As the importance of technology and international trade in our world increases, so does the need to regulate the processing and cross-border flow of personal information. At the same time, organisations are increasingly at risk of cyberattacks. The need for adequate prevention, security and incident response plans cannot be overstated.
In addition to the General Data Protection Regulation (GDPR), which has had a global impact on how international businesses conduct themselves, several countries in Africa have recently passed, started to enforce, or are considering adopting data protection legislation of their own.
 These laws have considerable overlap but differ slightly in their scope. Law No. 2009-09 pertains to the digital processing of personally identifiable information in digital files or manuals, as well as personal identification mechanisms based on nominative, personal, and biometric information processed alongside a national ID number. Book V pertains to the collection, treatment, transmission, storage, and use of personal data by a person, the state, local authorities, and legal persons, as well as automated processing and non-automated processing of personal data contained in files, or any processing of data for public security, defence, research, prosecution of criminal offenses, or the security and essential interests of the state.
 This strengthens the protection of the privacy of individuals by broadening its geographical scope to offshore data controllers who carry out processing operations from Burkina Faso (irrespective of whether they use local means of processing), by supervising transborder transfers, by providing a more comprehensive right to be informed and by reinforcing security requirements with the obligation.
Under Law n° 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, healthcare institutions are required to maintain the confidentiality of patient information, unless confidentiality is waived in cases provided for by law. Further, under Law No. 1/17 of August 22, 2017 governing banking activities, Article 133 imposes confidentiality obligations on customer and account information. This article provides that any person who contributes to the operation, control or supervision of a banking institution is bound to professional secrecy. Violations are enforced under penal code provisions without prejudice to disciplinary proceedings. Lastly, several Ministerial Orders applicable to the telecommunications sector have been adopted to protect the privacy of and restrict access to and interception of the contents of communications (Legislative Decree No. 100/153 of June 17, 2013 on the Regulation of the Control and Taxation System for International Telephone Communications entering Burundi; Decree-Law No. 100/112 of April 5, 2012 on the Reorganization and Operation of the Telecommunications Regulatory and Control Agency ‘ARCT’; Ministerial Ordinance No. 730/1056 of November 7, 2007 on the interconnection of telecommunications networks and services opened to the public).
 The government issued a call for public comments on 10 February 2021. As of January 2023, it has yet to be passed into law.
 There have been two notable failed attempts to pass comprehensive data protection laws in Tanzania: the 2006 Freedom of Information Draft Bill failed to define key terms and was derided by journalists as curtailing freedom of information, and the Draft Data Protection Bill 2014—which was supposedly based on the EU Directive and the SADC Model Law—omitted consent as a condition for processing, and has been criticised as effectively inoperable despite its similarities to data protection legislation in other countries.
Every transaction, contract and dispute requires the processing of personal information. It is relevant to every area of law, in every jurisdiction on our continent and around the world.
Our multi-disciplinary team of experienced lawyers across our offices can assist clients with their data protection queries and compliance and incident response initiatives.
- advising on the data processing requirements set out in the applicable laws and the implications for client businesses, including reviewing and preparing contracts, policies, processes and procedures, and other data protection and privacy controls;
- assisting with the appointment and training of information officers, and their registration with the relevant regulatory authorities;
- conducting training and awareness sessions with employees, in order to ensure compliance with data protection, privacy, incident response and other data processing requirements;
- assisting with conducting impact assessments, preparing and implementing compliance frameworks and developing incident response plans;
- advising employers on their obligations pertaining to the processing of the personal information of employees;
- representing clients and providing dispute resolution advice;
- advising on the implications of data protection laws on corporate transactions and the obligations arising from the ownership, sharing and transfer of personal information;
- advising on the cross-border transfer of personal information and cloud data processing;
- advising on the competition law aspects pertaining to the processing and the use of personal information; and
- advising on data protection concerns in the context of due diligences.
Our specialist Cybersecurity and Major Incidents Group provides advice on crisis management and the handling of major incidents that arise from data breaches and the consequences of those breaches. We advise boards on governance surrounding incident response decisioning, reporting obligations and resulting litigation risk exposure.