Law No. 025/2023 Gabon

Overview

Gabon’s Personal Data Protection Law, Loi No. 025/2023, establishes a legal framework for collecting, processing, storing, and transferring personal data within the country. It applies to public and private entities processing personal data and introduces principles to protect individual privacy, including specific measures for children’s data. The law mandates compliance with rigorous data protection standards, imposes penalties for violations, and establishes the Autorité pour la Protection des Données Personnelles et de la Vie Privée (APDPVP) as the supervisory authority.

 

Regulation Summary

Timeline
  • July 9, 2023: adopted.
  • July 15, 2023: published in the Official Journal.
  • Implementation Date: The law took effect upon publication, with transition periods for compliance to be determined by regulatory guidelines.
What Businesses Are Affected
  • All organizations processing personal data in Gabon, including both public and private entities.
  • Foreign businesses processing Gabonese residents’ data or using local data processing infrastructure.
  • Entities handling sensitive data such as biometric, health, and financial information.
Exemptions
  • Personal data processing for exclusively personal or household purposes.
  • Processing by government authorities for national security, defense, or public safety.
  • Media, journalistic, artistic, or academic research conducted under ethical guidelines.
Responsibilities for Businesses
  • Lawful Processing: Data must be collected with consent or another legal basis.
  • Purpose Limitation: Data must only be used for its specified purpose.
  • Data Security: Businesses must implement measures to prevent unauthorized access, loss, or alteration.
  • Accountability: Organizations must document their data processing activities and designate responsible officers.
Specific Responsibilities for Website Owners
  • Cookie Consent: Websites must obtain user consent for non-essential cookies.
  • Privacy Notice: A clear privacy policy must be accessible to users.
  • User Rights Portal: Websites should provide an interface for individuals to exercise their data rights.
  • Secure Data Transmission: Personal data collected online must be encrypted.
Additional Requirements
  • Cross-Border Data Transfers: Allowed only if the receiving country ensures an adequate level of protection or appropriate safeguards.
  • Data Protection Officer (DPO): Mandatory for organizations engaged in large-scale or sensitive data processing.
  • Impact Assessments: Required for high-risk data processing activities, including profiling and automated decision-making.
Data Subject Rights
  • Access: Individuals can request copies of their personal data.
  • Rectification: Right to correct inaccurate or incomplete data.
  • Erasure: Right to request deletion of personal data under specific conditions.
  • Portability: Right to obtain and transfer personal data.
  • Objection: Right to refuse data processing for marketing or other purposes.
  • Restriction: Right to limit processing under certain circumstances.
Enforcement
  • Regulatory Body: The Authority for the Protection of Personal Data and Privacy (APDPVP) oversees enforcement.
  • Fines: Penalties range from 1 million to 100 million CFA francs (~$1,650 to $165,000 USD), with additional fines up to 10 million CFA francs (~$16,500 USD) for severe violations.
  • Sanctions: In severe cases, businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment.