Benin has enacted the (Loi n° 2017-20 portant Code du Numérique en République du Bénin) (“the Digital Code”) which is their overarching data protection law for the country.
Book Five of the Digital Code in particular addresses data protection and privacy. In addition, the Digital Code establishes Benin’s National Data Protection Authority Autorité de Protection des Données à caractère Personnel (“APDP”). Book Five mandates the Data Protection Officer as selected by the APDP to perform certain duties and powers specified in Articles 431 – 432.
Of the African countries, Benin is the first to enact a law that is closely aligned to The General Data Protection Regulation. The Digital Code in terms of Article 381 sets out the territorial scope (jurisdiction) under which it is stated that the Code applies to data controllers located in Benin and the Economic Community of West African States (“ECOWAS”) region. In addition, the Digital Code also has application to data controllers located outside of the ECOWAS where they provide goods and services (even free of charge) to individuals located in Benin or who monitor the behaviour of individuals located in Benin.
Book Five aligns with existing model laws for data protection principles. For the processing of personal data, the basic principles have been set out under Title II of Book Five (specifically under Articles 383 - 389) and include the following principles:
The legal and transparent processing of personal data as per Article 383;
The requirement for explicit consent for the collection of personal data which can only be carried out for a specified and legitimate purposes as per Article 384;
The maintenance of the confidentiality of personal data to the extent necessary to perform the purposes for which it was collected as per Article 385; and
Data controllers must ensure compliance with a set of obligatory responsibilities as per Article 387.
Article 394 recognises the processing of ‘special/sensitive’ data which is relates to a person’s race, health, religious or philosophical, trade union opinions and activities or sexual activities. The APDP excludes bank details from the definition of sensitive personal data but acknowledges that they should be processed using a similar standard of diligence.
Data subject rights are set out in Articles 437 – 441, including rights: of access; the right to information; the right to object; the right to rectification/erasure; and the right to data portability, respectively. A right to be forgotten in the cases of data made public has been included under Article 433 and the general principles for cross-border transfers contain derogations for cross-border transfers to third-countries as per Article 392.
As part of its Strategic Orientations In The Digital Economy Sector, 2021 Benin considers data protection a key strategic objective and the Digital Code is the commencement of the endeavours in that direction.