Page 1

Draft Bill on the Protection of Personal Data

Version
Final

PRELIMINARY LEADING PROJECTPERSONAL DATA PROTECTION

REPUBLIC OF ANGOLA
NATIONAL ASSEMBLY

LAW No. _____ / 2011
from _____ to _______

The protection of personal data, confidentiality and
reserve of private life assumes a fundamental relevance in the
context of safeguarding the fundamental rights of citizens,
recognized by the Universal Declaration of Human Rights and
the African Charter on Human and Peoples' Rights.

The consecration, in the Constitution of the Republic of Angola, of the
the reserve of private life and the possibility of recourse to
providence “ habeas data” clearly represents a
major step forward in adopting a legislative framework in this area.

The right to privacy is also reflected in respect for the
reserve of the private life of citizens in the face of the treatment of
personal data concerning them. Even though
treatment has a relevant role in improving the well-being
V-IV

www.mtti.gov.ao

Page 1

Page 2

Draft Bill on the Protection of Personal Data

Version
Final

for citizens and for economic progress in a context
dynamisation and development of a greater variety
services, namely in the scope of technologies and
information society, care must be taken to ensure that it is
carried out in a context of respect for your privacy.

The National Assembly approves, by mandate of the people, under
of no. 2 of article 165 and of no. d) of no. 2 of article 166, both
of the Constitution of the Republic of Angola, the following:

LEIDA PROTECTION OF PERSONAL DATA
Original text
LEIDA PROTECÇÃODEDADOSPESSOAIS
CHAPTER I
Contribute a better translation

GENERAL PROVISIONS

Article 1
(Object)
The purpose of this law is to establish the legal rules
applicable to the processing of personal data for the purpose of
guarantee respect for public freedoms and the rights and
fundamental guarantees of natural persons.

Article 2
(Objective scope)
This law applies to the processing of personal data
carried out by fully or partially automated means, as well as

V-VI

www.mtti.gov.ao

Page 2

Page 3

Draft Bill on the Protection of Personal Data

Version
Final

as to the processing by non-automated means of data
personal files contained in or intended for manual files.

Article 3
(Scope of subjective and territorial application)
1. Data processing is subject to this law
personal data made by any person and entity in the
public, private or cooperative sector.
2. This law applies to the processing of personal data
carried out:
a) By the person responsible for the treatment based in the Republic
from Angola;
b) In the scope of the activities of the person responsible for
treatment established in the Republic of Angola, still
that the person responsible does not have his / her headquarters in
Angolan territory;
c) Outside the Republic of Angola, in a place where the legislation
Angola is applicable under international law
public or private;
d) By the controller who, not being
established in the Republic of Angola, resort, for the
processing of personal data, to means located in
Angolan territory.
3. For the purposes of paragraph d) of paragraph 2, it is considered that the
controller uses means located in
Angolan territory when the treatment operations of the
Personal data is carried out with, or personal data is

V-VI

www.mtti.gov.ao

Page 3

Page 4

Draft Bill on the Protection of Personal Data

Version
Final

housed in, facilities located in Angolan territory,
suffice, for the purposes of this law, the mere use of
such means for the collection, registration or transit of data
personal data in the territory of the Republic of Angola.
4. In the case of paragraph d) of paragraph 2, the controller
shall designate, by means of a communication to the
Data Protection, a representative established in the
Republic of Angola to replace it in all its
rights and obligations, without prejudice to their own
responsibility.

Article 4
(Exclusions)
1. This law does not apply to the processing of personal data
carried out by a natural person in the exercise of activities
exclusively personal or domestic.
2. Without prejudice to the provisions of special legislation, it is still
excluded from this law the processing of personal data in
following circumstances:
a) The processing of personal data under the rules
applicable to State secrecy and security, as well as
as to the secret of justice;
b) The processing of personal data of members of the Forces
Angolan armed forces by units, establishments and
military or other bodies under the supervision of the department
ministerial responsible for the Armed Forces.

V-VI

www.mtti.gov.ao

Page 4

Page 5

Draft Bill on the Protection of Personal Data

Version
Final

Article 5
(Definitions)
For the purposes of this law, the following definitions apply:
a) Consent of the data subject : any manifestation
free, specific, explicit and informed will,
regardless of the medium, on which the data subject
authorizes its treatment;
b) Personal Data : any information, whatever your
nature or medium, including image and sound, relating to a
identified or identifiable natural person ( holder of
data ). An identifiable person is a person who can be
identified, directly or indirectly, namely by
reference to an identification number or combination of
specific elements of your physical, physiological identity,
psychic, economic, cultural or social;
c) Sensitive Data: personal data related to convictions
philosophical or political, party or union affiliation, faith
religious, private life, racial or ethnic origin, health and life
sexual, including genetic data;
d) Recipient : the natural or legal person, the competent authority
public authority or any other body to which they are
personal data are communicated, regardless of whether it is
whether or not from a third party;
e) Personal data file ( file ): any set
structured set of personal data, regardless of their
form or modality of creation, organization, conservation and

V-VI

www.mtti.gov.ao

Page 5

Page 6

Draft Bill on the Protection of Personal Data

Version
Final

access to data, whether centralized, decentralized or
functionally or geographically distributed;
f) Publicly accessible sources : files that are intended
information to the public and are open to consultation
public or third party with a legitimate interest, and whose consultation
is not subject to restrictions except for the payment of an amount
affordable cash. Accessible sources are considered
publicly, without prejudice to other files that bring together the
requirements indicated, official diaries and bulletins, the means of
media, telephone guides under the terms of the
applicable legislation and lists of persons belonging to a Member
particular professional group and that contain only the
your name, title, profession, activity, academic degree and
address;
g) Data interconnection : form of data processing
which consists of the possibility of relationships between
data from a file with data from other file (s),
maintained by other responsible person (s) or by the same
responsible for other purposes;
h) Advertising messages : any form of communication
made by persons or entities from the public or private sector,
as part of a commercial, industrial, artisanal activity
or liberal, with the direct or indirect objective of promoting,
with a view to their sale or sale, any assets
services or to promote ideas, principles, initiatives or
institutions;

V-VI

www.mtti.gov.ao

Page 6

Page 7

Draft Bill on the Protection of Personal Data

Version
Final

i) Data controller : the natural or legal person,
public authority or any other body that,
individually or together with others, determine the
purposes and means of processing personal data.
Whenever the purposes and means of treatment are
determined by laws, regulations or administrative
others, the controller must be indicated in the
respective diploma;
j) Cooperative sector : cooperatives and entities of a nature
mutualist, as well as others indicated in its own legislation;
k) Private sector : natural and legal persons;
l) Public sector : the State, government bodies
public health, prevention, investigation and repression bodies
criminal and the courts;
m) Subcontractor : the natural or legal person, the authority
public authority or any other body that handles data
personal data on behalf of the data controller under
a contractual relationship established with him;
n) Third party : the natural or legal person, the public authority
or any other body which, not being the holder of the
data, the controller, the subcontractor or
another person under the direct authority of the person
treatment or subcontractor, has access to and is
empowered to process data;
o) Processing of personal data ( processing ): any operation
or set of operations carried out on personal data, with
or without autonomous means, such as the collection, registration,

V-VI

www.mtti.gov.ao

Page 7

Page 8

Draft Bill on the Protection of Personal Data

Version
Final

organization, conservation, adaptation or alteration,
retrieval, consultation, use, communication by
transmission, broadcasting or any other form of
availability, with comparison or interconnection, as well as
like blocking or destruction.

CHAPTER II
PROCESSING OF PERSONAL DATA

Section I
GENERAL PRINCIPLES

Article 6
(Principle of Transparency)
1. The processing of personal data must be carried out in a
transparent and in strict compliance with the principle of
privacy as well as rights, freedoms and
fundamental public guarantees provided for in the Constitution of
Republic of Angola and the present law.
2. For the purposes of the preceding paragraph, the data
In particular, personal data must be kept in such a way
allow the exercise of access rights to their holders,
information, rectification, cancellation and opposition,
as provided for in this law.

V-VI

www.mtti.gov.ao

Page 8

Page 9

Draft Bill on the Protection of Personal Data

Version
Final

Article 7
(Principle of lawfulness)
1. The processing of personal data must be carried out in
lawful and loyal manner, with respect for the principle of good faith.
2. The processing of personal data that leads to a
arbitrary and unlawful discrimination in relation to its owner is
considered contrary to the principle of good faith.

Article 8
(Principle of Proportionality)
Personal data subject to processing must be relevant,
adequate and not excessive in relation to the purposes
legitimized its collection and treatment.

Article 9
(Principle of Purpose)
1. Personal data must be collected and processed for
determined, explicit and legitimate purposes.
2. The processing of personal data for purposes is prohibited
distinct or incompatible with those that originated their
collection and treatment, unless:
a) The data subject has given his consent
express;
b) the treatment has historical or statistical purposes and the
data to be anonymized for this purpose;
c) The treatment has the objective of preventing,
criminal investigation and prosecution, or security

V-VI

www.mtti.gov.ao

Page 9

Page 10

Draft Bill on the Protection of Personal Data

Version
Final

national level, under the terms allowed by specific legislation,
provided that the rights, freedoms and
guarantees of the data subjects.

Article 10
(Principle of Veracity)
1. Personal data subject to processing must be accurate.
2. Appropriate measures must be taken to ensure that
that the data is totally or partially inaccurate or
incomplete documents are erased or rectified, so that
correspond to the current and concrete situation of the holder.

Article 11
(Principle of the duration of the conservation period)
1. Personal data must be kept in such a way that
allow the identification of its holders only during the
necessary period for the pursuit of the objectives that
originated its collection or treatment, and must be
subsequently deleted or made anonymous.
2. The preservation of personal data for historical purposes,
statistical, criminal investigation and national security
may be authorized by the Data Protection Agency by
superior period upon request of the person in charge
for treatment.

V-VI

www.mtti.gov.ao

Page 10

Page 11

Draft Bill on the Protection of Personal Data

Version
Final

SECTION II
REQUIREMENTS FOR THE PROCESSING OF PERSONAL DATA

Article 12
(General requirements for the processing of personal data)
1. Unless otherwise provided by law, the processing of data
personal checks can only be carried out if the following
circumstances:
a) Unequivocal and express consent from the holder; and
b) Notification to the Data Protection Agency.
2. Without prejudice to the provisions of article 25, the consent of the
data holder is not necessary when processing is carried out.
required to:
a) Execution of contracts or contracts in which the holder of the
data is part of or due diligence prior to the formation of the
contract or business declaration made at your request;
b) Compliance with the legal obligation to which the responsible
treatment is subject;
c) Protection of vital interests of the data subject, if
he is physically or legally unable to give his
consent;
d) Execution of a mission of public interest or in the
exercise of public authority in which the
controller or a third party to whom the data
data are communicated;
e) Pursuit of legitimate interests of the person responsible for
processing or third party to whom the data are

V-VI

www.mtti.gov.ao

Page 11

Page 12

Draft Bill on the Protection of Personal Data

communicated, provided that the
interests or rights, freedoms and guarantees of the holder
of the data.

Article 13
(Specific requirements for the processing of sensitive data)

Version
Final

1. Unless otherwise specified, data processing
personal checks can only be carried out if the following
circumstances:
a) Legal provision that allows such treatment; or
b) Authorization from the Data Protection Agency, which only
can be granted verified at least one of the
following conditions:
i. Data processing must be carried out with the
unequivocal, express and written consent of the
its holder;
ii. Data processing must be carried out with the
unequivocal and express consent of the holder by
foundation, association or non-profit organizations
profitable political, philosophical, religious or
union, within the scope of its legitimate activities,
provided that the treatment concerns only those
members of that body or to persons with
they maintain periodic contacts linked to their
purposes, and that data is not communicated to
third parties without unambiguous consent and
of its holders;

V-VI

www.mtti.gov.ao

Page 12

Page 13

Draft Bill on the Protection of Personal Data

Version
Final

iii. Need to protect the holder's vital interests
of the data or of or of another person and the holder
data is physically or legally incapable of
give your consent;
iv. The data concerned is manifestly made
by its holder, provided that it is possible to
legitimately deduct from their statements the
consent for their treatment;
v. Data processing is necessary for the declaration,
exercise or defense of a right in process
judicial procedure and is carried out exclusively with that
goal;
saw. The processing of the data is, for reasons of
public interest, indispensable to the exercise of
legal or statutory attributions of the responsible person,
including for the exercise of the activities of
investigation by the judicial, police and
administrative activities within the scope of its competences.
2. The processing of sensitive data that arises from disposal
must be notified to the Data Protection Agency.
3. The processing of sensitive data must be carried out with
guarantees of non-discrimination and by adopting the
special security measures.

V-VI

www.mtti.gov.ao

Page 13

Page 14

Draft Bill on the Protection of Personal Data

Version
Final

Article 14
(Specific requirements for the processing of sensitive data from
health and sex life)
1. Without prejudice to the provisions of the previous article and to legislation
in particular, the processing of personal data relating to health
and sexual life, including genetic data, which are
considered to be sensitive data, can only be carried out
the following circumstances are verified:
a) Unequivocal, express and written consent from your
holder; and
b) Authorization by the Data Protection Agency.
2. The treatment of the data indicated in the previous number is
allowed without the consent of the data subject,
when necessary for the purpose of preventive medicine,
medical diagnosis, medical care,
management and statistics of health services or when
dealing with a medical emergency or justified by
public interest.
3. The processing of health and sexual life data should be
carried out by a health professional obliged to comply
the duty of professional secrecy or by another person who, under the
management, is also subject to secrecy
professional.

V-VI

www.mtti.gov.ao

Page 14

Page 15

Draft Bill on the Protection of Personal Data

Version
Final

Article 15
(Specific requirements for the processing of data relating to
illegal activities, crimes and misdemeanors)
1. The processing of personal data relating to persons
suspected illegal activities, criminal offenses,
misdemeanors and the application of penalties,
security, fines and ancillary sanctions, which are
considered to be sensitive data, can only be carried out
the following circumstances are verified:
a) Legal provision that allows such treatment for
authorities with specific competence, respecting
procedural and data protection standards
provided for by law and with the prior opinion of the
Data Protection; or
b) Authorization from the Data Protection Agency, which only
be granted when such treatment is necessary
the execution of legitimate purposes of its responsible and
data protection and data protection standards are observed.
information security.
2. Without prejudice to the provisions of specific legislation, the
processing of personal data for research purposes
police should be limited to what is necessary for the fulfillment of
purposes of general and special prevention or repression of
determined offense, under the terms of the present law and
special legislation.

V-VI

www.mtti.gov.ao

Page 15

Page 16

Draft Bill on the Protection of Personal Data

Version
Final

Article 16
(Specific requirements for the processing of credit data and
solvency)
1. Without prejudice to paragraph 2, the processing of data
personal information relating to credit and solvency can only be
the following circumstances have been verified, unless the
information is obtained from publicly accessible sources at
respect of their conditions of consultation and use:
a) Unequivocal and express consent from the holder of the
Dice; and
b) Authorization by the Data Protection Agency.
2. The processing of credit and solvency data relating to
compliance with and non-compliance with credit obligations
responsible is subject to:
a) Notification to the holder that his data is included in the
the debtor's file of the person in charge, and such
notification be made within a period of 60 (sixty) days
after inserting the data in such files;
b) Authorization by the Data Protection Agency.

Article 17
(Specific requirements for data processing in systems
video surveillance and other means of electronic control)
1. The processing of personal data in connection with the installation of
video surveillance systems and other forms of capture,
treatment and diffusion of sounds and images that allow
identify people, including surveillance systems

V-VI

www.mtti.gov.ao

Page 16

Page 17

Draft Bill on the Protection of Personal Data

Version
Final

electronic road network, is subject to the provisions of
13th.
2. The controller must make available, in the
locations with video surveillance systems, information on
their existence, the capture of sound and image and
the name of the person responsible for processing the data,
address, phone number and email.
3. The rules applicable to the installation of
video surveillance and the processing of data collected in this
scope will be contained in special legislation.

Article 18
(Specific requirements for the processing of data for the purpose of
advertising by post)
1. The processing of personal data for the purpose of sending
advertising messages addressed to the home, for example
by post or by direct distribution, is permitted upon
notification to the Data Protection Agency, except
when the recipient has expressly opposed the
processing and using your data for this purpose.
2. For the purposes of the provisions of the previous number, the
must have access to means that enable him to
refuse, free of charge, free of charge and
regardless of just cause, the sending of that
advertising for the future.
3. In case of opposition, the entities that promote the sending
advertising messages to the home by post or

V-VI

www.mtti.gov.ao

Page 17

Page 18

Draft Bill on the Protection of Personal Data

Version
Final

through direct distribution must maintain a list of holders
who expressed their opposition to the sending of such
posts.
4. The processing of data for the purposes provided for in paragraph 2
above does not require notification to the Data Protection Agency
Data or consent of the data subjects.
5. With a view to making the provisions of paragraph 2 more effective, the
Data Protection will support the establishment of lists of
holders who have expressed their opposition to the sending of
advertising messages.
6. The person responsible for the processing of personal data for
purposes of this article must inform the recipient:
a) About the origin of your personal data, in the case of
they originate from sources accessible to the
public;
b) That your data will be communicated to recipients
for advertising purposes, if the data subject has
consent, observing in this case the requirements
applicable to the communication of data contained in
21st;
c) About the identity of the controller,
advertising is not allowed by post or
direct distribution by hiding or concealing the
identity of the person on whose behalf the
Communication.

V-VI

www.mtti.gov.ao

Page 18

Page 19

Draft Bill on the Protection of Personal Data

Version
Final

Article 19
(Specific requirements for the processing of data for the purpose of
electronic advertising)
1. The processing of personal data for the purpose of sending
advertising messages addressed by media
electronic devices, namely by means of electronic
automatic calling, facsimile machines or by mail
is subject to the following requirements:
a) Unequivocal and express consent of the recipient of
such messages; and
b) Notification to the Data Protection Agency.
2. The processing of personal data for the purposes provided for in
previous paragraph may be made without the consent
the data subject in the following circumstances:
a) When the messages are sent to the holder of the
data as a representative, worker or
collaborator of a legal person;
b) When messages are sent by the
Public Administration through the governance system
electronic information of the Angolan Executive;
c) When messages are sent to people
individuals with whom the product supplier or the
service provider has previously entered into
transactions, if the one has been explicitly offered
the possibility of refusing it at the time of the transaction
carried out and if it does not imply expenditure for the recipient
additional to the cost of the telecommunications service.

V-VI

www.mtti.gov.ao

Page 19

Page 20

Draft Bill on the Protection of Personal Data

Version
Final

7. In the case provided for in the preceding paragraph, the data subject
has the right to object to its treatment for the purposes
contained in this article.
8. For the purposes of the preceding paragraph, the holder
must have access to means that enable him to
refuse, free of charge, free of charge and
regardless of just cause, the sending of that
advertising for the future.
9. In case of opposition, the entities that promote the sending
of advertising messages should maintain a list
updated by you or by bodies representing them,
of holders who have expressed their opposition to the sending of
such messages.
10. The processing of data for the purposes provided for in paragraph 2
above does not require notification to the Data Protection Agency
Data or consent of the data subjects.
11. With a view to making the provisions of paragraph 2 more effective, the
Data Protection will support the establishment of lists of
holders who have expressed their opposition to the sending of
advertising messages.
12. The person responsible for the processing of personal data for
purposes of this article must inform the recipient:
a) About the origin of your personal data, in the case of
they originate from sources accessible to the
public;
b) That your data will be communicated to recipients
for direct marketing purposes or used on behalf of

V-VI

www.mtti.gov.ao

Page 20

Page 21

Draft Bill on the Protection of Personal Data

Version
Final

third parties, if the data subject has consented,
observing in that case the requirements applicable to the
communication of data contained in article 21;
c) About the identity of the controller,
advertising is prohibited, concealing or
concealing the identity of the person on whose behalf
communication takes place.

Article 20
(Specific requirements for recording calls)
1. Call recording is supported when performed on the
within the scope of lawful commercial practices, for the purpose of
commercial transaction, provided that:
a) The data subject has previously given his / her
express and unambiguous consent to recording,
it should start with the registration of consent;
b) The Data Protection Agency has authorized such
treatment.
2. Except for the need for the consent of the holder of the
data and prior authorization from the Data Protection Agency
Data, recordings of communications to and from services
services designed to provide emergency situations of
any nature.
3. In the case foreseen in the previous number, the treatment of
data is subject to prior notification to the
Data Protection.

V-VI

www.mtti.gov.ao

Page 21

Page 22

Draft Bill on the Protection of Personal Data

Version
Final

SECTION III
COMMUNICATION AND INTERCONNECTION OF PERSONAL DATA

Article 21
(Data communication)
The communication of personal data by the person responsible to a
recipient is subject to the following rules:
a) If personal data is communicated to the recipient for
purposes of pursuing its own purposes, the
recipient will also be held responsible for the
treatment thereof, and must comply with the provisions
applicable to it;
b) If personal data is communicated to the recipient for
purposes of pursuing the purposes of the person responsible
communicates the data, treating the recipient the data in
name and on behalf of the person responsible, the recipient is
considered a subcontractor and must comply with the
legal provisions that apply to it;
c) If personal data is communicated to the recipient, it is not
none of the conditions in the points
previous nor is it under the direct authority of the
responsible for processing or subcontracting, the
recipient will be considered a third party.

V-VI

www.mtti.gov.ao

Page 22

Page 23

Draft Bill on the Protection of Personal Data

Article 22
(Communication of data to the controller or to
third)
1. The communication of data to a recipient who is also
controller or who is a third party only
the following circumstances can be carried out:
a) Unequivocal and express consent from the holder of the
Dice; and
b) Notification to the Data Protection Agency.
2. The communication of data is not subject to the prior
consent of the holder when:
a) The communication arises from a law or a judicial decision;
b) the data has been collected from accessible sources
publicly respecting their conditions of
consultation and use, applicable to such sources;
c) Data communication is necessary for the execution
contract or contracts in which the data subject is
part or due diligence prior to the formation of the contract or
business declaration made at your request;

Version
Final

d) Data communication is necessary for the
compliance with a legal obligation that the person responsible for
processing that transmits the data or the recipient
subject, as is the case if the communication has
purpose of carrying out the activities assigned to the
Courts (including the Court of Cons), the Ministry of
Public Prosecutor, the Ombudsman and the defense and
security of the Angolan State;

V-VI

www.mtti.gov.ao

Page 23

Page 24

Draft Bill on the Protection of Personal Data

Version
Final

e) The conditions that legitimize the treatment are verified
personal data without the consent of the holder in
terms of articles 12 to 20 of this law.
3. The communication of credit and solvency data between
banking institutions and judicial and tax authorities
criminal investigation and investigation can be done without the prior
consent of the data subject, with authorization
prior approval of the Data Protection Agency.

Article 23
(Communication of data to subcontractors)
1. Communication of data to a subcontractor can only be
the following circumstances are verified:
a) Conclusion of contract or other document with value
reduced to writing, the content of which establishes the
obligation of the subcontractor to comply with the
this law and act in accordance with the instructions of the
responsible for the treatment; and
b) Notification to the Data Protection Agency.
2. Unless the controller instructs the
subcontracted to the contrary, it is subject to the following
obligations:
a) Obligation not to communicate personal data to others
recipients;
b) Obligation to comply with security measures and levels
established in this law;

V-VI

www.mtti.gov.ao

Page 24

Page 25

Draft Bill on the Protection of Personal Data

Version
Final

c) Obligation to destroy personal data or to return it
them to the controller after the relationship ends
contractual.
3. The subcontractor cannot process personal data for
own purposes, nor can you communicate them to others
recipients in disregard of the preceding paragraph, under penalty of
of, if I do, be held responsible for the
treatment.
4. The provisions of this article are applicable to any
processing of personal data carried out by a subcontractor.

Article 24
(Interconnection of personal data)
1. The interconnection of personal data can only be carried out
with authorization from the Data Protection Agency,
unless it is provided for in a legal provision.
2. The Data Protection Agency only authorizes interconnection
data if the interconnection:
a) It is adequate for the pursuit of legal purposes or
statutory and legitimate interests of those responsible
for treatment;
b) It does not imply discrimination, injury or reduction of
fundamental rights, freedoms and guarantees of
data holders; and
c) It is surrounded by adequate measures and levels of
safety.

V-VI

www.mtti.gov.ao

Page 25

Page 26

Draft Bill on the Protection of Personal Data

Version
Final

SECTION IV
RIGHTS OF DATA HOLDERS

Article 25
(Right to information)
1. Without prejudice to the provisions of other articles of this law,
the controller must make available to the
data subjects at least the following information:
a) The identity and address of the controller;
b) The purposes of the processing and the creation of a file
for that purpose;
c) The recipients or categories of recipients of the
Dice;
d) The mandatory or optional nature of the response, as well as
as the possible consequences of not responding;
e) The existence and conditions of the right of access and
rectification, updating, elimination and opposition;
f) The consequences of collecting data without the
consent of the holder;
g) Other information necessary to guarantee the
lawful processing of such personal data.
2. When personal data is collected directly
the data subject, the information must be provided in the
time of collection, unless it has already been provided in
previous moment.
3. If personal data is not collected directly
the data subject, the controller should

V-VI

www.mtti.gov.ao

Page 26

Page 27

Draft Bill on the Protection of Personal Data

Version
Final

provide you with the information referred to at the time of registration
data or no later than 30 (thirty) days after
its collection, unless it is already known about it.
4. Information must be provided in a clear, accurate and
particular when it is addressed to
minors and people with special needs.
5. The obligation to provide information may be waived by
legal provision or resolution of the Data Protection Agency
Data, in the following cases:
a) For reasons of State security and prevention or
criminal investigation;
b) When the provision of information to the data subject
proves impossible or implies efforts
disproportionate, in particular in the case of
data processing for statistical purposes,
historical or scientific research; or
c) When the law expressly determines the registration of
data or their dissemination.
6. The information obligation, under the terms of the previous number,
does not apply to the processing of data carried out for
exclusively journalistic or artistic expression or
literary.
7. In the case of data collection on open networks, it is considered
the right of information is provided through the publication and
availability of privacy policies that are of
easy access and include:
a) The information described in paragraph 1 of this article; and

V-VI

www.mtti.gov.ao

Page 27

Page 28

Draft Bill on the Protection of Personal Data

Version
Final

b) Information that your personal data can be
circulate in the network without security conditions, running
risk of being seen and used by third parties is not
authorized.

Article 26
(Right of access)
1. The data subject has the right to obtain from the data controller
for the treatment, freely, without restrictions, delays or
excessive costs, information on whether or not they are treated
data concerning you, the purposes of this
treatment, the categories of data concerned and the
recipients or categories of recipients to whom they are
communicated the data.
2. The controller must also communicate to the controller
the specific data subject to processing, as well as the
as any information available about the source
of that data.
3. Without prejudice to the provisions of specific legislation,
processing of personal data relating to the security of the
State, criminal prevention or investigation and secrecy
of justice, the right of access is exercised through the Agency
Data Protection.
4. In the processing of personal data carried out for
exclusively journalistic, the right of access is exercised
through the Data Protection Agency with safeguard
applicable constitutional rules, namely those

V-VI

www.mtti.gov.ao

Page 28

Page 29

Draft Bill on the Protection of Personal Data

Version
Final

that guarantee freedom of expression and freedom of
press.
5. In the cases provided for in paragraphs 3 and 4, if access to data by
holder may jeopardize the security of the State, the
prevention or criminal investigation, the secret of justice
or even freedom of expression and freedom of
press, the Data Protection Agency confines itself to
inform the data owner of the steps taken.
6. The law may restrict the right of access to verified
following circumstances:
(a) the data are not used to take action or
decisions with respect to determined people, but
exclusively for the purpose of scientific research or
kept in the form of personal data for a period of
period that does not exceed what is necessary for the purpose
exclusive to compile statistics; and
b) There is no danger of violation of rights,
fundamental freedoms and guarantees of the data subject
personal rights, namely the right to private life.
7. The data subject's right of access to information about
health and sex life data, including data
genetic factors, is exercised through a chosen doctor
by the data subject or his legitimate representative.

Article 27
(Right of opposition)
The data subject has the right to:

V-VI

www.mtti.gov.ao

Page 29

Page 30

Draft Bill on the Protection of Personal Data

Version
Final

a) Unless otherwise provided by law, and at least in
situations referred to in paragraphs d) and e) of paragraph 2 of article
12, to oppose at any time the data that tell you
respect are treated when there are reasonable reasons
legitimate and legitimate questions related to your situation
particular, in which case the responsible person shall exclude
processing such data;
b) Oppose the processing of your data in other
circumstances provided for in this law and other legislation
specific.

Article 28
(Right to rectify, update and delete)
1. The holder of personal data is guaranteed the rights to
rectification, updating or deletion of your data
whose treatment does not comply with the provisions of
this law, namely due to the incomplete nature
or inaccurate of that data.
2. The controller is obliged, under the terms of the
this law and special legislation, to ensure the right to
rectification, updating and deletion of data in a
60 (sixty) working days.
3. If the data subject to rectification, updating or
disposal have been previously communicated to
recipient, the controller is obliged to
notify such rectification, update or deletion,

V-VI

www.mtti.gov.ao

Page 30

Page 31

Draft Bill on the Protection of Personal Data

Version
Final

unless this is proven to be impossible, and the
recipient to act accordingly.
4. In the case provided for in paragraph 3 above, the addressee who
the data for their own purposes or for the purposes of a
third party may not proceed with the deletion of the data,
in this case, the recipient must inform the holder of the
data on this situation and confirm that it also intends to
rectify, update or delete your data from files
related.
5. The controller should however block and / or
keep personal data in the following cases:
a) Legal provision or order of competent authority
that compels the controller to block
and / or retain data for a specified period of time
time;
b) If the blocking and / or retention of data is
necessary for the pursuit of a legitimate interest in the
responsible for the treatment, namely for the
exercise of a right or for the fulfillment of
legal obligations;
c) If the data are being used for the purposes of
criminal investigation;
d) If the data are data relating to credit and
solvency, while the creditworthiness of the holder
is not regularized.

V-VI

www.mtti.gov.ao

Page 31

Page 32

Draft Bill on the Protection of Personal Data

Version
Final

Article 29
(Automated individual decisions)
1. Anyone has the right not to be subject to a
decision having an effect on its legal sphere or that the
affect it in a significant way, taken exclusively with
on the basis of automated data processing designed to
evaluate certain aspects of your personality,
namely, their professional capacity, their
credit, the confidence that it deserves it or its
behavior.
2. Without prejudice to compliance with the remaining provisions of
this law, a person may be subject to a decision
taken pursuant to paragraph 1 of this article, provided that
takes place within the framework of the conclusion or
contract and on condition that your request to conclude or
performance of the contract has been satisfied, or there are
appropriate measures to guarantee the defense of its
legitimate interests, in particular their right to
representation and expression.
3. A decision may also be allowed, in accordance with
pursuant to paragraph 1 of this article, when the Protection Agency
Authorize it, defining measures to guarantee the
defense of the legitimate interests of the data subject.

V-VI

www.mtti.gov.ao

Page 32

Page 33

Draft Bill on the Protection of Personal Data

Version
Final

SECTION V
SECURITY MEASURES

Article 30
(Security of treatment)
1. The controller must put into practice the
technical and organizational measures, and establish levels of
adequate security measures to protect personal data
against total or partial, accidental or unlawful destruction, the
accidental loss, total or partial alteration, diffusion or
unauthorized access, fundamentally when the
treatment entails its network transmission, and against
any other form of illicit treatment.
2. Security measures must ensure, taking into account
available technical knowledge and the resulting costs
application, an adequate level of security in terms of
relation to the risks that the treatment presents and the nature
of the data to be protected.
3. The controller must draw up a
document with the measures, standards and procedures of
security rules applicable to the processing of personal data,
detailing security levels, resources to protect and
the roles and obligations of people with access to data,
according to safety rules.

V-VI

www.mtti.gov.ao

Page 33

Page 34

Draft Bill on the Protection of Personal Data

Version
Final

Article 31
(Special security measures)
1. The data controller must,
with respect to the data indicated in Articles 13 to 17 and
in Article 20, take appropriate measures to:
a) Prevent unauthorized persons from accessing files and
the facilities used for the processing of such data;
b) Prevent personal data carriers from being able to be
read, copied, altered or removed by a person not
authorized;
c) Prevent unauthorized introduction, as well as
acknowledgment, alteration or deletion
unauthorized use of personal data entered;
d) Prevent automated treatment systems from
data can be used by unauthorized persons
through data transmission facilities;
e) Ensure that only authorized persons can access
the data covered by the authorization;
f) Guarantee the verification of the entities to whom they may be
personal data are transmitted through
data transmission;
g) To ensure that it can be verified a posteriori , within a
appropriate to the nature of the treatment as set out in
regulations applicable to each sector, what data
personal details introduced, when and by whom;
h) Prevent, in the transmission of personal data, as well
as in the transport of your support, the data can be

V-VI

www.mtti.gov.ao

Page 34

Page 35

Draft Bill on the Protection of Personal Data

Version
Final

read, copied, altered or deleted in a nonauthorized;
2. The systems must guarantee the logical separation between the
data relating to health and sexual life, including
genetic data, other personal data.
3. The Data Protection Agency may determine that, under
cases where the network circulation of personal data
referred to in Articles 12 and 13 to 17 may put at risk
rights, freedoms and guarantees of the respective holders, the
transmission is encrypted.

Article 32
(Professional secrecy)
1. Those responsible for processing personal data, as well as
as people who, in the exercise of their functions, have
knowledge of the processed personal data, are obliged to
professional secrecy, even after the end of their duties.
2. The provisions of the preceding paragraph apply to members of the
Data Protection Agency, as well as employees,
agents or technicians who perform advisory functions to the
Data Protection Agency, even after the expiry of the
mandate.
3. The provisions of the preceding paragraphs do not exclude the
provision of mandatory information, in accordance with
legal, except when they appear in files organized
for statistical purposes.

V-VI

www.mtti.gov.ao

Page 35

Page 36
Version
Final

Draft Bill on the Protection of Personal Data

SECTION VI
INTERNATIONAL TRANSFER OF PERSONAL DATA

Article 33
(Transfer of data to countries that ensure a level of
adequate protection)
1. The international transfer of data to countries that
ensuring an adequate level of protection is subject to
notification to the Data Protection Agency.
2. It is understood that a country provides a level of protection
appropriate when it ensures at least a high level of
protection equal to that established in the present law.
3. It is up to the Data Protection Agency to decide whether a State
ensures an adequate level of protection through the
issuing opinions in this regard.
4. The adequacy of the level of data protection in a State is
assessed by the Data Protection Agency in the light of
all the circumstances surrounding the transfer or the
set of data transfers, taking into account in particular
the nature of the data, the purpose and duration of the
planned treatment or treatments, countries of
final destination and the rules of law, general or sectoral, in
force in the State concerned, including professional rules and
the security measures that are respected in that State.

V-VI

www.mtti.gov.ao

Page 36

Page 37
Version
Final

Draft Bill on the Protection of Personal Data

Article 34
(Transfer of data to countries that do not guarantee a
adequate level of protection)
1.

The international transfer of data to a country that
does not ensure an adequate level of protection is subject
authorization from the Data Protection Agency, which only
one of the following can be granted verified
circumstances or other constants of legislation
specific:
a) If the data subject has given his consent
unambiguous, expressed and written;
b) If the international transfer of data results from the
application of international treaties or agreements in which
the Republic of Angola is a party;
c) If the data transfer is for the purpose of
exclusive response or request for humanitarian aid;
d) If the transfer of data is necessary for the
execution of a contract between the data subject and the
responsible for processing or prior diligence to the
formation of the contract decided at the request of the
Dice;
e) If the transfer of data is necessary for the
performance or conclusion of a contract, in the
data subject, between the data controller
treatment and a third;
f) If data transfer is necessary or
legally required for the protection of an interest

V-VI

www.mtti.gov.ao

Page 37

Page 38
Version
Final

Draft Bill on the Protection of Personal Data

important public, or for the declaration, exercise or
the defense of a right in a judicial process;
g) If data transfer is necessary to protect
the vital interests of the data subject, or to
prevention, diagnosis or medical treatment and the
holder is physically or legally unable to give his
consent;
h) If the data transfer is carried out from a
publicly accessible source;
i) If the recipient of the data is contractually insured,
before the controller, a level of
adequate protection for transferred data
two.

It is up to the Data Protection Agency to determine the
specific conditions that must be included in the contract
referred to in paragraph i) of the previous number.

3.

In the case of international data transfer between
companies of the same business group, the guarantee of
compliance with an adequate level of protection can be
achieved through the adoption of uniform internal rules
concerning privacy and data protection whose
compliance is mandatory.

V-VI

www.mtti.gov.ao

Page 38

Page 39
Version
Final

Draft Bill on the Protection of Personal Data

SECTION VII
FORMALITIES FOR NOTIFICATION AND OBTAINING
AUTHORIZATION WITH THE DATA PROTECTION AGENCY

Article 35
(Obligation to notify or obtain authorization)
1. Without prejudice to the provisions of this law, the treatment of
Personal data is subject to prior notification to the
Data Protection or its authorization.
2. If mere notification is required, the Protection Agency
of Data must comment on the request of the person responsible
treatment within 30 days of receipt,
after which it is understood that the treatment was duly
notified.
3. The Data Protection Agency may authorize the
simplification or exemption from notification for certain
treatment categories that, given the specificity
data, are not likely to call into question the data
fundamental rights, guarantees and freedoms of the holders
data, and taking into account the criteria of speed,
economy and efficiency.
4. The exemption authorization must, among other aspects,
specify the purposes of the processing, the data or
categories of data to be processed, the category or categories of data
data subjects, recipients or categories of data
recipients to whom data and information can be communicated
data retention period.

V-VI

www.mtti.gov.ao

Page 39

Page 40
Version
Final

Draft Bill on the Protection of Personal Data

5. Treatments whose only remedy is exempt from notification
purpose is the maintenance of records that are intended to
information to the public and can be consulted by the public
in general or by anyone who proves an interest
lawful.
6. It is not necessary to obtain authorization from the
Data Protection if processing is the result of a diploma
legal, in which case it is sufficient to proceed with mere notification,
if indicated otherwise in specific legislation.

Article 36
(Content of notifications and requests for authorization)
1. Notifications and requests for authorization sent to the
Data Protection Agency must contain the following
information:
(a) the name and address of the controller and, if
as the case may be, of its representative;
b) Purposes of the treatment;
c) Description of the category or categories of data subjects and
of the data or categories of personal data given to them
respect it;
d) Recipients or categories of recipients to whom
data can be communicated and under what conditions;
e) Entity in charge of information processing
if you are not the person responsible for the treatment;
f) Possible interconnections of data processing
personal;

V-VI

www.mtti.gov.ao

Page 40

Page 41

Draft Bill on the Protection of Personal Data

Version
Final

g) Time of retention of personal data;
h) Form and conditions in which data subjects can
exercise their rights;
i) planned data transfers to third countries;
j) General description that allows a preliminary assessment
the appropriateness of the measures taken to ensure
treatment safety.

Article 37
(Mandatory information)
1. The registers of personal data processing and the
Authorizations of the Data Protection Agency should at least
less indicate:
a) The person responsible and, where applicable, his representative;
b) The categories of personal data processed;
c) The purposes for which the data are intended and the
categories of entities to whom they can be
transmitted;
d) The form of exercising the right of access,
rectification, updating and cancellation;
e) Possible interconnections of data processing
personal;
(f) planned data transfers to third countries;
2. Any change in the indications in paragraph 1 is subject to
subject to the procedures provided for in Article 35.

V-VI

www.mtti.gov.ao

Page 41

Page 42

Draft Bill on the Protection of Personal Data

Version
Final

Article 38
(Advertising of treatments)
1. The processing of personal data, when it should be
authorized or notified, is registered with the
Data Protection, open to public consultation.
2. The register contains the information listed in points a)
ad) and i) of article 36.
3. The controller who is not subject to notification is
obliged to provide, in an appropriate manner, to any person
upon request, at least the information indicated in paragraph 1
Article 37
4. The provisions of this article do not apply to the treatment
data in publicly accessible sources.

Section VIII
SPECIFIC PROVISIONS APPLICABLE TO THE TREATMENT OF
PERSONAL DATA IN THE PUBLIC SECTOR

Article 39
(Applicable rule)
The processing of data by the public and cooperative sector is
subject:
a) The provisions of the present Law;
b) The provisions of the specific rules contained in this Section and
special legislation.

V-VI

www.mtti.gov.ao

Page 42

Page 43

Draft Bill on the Protection of Personal Data

Version
Final

Article 40
(Creation, modification and deletion)
1. The creation, modification and deletion of files in the
Public Administration and Courts can only be
carried out under a legal provision, which must contain,
expressly or by reference to an autonomous diploma, the
following information:
a) The controller is responsible for the processing;
b) The purposes of the treatment;
c) Data collection and processing processes
personal;
d) The basic structure of the file;
e) The types of personal data included in the file;
f) Data communications to recipients, if applicable;
(g) the transfer of data to third countries, if
applicable;
h) The services or units before which the holders of the
data can exercise their rights;
i) The applicable security measures, including by means of
indication of discriminated access criteria, if
applicable.
2. The legal provisions that dictate the elimination of files
indicate the destination of the data or their data and the
measures to be taken for its destruction.

V-VI

www.mtti.gov.ao

Page 43

Page 44

Draft Bill on the Protection of Personal Data

Version
Final

Article 41
(Communication of data in the public sector)
1. Personal data processed by Administration bodies
Public, cannot be communicated to other entities,
bodies, services or others that have competences
different materials, except in the following circumstances:
a) Such communication is permitted by legal provision or
authorization by the Data Protection Agency;
b) The communication has as its object the further processing
data for historical or statistical purposes.

Section IX
SPECIFIC PROVISIONS APPLICABLE TO THE TREATMENT OF
PERSONAL DATA IN THE PRIVATE AND COOPERATIVE SECTOR

Article 42
(Applicable rule)
The processing of data by the private and cooperative sectors is
subject:
a) The provisions of this Law, with the exception of that contained in
Section VIII;
b) The provisions of specific legislation that regulates the
processing of personal data in certain sectors of
activity.

V-VI

www.mtti.gov.ao

Page 44

Page 45

Draft Bill on the Protection of Personal Data

Version
Final

Article 43
(File types)
Personal data files of controllers
private sector include, but are not limited to, the following:
a) Workers' files;
b) Occupational medicine files;
c) Customer management files;
d) Input and output files;
e) Video surveillance files.

CHAPTER III
DATA PROTECTION AGENCY
Article 44
( Nature and legal regime)
1. The Data Protection Agency is a legal person of
public law, endowed with legal personality, with
administrative, financial and patrimonial autonomy, to whom
in particular:
a) The monitoring of the application of the provisions of this law;
b) Issue recommendations, guidelines and instructions on the
best practices in the processing of personal data;
c) Issue an opinion on access to documents
nominative;
d) Issuing an opinion on the rating system of
documents;

V-VI

www.mtti.gov.ao

Page 45

Page 46

Draft Bill on the Protection of Personal Data

e) Appreciate and decide on the complaints that are
addressed and guarantee the exercise of the right of access,
rectification, updating and cancellation of data;
f) Register and publish the registration of personal data files;
g) To guarantee the holders of personal data the obtaining of
accurate information about your rights under the
processing of your data;
h) Guide the application of technical and security measures
necessary and appropriate;
i) Cooperate with international authorities in matters of
protection of personal data and to monitor movements
international personal data;
j) To exercise its sanctioning function in matters of
protection of personal data, under the terms of this law;

Version
Final

k) Elaborate and forward annually to the holder of the
Executive a report on the state of application of the
this law and its activity;
l) Issue an opinion on the application of this law and other
complementary acts.
Article 45
(Organization and operation)
The organization and functioning of the Agency for the Protection of
Data are established by diploma of the holder of the Power
Executive.

V-VI

www.mtti.gov.ao

Page 46

Page 47

Draft Bill on the Protection of Personal Data

Version
Final

CHAPTER IV
ADMINISTRATIVE AND JURISDICTIONAL GUARANTEE

Section I
GENERAL PROVISIONS

Article 46
(Administrative and jurisdictional protection)
1. Without prejudice to the right to complain to the Agency
Data Protection Act, any person may, under the terms of the
law, resort to administrative or jurisdictional means to
ensure compliance with legal provisions on
protection of personal data.
2. Appeals against the decisions of the Data Protection Agency
administrative litigation.

Article 47
(Civil liability in the processing of personal data)
Anyone who has suffered injury as a result of
unlawful processing of data or any other act that violates
legal provisions on the protection of personal data
has the right to obtain compensation from the person responsible for the damage
suffered.

V-VI

www.mtti.gov.ao

Page 47

Page 48

Draft Bill on the Protection of Personal Data

Version
Final

Section II
COUNTERVAILS AND FINES

Article 48
(Misdemeanors)
The sanctioning regime established in the present law does not
prejudices the application of the sanctioning regimes in force in
special legislation.

Article 49
(Compliance with omitted duty)
Whenever the misdemeanor results from the omission of a duty
applicable to the processing of personal data, the application of the penalty
and the payment of the fine do not release the offender from his
compliance when possible.

Article 50
(Misdemeanors and Fines)
1. Without prejudice to other sanctions that may be applicable,
constitutes a misdemeanor punishable by fines in an amount
equivalent to the national currency indicated below the practice of
following acts:
a) USD 75,000.00 to USD 150,000.00, in the case of:
i. Non-compliance with the obligations established in the
articles 14, 15, 16, 17, 20, 30, 31 and 32;
ii. Non-compliance with negligence of the obligation to
notification to the Data Protection Agency or its

V-VI

www.mtti.gov.ao

Page 48

Page 49

Draft Bill on the Protection of Personal Data

Version
Final

compliance with the provision of false information or
with non-compliance with the provisions of the present law;
iii. Non-compliance with order by the Data Protection Agency
Data to cease access to open networks of
transmission of data to officials who do not comply
the provisions of this law;
b) USD 65,000.00 to USD 130,000.00, in case of non-payment
compliance with the principles set out in Articles 6 to
11, of not obtaining the consent of the holder of the
data for treatment except by checking the
circumstances that excuse it, as well as
non-compliance with the provisions of articles 18, 19 and 21 to
24th;
2. In the case of legal persons, societies and mere
de facto associations, the misdemeanors provided for in
above are aggravated at three times the respective limits.
3. Attempt and negligence are punishable.

Article 51
(Neglect and attempt)
1. Negligence is punished for the contraventions provided for in point
ii. of paragraph a) of article 50 of this law.
2. The attempt is always punishable in the misdemeanors provided for in
Article 50.

V-VI

www.mtti.gov.ao

Page 49

Page 50

Draft Bill on the Protection of Personal Data

Version
Final

Article 52
(Application of fines)
1. The application of the fines provided for in this law is incumbent on the
Data Protection Agency.
2. The decision of the Data Protection Agency, after
homologated by its responsible, it constitutes an enforceable title,
if not challenged within the legal period.
3. The deliberations of the Data Protection Agency are
public.

Article 53
(Recipes)
1. The amount of the sums charged, as a result of the
application of fines, reverts, in equal parts, to the State
and for the Data Protection Agency.
2. The fines to be applied by the Data Protection Agency
should be periodically updated.

SECTION III
CRIMES
Article 54
(Failure to comply with data protection obligations
personal)
1. Without prejudice to the other obligations regulated in this
law, incurs a crime punishable by imprisonment from 3 to 18
months or corresponding fine, who:

V-VI

www.mtti.gov.ao

Page 50

Page 51

Draft Bill on the Protection of Personal Data

Version
Final

a) Omitting the application for authorization from the Protection Agency
of Data;
b) Provide false information in the notification or in
requests for authorization for the processing of data
personal data, or in this case make modifications
allowed by the present diploma;
c) Promote or carry out an illegal interconnection of
personal data;
d) After the period that has been given to them has passed
set by the Data Protection Agency for
compliance with the obligations provided for in this law
or subsidiary legislation, fail to comply with them;
2. The penalty is increased to double its limits when
dealing with personal data referred to in Articles 13 to
16 of this law.

Article 55
(Improper access)
1. Whoever, without authorization, has access to personal data whose access
is forbidden, incurs a crime punishable by imprisonment
from 6 months to 2 years or corresponding fine.
2. Without prejudice to the preceding paragraph, undue access occurs
When:
a) It is achieved through violation of technical rules
of security;
b) Has made it possible for the agent or third parties to
knowledge of personal data;

V-VI

www.mtti.gov.ao

Page 51

Page 52

Draft Bill on the Protection of Personal Data

Version
Final

c) Has provided the agent or third parties with a benefit
or equity advantage.
3. Criminal procedure depends on a complaint.

Article 56
(Addiction or destruction of personal data)
1. Whoever, without proper authorization, erases, destroys, damages,
delete or modify personal data, making it
unusable or affecting their ability to use, incurs
in crime punishable by 18 months to 3 years imprisonment
or corresponding fine.
2. The penalty is doubled in its limits if the damage
produced is particularly serious.
3. If the controller is negligent, the
penalty is imprisonment up to 2 years or corresponding fine.

Article 57
(Qualified disobedience)
1. Whoever, after being notified to do so, does not interrupt,
cease or block the processing of personal data is punished
with a prison sentence of up to 3 years or a corresponding fine.
2. Without prejudice to the preceding paragraph, disobedience is incurred
qualified, who:
a) Refuse, without just cause, the collaboration that
concretely required of it by the Agency for
Data Protection;

V-VI

www.mtti.gov.ao

Page 52

Page 53

Draft Bill on the Protection of Personal Data

Version
Final

b) Do not proceed with the erasure, total destruction or
partial personal data;
c) Do not proceed with the destruction of personal data, after the
established conservation period.

Article 58
(Violation of the duty of secrecy)
1. Who, being bound by professional secrecy, under the terms of
law, without just cause and without due consent, reveal or
disclosing in whole or in part personal data is punished with
imprisonment up to 18 months or a corresponding fine.
2. The penalty is imprisonment up to 2 years or a corresponding fine in
following cases:
a) When the crime is committed by an official
public or equivalent;
b) When the information is revealed with the intention of
obtain any equity or other advantage
illegitimate benefit; or
c) When the revealed information endangers the
reputation, honor and consideration or the intimacy of
privacy of the data subject.
3. Outside the cases provided for in paragraph 2, the criminal procedure
depends on complaint.

V-VI

www.mtti.gov.ao

Page 53

Page 54

Draft Bill on the Protection of Personal Data

Version
Final

Article 59
(Punishment of the attempt)
In the crimes provided for in the previous provisions, the attempt is
always punishable by imprisonment for up to 6 months or a fine
corresponding.

Article 60
(Accessory penalty)
1. In conjunction with the fines imposed,
incidentally, be ordered:
a) The temporary or definitive prohibition of treatment, the
blocking, erasure or total or partial destruction
of the data;
b) Publicity of the condemnatory sentence;
c) The public warning or censure of the person responsible for
treatment.
2. Publication of the condemnatory decision is made at the expense of the
condemned, in the periodical publication of greater circulation,
as well as through the posting of a public notice in support
appropriate, for a period of not less than 30 (thirty) days.
3. The publication is made by an extract containing the
elements of the offense and the sanctions applied, as well as the
agent identification.

V-VI

www.mtti.gov.ao

Page 54

Page 55

Draft Bill on the Protection of Personal Data

Version
Final

Article 61
(Infringement contest)
1. If the same fact constitutes, simultaneously, a crime and
misdemeanor, the agent is always punished as a crime.
2. The penalties applied to contraventions in competition are
always cumulated materially.

CHAPTER IV
FINAL DISPOSITIONS

Article 62
(Codes of Conduct)
1. The Data Protection Agency encourages the creation of
codes of conduct in the field of data protection that
establish the following.
2. The participation of rights representatives is encouraged
data subjects in the elaboration and application of the codes of
conduct.
3. Codes of conduct must be registered with the Agency for
Data Protection.
4. The Data Protection Agency may reject the registration of
codes of conduct when considering the same contrary
the provisions of this law and other legislation
applicable.
5. The Data Protection Agency is responsible for issuing opinions and
recommendations so that those responsible for creating
codes of conduct make the necessary corrections.

V-VI

www.mtti.gov.ao

Page 55

Page 56

Draft Bill on the Protection of Personal Data

Version
Final

Article 63
(Legalization of existing supports)
Data processing existing at the date of entry into force
of this law must be notified to the Agency for the Protection of
Data within a maximum period of 2 years from the entry into force
of law.

Article 64
(Revocation)
All legislation that contravenes this law is revoked.

Article 65
(Regulation)
The present law must be regulated, by the Executive, within the
120 (one hundred and twenty) days from the date of their
Publication.

Article 66
(Doubts and omissions )
The doubts and omissions resulting from the interpretation and application of the
this law are resolved by the National Assembly.

Article 67
(Implementation)
This law enters into force on the date of its publication.

V-VI

www.mtti.gov.ao

Page 56

Page 57

Draft Bill on the Protection of Personal Data

Seen and approved by the National Assembly, in Luanda, at ____
of _______ of ______.
The President of the National Assembly, António Paulo Kassoma
Enacted to ____ of ______ of ________
Publish yourself.
The President of the Republic, J OSÉ AND DUARDO DOS S ANTOS

Version
Final

V-VI

www.mtti.gov.ao

Page 57

