Page 1

Contact

About

Mailing List

Legal Informatics Magazine

Law nº 41/VIII/2013 General Legal Regime for the Protection of Personal Data of Individuals

Legal Information > Law > Cape Verde > Law nº 41/VIII/2013 General Legal Regime for the Protection of Personal Data of Individuals

Law nº 41/VIII/2013 General Legal Framework for Data Protection
Personal of Individuals
July 10, 2018

Cape Verde, ley

Computer Legislation

Computer Jurisprudence
amended by Law No. 41/VIII/2013, approved by Law No. 133/V/2001 , of 17 September. ,

Computer Law, Cape Verde Legislation , Law nº 41/VIII/2013 General Legal Regime for the Protection of Personal Data of
Individual People. General legal regime for the protection of personal data to natural persons

Seminars
Jose Cuervo

Master and Post-Grade
Law nº 41/VIII/2013 General Legal Regime for the Protection of Personal Data of Individuals. regimen
general legal protection of personal data to individuals, approved by Law No. 133/V/2001, amended
by Law No. 41/VIII/2013, of 17 September.

Trabajos

Elements
CHAPTER I.- GENERAL PROVISIONS
Access to public information Argentina
2020
Article 1.- (Object)
Share
This law establishes the general legal regime for the protection of personal data of individuals.

Colombia

awake
Argentina

Article 2 (Scope of application)

1. This law applies to the processing of personal data by fully or partially automated means,

act

as well as the processing by non-automated means of personal data contained in manual or

Communate Economique des Etats de

to these destined.

2. This law applies to the processing of personal data carried out:

l'Afrique de l'Ouest (ECOWAS)

I agree

a) Within the scope of the activities of establishment of the data controller located in national territory;

Costa Rica

b) Outside national territory, in a place where Cape Verdean legislation is applicable under international law.

Ecuador

national;
Spain
c) By a responsible person who, not being established in the national territory, resorts to personal data processing.

Catalonia

personal, to means, automated or not, located in the national territory, unless these means are only used
for transit.

Mexico
3. This law applies to video surveillance and other forms of capturing, processing and diffusing sounds and images.
Peru

gens that allow the identification of people whenever the person responsible for the treatment is domiciled or
in national territory or use a provider of access to computer and telematic networks established there.
acid.

Attachments

4. In the case referred to in subparagraph c) of paragraph 2, the controller shall designate, by means of communication.

Preliminary design

tion to the National Data Protection Commission, hereinafter referred to as CPND, an established representative

Honduras

in national territory, which replaces it in all its rights and obligations, without prejudice to its own
responsibility.

Ley's draft
5. The provisions of the preceding paragraph shall apply in case the controller is covered by this

Argentina

extraterritoriality, immunity or any other that prevents criminal proceedings.
Brazil
6. This law applies to the processing of personal data for the purpose of public security,
State of São Paulo

national defense and the security of the State, without prejudice to the provisions of special rules contained in the
ments of international law to which Cape Verde is bound and of speciac legislation relating to the respective

Decree

sectors.
Letter
African of Human Right
Article 3 (Exclusion from the scope)
center
This law does not apply to the processing of personal data carried out by a natural person in the exercise of
exclusively personal or domestic activities.

Magazine Certificates

Chile
Article 4 (General principle)

Circular
Colombia

The processing of personal data must be carried out in a transparent manner and in strict compliance with the reservation of the
intimacy of private and family life, as well as the fundamental rights, freedoms and guarantees of the citizen.

Spain

give.

Mexico

Peru

Article 5 (Denitions)

1. For the purposes of this law, the following definitions apply:

Code
Chile

a) «Personal data»: any information, of any nature and regardless of its support,
including sound and image, relating to an identified or identifiable natural person, “data subject”;

Ecuador

b) "Processing of personal data" or "Processing": any operation or set of operations on data.
U.S

personnel, carried out, in whole or in part, with or without automated means, such as collection, reregistration, organization, conservation, adaptation or alteration, recovery, consultation, use, communication.

Mexico

nication by transmission, broadcast or any other form of making available, with
ration or interconnection, as well as blocking, erasure or destruction;

collaborator
c) "Personal data file" or "File": any structured set of personal data, accessible if
according to determined criteria, whether centralized, decentralized or functionally or geo-

Colombia

graphic;
Communication European Commission
d) «Processor»: the natural or legal person, the public authority, the service or any
another body that, individually or together with others, determines the purposes and means of

Conference

processing of personal data;
Congresses
e) "Subcontractor": the natural or legal person, the public authority, the service or any other body.
who processes personal data on behalf of the data controller;

Constitution
Algeria

f) "Third": the natural or legal person, the public authority, the service or any other body that,
not being the data subject, the controller, the subcontractor or other person under
directly from the controller or the processor, is authorized to process the data;

bhutan

g) «Recipient»: the natural or legal person, the public authority, the service or any other body to

Cape Green

to whom personal data is communicated, regardless of whether or not it is a third party, without prejudice to
zo that authorities to whom data are communicated within the scope of

Cuba

a legal provision;
Egypt

h) «Consent of the data subject»: any expression of will, free, speciac and informed, in the
terms under which the holder accepts that his/her personal data be processed;

State of Palestine
i) "Data interconnection": form of treatment consisting in the possibility of data linkage
france

of an acheiro with the data of an acheiro or acheiros maintained by another or other responsibles, or maintained
From

morocco
2. For the purposes of the provisions of subparagraph a) of the preceding paragraph, the person who may be
Mexico

directly or indirectly, namely by reference to an identification number or a
or more specific elements of their physical, asiological, psychological, economic, cultural or social identity.

Serbia
3. For the purposes of paragraph d) of the preceding paragraph, whenever the purposes and means of treatment
to be determined by law or regulation, the controller must be

Syria

indicated in the organization and functioning law or in the statute of the legal or statutorily competent entity.
try to process the personal data in question.

convention

Health insurance
European Union

CHAPTER II.- PROCESSING OF PERSONAL DATA

Course

Section I.- Quality of data and legitimacy of its processing

decision
Argentina

Andean Community
Article 6 (Data Quality)
france

1. Personal data must be:

Qatar

a) Treated legally, lawfully and with respect for the principle of good faith;

Rumania

b) Collected for specific, explicit and legitimate purposes, and cannot be further processed
in a way incompatible with these purposes;

Declaration
c) Adequate, relevant and not excessive in relation to the purposes for which they are collected and latermind treated;

Decree
Argentina

d) Accurate and, if necessary, updated, and appropriate measures must be taken to ensure that
Inaccurate or incomplete data are deleted or rectified, taking into account the purposes for which they were

Bolivia

were collected or for which they are further processed;
Brazil

e) Kept in order to allow the identification of its holders only for the necessary period
to pursue the purposes of collection or further processing.

Chile
2. Further processing of data for historical, statistical or scientic years, as well as its maintenance.
Colombia

tion for the same years for a period longer than that referred to in subparagraph e) of the preceding paragraph, may be authorized
by the CNPD in case of legitimate interest of the controller, provided that the
rights, freedoms and guarantees of the data subject.

Costa Rica

3. It is up to the person responsible for the processing to ensure compliance with the provisions of the previous numbers.

Cuba

Denmark

Article 7 (Conditions for the legitimacy of data processing)

Ecuador

The processing of personal data can only be carried out if the holder has unequivocally given their

france

consent or if treatment is necessary for:
Honduras
a) Execution of a contract in which the data subject is a party or of prior investigations carried out upon its request.
of;

Mexico

b) Compliance with a legal obligation to which the controller is subject;

Paraguay

c) Protection of vital interests of the data subject, if he is physically or legally incapable of giving his

Peru

consent;
Uruguay

d) Execution of a mission of public interest or in the exercise of public authority in which it is invested
the controller or a third party to whom the data is communicated;

Venezuela
e) Pursuit of legitimate interests of the controller or third party to whom the data is
communicated, provided that the interests or rights, freedoms and guarantees of the holder of the data do not prevail.

Emergency Decree

From.

Peru

Executive Decree
Article 8 (Processing of sensitive data)

Costa Rica

1. The processing of personal data relating to political, philosophical or ideological beliefs or opinions is prohibited.

Ecuador

logics, religious faith, party or union alliance, racial or ethnic origin, private life, health and life
sexual, including generic data, except:

Legislative Decree
Italy

a) By express consent of the holder, with guarantees of non-discrimination and with the measures of seadequate security;

Peru

b) Upon authorization provided for by law, with guarantees of non-discrimination and security measures
adequate;

Decree Law
Cape Green

c) When intended for processing non-individually identifiable statistical data, with the
adequate safety measures.

Cuba

2. In the granting of authorization provided for in subparagraph b) of the preceding paragraph, the law shall adhere, namely, to the

Spain

indispensability of the processing of personal data referred to in number 1 for the exercise of the duties
legal or statutory of its responsible, for reasons of important public interest.

Qatar

3. The processing of the data referred to in number 1 is still allowed when one of the following con-

Tunisia

editions:

a) Be necessary to protect the vital interests of the data subject or another person and the data subject

Ministerial Decree

data is physically or legally unable to give your consent;

b) Be carried out, with the consent of the holder, by a foundation, association or non-profit organization

Italy

Ministerial Decree

of a political, philosophical, religious or union character, within the scope of their legitimate activities, under the condition of
the treatment respect only the members of that foundation, association or that body or people
with whom he maintains periodic contacts linked to his legitimate purposes, and that the data is not

Presidential Decree
Palestine

communicated to third parties without the consent of their holders;

c) Concerning data manifestly made public by its owner, provided that it can legitimately

Supreme Decree

deduct from your declarations your consent to their processing;

Peru

d) It is necessary for the declaration, exercise or defense of a right in legal proceedings and is carried out exclusively.
with that purpose.

4. The processing of personal data relating to health and sexual life, including genetic data, is permitted.

deliberation

dictamen

when necessary for the purposes of preventive medicine, medical diagnosis, provision of care.

Chile

medical treatment or treatment or management of health services, provided that the processing of such data is
carried out by a health professional bound by professional secrecy or by another person equally
subject to an obligation of equivalent secrecy, has been notified to the CNPD pursuant to article 23, and

directive

adequate information security measures are guaranteed.

Communate Economique des Etats de
l'Afrique de l'Ouest (ECOWAS)

5. The processing of the data referred to in number 1 may also be carried out, with appropriate security measures.
ance of information, when it proves indispensable to the protection of the security of the State, of the defense of the

Peru

public security and the prevention, investigation or prosecution of criminal offences.
European Union

Presidential Directive
Article 9 (Records of unlawful activities, criminal convictions, security measures, infractions and counterColombia

denations)

1. The creation and maintenance of central registers relating to persons suspected of illegal activities, con-

directive

criminal sentences, decisions that apply security measures, fines and ancillary and infraction sanctions.
actions and administrative offenses can only be maintained by public services with this legal competence,

Guideline

observing the procedural and data protection rules foreseen in the legal diploma.

Costa Rica

2. The processing of personal data relating to suspected illegal activities, criminal convictions, decisions.
ares that apply security measures, fines and accessory sanctions and infractions and counter-order.
nations may be authorised, subject to data protection and information security regulations.

disposition

when such treatment is necessary for the execution of legitimate purposes of its responsible,

Argentina

provided that the rights, freedoms and guarantees of the data subject do not prevail.
3. The processing of personal data for purposes of police investigation must be limited to what is necessary for the
prevention of a concrete danger or repression of a specific offence, for the exercise of com-

Work Document

powers provided for in the respective organic statute or other legal provision and also under the terms of

European Union

international agreement, treaty or convention to which Cape Verde is a party.
Personal Data Protection Standards
nales iberoamerican states
Article 10 (Interconnection of personal data)

1. Without prejudice to the express prohibition provided for by law, the interconnection of personal data that is not
established in a legal provision is subject to the authorization of the Parliamentary Oversight Committee.

Christmas congratulation

report

cited by the person in charge or jointly by the corresponding persons in charge of the treatments,

Spanish Agency for the Protection of Da-

terms of Article 23.

tos

2. The interconnection of personal data must be necessary and adequate for the pursuit of legal purposes
or statutory and legitimate interests of those responsible for the treatment, not to imply discrimination

instruction

or impairment of the fundamental rights, freedoms and guarantees of data subjects, taking into account the
type of data being interconnected and be surrounded by adequate security measures.

Legislation
Argentina
Argentina 2014

Section II.- Data Subject Rights

Argentina 2015

Internet

Article 11 (Right to information)

2016
1. When collecting personal data directly from its owner, the controller or its representative.
Registrant must provide you, unless they are already known to him, the following information:

Argentina 2020 Legislation

a) Identity of the controller and, if applicable, of his representative;

Brazil

b) Purposes of treatment;

2018

c) The recipients or categories of recipients of the data;

year 2021

d) The mandatory or optional nature of the response, as well as the possible consequences if it does not respond;

Computer Legislation of Brazil
2020

e) The existence and conditions of the right of access and recitation, provided they are necessary, taking into account
account the speciac circumstances of data collection, in order to guarantee the data subject a fair treatment of the data.

Computer Legislation of Brazil,

same;

year 2019

f) The decision to communicate your personal data for the first time to third parties for the terms provided for in the

Computer Legislation of Brazil.

paragraph b) of article 13, in advance and with the express indication that it has the right to oppose such communication.

year 2015

cation;
Computer Legislation of Brazil.
g) The decision of your personal data to be used on behalf of third parties, in advance and with the indi-

year 2017

express statement that you have the right to object to such use.
European Union
2. The documents that serve as the basis for the collection of personal data must contain the information contained
of the previous number.

communication

3. If the data is not collected from the holder and unless they are already known, the person responsible

opinion

by the treatment, or its representative, must provide you with the information provided for in number 1 at the time
registration of the data or, if communication to third parties is foreseen, at the latest at the time of the first co-

regulation

reporting of these data.
ley
4. In the case of data collection on open networks, the data subject must be informed, unless they already have it.
see knowledge, that your personal data can circulate on the network without security conditions, co-

germany

running the risk of being seen and used by unauthorized third parties.
Argentina
5. The obligation to provide information is waived for reasons of State security, prevention and criminal investigation.
and so, when, namely in the case of data processing with statistical purposes,

Armenia

scientiac research, the information of the data subject proves impossible or implies
disproportionate or even when the law expressly determines the recording of data or its disclosure.

Australia

tion.
Azerbaijan
6. The obligation to provide information does not apply to the processing of data carried out exclusively for newspapers.
or of artistic or literary expression, except when rights, freedoms and guarantees are at stake.

Jersey Bailiazgo

of data subjects.
Bolivia

Article 12 (Right of access)

1. The data subject has the right to obtain from the data controller, freely and without restrictions, with

Brazil

Cape Green

reasonable periodicity and without delays or excessive costs:
Chile
a) Confirmation of whether or not data concerning you are processed, as well as information on the anaof this processing, the categories of data on which it relates and the recipients or categories of dis-

China

recipients to whom the data is communicated;
Colombia
b) The communication, in an intelligible form, of their data subject to processing and any other information available.
available on the origin of this data;

South Korea

c) Knowledge of the logic underlying the automated processing of data concerning it, in

Costa Rica

refers to the automated decisions referred to in paragraph 1 of article 14;
Denmark
d) The rectification, erasure or blocking of data whose processing does not comply with the provisions of this
law, in particular due to the incomplete or inaccurate nature of these data;

Ecuador

e) Notification to third parties to whom the data has been communicated of any rectification, deletion

Spain

or blocking carried out pursuant to subparagraph d), unless this proves to be impossible or implies
a disproportionate effort.

2. In the cases provided for in numbers 4 and 5 of article 8, the right of access is exercised through the CNPD.

3. In the case provided for in number 6 of the previous article, the right of access is exercised through the CNPD, with the
safeguard of the applicable constitutional norms, namely those that guarantee the freedom of expression and

U.S

Philippines

france

information, press freedom and the professional independence and confidentiality of journalists.
Great Britain and Northern Ireland
4. In the cases provided for in numbers 2 and 3 of this article, if the communication of data to the holder could harm
indicate the security of the State, the prevention or criminal investigation or even the freedom of expression and information.

Greece

tion or press freedom, the CNPD is limited to informing the holder of the data of the steps taken.
Honduras
5. The right of access to information relating to health data, including genetic data, is exercised by inmedical terminology chosen by the data subject.

India

6. In case the data is not used to take action or decisions in relation to specific persons.

Iceland

nothing, the law may restrict the right of access in cases where there is clearly no danger.
violation of the rights, freedoms and guarantees of the data subject, namely the right to intimidate them.

Islas Fiyi

of private life, and the said data are exclusively used for scientiac research or
stored in the form of personal data for a period not exceeding that necessary for the exto compile statistics.

Italy

Jamaica

Article 13 (Right of opposition)

The data subject has the right to:

a) Unless otherwise provided by law, and at least in the cases referred to in paragraphs d) and e) of article 7, if

Jordan

Kenya

Kuwait

oppose at any time, for powerful and legitimate reasons relating to your particular situation, to which
the data relating to it are processed, and in the event of justified opposition, it must be processed.

morocco

processing carried out by the responsible person is no longer able to relate to these data;
Maurcio
b) Oppose, at your request and free of charge, the processing of personal data concerning you provided for
by the data controller for the purposes of direct marketing or any other form of prospecting;

Mexico

c) Oppose, without expense, that your personal data be communicated for the first time to third parties for

Mongolia

the penalties provided for in the previous paragraph or used on behalf of third parties.
Nicaragua

New Zealand
Article 14 (Not subject to automated individual decisions)
Paraguay
1. Any person has the right not to be subject to a decision that takes effect in their legal sphere.
or that significantly affects it, taken solely on the basis of an automatic treatment.
data to assess certain aspects of your personality, including your

Peru

your professional ability, your credit, the confidence you are deserving of, or your behavior.
2. Without prejudice to compliance with the other provisions of this law, a person may consent to

Dominican Republic

be subject to a decision taken pursuant to paragraph 1, provided that this occurs within the scope of the
execution or performance of a contract, and subject to your request for the execution or performance of the

Rumania

the contract has been satisfied, or that there are adequate measures to ensure the defense of its interests.
legitimate interests and to express their point of view, namely their right of representation and

Serbia

expression.
3. It may also be allowed to make a decision pursuant to paragraph 1, when authorized by the

Singapore

CNPD and provided that measures are taken to guarantee the defense of the legitimate interests of the holder of the
Dice.

South Africa

Tinidad and Tobago
Section III.- Security and confidentiality of treatment
Uruguay

Venezuela
Article 15 (Security of treatment)
Zimbabwe
1. The controller shall implement the appropriate technical and organizational measures to
protect personal data against accidental or unlawful destruction, accidental loss, alteration, dissemination,
are or unauthorized access, in particular when the processing involves its transmission by
network, and against any other form of illicit treatment.

Organic Law
Spain

2. The measures provided for in the preceding paragraph shall ensure, taking into account the technical knowledge available.
available and the costs resulting from its application, an adequate level of safety in relation to risks.

Tunisia

the processing presents and the nature of the data to be protected.
3. The controller, in case of processing on his own behalf, shall choose a subcontractor.
that it offers sufficient guarantees in relation to the technical security measures and the organization of the
treatment to be carried out, and shall ensure compliance with these measures.

Lineament
Mexico

4. The performance of processing operations in subcontracting shall be governed by a contract or legal act.
legal system that links the subcontractor to the controller and that stipulates, inter alia, that
the subcontractor only acts upon instructions from the controller and who is responsible for

March
Inter-American Red CSIRT

also the fulfillment of the obligations referred to in numbers 1 and 2.
5. For the purpose of preserving evidence, the elements of the business declaration, contract or legal act.
on data protection, as well as the requirements relating to the measures referred to in the paragraphs.

Masters

ros 1 and 2, are consigned in writing or in equivalent support, preferably, with evidential value
legally recognized.

Provisional Measure
Brazil

Article 16 (Special security measures)

Memo
Ecuador

1. Those responsible for processing the data referred to in paragraphs 1, 2 and 5 of the article
8 and in paragraph 1 of article 9 shall take the appropriate and increased measures of information security,

Standard

namely for:
Mexico
a) Prevent unauthorized person access to the facilities used for the processing of such data (conentrance to the premises);

Press Note

b) Prevent data carriers from being read, copied, altered or removed by unauthorized persons.

News

da (data carrier control);
news
c) Prevent unauthorized introduction, as well as knowledge, alteration or deletion.
authorized personal data entered (input control);

observation

d) Prevent automated data processing systems from being used by unauthorized persons.

Order

via data transmission facilities (control of use);
Spain
e) Ensure that authorized persons can only have access to the data covered by the authorization (control
access);

f) Ensure the verification of the entities to which personal data may be transmitted through the

Liberia

Orderly

data transmission links (transmission control);
American States Organization
g) Ensure that the nature of the treatment can be verified a posteriori, within an adequate period of time, to be established in the regulation.
applicable to each sector, which personal data are entered, when and by whom (control of entry.
duction);

h) Prevent, in the transmission of personal data, as well as in the transport of its support, the data may
be read, copied, altered or deleted in an unauthorized manner (transport control).

2. Taking into account the nature of the entities responsible for the treatment and the type of facilities in which it is

Inform Interamerican Legal Committeepipe

National Plan
Mexico

Presentation

carried out, the CNPD may waive the existence of certain security measures, ensuring that the
respect for the rights, freedoms and guarantees of data subjects.

Principles privacy and protection of
data

3. Systems should ensure a logical separation between data relating to health and sexual life, including
the genetic ones, of the other personal data.

4. The CNPD may determine that the transmission be encrypted, in cases where the circulation of data in a network
persons referred to in Articles 8 and 9 may jeopardize the rights, freedoms and guarantees of the respective holders.

Inter-American Legal Committee

Program
Mexico

res.
proposal
Mexico
Article 17 (Condentiality of treatment)
Protocol
Any person who, acting under the authority of the controller or the subcontractor, as well
as the subcontractor itself, has access to personal data, it cannot process it without prompting.
instructions of the controller, except by virtue of legal obligations.

Mexico

Ley Project
Brazil
Article 18 (Professional secrecy)

1. Those responsible for the processing of personal data, as well as persons who, in the exercise of their functions,

Colombia

Costa Rica

ntions, are aware of the personal data processed, are required to maintain professional secrecy, even
after the end of their duties.

Ecuador

2. The same obligation falls on the members of the CNPD, even at the end of their term of office.
3. The provisions of the previous numbers do not exclude the duty to provide mandatory information,
under the legal terms, except when they consist of files organized for statistical purposes.

Mexico

4. Personnel who exercise advisory functions to the CNPD or its members are subject to the same obligation.
professional secrecy.

Paraguay

Royal Decree
CHAPTER III.- TRANSFER OF PERSONAL DATA

Spain

Recommendation

Article 19 (Principles)

regulation
Mexico

1. Without prejudice to the provisions of the following article, the transfer of personal data that are the object of
treatment or intended to be treated, can only be carried out in compliance with the provisions of this law.

Municipality of Carthage

and other applicable legislation on the protection of personal data and, in the case of transfer,
abroad, to the country that ensures an adequate level of protection.
2. The adequacy of the level of protection is assessed in light of all the circumstances surrounding the

Puerto Rico

transfer or set of transfers of data, in particular the nature of the data, the purpose
and the duration of the treatment or treatments planned, the countries of origin and final destination, the rules

Singapore

of law, general or sectoral, in force in the country in question, as well as the professional and medithat are respected in that country.

Regulation of Ejecución EU

3. It is up to the CNPD to decide whether a foreign State ensures an adequate level of protection.
Rules
Mexico
Article 20 (Derogations)
Regulations
1. The transfer of personal data to a country that does not ensure an adequate level of protection in the accession.

Israel

The option of number 2 of the previous article may be allowed by the CNPD if the data subject has given
unambiguous your consent to the transfer or if such transfer:

a) It is necessary for the execution of a contract between the data subject and the controller or

Resolution
Argentina

steps prior to the formation of the contract decided at the request of the data subject;
Bolivia
b) It is necessary for the execution or execution of a contract granted or to be granted, in the interest of the holder.
data center, between the controller and a third party;

Colombia

c) It is necessary or legally required for the protection of an important public interest, or for the declaration of

Cuba

ration, exercise or defense of a right in a judicial proceeding;
Ecuador
d) It is necessary to protect the vital interests of the data subject;
Spain
e) It is carried out from a public register which, under the terms of laws or regulations,
is intended for public information and is open to consultation by the general public or anyone
that can prove a legitimate interest, provided that the conditions established by law for the consultation are

OAS

fulfilled in the specific case.
UN
2. Without prejudice to the provisions of number 1, a transfer or a set of
transfers of personal data to a country that does not ensure an adequate level of protection within the meaning of

European Parliament

of number 2 of the previous article, provided that the person responsible for the processing presents sufficient guarantees of
protection of private life and the fundamental rights and freedoms of individuals, as well as their exercise,

Peru

namely, through appropriate contractual clauses.
Directorial Resolution
3. The transfer of personal data that constitutes a necessary measure to protect the security of the State,
defence, public security and the prevention, investigation and prosecution of criminal offenses and governed by dis-

Peru

speciac legal positions or by the international conventions, treaties and agreements to which Cape Verde is party.
Ministerial Resolution

you.

Peru

Gobierno Digital Secretariat Resolution
CHAPTER IV.- NATIONAL AUTHORITY FOR THE SUPERVISION OF PERSONAL DATA PROTECTION
Peru

Magazine
Section I.- General provisions
seminars

sentence
Article 21 (Objectives of supervision)

The supervision of the protection of personal data aims to monitor, evaluate and control the activity of bodies or
legally competent services for their treatment, ensuring compliance with the Constitution and the law,

Argentina

Colombia

particularly of the regime of fundamental rights, freedoms and guarantees of the citizens.

Constitutional Court Colombia

Supreme Court of Chile
Article 22 (Nature of supervision)

1. The supervision of the protection of personal data is ensured by an independent administrative authority.

Ecuador

El Salvador

pending, the CNPD, which works with the National Assembly.
2. The CNPD is regulated by its own law.

Spain

European Court of Human Rights
Section II.- Notice

US

jobs
Electronic Commerce
Article 23 (Obligation to notify)
Computer offense
1. The controller or, if applicable, his representative must notify the CNPD before the
carrying out a treatment or set of treatments, fully or partially automated, intended for

Author's Rights

the pursuit of one or more interconnected purposes.
2. The CNPD may authorize the simplification or exemption of notification for certain categories of trawhich, given the data to be processed, are not likely to jeopardize the rights and releases.

Electronic Firm

data subjects and take into account criteria of speed, economy and efficiency.
3. The authorization must specify the purposes of the processing, the data or categories of data or categories.

New Technologies

of data to be processed, the category or categories of recipients to whom the
data and the period of retention of the data.

Data Protection

4. Treatments whose sole purpose is the maintenance of records that,
under the terms of legislative or regulatory provisions, they are intended to inform the public and provide

Many

should be consulted by the general public or by anyone who demonstrates a legitimate interest.
5. Unauthorized processing of personal data provided for in paragraph 1 of article 8 is subject to

Traite

notification when treated under sub-paragraph a) of number 3 of the same article.
Communauté Economique des Etats
de l'Afrique de l'Ouest (ECOWAS)
Article 24 (Prior control)

uncategorized

1. Unless authorized by law, the CNPD's authorization is required:

African Union

a) The processing of personal data referred to in subparagraphs a) and c) of paragraph 1 of article 8 and paragraph 2

Constitutive Minutes

of article 9;
Union Europe
b) The processing of personal data relating to the credit and solvency of its holders;

c) The interconnection of personal data, pursuant to article 10;

d) The use of personal data for purposes that do not determine the collection.

2. The legal diploma authorizing the treatments referred to in the previous number requires the prior opinion of the
CNPD.

Article 25 (Content of requests for opinion or authorization and notification)

Requests for opinion or authorization, as well as notifications, sent to the CNPD must contain the sefollowing information:

a) The name and address of the controller and, if applicable, his representative;

b) The purpose(s) of the treatment;

c) The description of the category or categories of data subjects or categories of personal data related to them.
peitem;

d) The recipients or categories of recipients to whom data may be communicated and under what conditions.
editions;

e) The entity in charge of processing the information, if not the person responsible for the processing;

f) Any interconnections of personal data processing;

g) The retention time of personal data;

h) The manner and conditions in which data subjects can become aware of or have the data corrected
people who respect them;

i) planned data transfers to third countries;

j) The general description that allows a preliminary assessment of the adequacy of the measures taken to ensure the
safety of treatment pursuant to Articles 15 and 16.

Article 26.- (Mandatory indications)

1. The legal diplomas referred to in subparagraph b) of paragraph 1 of article 8 and in paragraph 1 of article 9 as well as the
CNPD authorizations and personal data processing records must at least indicate:

a) The person in charge of the acheiro and, if applicable, its representative;

b) The categories of personal data processed;
Page 2

c) The purpose or purposes for which the data are intended and the categories of entities to which they may be transmitted.
From;

d) The form of exercising the right of access and recitation;

e) Possible interconnections of personal data processing;

f) The planned data transfers to other countries.

2. Any change to the indications contained in number 1 is subject to the procedures set out in the
Articles 23 and 24.

Article 27 (Advertising of treatments)

1. The processing of personal data, when it is not the subject of a legal diploma and must be authorized or not.
tiacado, appears in a register with the CNPD, open to consultation by anyone.
2. The register contains the information listed in subparagraphs a) to d) and i) of article 25.
3. The data controller not subject to notification is obliged to provide, in an appropriate manner,
to any person who requests at least the information referred to in paragraph 1 of article
26th.
4. The provisions of this article do not apply to treatments whose only purpose is the maintenance of
records that, under the terms of laws or regulations, are intended for the information of the
public and are open to consultation by the general public or anyone who can prove
a legitimate interest.
5. The CNPD must indicate in its annual report all opinions and authorizations issued or granted
under this law, namely the authorizations provided for in paragraph 1 of article
8 and in paragraph 2 of article 10.

CHAPTER V.- CODES OF CONDUCT

Article 28 (Purposes)

Codes of conduct are intended to contribute, depending on the characteristics of the different sectors, to the
proper execution of the provisions of this law.

Article 29 (CNPD Intervention)

1. The CNPD supports the development of a code of conduct.
2. Professional associations and other organizations representing categories of people responsible for the
processing data that have drawn up draft codes of conduct may submit them to
CNPD appreciation.
3. The CNPD may declare the projects' compliance with the legal and regulatory provisions in force.
on the protection of personal data.

CHAPTER VI.- LEGAL REMEDIES, CIVIL LIABILITY, INFRINGEMENTS AND SANCTIONS

Section I.- Judicial remedies and civil liability

Article 30 (Judicial Remedies)

Without prejudice to the right to file a complaint or claim with the CNPD, any person may, under the terms
of the law, appeal in court for the violation of the rights guaranteed by this law.

Article 31 (Civil Liability)

1. Anyone who has suffered damage due to illicit data processing or any other
act that violates laws or regulations on the protection of personal data
has the right to obtain compensation from the person responsible for the damage suffered.
2. The controller may be partially or totally exonerated from this responsibility if he provar that the fact that caused the damage is not attributable to you.

Section II.- Infractions and sanctions

Sub-section I.- Administrative offenses

Article 32 (Subsidiary legislation)

To the infractions provided for in this subsection, the general regime of counter-orders is subsidiarily applicable.
nations, with the adaptations contained in the following articles.

Article 33

(Omission or defective fulfillment of obligations)

1. Entities that, through negligence, do not comply with the obligation to notify the CNPD of the data processing
persons referred to in paragraphs 1 and 5 of article 23, provide false information or comply with the obligation.
notification with failure to comply with the terms provided for in article 25, or when, after notification
by the said Commission, maintain access to open networks for the transmission of data to responsible persons.
for processing personal data that do not comply with the provisions of this law, they practice counter-order
nation punishable by the following fines:

a) In the case of a natural person, a minimum of 50,000$00 and a maximum of 500,000$00;

b) In the case of a legal person or entity without legal personality, at least $300,000.00 and no
maximum of 3,000,000$00.

2. The fine is increased to double its limits in the case of data subject to prior control, in the
pursuant to Article 24.

Article 34 (Other infractions)

1. They practice an administrative offense punishable by a minimum fine of 100,000$00 and a maximum of 1,000,000$00,
entities that do not comply with any of the following provisions of this law:

a) Appoint a representative pursuant to paragraph 4 of article 2;

b) Comply with the obligations established in articles 6, 11, 12, 13, 14, 16, 17 and 27, number 3.

2. The fine is increased to double its limits when the constant obligations are not fulfilled
of articles 7, 8, 9, 10, 19 and 20.

Article 35 (Competition of infringements)

1. If the same fact constitutes, simultaneously, a crime and a misdemeanor, the agent is always punished to
crime title.
2. The sanctions applied to administrative offenses in competition are always materially cumulated.

Article 36 (Punishment for negligence and attempt)

1. Negligence is always punished in the infractions provided for in article 34.
2. The attempt is always punishable in the infractions provided for in articles 33 and 34.

Article 37 (Application of fines)

1. The application of the fines provided for in this law is the responsibility of the president of the CNPD, under prior resolution.
ration of this.
2. The decision of the CNPD is an enforceable title, in case it is not challenged within the legal term.

Article 38 (Fulfillment of duty omitted)

Whenever the administrative offense results from the omission of a duty, the application of the sanction and the payment of the
fine does not exempt the offender from complying with it, if this is still possible.

Article 39 (Destination of collected revenue)

The amount of amounts collected as a result of the application of fines reverts to the CNPD.

Subsection II.- Crimes

Article 40 (Non-compliance with data protection obligations)

1. Persons who intentionally:

a) Omit the notification or authorization request referred to in articles 23 and 24;

b) Provide false information in the notice or in requests for authorization for the processing of personal data.
or in this proceeding to modifications not consented to by the legalization instrument;

c) Divert or use personal data, in a manner incompatible with the purpose determining the collection or with
the legalization instrument;

d) Promote or carry out an illegal interconnection of personal data;

e) After the deadline set by the CNPD for the fulfillment of the prepursuant to this law or other data protection legislation, does not comply with them;

f) After being notified by the CNPD not to do so, maintain access to open data transmission networks.
those responsible for the processing of personal data that do not comply with the provisions of this law.

2. The penalty is increased to double its limits when dealing with personal data referred to in the
Articles 8 and 9

Article 41 (Improper access)

1. Who, without proper authorization, in any way, accesses personal data to which access is prohibited
is punishable by imprisonment for up to one year or a fine for up to 120 days.

2. The penalty is increased to double its limits when accessing:

a) Is achieved through violation of technical safety rules;

b) It has made it possible for the agent or third parties to know personal data;

c) Has provided the agent or third parties with property benefits or advantages.

3. In the case provided for in number 1, the criminal procedure depends on a complaint.

Article 42 (Viccation or destruction of personal data)

1. Whoever, without proper authorization, deletes, destroys, damages, suppresses or modifies personal data,
making them unusable or affecting their usability, he is punishable by imprisonment for up to two years or multiple
up to 240 days.
2. The penalty is doubled in its limits if the damage caused is particularly serious.
3. If the offender acts negligently, the penalty is, in both cases, imprisonment for up to one year or a fine of up to
120 days.

Article 43 (Qualiac Disobedience)

1. Who, after being notified for this purpose, does not interrupt, cease or block the processing of data
personal is punished with the penalty of imprisonment corresponding to the crime of qualified disobedience.
2. Whoever, after being notified, incurs the same penalty:
3. a) Refuse, without just cause, the collaboration that is specifically required by the CNPD, under the terms of the
law;
4. b) Not to erase, totally or partially destroy personal data;
5. c) Do not proceed with the destruction of personal data, and the retention period provided for in article 6.

Article 44 (Violation of the duty of confidentiality)

1. Whoever, obligated to professional secrecy, under the terms of the law, without just cause and without the due consent,
home or disclosing all or part of personal data is punishable by imprisonment from six months to three years
or a fine of eighty to two hundred days, if a more serious penalty is not applicable, regardless of the measure
disciplinary action corresponding to the seriousness of his fault, which may extend to the termination of the bond that links him to the
office or function.

2. The penalty is increased by half of its limits if the agent:

a) Are civil servants or equivalent, under the terms of criminal law;

b) Is determined by the intention to obtain any patrimonial advantage or other illegitimate benefit;

c) To endanger the reputation, honor and consideration or intimacy of another's private life.

3. Negligence is punishable by imprisonment for up to six months or a fine for up to 120 days.

4. Outside the cases provided for in number 2, criminal proceedings depend on a complaint.

Article 45 (Punishment of the attempt)

In the crimes provided for in the previous provisions, the attempt is always punishable.

Article 46 (Accessory Sanctions)

1. Together with the fines or penalties applied, it may, in addition, be ordered:

a) Temporary or definitive prohibition of treatment, blocking, deletion or total or partial destruction
of the data;

b) Publicity of the condemnatory sentence;

c) The public warning or censure of the controller.

2. The publicity of the condemnatory decision is made at the expense of the condemned, in a periodical publication of major
expansion published in the area of ​the region of the practice of the offense, or in its absence, in periodic publication of
further expansion of the nearest district, as well as through the addition of a notice in adequate support, by
period not less than 30 days.

3. The publication is made by extract containing the elements of the offense and the sanctions applied, as well as
as the identification of the agent.

CHAPTER VII.- TRANSITIONAL AND FINAL PROVISIONS

Article 47 (Existing manual files)

1. Data treatments existing in manual acheiros at the date of entry into force of the present law of
comes to comply with the provisions of articles 8, 9, 11 and 12 within a period of six months.
2. In any case, the data subject may obtain, at his request and, in particular, during the exercise
the right of access, rectification, deletion or blocking of incomplete, inaccurate or
kept in a manner incompatible with the legitimate intentions pursued by the person responsible for the
treatment.
3. The CNPD may authorize that the data existing in manual aches and kept only with
purposes of historical research do not have to comply with the provisions of articles 8, 9 and 10, since
that they are not, in any case, reused for a different purpose.

Article 48 (Existing automated files)

The holders of automated acheiros existing at the date of entry into force of this law must comply
strictly what it contains, namely adapting such acheiros within a period of six months.

Article 49 (Entry into force)

This law enters into force thirty days after its publication.

Approved on December 20, 2000.

The President of the National Assembly, António do Esprito Santo Fonseca.

Enacted on January 10, 2001.

publish yourself

The President of the Republic, ANTÓNIO MANUEL MASCARENHAS GOMES MONTEIRO.

Signed on January 13, 2001.

The President of the National Assembly, António do Espirito Santo Fonseca.

N

Tweet

k

Share 1

s

share

G 1SHAREGO

← 1992 Constitution, approved by Constitutional Law No. 1/IV/92, of 25 September
Law No. 42/VIII/2013 of 17 September, regulates the composition, competence, organization and functioning of the CNPD →

give a response
Your email address will not be published. Obligatory fields are marked with *
Comment

Name *
electronic mail
*
web
Post the comment

This site uses Akismet to reduce spam. Learn how to process the data from your comments .

Copyright © Legal Informatics

Works with WordPress , designed and developed by templatesnext

N

Tweet

k

Share 1

s

share

G 1SHARE

