Page 1

1214 Series I - N O 48 "BO" REPUBLIC OF CAPE VERDE - 17 SEPTEMBER 2013
Law No. 41/VIII/2013
of September 17th

By mandate of the People, the National Assembly decrees,
pursuant to paragraph b ) of article 175 of the Constitution,
the next:
CHAPTER I
General provisions
Article 1
(Object)

This law changes the general legal regime of protection
of personal data of natural persons, approved by the
Law No. 133/V/2001, of 22 January.
Article 2
(Changes)

3.(...)
4. The processing of personal data relating to health
and sexual life, including genetic data, is allowed
when necessary for the purposes of preventive medicine.
medical diagnosis, care or
medical treatments or health services management,
provided that the processing of these data is carried out by
a health professional bound by professional secrecy.
or by another person equally subject to an obligation
of equivalent secrecy, has been notified to the CNPD
pursuant to Article 23, and measures are guaranteed.
appropriate information security measures.
(...)
Article 12
(Access right)

1. (...)

Articles 2, 6, 8, 12, 14, 16, 18, 19, 20, 22, 23,
2. In the cases provided for in paragraphs 4 and 5 of article 8,
24th, 25th, 26th, 27th, 29th, 30th, 33rd, 37th, 39th, 40th, 43rd, 47th and 48th the right of access is exercised through the CNPD.
of Law No. 133/V/2001, of 22 January, now have the
following wording:
3. In the case provided for in number 6 of the previous article,
the right of access is exercised through the CNPD, with the
Article 2
safeguarding the applicable constitutional norms, de(Scope of application)
namely those that guarantee freedom of expression.
and information, press freedom and independence
1. (...)
and professional secrecy of journalists.
two. (...)
3. (...)
4. In the case referred to in subparagraph c) of number 2, the
responsible for the treatment must designate, through cocommunication to the National Data Protection Commission,
hereinafter referred to as CNPD, an established representative
in national territory, to be replaced in all
its rights and obligations, without prejudice to its own
responsibility.

4. In the cases provided for in numbers 2 and 3 of this article, if
the communication of data to the holder could harm
state security, prevention or investigation
criminal or even freedom of expression and information
or press freedom, the CNPD is limited to informing
the holder of the data of the investigations carried out.
(...)
Article 14
(Not subject to automated individual decisions)

(...)

1. (...)

Article 6

two.(...)

(Data quality)

1. (...)
2. Further processing of data for historical purposes,
statistical or scientific as well as their conservation
for the same purposes for a period longer than the aforementioned
in line e) of the previous number, may be authorized
by the CNPD in case of legitimate interest of the responsible
for the treatment, as long as the rights do not prevail,
freedoms and guarantees of the data subject.
(...)

3. It may still be allowed to make a decision
pursuant to number 1, when authorized by the CNPD
and provided that measures are taken to guarantee the defense
the legitimate interests of the data subject.
Article 16
(Special security measures)

1. (...)
2. Taking into account the nature of the responsible entities.
due to the treatment and the type of facilities in which it is carried out,
the CNPD may waive the existence of certain measures of
security, ensuring that respect for rights is shown,
freedoms and guarantees of data subjects.

Article 8
(Processing of sensitive data)

1. (...)

3. (...)

two.(...)

Page 2
SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013 1215
4. The CNPD may determine that the transmission is
encrypted, in cases where the circulation of data in a network
persons referred to in Articles 8 and 9 may endanger
rights, freedoms and guarantees of the respective holders.
Article 18
(Professional secrecy)

1. (...)
2. The same obligation falls on the members of the CNPD,
even at the end of the term.

2. Without prejudice to the provisions of number 1, it may be
authorized by the CNPD a transfer or a set
of transfers of personal data to a country that does not
ensure an adequate level of protection within the meaning of the
number 2 of the previous article, provided that the person responsible for
treatment provides sufficient guarantees of protection
of private life and fundamental rights and freedoms
of people, as well as their exercise, namely,
through appropriate contractual clauses.
(...)
Article 22

3. (...)
4. Personnel exercising advisory functions to the CNPD
or members are subject to the same confidentiality obligation.
professional.
Article 19
(Principles)

(Nature of inspection)

1. The supervision of the protection of personal data is ensured.
held by an independent administrative authority,
the CNPD, which works with the National Assembly.
2. The CNPD is regulated by its own law.

1. (...)
Article 23

two. (...)
(Notification obligation)

3. It is up to the CNPD to decide whether a foreign State
ensures an adequate level of protection.
Article 20
(Derogations)

1. The transfer of personal data to a country that
does not ensure an adequate level of protection in the meaning
of number 2 of the previous article may be permitted by the
CNPD if the data subject has given inemisunderstand your consent to the transfer or if this
transfer:
a ) It is necessary for the execution of a contract
between the data subject and the person responsible
for the processing or due diligence prior to the
formation of the contract decided at the request of the
data holder;
b ) Is necessary for the execution or celebration
of a contract awarded or to be granted,
in the interest of the data subject, between the
controller and a third party;
c ) Is necessary or legally required for the
protection of an important public interest,
or for declaration, exercise or defense
of a right in a judicial process;
d ) Is necessary to protect vital interests
of the data subject;
e ) Is carried out from a public register
which, in terms of legislative provisions
or regulatory, is intended for information
of the public and is open to consultation by the
general public or anyone who
can prove a legitimate interest, provided
that the conditions established by law for the
consultation are fulfilled in the specific case.

1. The controller or, where applicable, the
your representative must notify the CNPD before the performance
of a treatment or set of treatments, total or
partially automated, intended for prosecution
of one or more interlinked purposes.
2. The CNPD may authorize simplification or exemption
of notification for certain categories of treatment.
which, given the data to be processed, are not
likely to jeopardize rights and freedoms.
of data subjects and take into account criteria of
speed, economy and efficiency.
(...)
Article 24
(Prior control)

1. Unless authorized by law, they lack
authorization from the CNPD;
a ) The processing of personal data to which they refer
subparagraphs a ) and c ) of number 1 of article 8 and the
paragraph 2 of article 9;
b ) The processing of personal data relating to the
credit and solvency of its holders;
c ) The interconnection of personal data, under the terms
provided for in article 10;
d ) The use of personal data for nondeterminants of collection.
2. The legal diploma authorizing the treatments
referred to the previous number requires the prior opinion of the CNPD.

Page 3
1216 SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013
Article 25

Article 27

(Content of requests for opinion or authorization and
notification)

Requests for opinion or authorization, as well as
notifications, sent to the CNPD must contain the following
this information:
a ) The name and address of the person responsible for the
treatment and, if applicable, of its representative;
b ) The purpose (s ) of the processing;
c ) The description of the category or categories of holders of
data or categories of personal data
respect them;
d ) The recipients or categories of recipients
to whom the data can be communicated and in
what conditions;
e ) The entity in charge of processing the
information, if you are not responsible
of the treatment;
f) Any interconnections of treatments of
personal data;
g ) The retention time of personal data;
h ) The form and conditions as the holders of
data can have knowledge or do
correct personal data concerning them;
i) Planned data transfers to countries
the 3rd;
j) The general description that allows to evaluate
preliminary the adequacy of the measures taken
to ensure the safety of treatment in
application of Articles 15 and 16.
Article 26

(Advertising of treatments)

1. The processing of personal data, when it is not
subject to a legal diploma and must be authorized or notified.
is registered in the CNPD, open for consultation by
anyone.
two. (...)
3. (...)
4. (...)
5. The CNPD must indicate in its annual report all
the opinions and authorizations prepared or granted to the
under this law, namely authorizations
provided for in the sub-paragraphs of number 1 of article 8 and in the
Article 10(2).
Article 29
(CNPD intervention)

1. The CNPD supports the development of a code of conduct.
2. Professional associations and other organizations
representatives of categories of caregivers.
data processing that have prepared draft codes.
of conduct may submit them to the appreciation of the CNPD.
3. The CNPD can declare the conformity of the projects
with the legal and regulatory provisions in force in
on the protection of personal data.
Article 30
(Legal appeals)

Without prejudice to the right to file a complaint or
complaint to the CNPD, anyone can, under the terms
of the law, appeal in court for violation of rights
guaranteed by this law.

(Mandatory indications)
Article 33

1. The legal diplomas referred to in paragraph b ) of number
1 of article 8 and in number 1 of article 9 as well as the
CNPD authorizations and treatment records
personal data must at least indicate:
a ) The person responsible for the file and, if applicable, the
your representative;
b ) The categories of personal data processed;
c ) The purpose or purposes for which the data are intended and
the categories of entities who can be
transmitted;
d ) The form of exercising the right of access and
rectification;
e ) Any interconnections of treatments of
personal data;
f) Data transfers provided to others
countries.
(...)

(Omission or defective fulfillment of obligations)

1. Entities that, through negligence, do not comply with the
obligation to notify the CNPD of data processing
personnel referred to in paragraphs 1 and 5 of article 23,
provide false information or fulfill the obligation to
notification with failure to comply with the terms provided for in the
article 25, or even when, after being notified by the
Commission, maintain access to open networks.
transmission of data to controllers
of personal data that do not comply with the provisions of the
present law, practice an administrative offense punishable by the
following fines:
a ) In the case of a natural person, at least
50,000$00 and a maximum of 500,000$00;
b ) In the case of a legal person or entity
without legal personality, at least
300,000$00 and a maximum of 3,000,000$00.
(...)

Page 4
SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013 1217
b ) Do not proceed with the deletion, total destruction
or partial personal data;

Article 37
(Application of fines)

1. The application of the fines provided for in this law
ask the president of the CNPD, under its prior deliberation.
2. The resolution of the CNPD, constitutes an executive title,
in case it is not challenged within the legal period.

c ) Not to destroy personal data,
at the end of the conservation period provided for in the
article 6.
Article 47
(Existing manual files)

Article 39
(Destination of collected revenue)

The amount of amounts collected as a result
of the application of the fines, reverts to the CNPD.

1. Data treatments in files
manuals at the date of entry into force of this law
must comply with the provisions of articles 8, 9, 11 and 12 in the
within six months.
two. (...)

Article 40

3. The CNPD may authorize that the data existing in
(Non-compliance with obligations relating to the protection of
manual files and kept for the sole purpose of
Dice)
historical research requirements do not have to comply.
the provisions of articles 8, 9 and 10, provided that they are not,
1. Is punishable by imprisonment for up to one year or a fine of up to 120
in no case reused for a different purpose.
days who intentionally:
Article 48

a ) Omit the notification or request for authorization to
referred to in Articles 23 and 24;
b ) Provide false information in the notification
or in the authorization requests for the
processing of personal data or in this
make changes not consented to by the
legalization instrument;
c ) Divert or use personal data, in a way
incompatible with the determining purpose of the
collection or with the instrument of legalization;
d ) Promote or carry out illegal interconnection
of personal data;
e ) After the deadline that you have
been fixed by the CNPD for compliance
of the obligations provided for in this law or
in other data protection legislation, the
not comply;

(Existing automated files)

The holders of existing automated files to
date of entry into force of this law must comply
rigorously what is contained in it, namely
adapt such files within six months.
Article 3
(Republication)

1. The changes resulting from this law will be
considered to be part of Law No. 133/V/2001,
of January 22, and will be inserted in it, through
replacing, respectively, the items, numbers and
the articles changed.
2. Law No. 133/V/2001, of 22 January, in its new
text, is republished together with this law.
Article 4
(Implementation)

f ) After being notified by the CNPD for the no
do, maintain access to open networks
of data transmission to responsible
for the processing of personal data that
comply with the provisions of this law.

This law enters into force thirty days after its
Publication.
Approved on July 23, 2013.
The President of the National Assembly, Basilio Mosso
branches

(...)
Article 43

Enacted on September 10, 2013.

(Qualified disobedience)

Publish yourself.

1. (...)
2. Whoever, after being notified, incurs the same penalty:

The President of the Republic, JORGE CARLOS DE
ALMEIDA FONSECA
Signed on September 11, 2013.

a ) Refuse, without just cause, the collaboration that
specifically required by the CNPD,
under the law;

The President of the National Assembly, Basilio Mosso
branches

Page 5
1218 SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013
REPUBLICATION
Law No. 133/V/2001
of January 22

national defense and state security, without prejudice to the
provided for in special rules contained in instruments
of international law to which Cape Verde is bound and of
specific legislation for the respective sectors.
Article 3

Establishes the general legal regime of protection
of personal data of natural persons
CHAPTER I
General provisions

(Exclusion from the scope)

This law does not apply to data processing
personnel carried out by natural persons in the financial year.
exclusively personal or domestic activities.

Article 1
Article 4
(Object)
(General principles)

This law establishes the general legal regime of
protection of personal data protection of individuals
singular.
Article 2

The processing of personal data must be processed from
transparently and in strict respect for the reservation of the
intimacy of private and family life, as well as
fundamental rights, freedoms and guarantees of the citizen.

(Scope of application)

1. This law applies to data processing
personal by fully or partially automated means,
as well as the treatment by non-automated means of
personal data contained in or to manual files
intended.
2. This law applies to data processing
personal carried out:
a ) Within the scope of establishment activities
of the controller located in
National territory;
b ) Outside national territory, in a place where the
Cape Verdean legislation is applicable by
strength of international law;
c ) By a responsible person who, not being established in the
national territory, resort to treatment
of personal data, to means, automated or
no, located in the national territory, unless
these means are only used for transit.
3. This law applies to video surveillance and other
ways of capturing, treating and diffusing sounds and
images that allow you to identify people whenever the
responsible for the treatment is domiciled or based
in national territory or use a supplier of
access to computer and telematic networks established there.

Article 5
(Definitions)

1. For the purposes of this law, the following definitions apply:
a ) «Personal data»: any information, of
any nature is regardless of
respective support, including sound and image
relating to an identified natural person
or identifiable, “data subject”;
b ) "Processing of personal data" or "Processing":
any operation or set of operations
on personal data made, total or
partially, with or without authorized means,
such as collecting, registering, organizing,
conversation, adaptation or change,
the recovery, the consultation, the use, the
broadcast communication
or by any other form of placement to the
disposition, with comparison or interconnection,
as well as blocking, deleting or
undoing;
c ) «Personal data file» or «File»:
any structured set of data
personal, accessible by criteria
determined, whether centralized,
decentralized or distributed
functional or geographic;

4. In the case referred to in subparagraph c) of number 2, the
responsible for the treatment must designate, through cocommunication to the National Data Protection Commission,
hereinafter referred to as CNPD, an established representative
in national territory, to be replaced in all
its rights and obligations, without prejudice to its own
responsibility.

d ) «Processor»: the person
singular or collective, the public authority
the service or any other body that,
individually or together with others,
determine the purposes and means of
processing of personal data;

5. The provisions of the previous number apply in the case of the
controller is covered by statute.
of extraterritoriality, immunity or any
another that prevents criminal proceedings.

e ) «Subcontractor»: the natural or legal person,
the public authority, the service, or any
another body that handles personal data
on behalf of the controller;

6. This law applies to data processing
personnel who have the objective of public safety, the

f ) «Third Party»: the natural or legal person, the
public authority, the service or any

Page 6
SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013 1219
another body that, not being the holder
of the data, the controller,
the subcontractor or other person under authority
directly from the controller or the
subcontractor, is authorized to process the data;
g ) «Recipient»: the natural or legal person, the
public authority, the service or any
other body to which they are communicated
personal data, regardless of whether
whether or not to deal with a third party, without prejudice
of not being considered recipients the
authorities to whom data is communicated
under a legal provision;
h ) «Consent of the data subject»: any
expression of will, free, specific and
informed, under which the holder
your personal data are objects of
treatment;
i) "Data interconnection": form of treatment that
consists in the possibility of relationship
of the data of a file with the data of a
file or files held by another or
others responsible for, or maintained by the same
responsible for another purpose.
2. For the purposes of paragraph a ) of number anis considered identifiable the person who may be
identified, directly or indirectly, namely
by reference to an identification number or a
or more specific elements of your physical identity,
physiological, psychic, economic, cultural or social.
3. For the purposes of paragraph d ) of number
above, whenever the purposes and means of treatment
are determined by legislative provisions.
or regulatory, the controller must
be indicated in the law of organization and functioning or
in the statute of the legal entity or statutorily withto process the personal data in question.
CHAPTER II
processing of personal data
Section I
Qualities of data and legitimacy of its processing
Article 6
(Data quality)

d ) Accurate and, if necessary, updated, and
appropriate measures be taken to
ensure that they are erased or rectified.
inaccurate or incomplete, taking into account the
purposes for which they were not collected or
what they are treated for later;
e ) Store in a way that allows identification
of its holders only during the period
necessary for the pursuit of the purposes
collection or further processing.
2. Further processing of data for historical purposes,
statistical or scientific as well as their conservation
for the same purposes for a period longer than the aforementioned
in line e ) of the previous number, may be authorized
by the CNPD in case of legitimate interest of the responsible
for the treatment, as long as the rights do not prevail,
freedoms and guarantees of the data subject.
3. It is up to the data controller to ensure the
compliance with the provisions of the previous numbers.
Article 7
(Conditions of legitimacy of data processing)

The processing of personal data can only be carried out
if the holder has unequivocally given his
consent or if treatment is necessary for:
a ) Execution of a contract in which the data subject
is part or of prior investigations carried out
upon your request;
b ) Compliance with a legal obligation to which the
controller is subject;
c ) Protection of vital interests of the holder of
data, if it is physically or legally
unable to give consent;
d ) Execution of a public interest mission
or in the exercise of public authority in
that the person responsible for the
processing or a third party to whom the data
are communicated;
e ) Pursuit of the legitimate interests of the
controller or third party to
to whom the data is communicated, provided that
interests or rights do not prevail,
freedoms and guarantees of the data subject.

1. Personal data must be:

Article 8

a ) Treated legally, lawfully and with respect
by the principle of good faith;
b ) Collected for certain purposes,
explicit and legitimate, and cannot
be further treated in ways
incompatible with these purposes;
c ) Adequate, relevant and not excessive
regarding the purposes for which
are collected and further processed;

(Processing of sensitive data)

1. The processing of personal data relating to
to political, philosophical or ideological convictions or punishments.
to religious faith, party or union affiliation,
racial or ethnic origin, private life, health and life
sexual, including genetic data, except:
a ) With the express consent of the holder,
with guarantees of non-discrimination and with the
adequate security measures;

Page 7
1220 SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013
b ) Upon authorization provided for by law, with
guarantees of non-discrimination and with the
adequate security measures;
c ) When intended for processing
statistical data not individually
identifiable, with security measures
appropriate.
2. In the granting of authorization provided for in subparagraph b )
of the preceding paragraph, the law must adhere, namely,
the indispensability of the processing of personal data
referred to in number 1 for the exercise of the attributions
legal or statutory of its responsible, for reasons
of important public interest.
3. The processing of the data referred to in number 1 is
still allowed when one of the following
conditions:
a ) Be necessary to protect the vital interests of the
owner of the data or of another person and the
data holder is physically or legally
unable to give consent;
b ) Be carried out, with the consent of the holder,
by foundation, association or body without
political, philosophical,
religious or union, within the scope of their
legitimate activities, provided that the
treatment respect only members
of this foundation, association or that
organism or to the people with whom he
keep regular contacts connected to
its legitimate purposes, and of the data
not be communicated to third parties without
consent of its holders;
c ) Concerning data manifestly rendered
public by its holder, as long as it is possible to
legitimately deduct from your statements
consent to their treatment;
d ) Be necessary for the declaration, exercise or defense of
a right in court proceedings and is carried out
exclusively for that purpose.
4. The processing of personal data relating to health
and sexual life, including genetic data, is allowed
when necessary for the purposes of preventive medicine.
medical diagnosis, care or
medical treatments or health services management,
provided that the processing of these data is carried out by
a health professional bound by professional secrecy.
or by another person equally subject to an obligation
of equivalent secrecy, has been notified to the CNPD
pursuant to Article 23, and measures are guaranteed.
appropriate information security measures.
5. The processing of the data referred to in number 1 may
still be carried out, with adequate safety measures.
proof of information, when it proves to be indispensable.
to the protection of the security of the State, the defense of security.
public race and prevention, investigation or repression
of criminal offences.

Article 9
(Records of unlawful activities, criminal convictions,
security measures, infractions and administrative offences)

1. The creation and maintenance of central registries
relating to persons suspected of illegal activities,
criminal convictions, decisions that apply measures of
security, fines and ancillary sanctions and infractions and
administrative offenses can only be maintained by services
public with this legal competence, observing norms
procedural and data protection provided for in
legal diploma.
2. The processing of personal data relating to suspects.
illicit activities, criminal convictions, decisions
involving security measures, fines and sanctions
accessories and infractions and administrative offenses can be
authorized, subject to data protection rules
and information security, when such treatment
necessary for the performance of legitimate purposes of the
its responsible, as long as the rights do not prevail,
freedoms and guarantees of the data subject.
3. The processing of personal data for information purposes.
police investigation should be limited to what is necessary for the
prevention of a concrete danger or repression of a
determined offense, for the exercise of competence
provided for in the respective organic statute or other legal
legal position and under the terms of agreement, treatment
or international international convention that Cabo
Green be part.
Article 10
(Interconnection of personal data)

1. Without prejudice to the express prohibition in the law, the interconnection of personal data that is not established in
legal provision is subject to Commission authorization.
Parliamentary of Inspection requested by the person in charge
or jointly by the correspondents responsible for the
treatments, pursuant to Article 23.
2. The interconnection of personal data must be necessary
and adequate for the pursuit of legal or strategic purposes.
statutory and legitimate interests of those responsible for
treatments, do not imply discrimination or reduction.
of the fundamental rights, freedoms and guarantees of the
data holders, take into account the type of data subject
of interconnection and be surrounded by adequate measures of
safety.
Section II
Data Subject Rights
Article 11
(Right of information)

1. When collecting personal data directly from your
holder, the controller or his representative.
must pay him, unless they are already known to him,
The following information:
a ) Identity of the controller and, if
where applicable, from your representative;

Page 8
SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013 1221
b ) Purposes of treatment;

Article 12
(Access right)

c ) Recipients or categories of recipients
of the data;
d ) The mandatory or optional character of the answer,
as well as the possible consequences if not

1. The data subject has the right to obtain from the resresponsible for the treatment, freely and without restrictions,
with reasonable frequency and without delay or cost
excessive:

Dice;
e ) The existence and conditions of the right of access and
of rectification, as long as they are necessary,
taking into account the specific circumstances
of data collection, to ensure your
entitled to fair treatment of them;
f ) The decision to communicate your data
personal for the first time to third parties to
the purposes provided for in subparagraph b ) of article 13,
previously and with the express indication of
that you have the right to object to this communication;
g ) The decision that your personal data are
used on behalf of third parties, previously
and with the express indication that he has the
right to object to such use.
2. The documents that serve as a basis for the collection of
personal data must contain the information contained
of the previous number.
3. If the data is not collected from the owner
and unless they are already known to him, the person responsible for the
treatment, or its representative, must provide
the information provided for in number 1 at the time of the
recording of data or, if communication is foreseen
to third parties, at the latest at the time of the first communication.

a ) Confirmation of data processing or not
that concern you, as well as information
about the purposes of this treatment, the
categories of data on which it focuses and the
recipients or recipient categories
to whom the data is communicated;
b ) The communication, in an intelligible form, of its
data subject to processing and any
available information about the origin
of these data;
c ) Knowledge of the logic underlying the
automated processing of the data
respect, with regard to decisions
automated systems referred to in number 1 of the
article 14;
d ) Correction, payment or blocking
of data whose processing does not respect the
provided for in this law, namely
due to incomplete or inaccurate character
of these data;
e ) Notification to third parties to whom the data
have been communicated from any
rectification, deletion or blocking
carried out pursuant to subparagraph d), unless
this is demonstrably impossible or
imply a disproportionate effort.

of these data.
4. In the case of data collection on open networks, the
data holder must be informed, unless this is already
you are aware that your personal data may
circulate on the network without safety conditions, running
the risk of being seen and used by third parties does not
authorized.
5. The obligation to provide information is waived for reasons of
state security, crime prevention and investigation, and
well, when, namely in the case of treatment,
data for statistical, historical or
scientific research, data subject information
proves impossible or involves disproportionate efforts.
or when the law expressly determines
the recording of data or its dissemination.
6. The information obligation does not apply to the processing
data made for journalistic purposes only.
cos or of artistic or literary expression, except when
the rights, freedoms and guarantees of the
data holders.

2. In the cases provided for in paragraphs 4 and 5 of article 8,
the right of access is exercised through the CNPD.
3. In the case provided for in number 6 of the previous article,
the right of access is exercised through the CNPD, with the
safeguarding the applicable constitutional norms, denamely those that guarantee freedom of expression.
and information, press freedom and independence
and professional secrecy of journalists.
4. In the cases provided for in numbers 2 and 3 of this article, if
the communication of data to the holder could harm
state security, prevention or investigation
criminal or even freedom of expression and information
or press freedom, the CNPD is limited to informing
the holder of the data of the investigations carried out.
5. The right to access information relating to data
of health, including genetic data, is exercised by
intermediary doctor chosen by the data subject.
6. In case the data is not used to take
measures or decisions in relation to particular people,
the law may restrict the right of access in cases where

Page 9
1222 Series I - N O 48 "BO" REPUBLIC OF CAPE VERDE - 17 SEPTEMBER 2013
there is clearly no danger of violation.
of the rights, freedoms and guarantees of the data subject,
namely the right to privacy of life.
private, and said data are exclusively used.
used for scientific research purposes or conserved.
in the form of personal data for a period that does not
exceeds what is necessary for the sole purpose of preparing
Statistics.
Article 13
(Right of opposition)

The data subject has the right to:
a ) Unless otherwise provided by law, and at least
in the cases referred to in subparagraphs d) and e) of article
7, to object at any time, for reasons
powerful and legitimate
your particular situation, the data that
are subject to treatment,
in case of justified opposition, the
treatment performed by the responsible leave
to be able to focus on these data;
b ) Oppose, at your request and free of charge, the
processing of personal data that you
concern provided by the responsible
by treatment for marketing purposes
direct or any other form of prospecting;
c ) Oppose, without expense, that your data
personal are communicated first
to third parties for the purposes set out in paragraph
previous or used on behalf of third parties.
Article 14
(Not subject to automated individual decisions)

1. Anyone has the right not to be subject to
a decision that produces effects in its legal sphere
or that significantly affects it, taking exclusivemind based on automated data processing
to assess certain aspects of your personality.
purpose, namely their professional capacity,
your credit, the confidence that you are deserving or your
behavior.
2. Without prejudice to compliance with the other provisions.
provisions of this law, a person may consent to be
subject to a decision taken pursuant to paragraph 1,
provided that this occurs within the scope of the execution or the execution.
execution of a contract, and subject to your request for
conclusion or performance of the contract has been satisfied, or
that there are adequate measures to guarantee the defense.
of their legitimate interests and to make their point of
view, namely their right of representation and
expression.
3. It may still be allowed to make a decision
pursuant to number 1, when authorized by the CNPD
and provided that measures are taken to guarantee the defense
the legitimate interests of the data subject.

Section III
Security and confidentiality of treatment
Article 15
(Safety of treatment)

1. The controller must implement
the appropriate technical and organizational measures to proprotect personal data against destruction, accidental or
unlawful, accidental loss, alteration, dissemination or access
unauthorized, particularly when processing
imply its transmission over the network, and against any
another form of illicit treatment.
2. The measures provided for in the preceding paragraph shall
ensure, given the technical knowledge available.
available and the costs resulting from its application, a
adequate level of safety in relation to the risks that the
treatment presents and the nature of the data to be protected.
3. The controller, in case of treatment.
on your own, you must choose a subcontractor who
offer sufficient guarantees in relation to the measures of
technical and organizational security of the treatment to be carried out.
act, and shall ensure compliance with these measures.
4. The performance of treatment operations in subcontact must be governed by a contract or act
linking the subcontractor to the person in charge.
for the treatment and that stipulates, inter alia, that the
subcontractor only acts upon instructions from the outsourcer.
responsible for the treatment and which is also responsible for the
fulfillment of the obligations referred to in numbers 1 and 2.
5. For the purpose of preserving evidence, the elements
of the business declaration, contract or legal act
concerning data protection, as well as requirements.
relating to the measures referred to in paragraphs 1 and 2 are
signed in writing or in equivalent media,
reference, with legally recognized evidential value.
Article 16
(Special security measures)

1. Data controllers
in the paragraphs of number 1, in numbers 2 and 5 of the article
8 and in paragraph 1 of article 9 shall take the measures
adequate and increased information security,
namely for:
a ) Prevent unauthorized person access to the
facilities used for the treatment of these
data (control of entry to the premises);
b ) Prevent data carriers from being read,
copied, altered by unauthorized person
(control of data carriers);
c ) Prevent unauthorized entry, as well as
knowledge, alteration or
unauthorized deletion of personal data
inserted (insertion control);
d ) Prevent treatment systems
automated data can be used

Page 10
SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013 1223
by unauthorized persons through
data transmission facilities (control
of use);
e ) Ensure that authorized persons only
may have access to the data covered by the
authorization (access control);
f ) Ensure verification of the entities to whom
personal data may be transmitted
through the transmission facilities of
data (transmission control);
g ) Ensure that it can be verified, a posteriori, in
period appropriate to the nature of the treatment,
to be established in the regulations applicable to each
sector, what personal data have been entered,
when and by whom (introduction control);
h ) Prevent, in the transmission of personal data,
as well as transporting your support, the
data can be read, copied, changed or
deleted in an unauthorized manner (control
of transportation).
2. Taking into account the nature of the responsible entities
by the treatment and the type of facilities in which it is carried out,
the CNPD may waive the existence of certain measures of
security, ensuring that respect for rights is shown,
freedoms and guarantees of data subjects.

CHAPTER III
Transfer of personal data
Article 19
(Principles)

1. Without prejudice to the provisions of the following article, the
transfer of personal data subject to
treatment or intended to be, can only performif in compliance with the provisions of this law and others
applicable data protection law
personal and, in the case of transference abroad,
for the country that ensures a level of protection.
adequate.
2. The adequacy of the level of protection is assessed in
function of all the circumstances surrounding the transor the set of data transfers, in
particular, the nature of the data, the purpose and the duration
of the treatment or treatments planned, the countries of
origin and final destination, general rules of law
or sectoral, in force in the country concerned, as well as the
professional rules and safety measures that are
respected in that country.
3. It is up to the CNPD to decide whether a foreign State
ensures an adequate level of protection.
Article 20

3. Systems must ensure logical separation between
data relating to health and sexual life, including
of the other personal data.
4. The CNPD may determine that the transmission is
encrypted, in cases where the circulation of data in a network
persons referred to in Articles 8 and 9 may endanger
rights, freedoms and guarantees of the respective holders.
Article 17
(Confidentiality of treatment)

Anyone acting under the authority of the
controller or subcontractor as well
as the subcontractor itself, have access to data
personal, you cannot process them without
responsible for the treatment, except by force
of legal obligations.
Article 18
(Professional secrecy)

1. Those responsible for the processing of personal data,
as well as people who, in the exercise of their functions,
are aware of the processed step data,
obligated to professional secrecy, even after the end of the
their functions.
2. The same obligation falls on the members of the CNPD,
even at the end of the term.
3. The provisions of the previous numbers do not exclude the duty
the provision of mandatory information, under the terms
legal, except when contained in organized files
for statistical purposes.
4. Personnel exercising advisory functions to the CNPD
or members are subject to the same confidentiality obligation.
professional.

(Derogations)

1. The transfer of personal data to a country that
does not ensure an adequate level of protection in the meaning
of number 2 of the previous article may be permitted by the
CNPD if the data subject has given inemisunderstand your consent to the transfer or if this
transfer:
a ) It is necessary for the execution of a contract
between the data subject and the person responsible
for the processing or due diligence prior to the
formation of the contract decided at the request of the
data holder;
b ) Is necessary for the execution or celebration
of a contract awarded or to be granted,
in the interest of the data subject, between the
controller and a third party;
c ) Is necessary or legally required for the
protection of an important public interest,
or for declaration, exercise or defense
of a right in a judicial process;
d ) Is necessary to protect vital interests
of the data subject;
e ) Is carried out from a public register
which, in terms of legislative provisions
or regulatory, is intended for information
of the public and is open to consultation by the
general public or anyone who
can prove a legitimate interest, provided
that the conditions established by law for the
consultation are fulfilled in the specific case.

Page 11
1224 SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013
2. Without prejudice to the provisions of number 1, it may be
authorized by the CNPD a transfer or a set
of transfers of personal data to a country that does not
ensure an adequate level of protection within the meaning of the
number 2 of the previous article, provided that the person responsible for
treatment provides sufficient guarantees of protection
of private life and fundamental rights and freedoms
of people, as well as their exercise, namely,
through appropriate contractual clauses.

category or categories of recipients who can
the data and the period of conservation to be communicated
of the data.
4. Treatments whose
only purpose is to keep records that,
terms of legislative or regulatory provisions, if
are intended for public information and can be consulted.
by the general public or anyone who
prove a legitimate interest.

3. The transfer of personal data that constitutes menecessary to protect the security of the State,
defense, public safety and prevention, investigation
and prosecution of criminal offenses is governed by provisions
specific legal documents or by conventions, treaties and agreements
to which Cape Verde is a party.

5. Unauthorized processing of personal data
provided for in paragraph 1 of article 8 are subject to notification.
when treated under sub-paragraph a ) of paragraph
3 of the same article.

CHAPTER IV

(Prior control)

National supervisory authority
of personal data protection
Section I
General provisions

Article 24

1. Unless authorized by law, they lack
CNPD authorization:
a ) The processing of personal data to which they refer
subparagraphs a ) and c ) of number 1 of article 8 and the
paragraph 2 of article 9;

Article 21
(Inspection objectives)

The supervision of the protection of personal data aims
monitor, evaluate and control the activity of the bodies
or legally competent services for your treatment.
ensuring compliance with the Constitution and the
law, particularly the regime of rights, freedoms and
fundamental guarantees of citizens.
Article 22

b ) The processing of personal data relating to the
credit and solvency of its holders;
c ) The interconnection of personal data, under the terms
provided for in article 10;
d ) The use of personal data for nondeterminants of collection.
2. The legal diploma authorizing the treatments
referred to the previous number requires the prior opinion of the CNPD.

(Nature of inspection)

1. The supervision of the protection of personal data is ensured.
held by an independent administrative authority,
the CNPD, which works with the National Assembly.
2. The CNPD is regulated by its own law.
Section II
Notification

Article 25
(Content of requests for opinion or authorization
and notification)

Requests for opinion or authorization, as well as
notifications, sent to the CNPD must contain the following
information:
a ) The name and address of the person responsible for the
treatment and, if applicable, of its representative;

Article 23

b ) The purpose (s ) of the processing;
(Notification obligation)

1. The controller or, where applicable, the
your representative must notify the CNPD before the performance
of a treatment or set of treatments, total or
partially automated, intended for prosecution
of one or more interlinked purposes.
2. The CNPD may authorize simplification or exemption
of notification for certain categories of treatment.
which, given the data to be processed, are not
likely to jeopardize rights and freedoms.
of data subjects and take into account criteria of
speed, economy and efficiency.
3. The authorization must specify the purposes of the
processing, the data or categories of data to be processed, the

c ) The description of the category or categories of holders of
data or categories of personal data
respect them;
d ) The recipients or categories of recipients
to whom the data can be communicated and in
what conditions;
e ) The entity in charge of processing the
information, if you are not responsible
of the treatment;
f ) Any interconnections of treatments of
personal data;
g ) The retention time of personal data;

Page 12
SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013 1225
h ) The form and conditions as the holders of
data can have knowledge or do
correct personal data concerning them;
i ) Data transfers planned for countries
the 3rd;
j ) The general description that allows to evaluate
preliminary the adequacy of the measures taken
to ensure the safety of treatment in
application of Articles 15 and 16.

CHAPTER V
codes of conduct
Article 28
(Purposes)

Codes of conduct are intended to contribute in
depending on the characteristics of the different sectors, for
the proper execution of the provisions of this law.
Article 29

Article 26
(Mandatory indications)

(CNPD intervention)

1. The CNPD supports the development of a code of conduct.

1. The legal diplomas referred to in paragraph b ) of number
1 of article 8 and in number 1 of article 9 as well as the
CNPD authorizations and treatment records
personal data must at least indicate:
a ) The person responsible for the file and, if applicable, the
your representative;
b ) The categories of personal data processed;
c ) The purpose or purposes for which the data are intended and
the categories of entities who can be
transmitted;
d ) The form of exercising the right of access and
rectification;

2. Professional associations and other organizations
representatives of categories of caregivers.
data processing that have prepared draft codes.
of conduct may submit them to the appreciation of the CNPD.
3. The CNPD can declare the conformity of the projects
with the legal and regulatory provisions in force in
on the protection of personal data.
CHAPTER VI
Judicial appeals, civil liability,
infractions and sanctions
Section I

e ) Any interconnections of treatments of
personal data;

Judicial appeals and civil liability
Article 30

f ) Data transfers provided to others
countries.
2. Any change to the indications contained in the
number 1 is subject to the procedures provided for in the
Articles 23 and 24.
Article 27

(Legal appeals)

Without prejudice to the right to file a complaint or
complaint to the CNPD, anyone can, under the terms
of the law, appeal in court for violation of rights
guaranteed by this law.

(Advertising of treatments)

1. The processing of personal data, when it is not
subject to a legal diploma and must be authorized or notified.
is registered in the CNPD, open for consultation by
anyone.
2. The register contains the information listed in the
subparagraphs a ) to d ) and i ) of article 25.
3. Data controller not subject to
notification is required to provide, in an appropriate manner,
to anyone who asks for at least the information.
mentioned in number 1 of article 26.

Article 31
(Civil responsability)

1. Anyone who has suffered a loss due
to illicit data processing or any other act
that violates laws or regulations in
matters of personal data protection have the right to
obtain from the person responsible and compensation for the damage suffered.
2. The controller can be partial or
fully exonerated from this responsibility if it proves
that the fact that caused the damage is not attributable to him.
Section II

4. The provisions of this article do not apply to
the sole purpose of which is to maintain
registers that, pursuant to legislation or
regulations, are intended to inform the public and
are open to consultation by the general public or
anyone who can prove a legitimate interest.
5. The CNPD must indicate in its annual report all
the opinions and authorizations prepared or granted to the
under this law, namely authorizations
provided for in the sub-paragraphs of number 1 of article 8 and in the
Article 10(2).

Infractions and sanctions
Subsection
Administrative offenses
Article 32
(Subsidiary legislation)

The infractions provided for in this subsection are subjointly applicable the regime of administrative offenses,
with the adaptations contained in the following articles.

Page 13
1226 Series I - N O 48 "BO" REPUBLIC OF CAPE VERDE - 17 SEPTEMBER 2013
Article 33
(Omission or defective fulfillment of obligations)

1. Entities that, through negligence, do not comply with the
obligation to notify the CNPD of data processing
personnel referred to in paragraphs 1 and 5 of article 23,
provide false information or fulfill the obligation to
notification with failure to comply with the terms provided for in the
article 25, or even when, after being notified by the
Commission, maintain access to open networks.
transmission of data to controllers
of personal data that do not comply with the provisions of the
present law, practice an administrative offense punishable by the
following fines:
a ) In the case of a natural person, at least
50,000$00 and a maximum of 500,000$00;
b ) In the case of a legal person or entity
without legal personality, at least
300,000$00 and a maximum of 3,000,000$00.
2. The fine is increased to double its limits
in the case of data subject to prior control,
pursuant to Article 24.

Article 37
(Application of fines)

1. The application of the fines provided for in this law
ask the president of the CNPD, under its prior deliberation.
2. The resolution of the CNPD, constitutes an executive title,
in case it is not challenged within the legal period.
Article 38
(Fulfillment of duty omitted)

Whenever the administrative offense results from the omission of
a duty, the application of the sanction and the payment of the fine
do not exempt the offender from compliance, if he
is still possible.
Article 39
(Destination of collected revenue)

The amount of amounts collected as a result
of the application of the fines, reverts to the CNPD.
Subsection II
Crimes

Article 34
(Other offences)

1. Practice an administrative offense punishable by a fine
minimum of 100,000$00 and maximum of 1,000,000$00, the
entities that do not comply with any of the following provisions.
positions of this law:
a ) Appoint a representative under the terms provided for in
number 4 of article 2;
b ) Comply with the obligations established in the articles
6th, 11th, 12th, 13th, 14th, 16th, 17th and 27th, number 3.
2. The fine is increased to double its limits
when the constant obligations are not fulfilled
of articles 7, 8, 9, 10, 19 and 20.
Article 35
(Infringement competition)

1. If the same fact constitutes, simultaneously,
crime and misdemeanor, the agent is always punished for
crime title.
2. Sanctions applied to administrative offenses
course are always materially cumulated.
Article 36
(Punishment of negligence and attempt)

1. Negligence is always punished in administrative offenses
provided for in article 34.
2. The attempt is always punishable in administrative offenses
provided for in articles 33 and 34.

Article 40
(Non-compliance with obligations relating to the protection of
Dice)

1. Is punishable by imprisonment for up to one year or a fine of up to 120
days who intentionally:
a ) Omit the notification or request for authorization to
referred to in Articles 23 and 24;
b ) Provide false information in the notification
or in the authorization requests for the
processing of personal data or in this
make changes not consented to by the
legalization instrument;
c ) Divert or use personal data, in a way
incompatible with the determining purpose of the
collection or with the instrument of legalization;
d ) Promote or carry out illegal interconnection
of personal data;
e ) After the deadline that you have
been fixed by the CNPD for compliance
of the obligations provided for in this law or
in other data protection legislation, the
not comply;
f) After being notified by the CNPD for the no
do, maintain access to open networks
of data transmission to responsible
for the processing of personal data that
comply with the provisions of this law.
2. The penalty is aggravated to double its limits
when it comes to personal data to which the
Articles 8 and 9.

Page 14
SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013 1227
Article 41
(Improper access)

1. Who, without proper authorization, in any way,
accessing personal data that you are not allowed to access is
punishable by imprisonment of up to one year or a fine of up to 120 days.
2. The penalty is aggravated to double its limits
when access:
a ) Is achieved through violation of rules
security techniques;
b ) It has enabled the agent or third parties to
knowledge of personal data;
c ) Has provided to the agent or third parties
property benefit or advantages.

2. The penalty is increased by half of its limits if the
agent:
a ) Are civil servants or similar,
under criminal law;
b ) Is determined by the intention to obtain any
equity advantage or other benefit
illegitimate;
c ) endanger reputation, honor and
consideration or intimacy of private life
of someone else.
3. Negligence is punishable by imprisonment for up to six months
or fine up to 120 days.
4. Outside the cases provided for in paragraph 2, the procedure
criminal depends on complaint.

3. In the case provided for in number 1, the criminal procedure
nal depends on complaint.
Article 42
(Victation or destruction of personal data)

1. Who, without proper authorization, deletes, destroys,
damage, delete or modify personal data;
rendering them unusable or affecting their usability,
is punishable by imprisonment for up to two years or a fine of up to 240 days.
2. The penalty is increased to double its limits if
the damage produced is particularly severe.
3. If the agent acts negligently, the penalty is, in amin good cases, imprisonment for up to one year or a fine of up to 120 days.
Article 43
(Qualified disobedience)

1. Who, after being notified to the effect, does not
terminate cease or block data processing
personal is punished with the corresponding prison sentence.
to the crime of qualified disobedience.
2. Whoever, after being notified, incurs the same penalty:
a ) Refuse, without just cause, the collaboration that
specifically required by the CNPD,
under the law;
b ) Do not proceed with the deletion, total destruction
or partial personal data;
c ) Not to destroy personal data, after
the retention period provided for in article 6.
Article 44

Article 45
(Punishment of the attempt)

In the crimes provided for in the previous provisions, the
attempt is always punishable.
Article 46
(Additional sanctions)

1. Together with the fines or penalties applied
can additionally be ordered:
a ) The temporary or permanent prohibition of the
treatment, blocking, deletion or
total or partial destruction of data;
b ) The publicity of the condemnatory sentence;
c ) The public warning or censorship of the responsible
by the treatment.
2. The publicity of the condemnatory decision is made to the exdo you think of the convict, in a major periodical publication
edited expansion in the region of the practice of the
infringement, or failing that, in periodic publication of
further expansion of the nearest county, as well as
by posting the notice in an appropriate support, by
period not less than 30 days.
3. The publication is made by extract containing the
elements of the offense and the sanctions applied, as well as
the agent's identification.
CHAPTER VII
Transitional and Final Provisions
Article 47

(Violation of the duty of confidentiality)

(Existing manual files)

1. That, under the obligation of professional secrecy, under the terms of the law,
without just cause and without due consent, reveal
1. Data treatments in files
or disclosing all or part of personal data is punishable.
manuals at the date of entry into force of this law
with imprisonment from six months to three years or a fine
must comply with the provisions of articles 8, 9, 11 and 12 in the
from eighty to two hundred days, if the most serious penalty does not
within six months.
is applicable, regardless of the disciplinary measure
2. In any case, the data subject can obtain,
corresponding to the seriousness of your fault, which may
go until the termination of the bond that links him to the position or function. at their request and, in particular, when exercising the

Page 15
1228 SERIES I — N O 48 «BO» OF THE REPUBLIC OF CAPE VERDE — SEPTEMBER 17, 2013
right of access, rectification, deletion or blocking
filling of incomplete, inaccurate or preserved data
in a way incompatible with the legitimate purposes pursued
by the controller.
3. The CNPD may authorize that the data existing in
manual files and kept for the sole purpose of
historical research requirements do not have to comply.
the provisions of articles 8, 9 and 10, provided that they are not,
in no case reused for a different purpose.
Article 48
(Existing automated files)

The holders of existing automated files to
date of entry into force of this law must comply
rigorously what is contained in it, namely
adapt such files within six months.

Article 3
Legal regime

The CNPD is governed by the provisions of these Bylaws,
by the legal provisions that are specifically
applicable and, alternatively, by the regime applicable to
independent regulatory authorities in the economic sector.
mic and financial.
Article 4
territorial scope

1. The CNPD exercises its powers throughout the
National territory.
2. The CNPD may be asked to exercise its powers
by a data protection supervisory authority
from another State, under the terms of agreements and conventions.
of which Cape Verde is a party.

Article 49
(Implementation)

This law enters into force thirty days after its
Publication.
Approved on December 20, 2000.
The President of the National Assembly, António do
Espírito Santo Fonseca .
Enacted on January 10, 2001.

3. The CNPD cooperates with the control authorities of
protection of personal data from other States in the dissemination
of law in this matter, as well as in defense and exercise.
rights of persons residing abroad.
Article 5
Thirst

The CNPD is headquartered in Praia, being able to create
delegations in other parts of the country.
Article 6

Publish yourself.
Collaboration from other entities

The President of the Republic, ANTÓNIO MANUEL
MASCARENHAS GOMES MONTEIRO.
Signed on January 13, 2001.
The President of the National Assembly, António do
Espírito Santo Fonseca .

––––––
Law No. 42/VIII/2013
of September 17th

By mandate of the People, the National Assembly decrees,
pursuant to paragraph b ) of article 175 of the Constitution,
the next:
CHAPTER I
General provisions
Article 1
Object

This law regulates the composition, competence, the
organization and functioning of the National Commission
of Data Protection (CNPD), as well as the statute of
its members.
Article 2
Nature

CNPD is an independent administrative entity,
which works with the National Assembly, whose offices
skills and competences relating to data protection
are defined in this law.

1. Public and private entities must provide the
your collaboration to the CNPD, providing all the information
requested by it, in the exercise of its powers.
2. The duty of collaboration is ensured, designated
mind, when the CNPD needs it, for the full
exercise of its functions, to examine the information system.
and the personal data files, as well as the entire
documentation relating to the processing and transmission of
personal data.
3. The courts must communicate to the CNPD a certificate or
copy of the judgments or judgments given in the matter
of the right to the protection of personal data, namely
on crimes or appeals against decisions of the CNPD.
Article 7
Access to computer support systems for treatment
of data

The CNPD or its members, as well as the technicians by
mandated, have the right to access information systems.
to support the processing of data
as well as the documentation referred to in the article.
above, within the scope of its attributions and competences.
CHAPTER II
Attributions and competences
Article 8
assignments

1. The CNPD is the national authority responsible for
control and monitor compliance with legal provisions.

