
  • Purpose Limitation: Data must only be used for the purpose it was collected.
  • Data Security: Organizations must implement technical and organizational measures to prevent data breaches.
  • Accountability: Data controllers must maintain compliance records and appoint responsible officers where required.
Specific Responsibilities for Website Owners
  • Cookie Consent: Websites must obtain consent before storing non-essential cookies.
  • Privacy Notice: A clear and accessible privacy policy must be provided.
  • User Rights Portal: Websites should offer an interface for users to exercise their data rights.
  • Secure Data Transmission: Websites must encrypt personal data collected via forms.
Additional Requirements
  • Cross-Border Data Transfers: Allowed only if the receiving country provides an adequate level of protection or specific safeguards are implemented.
  • Data Protection Officer (DPO): Required for entities involved in large-scale or sensitive data processing.
  • Impact Assessments: Mandatory for high-risk processing activities, including profiling and credit reporting.
Data Subject Rights
  • Access: Individuals can request copies of their personal data.
  • Rectification: Right to correct inaccurate or incomplete data.
  • Erasure: Right to request deletion of personal data under certain conditions.
  • Portability: Right to obtain and transfer data in a structured format.
  • Objection: Right to refuse data processing for direct marketing or other purposes.
  • Restriction: Right to limit processing in specific circumstances.

Enforcement
  • Regulatory Body: The Data Protection Commission (DPC) oversees enforcement.
  • Fines: Penalties range from up to 250 penalty units (~$4,000 USD) for minor violations to up to 5,000 penalty units (~$80,000 USD) for severe violations.
  • Sanctions: In severe cases, businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment for up to 10 years.