Data Protection in Angola — Lei 22/11
Angola’s data protection framework is governed by Lei 22/11 (Lei de Protecção de Dados Pessoais), enacted in June 2011. The law establishes rules for the collection, processing, storage, and transfer of personal data, drawing on principles similar to the EU’s data protection framework.
Scope and Application
Lei 22/11 applies to:
- All natural and legal persons that process personal data in Angola
- Data processing activities conducted by Angolan entities abroad
- Foreign entities processing data of Angolan residents
The law covers both automated and manual processing of personal data, including data held by financial institutions, telecommunications companies, healthcare providers, and government agencies.
Key Principles
| Principle | Description |
|---|---|
| Lawfulness | Data must be collected and processed lawfully with a valid legal basis |
| Purpose Limitation | Data may only be used for the specific purposes for which it was collected |
| Data Minimization | Only data necessary for the stated purpose may be collected |
| Accuracy | Data controllers must ensure personal data is accurate and up to date |
| Storage Limitation | Data must not be retained longer than necessary |
| Security | Appropriate technical and organizational measures must protect personal data |
| Transparency | Data subjects must be informed about how their data is processed |
Data Subject Rights
Individuals have the right to:
- Access their personal data held by any controller
- Request correction of inaccurate data
- Object to data processing in certain circumstances
- Request deletion of data that is no longer necessary
- Be informed of any data breaches affecting their personal information
APD — Data Protection Authority
The Agência de Protecção de Dados (APD) is the supervisory authority responsible for enforcing Lei 22/11. The APD has the power to conduct investigations, issue orders to data controllers, and impose administrative fines for non-compliance.
Data controllers must register their data processing activities with the APD before commencing operations. Cross-border data transfers require prior APD authorization unless the receiving country provides an adequate level of data protection.
Implications for Financial Services
Financial institutions, including banks, brokers, and CMC-licensed entities, must comply with Lei 22/11 in addition to sector-specific data requirements imposed by the BNA and CMC. Key obligations include:
- Obtaining explicit consent for marketing communications
- Implementing data breach notification procedures
- Ensuring secure storage of KYC documentation
- Restricting cross-border transfers of client financial data
GDPR Alignment
While Lei 22/11 predates the EU’s General Data Protection Regulation, it shares several foundational principles. However, Angola’s framework lacks some GDPR provisions, including the right to data portability and the requirement for data protection officers. Ongoing regulatory reform may bring further alignment with international standards.