Angola Personal Data Protection Law

The Trust Challenge

Key Obligations & Consequences

Applicability: The personal data protection law applies to:

  • The processing of personal data carried out by any person in the public sector, the private sector or the cooperative sector, namely, when the data controller is based in Angola.
  • The "data controller" is the entity that determines the purpose and means of the processing of personal data. "Personal data" is any information relating to an identified or identifiable natural person, such as name, address, telephone number, etc.

Collection and Processing:

In general terms, the collection and processing of personal data are subject to express and prior consent from the data subject and prior notification to the DPA. However, data subject consent is not required in certain circumstances provided by law.

Sensitive data may be collected and processed only where a legal provision allows such processing or prior authorization from the DPA is obtained (please note that the authorization may only be granted in specific cases provided by law). If the sensitive personal data processing results from a legal provision, it shall be notified to the DPA.

There are specific rules applicable to the processing of personal data relating to:

  • Sensitive data on health and sexual life.
  • Illicit activities, crimes and administrative offenses.
  • Solvency and credit data.
  • Video surveillance and other electronic means of control.
  • Advertising by email.
  • Advertising by electronic means (direct marketing).
  • Call recording.

Specific rules for the processing of personal data within the public sector also apply.

The data subject shall be provided with:

  • The identity and address of the controller.
  • The purposes of the processing and of the creation of a file for such purposes.
  • The recipients or categories of personal data recipients.
  • The conditions under which the right of access, rectification, deletion, opposition and updating may be exercised.
  • The consequences of the collection of personal data without consent of the data subject.

Data Security:

The data controller must implement appropriate technical and organizational measures and adopt adequate security levels in order to protect personal data against accidental or unlawful total or partial destruction, accidental loss, total or partial alteration, unauthorized disclosure or access (in particular where the processing involves the transmission of data over a network) and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Specific security measures shall be adopted regarding certain types of personal data and purposes (notably, sensitive data, call recording and video surveillance).

The Trust Challenge

Key Challenges in brief:

Data Breach Notification

Companies offering electronic communications services accessible to the public shall also keep an accurate register of data breaches, indicating the concrete facts and consequences of each breach and the measures put in place to repair or prevent the breach.

Cross Border Data Transfer

International transfers of personal data to countries with an adequate level of protection require prior notification to the DPA. An adequate level of protection is understood as a level of protection equal to the Angolan Data Protection Law. The DPA decides which countries ensure an adequate level of protection by issuing an opinion in this respect.

International transfers of personal data to countries which do not ensure an adequate level of protection are subject to prior authorization from the DPA, which will only be granted if specific requirements are fulfilled. For transfers between companies of the same group, the requirement of an adequate level of protection may be met through the adoption of harmonized and mandatory internal rules on data protection and privacy.

Fulfillment of Data Subject Rights

Data subjects have the right to access, object to, rectify, update and delete their personal data.

Win-Win Situation

Solutions

Privacy Process Automation: TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks. PIAs and DPIAs aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management processes, reducing the risk of non-compliance and improving data protection practices.

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing): Often there are silos within entities or between business and IT teams, and it is challenging to get a full picture of the data leaving the organization and the data coming into it, especially when data is shared with third parties, vendors, business partners and others. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, so that you can take action on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets using Machine Learning to find excess data, including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and the legal cost of holding it with respect to regulatory compliance.

Right to Erasure with Assured Deletion: TurtleShield (Right to Erasure) provides businesses with the capabilities to comply with mandatory deletion of personal data by deleting the data on request and validating the deletion.

Enable Data subject rights with cost savings and compliance in totality: Search capability in large datasets to fulfill data subject requests in totality and at a rapid pace. The assumption that data only exists in databases and nowhere else is often not the reality, as customer data exists in many sources. Using Machine Learning and AI we crawl across data sources and predict where PII can exist.

Consent Management: TurtleShield CM is the solution designed to help enable consent compliance within your organization. Consent compliance involves implementing processes, technologies, and policies that ensure you collect and manage user consent in a way that aligns with applicable data protection regulations and industry best practices. TurtleShield CM also helps in enabling consent management in 22 regional languages.
