Law No. 2014-038 on the Protection of Personal Data Madagascar

Regulation Summary

December 16, 2014: Law adopted by the National Assembly.
January 9, 2015: Law promulgated by the President.
June 9, 2015: Official publication in the Official Gazette.
December 6, 2023: Decree No. 2023-1541 issued, defining CMIL's attributions and functioning.
June 21, 2024: Madagascar ratifies the Malabo Convention on Cyber Security and Personal Data Protection.

All organizations processing personal data in Madagascar, including both public and private entities.
Foreign businesses processing data of Malagasy residents, if they operate within Madagascar or use local infrastructure.
Entities handling sensitive data such as biometric, health, financial, or government-related information.

Personal or household use of personal data.
Government agencies processing data for national security, taxation, or law enforcement purposes.
Data processing for journalistic, artistic, or academic research purposes, provided it adheres to legal safeguards.

Lawful Processing: Businesses must obtain consent or rely on a valid legal basis for processing personal data.
Purpose Limitation: Data may only be collected and processed for a specific, legitimate purpose.
Data Security: Organizations must implement safeguards to prevent unauthorized access, leaks, or breaches.
Accountability: Businesses must document data processing activities, designate responsible personnel when required, and notify CMIL in the event of a data breach.

Cookie Consent: Websites must obtain user consent for non-essential cookies and tracking technologies.
Privacy Notice: Websites must provide a transparent and accessible privacy policy.
User Rights Portal: Individuals should be able to submit and manage data access, correction, and deletion requests.
Secure Data Transmission: Websites must ensure encryption and protective measures for handling personal data online.

Cross-Border Data Transfers: Permitted only if the recipient country ensures adequate protection, safeguards are applied, explicit consent is obtained, or CMIL approval is granted where required.
Data Protection Officer (DPO): Required for businesses engaging in large-scale or sensitive data processing.
Impact Assessments: Mandatory for businesses conducting high-risk data processing, including profiling and automated decision-making.
Sensitive Data Handling: Processing of racial origin, political opinions, religious beliefs, union membership, genetic and biometric data, health, and sexual life is prohibited unless specific legal exceptions apply.

Access: Individuals can request copies of their personal data.
Rectification: Right to correct inaccurate or incomplete data.
Erasure: Right to request deletion of personal data under certain conditions.
Portability: Right to obtain and transfer personal data.
Objection: Right to refuse processing for marketing or automated decision-making.
Restriction: Right to request limitations on data processing in specific cases.

Regulatory Body: The Commission Malagasy de l’Informatique et des Libertés (CMIL) oversees compliance and enforcement, though its operationalization has been delayed. Recent initiatives, including international support, aim to make CMIL fully functional.
Fines: Violations can result in fines ranging from 200,000 to 10,000,000 Ariary (~$50 to $2,500 USD) for minor infractions and up to 8,000,000 Ariary (~$2,000 USD) for more serious offenses.
Sanctions: Businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment for severe breaches.