Page 1

Tuesday, May 10, 2016

Number 39

SAO TOME AND PRINCIPE

REPUBLIC DIARY

SUMMARY
NATIONAL ASSEMBLY
Law No. 03/2016
Aims to Guarantee and Protect Personal Data
of Individuals.

Page 2
No. 39 - 10 May 2016

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

National Assembly
Law No. 03/2016
Protection of Personal Data
Preamble
The relevance of private life, or rather, of
right to the protection of personal data is, today, a
acquisition that is stabilizing, both in terms of
regionally or internationally, with an impact on
almost every country in the world.
The relationship between identification data and life
of its bearers is narrow, and elements
such as: name, phone number, address
electronic, etc., allow anyone to use
using modern technological means, can accept
give privacy to third parties for the most diverse
ends.
São Tomé and Príncipe, as a permanent state
belonging to the global community, says, through the
this Diploma, the principle that private life
must be protected, without prejudice to the most varied
advantages arising from the circulation of personal data
sounds. Therefore, it highlights the existence of a framework
legal to mark these two vectors.

285

added by the guarantee of protection conferred by
this legal order.
Third, no less important, will be
all those who, in breach of
compliance with this legal provision, proceed in the
the failure to protect the personal data to which
access, subject to either the sanctions provided for
or to those contained in other laws so that this
forward.
Chapter I
General provisions
Article 1
Object
This Law aims to guarantee and protect data
personal data of natural persons.
Article 2
General principles
The processing of personal data must take place
transparently and in strict respect for
reserve the intimacy of private and family life,
as well as rights, freedoms and guarantees
fundamental principles established in the Constitution of
Democratic Republic of São Tomé and Príncipe,
instruments of international law and legislation
current legislation.

In accordance with the mutations inherent in the
socio-economic development process,
Article 3
attentive to what is stipulated in the Constitution of the Republic and
Scope of application
other legal instruments that are effective in
São Tomé and Príncipe, this Diploma established
1. This Law applies to the treatment of
the conditions under which the use of
personal data by means wholly or partially
personal data and the terms under which those responsible
automated systems, as well as treatment by means
for the treatment of these data and their holders
non-automated use of personal data contained in
may proceed for the purpose of guaranteeing rights
manual files or intended for them.
and obligations.
This Law establishes three relevant lines in terms of
concerning the processing of personal data, circulation
of them and, finally, of the responsibility
arising from the failure to comply with the
protection.

2. The present Law applies equally to the work
processing of personal data carried out:
a) By the person responsible for the treatment based
in São Tomé and Príncipe;

First, consent is consecrated
of the holder and the narrow situations of need
fundamental requirements for the treatment of
personal data.

b) In the scope of the activities of the person in charge
for the treatment established in São Tomé
e Príncipe, even though the aforementioned
does not have its headquarters in national territory;

Second, the transfer of personal data
personnel to a location outside the national territory is

c) Outside the national territory, in a place where
Sao Tome legislation is applicable for

Page 3
286

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

No. 39 - 10 May 2016

under international public law or
private;
d) By a controller who does not
being established in São Tomé and Príncipe
cipe, resort, for data processing
personal belongings, to means located in
national.
3. For the purposes of paragraph d) of paragraph 2,
It is known that the controller uses
means located in São Toméan territory when the
Personal data processing operations are
carried out with the means located in the territory
national level, or when personal data is housed
in environments located in São Toméan territory,
For the purposes of this Law, the mere use of
such means for the collection, registration or transit
personal data in the national territory.
4. In the case of paragraph 2 d), the person responsible
treatment shall designate, by means of
tion to the National Data Protection Agency
Personnel (ANPDP), an established representative
in São Tomé and Príncipe to replace him in
all their rights and obligations, without prejudice to
your own responsibility.
5. This Law does not apply to the treatment of
personal data made by a natural person in the
the exercise of activities exclusively personal or
domestic, unless communication is intended
systematic or diffusion.
6. This Law applies to video surveillance and
other ways of capturing, treating and disseminating
sounds and images that allow people to be identified
whenever the controller is
domiciled or headquartered in São Tomé and Príncipe, or
use a computer network access provider
and telematics established there.
7. This Law applies to the treatment of
personal data which have as their objective the security
public service, without prejudice to the provisions of
special provisions of legal instruments
international and interregional agreements to which
Tome and Principe is bound and specific laws
related to that sector and other correlated ones.

Article 4
Definitions
1. For the purposes of this Law, the following definitions apply:
a) "Personal data": any information, according to
whatever nature regardless of
support, including sound and images
relating to a natural person identified
or identifiable ('data subject'),
being considered identifiable the person
that can be identified directly or
correctly, namely by reference
to an identification number or to one or
more specific elements of your identity
physical, physiological, psychic, economic,
cultural or social;
b) «Data subject»: natural person to whom
refer to the data subject to the treatment;
(c) 'processing of personal data' ('processing
'): any operation or set of
transactions on personal data, carried out
with or without automated means, such as
such as the collection, registration, organization,
conservation, adaptation or alteration,
recovery, consultation, use,
communication by transmission, by broadcast
or by any other form of placing on the market
provision, with comparison or interconnection
connection, as well as the blocking, elimination or
undoing;
d) «Personal data file» («file»):
any structured set of personal data
accessible according to certain criteria
irrespective of the form or
modality of its creation, storage
and organization;
e) "controller" means the person
natural or legal person, the public entity, the
service or any other body that,
individually or in conjunction with
someone else, determine the purposes and means
processing of personal data;
f) «Subcontractor»: the natural person or
corporate body, the public entity, the service or
any other body that handles the data
personal data on behalf of the person
treatment;

Page 4
No. 39 - 10 May 2016

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

g) «Third party»: the natural or legal person,
the public entity, the service or any
another body which, not being the holder
the data controller, the controller, the
subcontractor or other person under authorization
direct responsibility of the controller
or of the subcontractor, is entitled to work
tar the data;
(h) 'recipient': the natural or legal person
the public authority, the service or any other
any other body to which they are
personal data are communicated, regardless of
whether it is a third party or not, without
judgment of not being considered as recipients
authorities to whom they are communicated
given in the scope of a legal provision
or regulatory provision of a nature
organic;
i) «Consent of the data subject»:
any manifestation of free will,
specific and informed, pursuant to which
the holder accepts that his personal data
are subject to treatment;
j) 'Data interconnection': form of processing
which consists of the possibility of relaoperation of the data in a file with
data from a file or files kept
by another or other responsible persons, or
maintained by the same responsible with
another purpose;
k) «Regulatory provision of a nature
organic »: constant provision of diploma
of organization and operation or status
status of a competent authority for the practice
data processing and other acts
acts referred to in this Law.
2. For the purposes of paragraph e) of paragraph
above, whenever the purposes and means of the
treatment are determined by legal provision
or regulatory provision of an organic nature,
the person responsible for the treatment of
personal data concerned.

287

Chapter II
Data processing
Section I
Quality of personal data
Article 5
Data quality
1. Personal data must be:
a) Treated lawfully and with respect for the
principle of good faith and general principles
set out in Article 2;
b) collected for specific purposes,
explicit and legitimate and directly
related to the exercise of the activity of the
responsible for the treatment and cannot
subsequently be dealt with in a
incompatible with these purposes;
c) Adequate, relevant and not excessive
regarding the purposes for which they are
collected and subsequently treated;
d) Accurate and, if necessary, updated,
appropriate measures should be taken
to ensure that they are erased or rectified
inaccurate or incomplete data have been
taking into account the purposes for which
were collected or what they are treated for
posteriorly;
e) Preserved in such a way as to allow the
registration of its holders, only during the
necessary period for the continuation of the
the purposes of the collection or the posterior.
2. Upon request by the person responsible for
treatment, and if there is a legitimate interest, the
National Agency for the Protection of Personal Data
authorize data retention for historical purposes
statistical or scientific data for a longer period
to that referred to in paragraph e) of the previous number.
Article 6
Conditions for the legitimacy of the treatment of
Dice
The processing of personal data can only be carried out
if its holder has authorized in an unauthorized manner
chemical or if treatment is necessary to:

Page 5
288

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

a) Execution of contracts or contracts in which the
data subject is a party or due diligence
prior to the formation of the contract or
negotiation will be carried out at your
order;
b) Compliance with the legal obligation to which the
controller is subject;
c) Protection of the vital interests of the
data, if it is physically or legally
unable to give consent;
d) Execution of a public interest mission
co or in the exercise of agency powers
National Protection of Personal Data
in which the person responsible for the
processing or a third party to whom the data
are communicated;
e) Pursuit of the legitimate interests of the
responsible for the treatment or third party to
whom the data is communicated, provided
that interests or interests should not prevail
the holder's rights, freedoms and guarantees
of the data.
Article 7
Treatment of sensitive data
1. The processing of personal data is prohibited
referring to philosophical or political beliefs,
membership in political or union association, religious faith
private life and racial or ethnic origin, as well as
such as the processing of data relating to health and
sexual life, including genetic data.
2. The processing of the data referred to in paragraph
however, can be carried out provided that
with guarantees of non-discrimination and with
security measures provided for in Article 16,
following conditions:
a) By legal provision or provision
regulatory nature of an organic nature
expressly authorizes the treatment of
data foreseen in the previous number; or

No. 39 - 10 May 2016

c) When the data subject has authorized
expressly for this treatment.
3. The processing of the data referred to in paragraph 1 may
still be done when one of the
following conditions:
a) Be necessary to protect interests
of the data subject or another
person and the data subject is a physical or
legally unable to give consent
ment;
(b) be carried out, with the consent of the
home, by a legal person or body without
political, philosophical and non-profit making
religious or union, within the scope of its
legitimate activities, on condition that the
respect only those members of the
whether organism or the people who with it
maintain periodic contacts linked to the
their purposes, and that the data are not
communicated to third parties without consent
of its holders;
(c) relate to data which is manifestly torpublic by its holder, provided that it is
can legitimately deduct from its statements
consent to treatment
of the same;
d) Be necessary for the declaration, exercise or
defense of a right in judicial proceedings and
is carried out exclusively with that
goal.
4. The treatment of data relating to health and
sexual life, including genetic data, can be
carried out when necessary for the purposes of
preventive medicine, medical diagnosis,
provision of medical or medical care or treatment
management of health services, provided that treatment
such data to be carried out by a professional
health obliged to secrecy or by another person subject
professional secrecy, be notified to the
National Agency for the Protection of Personal Data,
in accordance with Article 21 and measures are
adequate information security.

b) Authorization from the National Agency for
protection of Personal Data, when
important public interest grounds
such treatment is indispensable for the exercise
of the duties and competences of its
responsible; or

Page 6
No. 39 - 10 May 2016

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

Section II
Legitimacy in the processing of personal data
Article 8
Suspected illegal activities, infringements
criminal and administrative offenses
1. The creation and maintenance of central records
concerning persons suspected of illicit activities,
criminal offenses, administrative offenses and decisions
decisions that apply penalties, security measures,
fines and ancillary sanctions can only be maintained for
public services with specific competence
seen in a legal provision or regulatory provision
of an organic nature and observing proexisting data protection and data protection policies.
2. The processing of personal data relating to
suspicions of illegal activities, criminal offenses,
administrative offenses and decisions applying
penalties, security measures, fines and sanctions
accessories can be made as long as they are observed
the data protection and security standards of the
information, when such treatment is necessary to
execution of legitimate purposes of its responsible
provided that the rights do not prevail,
and warranties of the data subject.
3. The processing of personal data for the purpose of
police investigation should be limited to what is necessary
for the prevention of a specific danger or danger
of a specific offense, for the exercise of
competences provided for in a legal provision or
regulatory provision of an organic nature and
still under the terms of an international law instrument
or interregional agreement to which São Tomé and
Prince is bound.
Article 9
Interconnection of personal data
1. The interconnection of personal data that
is provided for in a legal provision or provision
regulatory nature of an organic nature is subject to
authorization from the National Agency for the Protection of
Personal Data requested by the person in charge or in
jointly by the responsible correspondents of the
treatments, as provided for in paragraph 1 of article
22.
2. The interconnection of personal data must respect
meet the following requirements:

289

a) Adequate to the pursuit of the purposes
legal or statutory and legitimate interests
hands of those responsible for the treatments;
b) It does not imply discrimination or reduction
of the rights, freedoms and guarantees of
data homes;
c) Be surrounded by adequate security measures
ranch; and
d) Take into account the type of data subject to
interconnection.
Chapter III
Data subject's rights
Article 10
Right of information
1. When collecting personal data directly
of its holder, the controller or the
your representative must provide it, unless you have already
are known, the following information:
a) Identity of the controller
and, if applicable, its representative;
b) Purposes of the treatment;
c) Other information, such as:
i. The recipients or categories of recipients
the data;
ii. The mandatory or optional nature of the
response, as well as the possible consequences
quences if you do not answer;
iii. The existence and conditions of the right to
access and rectification, provided they are
necessary, taking into account the
specific circumstances of data collection, to
guarantee its holder fair treatment
of the same.
2. The documents on which the collection is based
personal data must contain the information
contained in the previous number.
3. If the data is not collected from your
holder, and unless they are already known to him, the
responsible for the treatment, or its representative,
shall provide you with the information provided for in paragraph 1,

Page 7
290

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

at the time of recording the data or, if you are
communication to third parties is foreseen, even when
first communication of this data.
4. In the case of data collection on open networks,
the data subject must be informed, unless
you are already aware of this, that your data
personal data can circulate on the network without
security, running the risk of being seen and used
unauthorized third parties.
5. The information obligation provided for in this
this article may be waived in the following cases:

No. 39 - 10 May 2016

b) The communication, in an intelligible form, of
your data subject to processing and any
any information available on the origin
such data;
c) Knowledge of the reasons underlying the
automated data processing
say respect;
d) Rectification, elimination or blocking
data whose treatment does not comply with the
provisions of this Law, namely
due to incomplete or inaccurate character
of that data;

a) By legal provision;
b) For reasons of safety and prevention or
criminal investigation;
c) When, in particular in the case of treatment
data for statistical purposes,
historical or scientific research, the
information of the data subject is revealed
impossible or involve disproportionate efforts
or when the law or regulation
administrative procedure expressly determines
the registration of the data or its
disclosure, in which case they must be notified
the National Agency for the Protection of
Personal data.
6. The obligation to inform, under the terms
in this article, does not apply to the treatment
data made for exclusively daily purposes
linguistic or artistic or literary expression in the
respect of the fundamental rights of the data subject
pursuant to paragraph 3 of the following article.
Article 11
Right of access
1. The data subject has the right to obtain from the
responsible for the treatment, freely and without
restrictions, with reasonable periodicity and without delay
or excessive costs:
a) Confirmation of whether or not they are treated
data concerning you, as well as
information about the purposes of this work
the categories of data on which
applies and the recipients or categories of
recipients to whom the information is communicated
Dice;

e) Notification to third parties to whom the data
have been communicated of any rectification
fication, deletion or blocking carried out
under the terms of the previous paragraph, unless
proved to be impossible or implied
manifestly disproportionate effort
the third party must proceed
also to rectification, elimination, disposal
destruction or blocking of data.
2. In the case of the processing of personal data
safety and prevention or investigation
criminal, the right of access is exercised through
competent authority in the case.
3. In the case provided for in paragraph 6 of the previous article, the
right of access is exercised through the Agency
National Protection of Personal Data with salaries
regardless of the applicable rules, namely the
guarantee freedom of expression and information
freedom of the press and independence and
professional secrecy of journalists.
4. In the cases provided for in paragraphs 2 and 3, if the
communication of data to the data subject may impair the
security, prevention or criminal investigation
or even freedom of expression and information or
freedom of the press, the competent authority in the
case or the National Data Protection Agency
Personnel, respectively, are limited to informing the
holder of the data only of the steps taken
which are not likely to cause damage to the
values ​that are intended to be safeguarded in the present
number.
5. The right of access to information relating to
health data, including genetic data, is
exercised through a doctor chosen by the
data holder.

Page 8
No. 39 - 10 May 2016

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

6. In case the data are not used for
take action or decisions in relation to people
determined, the law may restrict the right of access
only in cases where it clearly does not exist
any danger of violating the rights, freedoms
and guarantees of the data subject, namely the
the right to privacy, and the said data are
exclusively used for research purposes
scientific or kept in the form of personal data
personnel for a period not exceeding what is necessary
to the exclusive purpose of compiling statistics.
Article 12
Right of opposition
1. Unless otherwise provided by law, the holder
of the data has the right to object in any
height, for weighted and legitimate reasons related
with their particular situation, to which the data
concerning him are subject to treatment,
and, in the case of justified opposition, the treatment
carried out by the person in charge no longer has the power
focus on that data.
2. The data subject also has the right to
oppose, at their request and free of charge, the
of the personal data concerning him / her foreseen
by the controller for the purposes of
direct marketing or any other form of promotion
commercial inspection, or to be informed, before
personal data are communicated for the first time
third parties for direct marketing purposes or
used on behalf of third parties, and to be
expressly granted the right to object, without
expenses, such communications or uses.
Article 13
Right not to be subject to individual decisions
automated
1. Anyone has the right not to be
subject to a decision having effect on its
legal sphere or that significantly affects it
taken exclusively on the basis of treatment
automated data processing to evaluate
certain aspects of your personality, called
particular their professional capacity, their
credit, the confidence that it deserves it or its
behavior.
2. Without prejudice to the fulfillment of the remaining
provisions of this Law, a person may be
subject to a decision taken pursuant to paragraph 1, if
the same is:

291

a) Taken in connection with the celebration or
performance of a contract, and subject to
your request to conclude or execute the
contract has been satisfied, or there are
appropriate measures to ensure the defense
their legitimate interests, namely
their right of representation and
expression;
b) Authorized by law that establishes measures
guaranteeing the defense of rights and
legitimate interests of the data subject.
Article 14
Right to compensation
1. Anyone who has suffered an injury
arising from the unlawful processing of data or
any other act that violates a legal provision or
regulatory framework on data protection
personal data has the right to obtain from the person
treatment and reparation for the damage suffered.
2. The controller may be partial
or totally exonerated from this responsibility if
prove that the fact that caused the damage is not
imputable.
Chapter IV
Security and confidentiality of treatment
Article 15
Treatment security
1. The controller must ensure that
the appropriate technical and organizational measures
measures to protect personal data against
accidental or unlawful destruction, accidental loss,
unauthorized alteration, dissemination or access,
particularly when the treatment implies its
network transmission, and against any other form
illicit treatment, and they must ensure, taking into account
according to the available technical knowledge and
costs resulting from its application, a level of
adequate security in relation to the risks that the
treatment presents and the nature of the data to be
teger.
2. The controller, in the case of work
your own account, you must choose a subcontractor
that it offers sufficient guarantees in relation to the
technical security and organization measures
treatment to be carried out, and must ensure compliance
of these measures.

Page 9
292

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

3. Carrying out treatment operations in
subcontracting must be governed by a contract or
legal act which binds the subcontractor to the
responsible for the treatment and which stipulates,
in particular, that the subcontractor only acts
through instructions from the controller
and that it is also responsible for the fulfillment of the
obligations referred to in paragraph 1.
4. The evidence of the business declaration,
contract or legal act relating to the protection
data, as well as the requirements relating to
measures referred to in paragraph 1, are consigned by
written in a document with legal evidential value
recognized.
Article 16
Special security measures
1. Data controllers
referred to in paragraph 2 of article 7 and paragraph 1 of article
8 must take appropriate measures to:
a) Prevent access by unauthorized person
the facilities used for the treatment
such data (control of entry to premises
lations);
b) Prevent data carriers from being
read, copied, altered or removed by
unauthorized person (control of
data);
c) prevent unauthorized introduction as well
such as taking knowledge, changing
unauthorized removal or disposal of
personal data entered (control of insertion
dog);
d) Prevent automated treatment systems
data can be used by
unauthorized persons through installations
data transmission operations (control of
use);
e) Ensure that authorized persons can only
have access to the data covered by the
authorization (access control);
f) Guarantee the verification of the entities to whom
personal data can be transmitted
through the transmission facilities of
data (transmission control);

No. 39 - 10 May 2016

g) Ensuring that it can take place afterwards,
within a period appropriate to the nature of the treatment.
therefore, to be set out in the regulations applicable to
each sector, what personal data are entered
produced when and by whom (control of
introduction);
(h) prevent the transmission of personal data
as well as in the transport of your
support, the data can be read, copied,
altered or eliminated in a way that is not
authorized (transport control).
2. Taking into account the nature of the entities
responsible for the treatment and type of facilities
where it is carried out, the National Protection Agency
Personal Data may dispense with the existence of
certain security measures, ensuring that
show respect for rights, freedoms and guarantees
of the data subjects.
3. Systems must guarantee logical separation
between health and sexual life data,
including genetics, of the remaining personal data.
4. The National Data Protection Agency
Personnel can determine that, in cases where the
network circulation of personal data referred to in
Article 7 may jeopardize rights, freedoms and
guarantees of the respective holders, the
be encrypted.
Article 17
Subcontractor treatment
Any person who, acting under the authority of the
controller or processor,
as well as the subcontractor himself, has access to
personal data cannot process it
without instructions from the controller,
except under legal obligations.
Article 18
Professional secrecy
1. Those responsible for processing personal data
employees, as well as people who, in the exercise of
their duties, have knowledge of the personal data
treated, are bound by professional secrecy,
even after the end of their duties.
2. Employees, agents or technicians who exercise
provide advisory or consultancy functions to the Agency

Page 10
No. 39 - 10 May 2016

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

293

National Protection of Personal Data are
subject to the same obligation of professional secrecy.

(a) is necessary for the performance of a contract
contract between the data subject and the
responsible for the treatment or pre-procedure
3. The provisions of the preceding paragraphs do not exclude the
ways to form the contract, decided to
duty to provide mandatory information
request from the data subject;
under the legal terms, except when they appear in
files organized for statistical purposes.
b) It is necessary for the execution or celebration
a contract concluded or to be concluded,
Chapter V
in the interest of the data subject, between the
Transfer of personal data to location
controller and a third party;
located outside the Democratic Republic of São
Tome and Principe
c) It is necessary or legally required for the
protection of an important public interest
Article 19
amount, or for the declaration, exercise or
Principles
defense of a right in a judicial process;
1. The transfer of personal data to a location
located outside the national territory can only be
respecting the provisions of the present Law and
whether the respective legal system to which they are
transferred to ensure an adequate level of protection
quado.
2. The adequacy of the level of protection referred to in
previous paragraph is assessed in light of all the
circumstances surrounding the transfer or
set of data transfers, and should be
taking into account in particular the nature of
data, the purpose and duration of the treatment or
projected treatments, countries of origin and
final destination, the rules of law, general or secin force in the legal system in question,
as well as professional rules and control measures
that are respected in that same order.
menting.
3. It is up to the National Agency for the Protection of
Personal Data decide whether a legal order
ensures an adequate level of protection depending on
the provision of the previous number.
Article 20
Derogations
1. The transfer of personal data to a
legal system that does not guarantee a level of
adequate protection under paragraph 2 of Article
previous period may be made by notifying the
National Agency for the Protection of Personal Data,
if the data subject has authorized
unambiguous to the transfer or when there is
any of the following situations:

d) It is necessary to protect the interests
vital data subjects;
e) It is carried out from a public register
that, under the terms of the law or regulation
administrative, is intended for the information of the
public and is open to consultation by the
general public or anyone who
can prove a legitimate interest, provided
that the conditions established therein for the
consultation are fulfilled in the specific case.
2. Without prejudice to paragraph 1, the Agency
National Protection of Personal Data may
authorize a transfer or a set of
transfers of personal data to a
legal instrument that does not ensure a level of proprotection under paragraph 2 of the previous article
previous, provided that the controller
ensure sufficient mechanisms for guaranteeing
protection of privacy and rights and freedoms
fundamental rights of people, as well as their exercise
namely through contractual clauses
appropriate.
3. The transfer of personal data that constitutes
your necessary measure for the protection of defense,
public security, prevention, research and
prosecution of criminal offenses and protection of
public health is governed by specific legal provisions
specific or international law instruments
national and interregional agreements to which São Tomé and
Prince is bound.

Page 11
294

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

Chapter VI
Notification and authorization
Article 21
Notification obligation
1. The controller or, where applicable
In addition, your representative must notify you in writing
and within eight days, before treatment begins
However, the National Personal Data Protection Agency
of the start of a treatment or
set of treatments, totally or partially
automated systems for the pursuit of one or more
more interconnected purposes.
2. The National Data Protection Agency
Personnel can authorize simplification or exemption
notification for certain categories of workers
which, in view of the data to be processed, do not
are likely to call into question the rights and
freedoms of data subjects and take into account
criteria of speed, economy and efficiency.
3. The authorization is published in the Diário da República
public and must specify the purposes of the treatment
the data or categories of data to be processed, the
category or categories of data subjects, data
recipients or categories of recipients to whom
the data and the period of your stay can be communicated
conservation.
4. Treatments are exempt from notification
whose sole purpose is record keeping
that, under the terms of law or administrative regulation
are aimed at informing the public and can
be consulted by the general public or by those
can prove a legitimate interest.
5. Non-automated data processing
personal data provided for in paragraph 1 of article 7
notification when treated under subparagraph
paragraph a) of paragraph 3 of the same article.
Article 22
Prior control

No. 39 - 10 May 2016

b) The processing of personal data relating to
credit and solvency of its holders
res;
c) The interconnection of personal data provided for
in article 9;
d) The use of personal data for purposes other than
determinants of collection.
2. The treatments referred to in the previous number
above may be authorized by legal provision or
regulatory provision of an organic nature, not
in this case requiring authorization from the Agency
National Protection of Personal Data.
Article 23
Content of requests for opinions or authorizations
authorization and notification
Requests for opinions or authorization, as well as
such as notifications, sent to the National Agency
Protection of Personal Data must contain the
following information:
a) Name and address of the person responsible for the
and, if applicable, its representative
you;
b) The purposes of the treatment;
c) Description of the holder category or categories
of data and data or categories of
personal data that respect them;
d) Recipients or categories of recipients
to whom the data can be communicated and
under what conditions;
e) Entity in charge of processing the
information if you are not responsible
treatment;
f) Possible interconnections of treatment of
personal data;

1. Except as provided for in paragraph 2 of this article
require authorization from the National Agency for
Protection of Personal Data:
a) The processing of personal data referred to
referred to in Article 7 (2);

g) Retention time of personal data;
h) Form and conditions as the holders of
data can have knowledge or make
correct the personal data relating to them
has;

Page 12
No. 39 - 10 May 2016

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

i) Data transfers planned for countries
third countries or territories;
j) General description that makes it possible to assess
preliminary the adequacy of the measures
taken to ensure the security of the treatment
pursuant to Articles 15 and 16.
Article 24
Mandatory indications

295

3. The data controller is not
subject to the notification is obliged to provide
appropriate, to anyone who requests it,
at least the information referred to in paragraph 1 of
previous article.
4. The provisions of this article do not apply to
treatments whose sole purpose is the maintenance
records that, under the terms of the law or regulation
administrative, are intended for the information of the public

The legal provisions or regulatory provisions
organic nature referred to in paragraph 2 of article
7 and in Article 8 (1), as well as the authorities
of the National Data Protection Agency
Personal data and records of personal data processing
should indicate at least:
a) The person in charge of the file or his representative
important;

and are open to public consultation on
general or any person who can prove a
legitimate interest.
5. The National Data Protection Agency
Personnel publishes in its annual report all
opinions and authorizations prepared or granted
under this Law, namely the authorations provided for in paragraph 2 of article 7 and paragraph 1 of
Article 9.

b) The categories of personal data processed;

Chapter VII
Codes of conduct

c) The purposes for which the data are intended and
the categories of entities to which they can
be transmitted;
d) The form of exercising the right of access and
rectification;
e) Possible interconnections of treatment of
personal data;
f) Data transfers planned for countries
third countries or territories.
2. Any change in the information contained in
paragraph 1 is subject to the procedures provided for in
Articles 21 and 22.
Article 25
Advertising of treatments
1. The processing of personal data, when not
is the subject of a legal or regulatory provision of
organic nature and should be authorized or notified
market, is registered with the National Agency for
Protection of Personal Data, open to consultation by
anyone.
2. The register contains the information listed
in points a) to d) and i) of article 23.

Article 26
Codes of conduct
1. The National Data Protection Agency
Personnel encourages and supports the drafting of codes
conduct designed to contribute, depending on the
characteristics of the different sectors, for the good
execution of the provisions of this Law and, in
general, for greater efficiency of self-regulation and
in the realization and defense of fundamental rights
linked to the protection of privacy.
2. Professional associations and other organizations
representations of categories of responsible persons
for the processing of data that they have prepared
draft codes of conduct can, if so
understand, submit them to the National Agency for
Protection of Personal Data for registration purposes.
3. In the case of the National Agency for the Protection of
Personal Data consider that there is compliance of the
projects with the legal and regulatory provisions
prevailing in the field of personal data protection
soais proceeds with its registration.
4. The registration of codes of conduct has an effect
mere declaration of legal compliance does not
lining these codes nature of legal norms
or regulatory.

Page 13
296

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

No. 39 - 10 May 2016

Article 30
Compliance with omitted duty

Chapter VIII
Administrative and jurisdictional protection
Section I
Administrative and jurisdictional protection

Whenever the administrative offense results from
omission of a duty, the application of the sanction and the
payment of the fine does not exempt the offender from
compliance, if this is still possible.

Article 27
General principle
Without prejudice to the right to file a complaint
the National Agency for the Protection of Personal Data
any person may, under the law,
resort to administrative or jurisdictional means
to ensure compliance with legal provisions
and data protection regulations
personal.
Article 28
Jurisdictional protection
1. A decision handed down by a court is always
appeal to the Court of last resort with
plea in violation of fundamental rights
guaranteed in this Law, the direct appeal being
and per saltum, restricted to the issue of violation and
urgent.

Article 31
Omission or defective fulfillment of obligations
gations
1. Entities that, through negligence, fail to comply
the obligation to notify the National Agency
Protection of Personal Data for the processing of
personal data referred to in paragraphs 1 and 5 of
Article 21, provide false information or comply with
the obligation to notify non-observers of the
terms provided for in article 23, or even when,
after being notified by the National Agency for
Protection of Personal Data, maintain access
open data transmission networks responsible for
responsible for processing personal data other than
comply with the provisions of this Law, practice
administrative offense punishable by the following
fines:

a) In the case of a natural person, at least
2. Without prejudice to the provisions of the preceding paragraph,
50,000,000.00 (fifty million
appeal to the administrative court for acts
folds) and a maximum of 120,000,000.00
administrative measures or the simple factual way of
(Hundred and Twenty Million Folds);
public officials, based on the violation of rights
fundamental rights guaranteed in this Law, which
b) In the case of a group of people without
it is of an urgent nature.
legal personality, at least
100,000,000.00 (one hundred million folds) and
3. The procedural processing of remedies under tutelage
maximum of 200,000,000.00 (two hundred
jurisdiction provided for in the preceding paragraphs
million folds);
with the necessary adaptations, the provisions of
Code of Civil Procedure and the Code of Procedure
c) In the case of a legal person, at least
Administrative, respectively.
250,000,000.00 (two hundred and fifty
million folds) and a maximum of
Section II
500,000,000.00 (five hundred million
folds).
Administrative offenses
Article 29
Subsidiary legislation
The infringements provided for in this section are
the general regime for infringements is
administrative changes, with constant adaptations
of the following articles.

2. The fine is increased to double its limits
when it comes to data subject to pre-control
in accordance with Article 22.
3. The criteria for applying the fines referred to
in this Article are regulated by the Agency
National Protection of Personal Data.

Page 14
No. 39 - 10 May 2016

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

Article 32
Other administrative offenses
1. They commit an administrative offense punishable by
a fine of 25,000,000.00 (twenty-five million
folds) to 50,000,000.00 (fifty million
folds), entities that do not comply with any
following provisions of this Law established
referred to in Articles 5, 10, 11, 12, 13, 16, 17
and 25 (3).

Section III
Crimes
Article 36
Non-compliance with obligations related to
data protection
1. You are punished with imprisonment for up to one year or
penalty of fine up to 120 days who intentionally:
(a) omitting the notification or application for
organization referred to in Articles 21 and
22;

2. When the obligations are not fulfilled
contained in Articles 6, 7, 8, 9, 19 and 20, the
responsible entities commit an administrative offense
penalty sanctioned with a fine of 45,000,000.00
(forty-five million folds) to
90,000,000.00 (ninety million folds).

b) Provide false information in the notification
or requests for authorization for the treatment
personal data or in this procedure
modifications not consented to by the
legalization instrument;

Article 33
Infringement contest

c) Divert or use personal data, in a way
incompatible with the determining purpose
collection or with the legalization instrument
zation;

1. If the same fact constitutes, simultaneously,
crime and administrative offense, the agent is punished
always as a crime.
2. The sanctions applied to administrative offenses
tenders are always cumulated materially
mind.

d) Promote or carry out an interconnection
illegal personal data;
e) After the deadline which has been exceeded
has been fixed by the National Agency for
Protection of Personal Data to comply with
fulfillment of the obligations provided for in this
Law or other legislation for the protection of
data, not to comply with them;

Article 34
Punishment of negligence and attempt
1. Negligence is always punished for infringements
administrative provisions provided for in Article 31.
2. Attempt is always punishable in offenses
administrative provisions provided for in Articles 32 and 33.

f) After being notified by the National Agency
Protection of Personal Data for the non
do, maintain access to open networks of
transmission of data to those responsible for
processing of personal data that does not
the provisions of this Law.

Article 35
Application of fines
1. The application of the fines provided for in this
Law falls to the National Agency for the Protection of
Personal data.

297

2. The penalty is increased to twice its limits
when dealing with personal data to which they refer
refer to Articles 7 and 8.

2. The decision of the National Protection Agency
Personal Data constitutes an enforceable title,
if it is not challenged within the time limit and under
cool.

Article 37
Improper access
1. Who, without proper authorization, for any reason
In this way, access personal data that you have access to.
is prohibited, is punished with imprisonment for up to one year or
penalty of up to 120 days, if more severe penalty
if it does not fit under special law.

Page 15
298

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

No. 39 - 10 May 2016

2. The penalty is increased to twice its limits
when access:
a) It is achieved through violation of
technical safety rules;
b) Has made it possible for the agent or third parties
knowledge of personal data;
(c) has provided the agent or third party with
equity benefit or advantage.

Article 40
Breach of the duty of secrecy
1. Whoever, bound by professional secrecy, has
the law, without just cause and without due consent
investment, reveal or disclose in whole or in part
personal data is punishable by imprisonment up to two
years or a fine of up to 150 days, if more
serious to the case does not fit under special law.
2. The penalty is increased by half its limits
if the agent:

3. In the case of paragraph 1, criminal proceedings
depends on complaint.

a) is a civil servant or equivalent, in accordance
criminal law terms;

Article 38
Addiction or destruction of personal data
1. Whoever, without proper authorization, eliminates,
destroy, damage, delete or modify data
personal data, rendering them unusable or affecting
ability to use, is punishable by imprisonment
up to two years or a fine of up to 150 days, if
more serious if the case does not fit under the law
Special.
2. The penalty is increased twice as much in its limits
if the damage caused is particularly severe.

b) is determined by the intention to obtain
any asset or other advantage
illegitimate benefit;
c) endanger the reputation, honor and conconsideration or the intimacy of private life
someone else's.
3. Negligence is punishable by imprisonment up to
six months or a fine of up to 120 days.
4. Outside the cases provided for in paragraph 2, the
criminal prosecution depends on a complaint.

3. If the agent acts negligently, the penalty is,
in both cases provided for in the previous paragraphs
prison terms of up to one year or a fine of up to 120 days.
Article 39
Qualified disobedience

Article 41
Punishment of the attempt
In the crimes provided for in this section, attempting to
is always punishable.

1. Who, after being notified to that effect, does not
interrupt, cease or block the treatment of
personal data is punished with the corresponding penalty
to the crime of qualified disobedience.
2. The same penalty applies to anyone who, after
stayed:
a) Refuse, without just cause, the collaboration that
concretely required by the Agency
National Protection of Personal Data;

Section IV
Accessory feathers
Article 42
Accessory penalty
In conjunction with the fines and penalties imposed
pursuant to sections II and III of this chapter may,
incidentally, be ordered:
(a) the temporary or permanent prohibition on the
treatment, blocking, elimination or disposal
total or partial data destruction;

b) Do not proceed with elimination, total destruction
or partial personal data;

b) Publicity of the condemnatory sentence;
c) Do not proceed with the destruction of personal data
the expiry of the conservation period foreseen
in Article 5.

Page 16
No. 39 - 10 May 2016

SÃO TOMÉ AND PRÍNCIPE - DIARY OF THE REPUBLIC

c) The public warning or censorship of the
responsible for the treatment, by the Agency
National Protection of Personal Data.

Chapter X
Final and transitional provisions
Article 45
Transitional provision

Article 43
Publication of a condemnatory decision
1. Publication of the condemnatory decision is made
the convict's expense, in a periodical publication
tip of great expansion in Portuguese language, as well
as through the posting of a public notice in an
for a period of not less than 30 days.
2. The publication is made by extract of which
has the elements of the offense and the sanctions
as well as the identification of the agent.
Chapter IX
Complementary provisions
Article 44
National Personal Data Protection Agency
sounds

299

1. The processing of existing data in files
manuals on the date of entry into force of this
Law shall comply with the provisions of articles 7, 8,
10 and 11 within 2 years.
2. In any case, the data subject may
obtain, at their request and, in particular, when
exercise of the right of access, rectification,
completion or blocking of incomplete data,
or preserved in a manner incompatible with
the legitimate purposes pursued by the person
treatment.
3. The National Personal Data Protection Agency
can authorize data in files
manual and kept for the sole purpose of
historical research do not have to comply with the articles
7, 8 and 9, provided that they are not re-used in any case
used for a different purpose.

1. The following are approved by law of the National Assembly:

Article 46
Doubts and omissions

a) The organic law and the staff of the
ANPDP;
b) The regime of incompatibility, of impediment
term of office, suspension and loss of mandate,
as well as the remuneration status of
ANPDP members.
2. The statute of ANPDP members guarantees the
independence of the exercise of their functions.
3. ANPDP has its own framework for the
technical and administrative support.

The doubts and omissions resulting from the interpretation and
application of this Law are resolved in accordance with
general principles of law.
Article 47
Implementation
The present Law enters into force in the legal terms.
National Assembly, in São Tomé, on February 15
2016.- The President of the National Assembly,
José da Graça Diogo.
Enacted on March 18, 2016.
Publish yourself.The President of the Republic, Manuel do Espírito Santo
Pinto da Costa.

REPUBLIC DIARY
NOTICE
Correspondence concerning the publication of advertisements in the Diário da República , your signature
or lack of remittance, should be addressed to the Ministry of Justice's Computer and Reprography Center
and Human Rights - Telephone: 2225693 - PO Box 901 - E-mail: cirreprografia@hotmail.com São Tomé and Príncipe. - S. Tomé.

