﻿PRESIDENCY OF THE REPUBLIC 
--------------------------------- 
LAW N ° 2014 - 038 
On the protection of personal data 
EXPLANATORY STATEMENT 
Computing, information technology or e-technology constitute 
today an important factor of development. 
These technologies, unlike other industrial technologies, are exported 
quickly and their zone of propagation easily crosses borders without any real 
consideration of physical structures. They therefore have the advantage of being easily 
usable in developing countries, the infrastructure necessary for its 
usage being reduced. 
The use of IT saves time and productivity without 
precedent as well as more rigor in daily management. It also allows 
offer new services remotely, both nationally and nationally 
international. 
In short, economic development and the consolidation or modernization of 
the State can no longer be conceived without the use of information processing technologies. 
However, alongside these expected benefits of the use of these 
technologies, to consider in any democracy geared towards progress and 
development, the risks that these technologies pose to the freedoms of individuals 
concerned if they are not framed by the establishment of guiding principles and 
new individual rights. 
Indeed, any use of computers and communication networks for the purposes of 
research, information, for interpersonal communication, for 
commercial or administrative, involves the processing of personal data 
by third parties. 
Information relating to persons contained in a file can be 
kept for long periods of time and when they are computerized or digitized, they 
can be easily brought together with others, be the object of diversion of the finality 
for which they were collected, copied or manipulated without the knowledge of people 
concerned. 
The right to the protection of personal data is recognized for all 
nobody. It is an autonomous right which is an integral part of human rights. 
The right to the protection of personal data becomes an essential right 
to a real exercise of other fundamental rights and freedoms such as the freedom to come and go or freedom of information. 
Page 2 
Madagascar must adopt legislation to protect personal data 
staff. 
The purpose of this law is to protect people against the risks of abuse in matters of 
file and processing of personal data with regard to their freedoms and rights 
fundamentals. 
The protection of personal data is based on four pillars: 
- the fundamental principles which must govern the design and implementation 
carrying out the processing of personal data which is of a nature to 
prevent abuse: such as the principle of the legitimate purpose of data collection and 
processing of personal data, the principle of fair collection 
and processing; 
- the rights of individuals, namely the right of individuals to oppose the use of 
his personal data, the right of access, rectification; 
- the independent authority; 
- the sanctions regime. 
This law comprises nine (9) Chapters and seventy-eight (78) articles. 
Chapter 1 speaks of the twofold objective of IT which is to be of service 
of each person and to respect human identity, freedoms and rights 
fundamentals of people. 
Chapter II circumscribes the scope and defines the terms used such as 
personal data. 
Chapter III establishes the fundamental principles of the rules likely to prevent 
risks. 
Chapter IV enshrines the rights of individuals. 
Chapter V establishes an independent authority responsible for ensuring that 
data processing does not infringe the rights and freedoms of individuals. 
Chapter VI concerns the data protection officer 
staff. 
Chapter VII speaks of the sanctions pronounced by the independent authority as well as 
criminal sanctions. 
Chapter VIII deals with financial arrangements. 
Chapter IX concerns transitional and final provisions. 
This law was the subject of a workshop attended by representatives of the 
Prime Minister, various ministerial departments, civil society, the National Council 
of Human Rights, currently called the Independent National Commission of Rights 
of Man. 
Page 3 
It should be noted that Madagascar participated in the First Conference of 
Francophone Data Protection Commissioners and the Constituent Assembly 
of the Association of Francophone Data Protection Authorities 
staff. Madagascar is an observer member of this association because it has not yet 
data protection legislation. 
By adopting this law, the Malagasy Government supports the creation of businesses 
Malagasy and the establishment of foreign companies responsible for data processing in 
personal character. 
The development of this important source of employment for young people in our country 
and the activity of these companies will be greatly facilitated and encouraged by the establishment an adequate level of personal data protection with regard to 
current legislation of our main trading partners. 
This is the object of this law. 
Page 4 
PRESIDENCY OF THE REPUBLIC 
------------------------------- 
LAW N ° 2014 - 038 
On the protection of personal data 
The National Assembly adopted in its session of December 16, 2014, 
THE PRESIDENT OF THE REPUBLIC, 
Having regard to the Constitution; 
Considering the decision n ° 02-HCC / D3 of January 07, 2015 of the High Constitutional Court, PROMULATES THE LAW WHOSE CONTENT FOLLOWS: 
FIRST CHAPTER 
GENERAL PROVISIONS 
Article 1 - The purpose of this law is to protect the rights of persons in 
regarding the processing of personal data. 
Art.2 - Information technology must be at the service of each person. She must respect 
human identity, human rights, privacy, individual or public freedoms. 
Its development must take place within the framework of international cooperation. 
Everyone has the right to the protection of personal data 
concerning. 
Art.3 - No court decision involving an assessment of behavior 
human rights cannot be based on the computer processing of data of a 
staff intended to define the profile of the person concerned or to assess certain aspects of their 
personality. 
No administrative and private decision involving an assessment of a 
human behavior cannot be based solely on computer processing of 
data intended to define the profile of the interested party or to assess certain aspects of their 
personality. 
Art.4 - Compliance with the principles laid down in this law is subject to control 
an independent authority called the Malagasy Commission for Informatics and 
Freedoms (CMIL). 
Page 5 
CHAPTER II 
SCOPE AND DEFINITIONS 
Art.5 - Scope 
The law applies to any automated or non-automatic processing of personal data 
personnel contained or called upon to appear in files, processing carried out in whole or in 
party on Malagasy territory. 
The law does not apply to the processing of personal data placed in 
artwork : 
- for the exercise of exclusively personal activities; 
- or for the sole purpose of journalism or literary or artistic expression. 
Art.6 - Determination of the applicable law 
The processing of personal data is subject to this law: 
1 ° For which the person in charge is established on the Malagasy territory. The manager of a 
treatment which carries out an activity in the territory within the framework of an installation, which regardless of its legal form, is considered established there. 
2 ° Whose person in charge, without being established on Malagasy territory, resorts to 
means of treatment located on Malagasy territory, excluding treatment which does not 
are used only for transit purposes in this territory. 
Art.7 - Definition of personal data 
Personal data is any information relating to a person 
physical identified or which can be identified, directly or indirectly, by reference to 
a name, an identification number or one or more elements which are specific to it. These 
elements are in particular physical, physiological, psychic, economic, cultural or 
social. 
To determine whether a person is identifiable, it is necessary to consider all of the 
means with a view to allowing its identification, which are available or to which the 
controller or any other person. 
Art.8 - Definition of a processing and a file 
Processing of personal data is any operation or process 
operations, including manual ones relating to the collection, recording, use, 
communication of such data, whatever the process used and in particular 
organization, development, conservation, adaptation or modification, extraction, 
consultation, dissemination or any other form of provision, reconciliation or 
interconnection, as well as locking, erasure or destruction. 
A personal data file is all together structured and stable, from 
personal data accessible according to determined criteria. 
Page 6 
Art.9 - Definition of the person responsible for the processing of personal data 
staff 
The controller is the natural or legal person, public or 
who has the power to decide on the creation of the treatment alone or jointly with 
others, and which determines the purposes and means to be implemented. 
Art.10 - Definition of the subcontractor 
The subcontractor is any person different from the controller defined in article 9 and 
processing personal data on behalf of the controller and 
according to his instructions. 
Art.11 - Definition of the recipient of personal data 
The recipient is the natural or legal person, public authority, department or 
any other body that receives data communication or to which data is 
made accessible. 
Authorities empowered within the framework of a specific investigative mission are not 
not recipients of data within the meaning of this definition. 
Art.12 - Definition of the person concerned 
The data subject is the one to whom the data that is the subject of the 
processing. 
Art.13 - Definition of the consent of the data subject 
Any explicit manifestation of will, free, specific and informed by which the 
data subject accepts that personal data concerning him / her can be 
the subject ' treatment. 
CHAPTER III 
FUNDAMENTAL PRINCIPLES 
Art. 14 - General principles relating to data and processing 
Personal data must be: 
- collected and processed, in a fair, lawful and non-fraudulent manner for 
determined, explicit and legitimate purposes; for this purpose, they must not 
be used subsequently for other purposes without the consent of the 
data subject or purpose provided for in a legislative provision; 
- adequate, relevant and not excessive with regard to the purposes for 
which they are collected or used; 
- accurate, complete and if necessary updated; all measures 
reasonable requirements must be taken so that the data 
inaccurate or incomplete, with regard to the purposes for which they are 
collected or for which they are subsequently processed, either 
erased or corrected; 
- kept in a form allowing the identification of persons 
concerned for a period which does not exceed that necessary for 
purposes for which they are collected or used. 
Page 7 
The provisions of the previous paragraph do not preclude the conservation and 
the use of processed data for archive management or historical purposes, 
statistical or scientific according to the methods and the appropriate guarantees defined by the 
legislation or by the Malagasy Commission for Informatics and Freedoms, in the absence 
legal provisions. 
Art.15 - Security obligation 
The controller takes all necessary precautions, with regard to the nature 
data and the risks involved, to maintain data security. 
It must protect processing and data against, in particular, destruction 
accidental or unlawful, accidental loss, alteration, dissemination or unauthorized access. 
Art.16 - Subcontracting 
The processing of personal data may be the subject of a sub 
contracting. 
Personal data cannot be the subject of a transaction 
processing by a processor, only on the instruction of the controller. 
The subcontractor must present sufficient guarantees to ensure the implementation 
implementation of security and confidentiality measures. This requirement does not exempt the controller of its obligation to ensure compliance with these measures. 
The contract between the subcontractor and the controller includes an indication of the 
obligations incumbent on the subcontractor with regard to the protection of safety and 
confidentiality of data and provides that the subcontractor can only act on the instruction of the 
controller. 
Art.17 - Legitimization of data processing 
Processing of personal data must have received the consent of the 
data subject or meet one of the following conditions: 
1. compliance with a legal obligation incumbent on the controller; 
2. safeguarding the life of the person concerned; 
3. the performance of a public service mission vested in the person in charge or 
recipient of the treatment; 
4. the performance, either of a contract to which the data subject is a party, or of 
pre-contractual measures taken at the latter's request; 
5. the realization of the legitimate interest pursued by the controller or by 
the recipient, subject to not ignoring the interest or the rights and 
fundamental freedoms of the data subject. 
Art.18- Sensitive data 
Due to the risk of discrimination and infringement of personal freedoms, Any 
processing of sensitive data is prohibited. 
Page 8 
Are considered sensitive data, those revealing the racial origin, the 
biometric data, genetic data, political opinions, beliefs 
religious or other beliefs, trade union membership and those relating to 
health or sex life. 
By way of derogation, sensitive data may be subject to processing presenting 
appropriate guarantees as defined by law or the Commission, in cases 
following: 
- when the data subject has given their express consent, unless the law 
provides that the prohibition of processing cannot be lifted by the consent of the 
nobody ; 
- the processing is necessary to protect the life of the data subject or 
a third party, when the data subject cannot give his consent as a result of 
legal incapacity or material impossibility; 
- the processing is implemented by an association or any other organization for the purpose of 
non-profit and of a religious, philosophical, political or trade union nature for 
sensitive data corresponding to the purpose of said association or body and 
provided that they only concern the members of this association or this 
organization and, where applicable, the persons who maintain 
regular contacts within the framework of its activity. These treatments do not include 
communication to third parties unless the data subjects consent 
expressly; 
- the processing is necessary for the establishment, exercise or defense of a right 
in justice ; 
- treatment is necessary for the purposes of preventive medicine, diagnostics 
medical services, the administration of care or treatment or the management of services 
health and implemented by a member of a health profession, or by another 
person to whom the obligation of secrecy is imposed by reason of his duties 
professional provided for by the penal code; 
- further processing of patient data is necessary for research 
of public interest in the field of health and the person did not object; 
- the processing relates to data made public by the data subject; 
- the processing is necessary for the pursuit of a public interest and authorized by law or 
by the Commission in accordance with article 46 of this law. 
Art.19- Processing of personal data relating to infringements and 
convictions 
The processing of personal data relating to infringements and 
convictions and security measures can only be implemented by: 
- the courts, the public authorities managing a public service, acting in the 
framework of their legal powers; 
- the auxiliaries of justice, for the strict needs of the exercise of the missions which 
are entrusted to them by law. 
Page 9 
Art.20 - Transfer of personal data abroad 
The controller cannot transfer personal data 
to a foreign State only if the recipient State has legislation ensuring a level 
protection of persons similar to that provided by this law. 
The level of protection offered by a third country is assessed with regard to all 
circumstances relating to a transfer or category of data transfers; in 
particular, the nature of the data, the purpose and the duration of the or 
the planned processing, the countries of origin and final destination, the legal rules, 
general or sectoral, in force in the third country in question, as well as the rules 
professional and the security measures observed therein. 
In the absence of a similar level of protection, the Malagasy Commission of 
IT and Civil Liberties may authorize the transfer of personal data, 
when the controller offers sufficient guarantees with regard to the 
protection of privacy and fundamental rights and freedoms of individuals; these 
guarantees may result in particular from appropriate contractual clauses or from the adoption 
internal rules. 
By way of derogation from the previous paragraphs, the transfer of personal data 
personnel to a third party not ensuring a similar level of protection can be carried out 
exceptionally, provided that: 
a) the data subject has unambiguously given his consent to the transfer 
considered duly informed of the absence of a similar level of protection or; 
b) the transfer is necessary for the performance of a contract between the data subject and 
the controller or the execution of pre-contractual measures taken at 
the request of the data subject or; 
c) the transfer is necessary for the conclusion or performance of a concluded contract or for 
conclude, in the interest of the data subject, between the controller 
and a third party or; 
d) the transfer is necessary or made legally binding for the safeguard 
of an important public interest, or for the establishment, exercise or defense of a 
right to court or; 
e) the transfer is necessary to protect the vital interests of the data subject 
or ; 
f) the transfer takes place from a public register which, by virtue of provisions 
legislative or regulatory, is intended for public information and is open to 
public consultation or any person justifying a legitimate interest, in the 
insofar as the legal conditions for consultation are fulfilled in the case 
particular. 
The recipient is prohibited from transferring the personal data again 
personnel abroad, except with the consent of the original data controller and that of the 
Malagasy Commission for Computing and Freedoms. 
Art.21- Data collected by certification service providers 
electronic 
Without the express consent of the data subject, data of a 
personnel collected by electronic certification service providers for 
needs for issuing and keeping certificates related to signatures 
Page 10 
electronic must be sent directly to the data subject and cannot be 
processed only for the purposes for which they were collected. 
CHAPTER IV 
RIGHTS OF PERSONS 
Art.22 - Right to object to appearing in processing 
Anyone with a legitimate reason has the right to object, at any time and 
free of charge, that personal data concerning him / her are subject to a 
treatment. In the event of a dispute, the legitimacy of the reason is assessed by the 
Malagasy Commission for Computing and Freedoms. 
The data subject has the right to object to the data concerning him 
be used for prospecting purposes without having to justify a legitimate reason. 
The provisions of the first paragraph do not apply when the processing meets the 
a legal obligation or when the application of these provisions has been precluded by a 
express provision of the act authorizing the processing. 
Art.23 - Right of access to personal data 
Everyone has the right to know if they are affected by processing. 
Anyone, subject to proving their identity, has the right to obtain 
controller: 
- information relating to the purposes of the processing, to the categories of data 
of a personal nature processed and to the recipients or categories of 
recipients to whom the data are communicated; 
- communication, in an understandable form, of all the data 
which concerns it as well as any available information as to its origin; 
- information making it possible to know and challenge the logic underlying 
automated processing in the event of a decision taken on the basis thereof and 
producing legal effects with regard to the interested party. 
The applicant exercises his right of access free of charge on site or remotely. It is 
grants his request without delay. 
A copy of the data concerning him, in accordance with the content of the processing, is 
issued to the interested party at his request. 
When the exercise of the right of access applies to health data of a 
personal, these can be communicated to the data subject, according to their choice, 
directly or through the doctor it designates for this purpose. 
In the event of a risk of concealment or disappearance of data, the Commission 
Malagasy de l'Informatique et des Libertés may order all measures likely to 
to avoid. 
The provisions of this article are not applicable to processing 
concerning public security, as well as the collection of information necessary for 
Page 11 
finding of the infringements and the implementation of the consequent prosecutions. The article 26 of this law is then applicable. 
Art.24 - Abusive access requests 
The data controller may oppose manifestly abusive requests, 
in particular by their number, their repetitive or systematic nature. In case of dispute, 
the burden of proof of the manifestly abusive nature of the requests lies with the 
responsible to whom they are addressed. 
Art.25 - Right of rectification 
Any person may demand, provided with all the necessary justifications, the 
controller that, as appropriate, be rectified, completed, updated, 
locked or erased personal data concerning him, which is 
inaccurate, incomplete, equivocal, out of date, or of which the collection, use, 
communication or retention is prohibited. 
When the interested party so requests, the controller must justify, 
at no cost to the applicant, that he has carried out the required operations. 
In the event of a dispute, the burden of proof rests with the person responsible for 
of which the right of access is exercised except when it is established that the contested data have been communicated by the interested party or with his agreement. 
If the controller has transmitted data to a third party, he must notify him 
without delay the operations carried out on this data. 
Art.26 - Rights of indirect access and rectification 
By way of derogation from article 23 on the right of access and article 25 on the right of 
rectification, when a treatment concerns the security of the State, defense or security 
public, the rights of access and rectification to data are exercised indirectly. 
The request is addressed to the Malagasy Commission for Informatics and 
Freedoms which designates one of its members coming under the judiciary which it has specially 
mandated to carry out the useful investigations and make changes; this one 
may be assisted by an agent of the commission. 
When the Malagasy Commission for Informatics and Freedoms notes, in 
agreement with the controller, that the communication of the data contained therein 
contained does not jeopardize the security of the State, defense or public security, these 
data are communicated to the applicant. Failing this, the applicant is notified that he has been 
carried out checks and possible modifications. 
Art.27.- Right to be informed 
The controller ensures that the person with whom 
collected personal data is informed: 
- the identity of the controller and, where applicable, that of his 
representative; 
- the purpose of the processing; 
- the compulsory or optional nature of the information requested; 
- the categories of data processed; 
Page 12 
Page 1 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
norme recy an n a cear an compee manner y e conroer or 
of its representative: 
- the purpose of any action tending to gain access, by way of transmission 
electronic information stored in its connection terminal equipment, 
or to enter, by the same means, information in its terminal equipment of 
connection; 
- the means at its disposal to oppose it. 
- the recipients or categories of recipients of the data; 
- of its rights of opposition, access and rectification as well as the terms and conditions 
exercise; 
- where applicable, transfers of personal data and, in this case, 
the guarantees attached to these transfers in accordance with the provisions of Article 20 of 
this law. 
This information is brought to the attention of the person in a form 
understandable and adapted according to the means used for data collection. To his 
request, the data subject can also obtain this information at any time. 
Anyone using electronic communications networks must be


These provisions are not applicable if access to information stored in 
the user's terminal equipment or the entry of information in the terminal equipment 
of the user: 
- either for the exclusive purpose of allowing or facilitating communication by 
electronic; 
- either is strictly necessary for the provision of a communication service in 
line at the express request of the user. 
When personal data has not been collected from the 
data subject, the controller or his representative must provide this 
last the information listed above as soon as the data is recorded or if a 
communication of data to third parties is envisaged, at the latest during the first 
data communication. 
The provisions of this article are not applicable to processing 
concerning public security, as well as the collection of information necessary for 
finding of the infringements and the implementation of the consequent prosecutions. 
CHAPTER V 
THE INDEPENDENT PROTECTION AUTHORITY 
PERSONAL DATA AND PROCESSING CONTROL. 
Section 1 
Malagasy Commission on Computing and Freedoms 
Art.28 - Creation 
An independent data protection authority is hereby established. 
staff called the Malagasy Commission for Informatics and Freedoms (CMIL) below 
after designated the Commission. It is responsible for ensuring that the treatments of 
12 
Page 13 
personal data are implemented in accordance with the provisions of the 
this law. 
To this end, it has regulatory and sanctioning power. 
Art.29 - Composition, method of appointment, term of office and 
benefits : 
Art 29.1: Composition 
The Malagasy Commission for Informatics and Freedoms is made up of nine 
(09) members: 
- a deputy elected in plenary session of the National Assembly; 
- a senator elected by the Permanent Bureau of the Senate; 
- a magistrate of the judicial order of the Court of Cassation elected by his peers; 
- a magistrate of the administrative order of the Council of State elected by his peers; 
- a magistrate of the financial order of the Court of Auditors elected by his peers; 
- a representative of the private sector, with experience in 
information and communication technologies, appointed by the Federation of 
Chambers of Commerce and Industry; 
- Two personalities with expertise in the technology of 
information and communication designated by the National Federation of 
the order of engineers; 
- a personality with particular competence in the field of Rights 
Humans appointed by the Independent National Commission for Human Rights 
the man 
Art.29.2: Method of appointment 
The designation of members is recorded by decree taken in the Council of Ministers . 
The absence of designation due to the lack of proposal by the source entity cannot 
constitute an obstacle to the normal and regular functioning of the Malagasy Commission of 
Computing and Freedoms. 
Art. 29.3: Term of office 
Members are appointed for a term of four (04) years renewable once 
only once or for the duration of their mandate in the event of an elective mandate. 
A member who ceases to exercise his functions during his term of office is replaced, in 
the same conditions for the remainder of the term of office. 
Unless resignation, the term of office of a member may only be terminated in the event of 
prevention noted by the Malagasy Commission for Informatics and Freedoms in 
the conditions fixed by decree taken in the Council of Ministers. 
Art .29.4: Benefits 
Compensation is allocated to members for their participation in the work of the 
Malagasy Commission for Computing and Freedoms. To this end, they perceive a 
sessional allowance, and in the event of an information mission or on-site control provided for in 
Article 40 of this law, travel and subsistence allowance. 
They also receive a share of discounts on recovery, on penalties 
pecuniary decisions pronounced by the Commission and on criminal fines. 
The amounts and rates of the benefits provided for in the preceding paragraphs pertaining to 
Members of the Commission are fixed by decree taken in the Council of Ministers. 
13 
Page 14 
The members of the Bureau benefit from a monthly official allowance, the amount of which 
amount is fixed by a decree taken by the Council of Ministers. 
Art.30 -: Operation 
The Malagasy Commission for Informatics and Liberties is an authority 
independent administrative. 
It includes a collegial deliberative body and an office. 
Art.30.1: Deliberative body 
Members of the Malagasy Commission for Informatics and Freedoms 
constitute the deliberative body. 
The Commission meets in plenary formation. In the event of a split vote, the voice of the 
President is decisive. 
Art.30.2: Office 
The Malagasy Commission for Informatics and Freedoms elects from among its members a 
President and two vice-presidents. They make up the office. 
The President and the Deputy Vice-President may be entrusted by the Commission 
Malagasy of Computing and Freedoms to exercise some of its attributions. 
With the exception of the members of the office, the members do not exercise any function as 
permanent. 
Art.30.3: Services 
The Malagasy Commission for Informatics and Freedoms has the services 
managers whose organization chart is set by decree taken by the Council of the Government. 
The agents of the Malagasy Commission for Informatics and Liberties are 
appointed by the President. 
As needed, it can set up decentralized offices to help it 
perform their duties. 
Art.31 - Professional secrecy 
Members and agents of the Malagasy Commission for Informatics and 
Freedoms are bound by professional secrecy for the information they have to know in 
the exercise of their functions under the conditions provided for in article 378 of the Penal Code and, 
subject to what is necessary for the preparation of the annual report. 
Before taking office, members lend before the Supreme Court sitting in 
solemn audience, the following oath: " Mianiana aho fa hanatanteraka antsakany sy 
andavany ary amim-pahamendrehana ny andraikitra amin'ny maha-mpikambana ahy ao 
amin'ny Vaomiera Malagasy miandraikitra ny Informatika sy ny Fahafahan'ny olona tsirairay, 
tsy hiandany na amin'iza na amin'iza ary hitandro mandrakariva sy tsy hamboraka na oviana 
na oviana ny tsiambaratelon'ny dinika ”. 
14 
Page 15 
Art.32 - Immunity 
No member of the Malagasy Commission for Informatics and Liberties may 
be prosecuted, investigated, arrested, detained or tried on the occasion of opinions expressed or acts 
accomplished in the exercise of its mandate and related to its mission. 
Art.33- Independence 
Within the framework of their missions or the exercise of their attributions, the members of the 
Malagasy Commission for Informatics and Freedoms do not receive instructions from any 
authority. 
Public authorities, managers of public or private companies, responsible 
various groups and more generally the holders or users of processing and 
personal data files cannot oppose the action of the 
commission or its members and must, on the contrary, take all necessary measures to 
to facilitate its task. 
Art.34 - Activity report 
The Malagasy Commission for Computing and Freedoms presents a report 
annual of its activities: 
- to the President of the Republic; 
- to the Prime Minister, Head of Government; 
- in Parliament; 
- to the Minister of Justice. 
It makes its activity report public by any means it deems appropriate. 
Art.35 - Incompatibilities 
Membership of the Malagasy Commission for Informatics and Freedoms 
is incompatible: 
- with the quality of member of the Government; 
- with any management function in a legal person, public or private, 
when the combination of this status and this function could constitute a conflict 
of interest. 
Incompatibilities are assessed by the President of the Malagasy Commission of 
Information Technology and Freedoms, before each member takes up their effective position, then 
once a year during their tenure. 
In the event of a change in status, any member declares it to the President; this 
the latter assesses the existence or not of incompatibility. 
Art.36.- Conflicts of interest 
No member may participate in a deliberation or carry out checks 
relating to an organization within which, during the thirty-six months preceding the 
15 
Page 16 
deliberation or verifications, held a direct interest, exercised functions or held a 
mandate. 
The Malagasy Commission for Informatics and Freedoms can appeal to any 
person whose competence it deems useful for certain matters; in this case, the 
President ensures that there is no conflict of interest. 
Art.37.- Powers 
The Malagasy Commission for Computing and Freedoms: 
- inform all data subjects and data controllers of 
their rights and obligations; 
- receives declarations of creation of computer processing, or gives its opinion 
in writing or with his written authorization in the cases provided for by law; 
- controls the creation and implementation of processing operations; 
- establishes and publishes simplified standards and exemptions; 
- makes recommendations; 
- issue standard rules to ensure the security of information systems; 
- receives complaints, petitions and complaints related to its mission and informs 
their authors of follow-up given to them; 
- sends the interested parties warnings and denounces to the judicial authority the 
infringements of the provisions of this law; 
- pronounces the administrative sanctions provided for by this law; 
- monitors developments in information technology and 
communication and its legal environment. 
- make public its assessment of the consequences of these changes on the 
protection of freedoms and privacy as part of its annual report; 
- proposes to the Government legislative or regulatory modifications which 
seem likely to improve the protection of individuals against 
the use of information and communication technologies; 
- gives an opinion within two months, renewable once if necessary 
on any draft text relating to the protection of personal data 
with regard to computerized processing; 
- responds to indirect access requests; 
- can issue labels; 
- cooperates with the personal data protection authorities established in 
other states; 
- cooperates with the network of data protection officers. 
It is associated with international negotiations affecting the treatment 
personal data. 
Art.38.- Information to the public 
It makes available to the public the list of treatments which have been the subject of a 
declaration or authorization. 
This list specifies for each treatment: 
- the act deciding the creation of the processing or the date of its declaration; 
- the name or the purpose of the processing; 
- the identity and address of the controller or, if this is not established on the 
national territory, those of its representative; 
- the person or service to which the right of access is exercised; 
16 
Page 17 
- the categories of personal data being processed as well as the 
recipients or categories of recipients authorized to receive them 
communication; 
- where applicable, transfers of personal data to a 
other state. 
It also makes available to the public its opinions, authorizations, decisions, 
recommendations, exemptions from declaration. 
It informs by any means it deems appropriate the public authorities, 
private organizations and representatives of civil society opinions, authorizations, decisions 
that it renders with regard to the protection of freedoms as well as its recommendations. 
The decisions of the Malagasy Commission for Informatics and Freedoms having 
of general scope are published in the Official Journal. 
Art.39 . - Exemption from publication 
Decrees may, with the assent of the Malagasy Commission to 
Information Technology and Civil Liberties, provide that regulatory acts relating to certain 
data concerning state security, defense and public security are not 
published. 
Art.40 - Powers 
To exercise the missions entrusted to it by law, the Malagasy Commission of 
IT and Civil Liberties can: 
- proceed by way of recommendations; 
- take individual or regulatory decisions; 
- adopt simplification measures or declaration exemptions; 
- define the procedures for exercising the rights of individuals, in particular 
information matters; 
- order those responsible for processing files to communicate to it any 
useful information about the computer files they use. 
It may decide to carry out information or on-site control missions. 
Except in cases where they are bound by professional secrecy, persons 
questioned as part of the verifications carried out by the Commission are required to provide 
the information requested by it for the exercise of its missions. 
Art.41 - Rules of procedure 
The Bureau establishes the rules of procedure which are subject to the approval of the 
Commission. 
In particular, it sets the rules relating to deliberations, the examination of cases and 
when they are presented to the deliberative body. 
Art.42 - Legal remedies 
The administrative decisions of the Malagasy Commission for Informatics and 
Freedoms are subject to appeal before the Council of State. 
17 
Page 18 
Section 2 
Formalities prior to implementation 
Art.43 - Principle of declaration or keeping of a register of processing operations 
Computerized processing in whole or in part by public or private organizations 
containing personal data must, prior to their implementation, be 
declared to the Malagasy Commission for Informatics and Freedoms. 
The declaration can be sent electronically. 
Computerized processing is entered in a register kept by the delegate for 
protection of personal data designated by the controller. 
Art.44 - Implementation of public sector salaries 
Except where they must be authorized by law, automated data processing 
personal data processed on behalf of the State, a public establishment, 
of a collectivity or of a legal person governed by private law managing a public service, are 
decided by regulatory act after reasoned assent from the Malagasy Commission of 
Computing and Freedoms. 
The regulatory act specifies in particular: 
- the name and purpose of the data processing; 
- the service to which the right of access is exercised; 
- the categories of personal information recorded as well as the 
recipients or categories of recipients authorized to receive communication 
of this information; 
- the data retention period. 
Art.45 - Implementation of private sector salaries 
The processing of personal data carried out on behalf of 
persons other than those subject to the provisions of article 46 must first 
upon their implementation, be the subject of a declaration to the Malagasy Commission for 
Computing and Freedoms. This declaration includes the commitment that the processing 
meets the requirements of the law. 
The receipt is issued without delay and computerized processing can be implemented. 
artwork. However, the declaration in no way exonerates the declarant from his responsibility. 
Art.46 - Authorization for the implementation of processing operations presenting risks 
individuals 
Computer processing or not, which presents particular risks for 
rights and freedoms or which are susceptible, by virtue of their content, structure or purpose, 
to infringe privacy must be authorized by the Commission 
Malagasy of Computing and Freedoms prior to their implementation. 
Art.47 - Simplified declarations and exemptions from declarations 
For the most common categories of public data processing 
or private, the Malagasy Commission for Informatics and Freedoms establishes and publishes 
18 
Page 19 
simplification standards, or exemption when the implementation of these is not 
likely to infringe privacy or freedoms. 
These standards specify: 
1 ° the purposes of the processing operations covered by a simplified declaration; 
2 ° personal data or categories of personal data 
processed; 
3 ° the category or categories of persons concerned; 
4 ° the recipients or categories of recipients to whom the personal data 
personnel are communicated; 
5 ° the retention period for personal data. 
For processing that meets the simplification standards, only a declaration 
simplified compliance with one of these standards is filed with the Commission 
Malagasy of Computing and Freedoms. 
Unless the latter decides otherwise, the declaration receipt is issued without 
time limit. Upon receipt of this receipt, the controller can implement the 
treatment. It is not exempt from any liability. 
Art.48 - Requests for opinions and authorizations 
The Malagasy Commission for Computing and Freedoms seized of requests 
notice or authorization is given within two months of receipt 
demand. However, this period can be renewed only once upon a reasoned decision. 
Of the president. 
The lack of response from the supervisory authority within the time limit is interpreted 
as a denial of the request; the request must therefore be rephrased. 
Art.49 - Common provisions 
Declarations and requests for advice or authorization addressed to the Commission 
Malagasy of Computing and Freedoms include: 
1. The identity and address of the controller and that of the person or 
the entity on whose behalf the processing is carried out and, if applicable, 
name of the treatment; 
2. The purpose (s) of the processing; 
3. Where applicable, interconnections, mergers or any other form of 
linking with other treatments; 
4. The personal data recorded, their origin and the categories of persons 
concerned by the processing and the retention period of the processed information; 
5. The service (s) responsible for carrying out the processing, the authorized persons 
to access the data or be able to obtain communication thereof; 
6. The function of the person or the service with which the data subjects 
can exercise their right of access; 
7. Where applicable, transfers of personal data to other States; 
8. The measures envisaged to ensure the security of the processing; 
9. The guarantee of secrets protected by law; 
10. Where applicable, indication of the use of a subcontractor. 
19 
Page 20 
The controller must notify any modification made in the 
information communicated to the Malagasy Commission for Informatics and Freedoms, 
as well as the removal of processing. 
Section 3 
Control over the implementation of processing 
Art.50 - Control missions 
Members and agents of the Malagasy Commission for Informatics and 
Freedoms participating in control missions are empowered for this purpose by mission order 
duly signed by the president. 
They can : 
- access from 6 a.m. to 7 p.m. to any type of room for use 
professional, used for the implementation of the processing of personal data 
staff ; 
- have unrestricted access to the files and processes and to the materials used, 
- take a copy of any information, whatever the medium, and collect the 
statements by the controller, his representative and any 
person placed under his authority or working on his behalf. 
They may, at the request of the President, be assisted by appointed experts. 
The report of the control mission is drawn up on both sides; the trial 
verbal is sent for observation to the controller. 
In the event of opposition from the person in charge of the premises, the visit can only take place 
the authorization of the President of the Tribunal in whose jurisdiction the premises to be visited are located 
or the judge delegated by him. 
This magistrate is seized at the request of the President of the commission, he decides by a 
reasoned order. 
The visit is carried out under the authority and control of the magistrate who authorized it. This one 
can go to the premises during the operation. At any time, he can decide to stop or 
suspension of the visit. 
CHAPTER VI 
THE DELEGATE FOR THE PROTECTION OF PERSONAL DATA 
Art.51- Designation and missions 
Any data controller appoints a data protection officer at 
personal character responsible for ensuring compliance with the obligations of this law. 
As such, the data protection officer: 
- keeps the register of processing operations implemented by the person responsible for 
treatments; 
- is consulted, prior to their implementation, on all new 
treatments; 
20 
Page 21 
- in case of doubt, consult the Malagasy Commission for Computing and Freedoms; 
- receives requests and complaints from interested persons relating to 
processing carried out by the controller. When they do not fall 
not its responsibility, it transmits them to the competent controller and 
notify the interested parties; 
- informs the data controller of any shortcomings observed before any 
referral to the Malagasy Commission for Informatics and Freedoms; 
- seizes the Malagasy Commission of Computing and Freedoms in the event of 
shortcomings noted, when the data controller does not take the 
measures necessary to put an end to them or in case of doubt about the application of the 
law ; 
- establishes an annual report of its activities which it presents to the person in charge of 
processing and that it is made available to the Malagasy Commission for Informatics 
and Freedoms. 
The appointment of the data protection officer is notified to the latter 
by any process leaving a written record. 
The Commission maintains the list of designated delegates. 
Art.52 - Exemption from declarations 
When a data protection officer has been appointed, the person responsible for 
processing is exempted from completing the formalities of declaration to the 
Malagasy Commission for Computing and Liberties, except in cases where the processing 
is subject to its authorization. 
Art.53 - Qualifications and incompatibilities 
Only delegates residing in the territory of the Republic can be appointed. 
Malagasy and having the knowledge and skills necessary for the exercise of their 
mission. It may be a person exclusively attached to the service of the person in charge of 
treatment or an external person. The data controller or his representative 
legal cannot be appointed as a delegate. 
The data protection officer performs his duties in a manner 
independent. In particular, it does not receive instructions from the data controller. He 
may not be subject to sanctions for the performance of his duties. 
The data controller must provide the data protection officer with 
means necessary for the performance of its missions. 
The data protection officer is bound by a duty of confidentiality on 
information collected during the investigation of a complaint or request for which it 
is seized. 
Art.54 - Revocation 
The data protection officer cannot be revoked by the data controller 
treatment only for serious reasons and after informing the Commission. 
The Malagasy Commission for Informatics and Freedoms may request the 
dismissal of the delegate in the event of a conflict of interest between the exercise of the delegate's functions and those exercised elsewhere. 
21 
Page 22 
When the Commission notes, after having obtained its observations, that the 
Data Protection Officer is failing in the duties of his 
mission, it asks the controller to relieve him of his duties by 
application of this article. 
CHAPTER VII 
SANCTIONS 
Section 1 
SANCTIONS PROMOTED BY THE MALAGASY COMMISSION OF 
COMPUTING AND FREEDOMS 
Art.55 - Sanctions 
The Malagasy Commission for Informatics and Freedoms can pronounce on 
against a data controller, in the event of a breach of one or more of the 
provisions of this law, and after an adversarial procedure, the penalties 
following: 
- a warning ; 
- an injunction to cease processing or withdrawal of the authorization granted; 
- a financial penalty; 
In an emergency, when the implementation of the treatment or the operation of 
processed data results in a violation of the rights and freedoms mentioned in Articles 1 and 2, the 
Commission may after an adversarial procedure: 
1.decide the interruption of the implementation of the treatment, for a maximum period of 
three months, if the treatment has not been implemented by the State and does not relate to the 
state security, defense or public security, or prevention, research, 
finding or the prosecution of criminal offenses or the execution of 
criminal convictions or security measures; 
2.decide the blocking of some of the personal data processed, in order to 
a maximum period of three months, if the treatment is not implemented for 
purposes which concern the security of the State, defense or public security, or which 
have as their object the prevention, investigation, observation or prosecution of 
criminal offenses or the execution of criminal convictions or measures of 
safety. 
Any sanction pronounced must be recorded in a register. 
In the event of a repeat offense, the financial penalties will be doubled. 
Art.56 - Referral to the summary judge 
In the event of a serious and immediate violation of the rights and freedoms mentioned in Article 2, the 
President, may request, by means of summary proceedings, the competent court to order, the case 
if applicable under penalty, any security measure necessary to safeguard these rights and 
freedoms. 
22 
Page 23 
Art.57 - Order to modify or delete processing 
Any sanction decision may be accompanied by an order to proceed, 
according to a time limit that it determines, to any modification or deletion that it considers 
useful in the operation of the processing (s) of personal data subject to the 
sanction decision. 
Art.58 - Adversarial procedure and appeal against a sanction decision 
The administrative sanctions provided for in this law are pronounced on the 
based on a report drawn up by the services of the Malagasy Commission for Informatics and 
Freedoms or by a member designated by the president. The report is notified to the manager 
processing, which can submit written and oral observations and be represented or 
assist. 
The rapporteur may present oral observations but does not take part in the 
deliberation. 
The Malagasy Commission for Informatics and Freedoms can hear any 
person whose hearing seems likely to contribute usefully to his information. 
The decisions taken are motivated and notified to the controller. 
Decisions imposing a sanction may be appealed against to the 
Board of state. 
Art.59- Amount of financial penalties 
The amount of the financial penalty provided for is proportionate to the seriousness of the 
breaches committed and the benefits derived from this breach. It cannot exceed 5% of the 
turnover excluding tax for the last closed financial year. 
The pecuniary sanctions are collected like the debts of the State. 
Art.60- Publication of sanction decisions 
Sanction decisions are made public. The identity of people 
physical matters mentioned in the sanction decisions can be made anonymous. 
The Malaas Commission for Informatics and Freedoms can also order
the insertion of the sanctions decisions it pronounces in publications or newspapers 
that it designates. The costs are borne by the sanctioned persons. 
Section 2 
Penalties 
Art.61 - Obstruction 
Is punished by imprisonment of six months to two years and a fine of 800,000 
Ariary to 8,000,000 Ariary hindering the action of the Malagasy Commission of 
Computing and Freedoms: 
1 ° - Either by opposing the exercise of the missions entrusted to its members or to 
agents authorized in application of Article 50; 
23 
Page 24 
2 ° - Either by refusing to communicate to its members or to authorized agents 
application of Article 50 information and documents useful for their mission, or 
concealing said documents or information or causing them to disappear; 
3 ° - Or by communicating information that does not comply with the content of the 
records as they were at the time the request was made or which do not 
not present this content in a directly accessible form. 
Art. 62 - Failure to comply with prior formalities 
Is punished by imprisonment from six months to two years and a fine of 200,000 
Ariary to 2,000,000 Ariary does so, including through negligence, to proceed or to have 
to processing of personal data without complying with the 
formalities prior to their implementation provided for by law. 
Art.63 - Use of sensitive data, infringement files or 
national identification number outside the legal framework 
Is punished by imprisonment for two to five years and a fine of 800,000 
Ariary to 8,000,000 Ariary for proceeding or having proceeded in a non-compliant manner 
under the conditions provided for in Articles 14 and 15, to the processing of personal data 
including among the data to which it relates, the data referred to in Articles 17 and 18. 
Art.64 - Breach of security 
Is punished by imprisonment from six months to two years and a fine of 200,000 
Ariary to 2,000,000 Ariary the fact of carrying out or having carried out a treatment of 
personal data without implementing the measures prescribed in Article 15. 
Art.65 - Unfair collection 
Is punished by imprisonment for two to five years and a fine of 1,000,000 
Ariary to 10,000,000 Ariary for collecting personal data by a 
fraudulent, unfair or unlawful means. 
Art.66 - Misuse of purpose 
Is punished by imprisonment for two to five years and a fine of 800,000 
Ariary to 8,000,000 Ariary does so, by any person holding personal data 
personal data to divert the original purpose of a personal data file 
in particular on the occasion of their recording, their classification, their transmission or 
any other form of treatment. 
Art.67 - Non-respect of the rights of rectification or opposition 
Is punished by imprisonment for two to five years and a fine of 800,000 
Ariary to 8,000,000 Ariary for processing personal data 
personnel concerning a natural person despite the request for rectification or 
the opposition of this person, when this request for rectification or this opposition is 
based on legitimate grounds. 
Art.68 - Non-respect of the right to information 
24 
Page 25 
Is punished by imprisonment for two to five years and a fine of 800,000 
Ariary to 8,000,000 Ariary for not respecting the provisions referred to in article 27 
relating to the information of persons. 
Art.69 - Non-respect of the right of access 
Is punished by imprisonment for two to five years and a fine of 800,000 
Ariary to 8,000,000 Ariary for not respecting the provisions referred to in article 23 
relating to the right of access. 
Art. 70 - Failure to respect the retention period 
Is punished by imprisonment from six months to two years and a fine of 200,000 
Ariary to 2,000,000 Ariary, unless this conservation is carried out for historical purposes, 
statistical or scientific under the conditions provided for by law, the fact of keeping 
personal data beyond the period provided for in the prior declaration 
addressed to the Malagasy Commission for Informatics and Freedoms. 
Art.71 - Infringement of the consideration or privacy of private life 
Is punished by imprisonment for two to five years and a fine of 1,000,000 
Ariary to 10,000,000 Ariary does so, by any person who has collected, on the occasion of their 
recording, classification, transmission or other form of processing, 
personal data the disclosure of which would have the effect of undermining the 
consideration of the interested party or the privacy of his private life, to wear, without permission of 
the interested party, these data to the knowledge of a third party who does not have the capacity to receive them. Art.72 - Additional measures 
In the cases provided for in Articles 61 to 71, the erasure of all or part of the data 
of a personal nature subject to the processing which gave rise to the infringement may be 
ordered. Members and agents of the Malagasy Commission for Informatics and 
Freedoms are entitled to note the erasure of this data. 
Art.73- Notice 
The Public Prosecutor of the competent Court notifies the President of the 
Malagasy Commission for Computing and Freedoms for prosecutions relating to 
infringements of the provisions of this law. 
The trial court may call the President of the Commission or his 
representative to file his observations or to develop them orally at the hearing. 
Chapter VIII 
FINANCIAL PROVISIONS 
Art.74 - Budget 
The budget of the Malagasy Commission for Computing and Liberties is supported 
by a specific budget line within the Presidency of the Republic. 
The Commission may receive donations, grants and bequests from 
national and international organizations of which Madagascar is a member. For this purpose, it is 
opened a deposit account with the Public Treasury intended to lodge said funds. The 
25 
Page 26 
mobilization of this deposit account must be subject to budgetary regularization both in terms of 
income than expenditure. 
The manager of this account is appointed by order of the Ministry of Finance and 
Budget. 
The President is the budget authorizing officer of the Commission. It can designate a 
secondary authorizing officer to replace him. 
Art 75. Public accounting and auditing 
The accounts of the Malagasy Commission for Informatics and Liberties are kept 
according to the rules of public accounting and auditing is the responsibility of the Court of 
Accounts. 
CHAPTER IX 
TRANSITIONAL AND FINAL PROVISIONS 
Art 76 - Transitional provisions 
Data processing governed by article 44 and already created is subject only to 
a declaration to the Malagasy Commission for Informatics and Freedoms in 
the conditions provided for in Article 43. 
It may, however, by decision, apply the provisions of Article 44 and of 
set the time limit within which the act regulating the processing of data must be taken. 
All the processing of personal data carried out before the entry into 
force of this law must comply with the requirements of this law within a 
one year from its publication according to a sectoral schedule adopted by the Commission and 
published in the Official Journal. 
Art.77- Final provisions 
Regulatory texts, will specify, as necessary, the modalities 
application of this law. 
Art.78 - This law will be published in the Official Journal . 
It will be executed as state law. 
Promulgated in Antananarivo, January 9, 2015 
RAJAONARIMAMPIANINA Hery Martial
26