Law No. 2019-014 Relating to the Protection of Personal Data (‘the Law’) was published, on 29 October 2019, in the Official Gazette of the Togolese Republic. In particular, the purpose of the Law is to regulate the collection, processing, transmission, storage, and use of personal data in Togo. The Law seeks to ensure that data processing, in any form, protects the freedoms and fundamental rights of individuals. Moreover, the Law applies to natural persons, the State, local authorities, legal entities governed by public or private law, as well as to any automated or non-automated processing of data carried out in the territory of Togo or in any jurisdiction where Togolese law applies. In addition, the Law establishes the Togolese data protection authority (‘IPDCP’) which is provided with enforcement powers as an independent administrative body.
Furthermore, the Law includes several key principles which serve as the basis for the collection and processing of data. According to Article 14 of the Law, processing of personal data is considered legitimate if the person concerned gives his/her consent, unless processing is required, among other things, to fulfil a legal obligation, and to perform a contract to which the data subject is party or to perform pre-contractual measures taken at his/her request. Under Article 16 of the Law, data must be collected for specific, legitimate purposes. The data collected must be relevant, adequate and not excessive with regard to the purposes for which they are collected and processed. The Law also requires the retention period not to exceed the period necessary for the purposes for which they were collected or processed.
In addition, the Law contains certain provisions for the transfer of data to third countries. In particular, Article 28 of the Law provides that a controller cannot transfer personal data to a third country unless the recipient State ensures a sufficient level of protection of privacy, fundamental rights and freedoms in respect to the processing. Controllers must notify the IPDCP prior to transferring data to a third country by providing a reasoned opinion. Moreover, pursuant to Article 29 of the Law, controllers can transfer data to a non-complying third country if the transfer is timely, not excessive and the data subject concerned has expressly consented to it, or if the transfer is necessary for one of the conditions laid out in the article, such as to protect the life of the data subject. If the controller provides sufficient safeguards, the IPDCP may authorise the transfer to third countries that lack an adequate level of protection.
The Law also provides for the appointment of a data protection officer (‘DPO’) and the latter must be reported to the IPDCP. The tasks of a DPO include, among other things, informing and consulting the controller or processor on their obligations under the Law, and ensuring compliance with the same. Lastly, the Law includes penalties for failure to comply with security measures, illegal processing of sensitive data, unauthorised disclosure of data, and failure to respect the statutory period of data retention, which are punishable by a term of imprisonment of one year to five years and/or a fine of XAF 1 million (approx. €1,525) to XAF 10 million (approx. €15,245), while misuses as to the purposes of collection and processing are punishable by a term of imprisonment of one year to five years and/or a fine of XAF 5 million (approx. €7,622) to XAF 25 million (approx. €38,112).
PETRA MOLNAR Privacy Analyst