ti- EURKINA FASO
IVE REPUBLIC
UNITE-PROGRES-JUSTICE
THIRD LEGISLATURE
NATIONAL ASSEMBLY
LAW N ° 010-2004 / AN
DATA PROTECTION
PERSONAL CHARACTER
THE NATIONAL ASSEMBLY
Seen
the Constitution ;
resolution n ° 001-2002 / AN of June 5, 2002, validating the mandate of deputies;
deliberated at its meeting of April 20, 2004 and adopted the law, the content of which is as follows:
TITLE I: GENERAL PROVISIONS
Chapter 1:
Definitions
Article 1:
The purpose of this law is to protect, in Burkina Faso, the rights of individuals with regard to the processing of personal data, whatever their nature, method of execution or those responsible,
Article 2: Constitutes personal data, any information which allows, in any form whatsoever, directly or indirectly, the identification of natural persons, in particular by reference to an identification number or to several specific elements specific to their physical, psychological, psychological, economic, cultural or social identity.
Article 3: Processing of personal data is defined as any operation or set of operations carried out using automated or non-automated processes by a natural or legal person, and applied to personal data, such as collection, recording, retrieval, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation or interconnection, blocking, erasure or destruction.
Article 4: The controller is the natural or legal person, public or private, who has the power to decide on the creation of personal data The recipient of the processing of personal data is any natural or legal person, public or private, other than the data subject, authorized to receive communication of these data. The data subject is the identifiable person to whom the personal data relates.
Chapter 2 :
Fundamental principles
Article 5.
Any processing of personal data must have received the consent of the person (s) concerned, except for exceptions provided for by law.
Article 6: Everyone has the right to know and to challenge the information and reasoning used in processing, automated or not, the results of which are opposed to him
Article 7:
No court decision involving an assessment of human behavior can have as its sole basis an automated processing of information giving a definition of the profile or personality of the interested party intended to assess certain aspects of his personality. No administrative or private decision involving an assessment of human behavior can have as its sole basis an automated processing of information, giving a definition of the profile or personality of the person concerned.
Chapter 3:
Scope
Article 8:
This law applies to the automated or non-automated processing of personal data contained or called to appear in the files for which the person responsible is established on the territory of Burkina Faso, or, without being established there, resorts to means of processing located on the territory of Burkina Faso, excluding data which are only used for transit purposes.
Article 9:
The provisions of this law do not apply to temporary copies which are made within the framework of the technical activities of transmission and provision of access to a digital network with a view to the intermediate and transient automatic storage of data for the sole purpose of enabling to other recipients of the service the best possible access to information
Article 10:
The automated processing of personal data for the purpose of research in the field of health is subject to the provisions of this law, with the exception of articles 5, 13, 18, 20
The examination of the request for the implementation of these treatments by the Supervisory Authority provided for in Title III below, is subject to the favorable opinion of the Ethics Committee for health research.
Article 11:
Data processing for the purpose of individual therapeutic or medical monitoring of patients is not subject to the provisions of this law.The same applies to processing enabling studies to be carried out from the data thus collected if these studies are carried out. by the personnel ensuring this follow-up and intended for their exclusive use
TITLE II: IMPLEMENTATION OF DATA PROCESSING A
PERSONAL CHARACTER
Chapter 1: General conditions
Article 12 The person responsible for processing personal data has the obligation to collect and process data fairly, lawfully and not fraudulently.
Article 13.
The person in charge of the processing of personal data has the obligation to inform the data subject of the purpose of the processing, the recipients of the data, the obligatory or optional nature of the answers to the questions asked as well as the possible consequences of a failure to answer These provisions do not apply to the collection of data necessary for the establishment of an infringement.
+
- Article 14:
The processing of personal data can only be done under the following conditions:
data must be collected for specific, explicit and legitimate purposes. Consequently, the data cannot be used for purposes other than those for which they were collected; the data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and for which they are subsequently processed;
the data must be kept for a period which does not exceed the period necessary for the purposes for which they are collected or processed. Beyond the necessary duration, the data can only be kept in a nominative form with a view to their processing for historical, statistical or research purposes.
Article 15:
The controller must implement all appropriate technical and organizational measures to preserve data security, in particular protect data against accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorized access. authorized.
Article 16: If information has been transmitted by mistake to a third party, its rectification or
be notified to this third party, unless dispensed with by the Supervisory Authority.
Data subjects have the right to object, for legitimate reasons, to the processing of personal data concerning them. This right does not apply to processing designated by regulatory act, provided for in Article 18 below.
Article 17: Data subjects have the right to know the stored data concerning them. They must be able to exercise this right without undue delay or excessive costs When the exercise of the right of access applies to information of a medical nature, this information can only be communicated to the interested party through a doctor. that he designates for this purpose.
If data is found to be incomplete or inaccurate, the data subjects may request its correction or rectification. In this case, the controller is required to make the correction or rectification and deliver, free of charge, a copy of the amended registration.
With regard to processing relating to State security, defense and public security, the request is addressed to the Supervisory Authority, which designates one of its members under the judiciary, to carry out the useful investigations and make make the necessary changes. The latter may be assisted by an agent of the Supervisory Authority. The registrant is notified that the verifications and any modifications have been carried out.
Article 18:
Apart from the case where they must be authorized, by law, the automated processing of personal data operated on behalf of the State, an establishment
a local authority or a legal person governed by private law managing a public service, are decreed by decree after reasoned assent from the Control Authority provided for in Title III below. In the event of an unfavorable opinion from the Supervisory Authority, an appeal may be brought before the Council of State.
Article 19:
The processing of personal data carried out on behalf of persons other than those subject to the provisions of Article 18 above must, prior to their implementation, be declared to the Authority. control.
partice 18 above
Chapter 2 :
Provisions specific to certain
data categories
Article 20:
Unless otherwise provided by law, it is prohibited to collect or process, without the express consent of the data subject, personal data relating to the health of the latter or which reveal racial, ethnic origins, political, philosophical or religious opinions, union membership or death.
Article 21: Personal data may be processed without the consent of the data subject, in the following cases:
- the processing is necessary for compliance with a legal obligation to
which the controller is subject to; the processing is necessary to protect the life of the data subject or that of a third party;
the processing relates to data made public by the data subject;
the processing is necessary, either for the performance of a contract to which the data subject is a party, or for pre-contractual measures taken at the latter's request;
the processing is necessary for the establishment of an infringement, a right, the exercise or defense of a legal right; the treatments necessary for the purposes of preventive medicine, medical diagnosis, administration of care or treatment, management of health services, provided that they are carried out by a member of a health profession or by another person to whom professional secrecy is required by reason of his or her duties.
Article 22. The following may process personal data relating to offenses, convictions and security measures only:
- jurisdictions and public authorities acting within the framework of their
legal powers; legal persons managing a public service, after obtaining the assent of the Supervisory Authority,
auxiliaries of justice, for the strict needs of the exercise of the missions entrusted to them.
Article 23: Any disclosure or commercial use of personal health data is prohibited.
Article 24: The transmission between Burkinabe territory and abroad, in any form whatsoever, of personal data subject to automated processing governed by Article 19 above, can only be carried out if the transmission takes place in accordance with the protection afforded by this law,
However, in exceptional circumstances, the transmission may be authorized by decree after obtaining the assent of the Supervisory Authority.
Article 25
The provisions of Articles 20, 22 and 24 do not apply to personal data processed by the written or audiovisual media within the framework of the laws which govern them, if their application would have the effect of limiting the exercise of the freedom of expression.
TITLE III: SUPERVISORY AUTHORITY
Chapter 1 :
Creation, composition and organization
Article 26: A supervisory authority called the Commission for Informatics and Freedoms (CIL) hereinafter referred to as the Commission is created. It is responsible for ensuring compliance with the provisions of this law, in particular by informing all the persons concerned of their rights and obligations and by controlling the applications of information technology to the processing of personal data. To this end, the Commission has regulatory power and a power of sanction which will be specified by decree,
Article 27: The Data Protection Commission is an independent administrative authority.
It is composed of nine (09) members as follows: - a magistrate, member of the Council of State, elected by his peers in
general assembly; a magistrate, member of the Court of Cassation, elected by his peers in a general assembly, two deputies appointed by the President of the National Assembly; two personalities appointed by national associations working in the field of human rights; two personalities appointed by the national associations of IT professionals; a personality appointed by the President of Faso because of his competence.
The members of the Data Protection Commission are appointed by decree in the Council of Ministers.
Article 28 The mandate of the members of the Commission is of five (05) years renewable one TOIS. With the exception of the president, the members of the Commission do not exercise a function on a permanent basis.
Members of the Commission are irremovable during their term of office.
Membership can only be terminated in the event of resignation, incapacity noted by the Commission under the conditions it defines or serious misconduct.
The members of the Commission are subject to professional secrecy in accordance with the texts in force.
Article 29:
The President of Faso appoints the President of the Commission from among the members of the Commission for Informatics and Freedoms. The president is assisted by a vice president elected by the Commission. The President shall exercise his functions on a permanent basis until the end of his mandate as member of the Commission
Article 30 Membership of the Commission is incompatible:
- with the quality of member of the Government,
with the functions of company directors contributing to the manufacture of equipment used in IT or telecommunications, to the provision of IT or telecommunications services; with the holding of a stake in the above-mentioned companies.
Article 31: If during the term of office, the president or a member of the Commission ceases to exercise his functions, he is replaced in accordance with the forms and quotas defined in articles 27 and 29. The mandate of the successor thus designated is limited to the remaining period
Article 32: The members of the Commission, before taking office, take before the Court of Appeal of Ouagadougou sitting in solemn hearing, the oath of which the content follows: "I solemnly swear well and faithfully fulfill my function of member of the Data Protection Commission, with complete independence and impartiality, in a dignified and loyal manner and to keep the deliberations secret ”
Articles 33: The members of the Commission enjoy total immunity for opinions expressed in the exercise or on the occasion of the exercise of their functions.
In the exercise of their attributions, the members of the Commission do not receive instructions from any authority. Computer scientists called upon either to give information to the Commission or to testify before it are released as necessary from their professional obligation of discretion.
Article 34:
The members of the Commission receive allowances fixed by decree in the Council of Ministers,
Article 35 The appropriations necessary for the Commission for the accomplishment of its mission are financed by the State budget or by any other resource which may be allocated to it.
The Commission can only receive funding from an individual, an organization or a foreign state through the cooperation structures of Burkina Faso. However, the fulfillment of certain formalities provided for in articles 17, 18, 19 and 41 of this law may give rise to the collection of fees,
Article 36: The Commission enjoys management autonomy. The President of the Commission is the budget authorizing officer. It applies the management rules of public accounting. The control of the financial accounts of the Commission is the responsibility of the Court of Auditors.
Chapter 2:
Responsibilities of the IT Commission
and freedoms
Article 37: For the exercise of its mission, the Commission:
a- takes individual or regulatory decisions in
cases provided for by this law; b- may, by special decision, appoint one or more of its
members or its agents, assisted if necessary by experts, to carry out, with regard to any data processing, on-site verifications and to obtain all
information and documents useful for its mission; C- issue, where appropriate, model rules in order to ensure the
system security; in exceptional circumstances, it may prescribe security measures consisting in particular of the destruction of media
information or by suspending the authorization: d- sends the interested parties warnings and denounces the
prosecution of offenses of which it is aware;
e- Ensure that the modalities of implementation of the right of access
and rectification indicated in the acts and declarations provided for in Articles 18 and 19 do not hinder the free exercise of this
law; f- receives complaints, petitions and plants, g- keeps abreast of industrial activities, services that
contribute to the implementation of IT,
h- keeps abreast of the effects of the use of IT on
the right to the protection of private life, the exercise of freedoms and the functioning of democratic institutions,
1- advises people and organizations who use the
automated processing of personal information or which carry out tests or experiments likely to lead to
such treatments; I respond to requests for advice from public authorities and, if
where appropriate, jurisdictions; k- proposes to the Government all legislative measures or
regulations likely to adapt the protection of freedoms to the evolution of IT processes and techniques.
Article 38
Ministers, public authorities, managers of public or private companies, heads of various groups and more generally holders or users of name files must take all necessary measures to facilitate the task of the Commission. They cannot oppose its action for any reason whatsoever
Article 39
The Commission may instruct the President or the Vice-President to exercise his or her powers with regard to the application of Articles 19 and 37 (d, e and f)
Article 40
The Data Protection Commission ensures that the processing, whether automatic or not, public or private, of nominative information is carried out in accordance with the provisions of the law. It can take all necessary measures for this purpose.
Article 41
For the most common categories of data processing of a public or private nature which clearly do not involve an infringement of privacy or freedoms, the Commission establishes and publishes simplified standards inspired by the characteristics mentioned in Article 42 above. below.
11
for data processing that meets these standards, only a simplified declaration of conformity with one of these standards is filed with the Commission
specific to this, the declaration receipt is issued without delay. Upon receipt of this receipt, the applicant can start the data processing. He is not exempt from any of his responsibilities.
Article 42: The request for an opinion or the declaration must specify:
a- the person who presents the request and the one who has the power to decide the
creation of the data processing or, if it resides abroad, its
representative in Burkina Faso; b- the characteristics, purpose and, if applicable, the name of the processing
of data; C- the service or services responsible for implementing it, the service to which the right of access is exercised as well as the measures
taken to facilitate the exercise of this right; e- the categories of persons who, by reason of their functions or for
service needs, have direct access to recorded information; fr the personal information processed, their origin and the duration of their
retention as well as their recipients or categories of recipients authorized to receive communication of this information;
g- reconciliations, interconnections or any other form of
relation of this information as well as its transfer to third parties; h- the measures taken to ensure the security of data processing
and information and the guarantee of secrets protected by law; - If the data processing is intended for the sending of information
tives between Burkinabé territory and abroad in any form whatsoever, including when it is the subject of operations partially carried out on Burkinabé territory from operations previously carried out outside Burkina Faso
Article 43 The regulatory act provided for the processing of data governed by article 18 C1 above specifies in particular.
- the name and purpose of the data processing, - the service to which the right of access is exercised,
the categories of personal information recorded as well as the recipients or categories of recipients authorized to receive communication of this information
Decrees may provide that regulatory acts relating to certain data processing relating to State security, defense and public security will not be published.
Article 44: The Commission shall make the list of data processing operations available to the public, which specifies for each of them:
- the law or regulatory act deciding its creation or the date of its
declaration; - its name and purpose;
the service to which the right of access is exercised,
the categories of personal information recorded as well as the recipients or categories of recipients authorized to receive
communication of this information. The decisions, opinions or recommendations of the Commission whose knowledge is useful for the application or the interpretation of this law are made available to the public, under the conditions fixed by decree.
Article 45:
The Commission presents each year to the President of Faso, to the President of the National Assembly and to the President of the Constitutional Council, a report giving an account of the execution of its mission. This report is made public.
TITLE IV: CRIMINAL SANCTIONS
Article 46:
The fact of carrying out or having carried out automated processing of nominative information without having complied with the formalities prior to their implementation provided for by law is punishable by imprisonment of three (03) months to five (05). ) years and a fine of five hundred thousand (500,000) to two 177illion (2,000,000) CFA francs.
Article 47
The fact of carrying out or having carried out an automated processing of nominative information without taking all the necessary precautions to preserve the security of said information, in particular preventing it from being distorted, damaged or communicated to unauthorized third parties is punt de imprisonment for three (03) months to five (05) years and a fine of five hundred thousand (500,000) to two million (2,000,000) CFA francs
3
Article 48 The fact of communicating to unauthorized third parties or of unauthorized or unlawful access to personal data is punishable by a prison sentence of three (03) months to five (05) years and one million (1,000,000) to three million (3,000,000) CFA francs in fines.
Article 49: Is punished with an imprisonment of three (03) months to five (05) years and from five hundred thousand (500,000) to two million (2,000,000) CFA francs fine, the diversion of purpose of '' collection or processing of personal data.
Article 50 The fact of collecting data by fraudulent, unfair or unlawful means, or of processing personal information concerning a natural person despite his opposition, when this opposition is based on legitimate reasons, is punished by three ( 03) months to five (05) years of imprisonment and from two million (2,000,000) to five million (5,000,000) CFA francs fine. In the event of automated processing of personal data for the purpose of research in the field of health, the same penalties apply to the fact of processing data:
1.without having previously informed individuals individually
concerned about their right of access, rectification and opposition, the nature of the information transmitted and the recipients of the data; despite the opposition of the person concerned or, when provided for by law, in the absence of the informed and express consent of the person, or, in the case of a deceased person, despite the expressed refusal by it during his lifetime.
Article 51: Except in the cases provided for by law, the fact of putting or keeping in computer memory, without the express consent of the interested party, personal data which, directly or indirectly, reveal the racial or ethnic origins or political, philosophical or religious opinions or union memberships or manners of people is punished by three (03) months to five (05) years of imprisonment and from five hundred thousand (500,000) to two million (2,000,000) of CFA francs fine. The same penalties shall apply to the fact, except in the cases provided for by law, of placing or keeping in computerized memory personal information concerning offenses, convictions or security measures.
Article 52: The fact, without the agreement of the Data Protection Commission, of keeping information in nominative form beyond the period provided for in the request for an opinion or in the declaration prior to the implementation of the computerized processing is punished by three (03) months to five (05) years of imprisonment and from five hundred thousand (500,000) to two million (2,000,000) CFA francs fine.
Article 53: The fact, by any person who has collected, during their recording, classification, transmission or other form of processing, personal information the disclosure of which would have the effect of undermining the honor and consideration of the interested party or the privacy of his private life, to bring, without the authorization of the interested party, this information to the knowledge of a third party who does not have the capacity to receive it, is punished by three (03) months to five (05) years of imprisonment and a fine of one million (1,000,000 to three million (3,000,000) CFA francs.
ation provided for in the preceding paragraph is punished by three (03) months to cina (05) years of imprisonment and from five hundred thousand (500,000) to two million (2,000,000) CFA francs fine when was committed through recklessness or negligence.
In the cases provided for in the two preceding paragraphs, the prosecution can only be exercised on the complaint of the victim, his legal representative or his dependents.
Article 54 Shall be punished by imprisonment of one (01) month to one (01) year and two hundred thousand (200,000) to one million (1,000,000) CFA francs fine, the fact of hindering the action by the Commission:
- either by opposing the on-the-spot checks,
either by refusing to communicate to its members or its agents, information and documents useful for the mission entrusted to them or by concealing or removing said documents,
either by communicating information which does not conform to the content of the recordings at the time the request was made or which does not present it in a directly intelligible form
Article 55
The provisions of Articles 46 to 54 are applicable to non-automated or mechanographic files the use of which does not fall exclusively within the exercise of the right to
private life
18
TITLE V: MISCELLANEOUS PROVISIONS
Article 56.
Notwithstanding the rules relating to professional secrecy, members of the health professions may transmit the personal data they hold within the framework of automated data processing authorized by the Commission.
When these data allow the identification of persons, they must be coded before their transmission. However, this obligation may be waived when the data processing is associated with pharmacovigilance studies or research protocols carried out within the framework of national or international cooperative studies; It may also be waived if a particularity of the research so requires, the authorization request includes the scientific and technical justification for the exemption and, except with a reasoned authorization from the Commission given after the opinion of the Ethics Committee for health research , the data transmitted cannot be kept in a nominative form beyond the period necessary for the research.
The presentation of the results of the data processing must in no case allow the direct identification of the persons concerned.
The data are received by the research manager appointed for this purpose by the natural or legal person authorized to carry out their processing.This manager ensures the security of the information and its processing, as well as respect for the purpose of the data. -this
The persons called upon to carry out the data processing as well as those who have access to the data to which it relates are bound by professional secrecy.
Article 57 : Les dispositions des articles 12, 13, 15, 18, 19, 22 et 25 relatives à la collecte, a l'enregistrement et à la conservation des donnees a caractere personnel sont applicables aux fichiers non automatises ou mécanographiques autres que ceux dont l'usage relève du strict exercice du droit à la vie privee
Article 58: Les dispositions de la présente los ne font pas obstacle à celles de la loi 770 040/96/ADP du 08 novembre 1996, portant obligation de reponse et de secret statistique.
TITRE VI: DISPOSITIONS TRANSITOIRES ET FINALES
Article 59 : A titre transitoire, les traitements de données régis par l'article 18 ci-dessus et déjà créés, ne sont soumis qu'à une déclaration auprès de la Commission dans les conditions prévues à l'article 42. La Commission peut toutefois, par décision spéciale, faire application des dispositions de l'article 18 et fixer le délai au terme duquel l'acte réglementant le traitement de données doit être pris.
Article 60 A compter de la promulgation de la présente loi, tous les traitements de données devront répondre aux prescriptions de cette loi, dans les délais ci-après :
- trois (03) ans pour les traitements de données régis par l'article 18,
• six (06) mois pour les traitements de données régis par l'article 19.
Article 61 : Des décrets pris en conseil des ministres détermineront les modalités d'application de la présente loi,
Article 62: La présente loi qui abroge toutes dispositions antérieures contraires sera exécutée comme loi de l'Etat.
Ainşi fait et délibéré en séance publique à Ouagadougou, le 20 avril 2004
Pour le Président de l'Assemblée nationale,
Le Deuxième Vice-President
Y
+
--- 3 S inil Dimfangodo Salifou SAWADOGO
Le Secrétaire de séance
Mamadou Christophe QUATTARA

