Obligations

Data controllers, whether public or private entities, have several obligations under Cabo Verde's data protection law:

  • Notification and Consent: They must clearly inform data subjects about the processing of their data and obtain explicit consent when necessary.
  • Data Security: They must implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction or damage.
  • Incident Reports: They must notify the CNPD and, in some cases, the data subjects about personal data breaches that may result in a risk to the rights and freedoms of individuals.
  • Impact Assessment: They must conduct data protection impact assessments when the processing is likely to result in a high risk to the rights and freedoms of natural persons.

Record of Processing Activities

Controllers and processors must maintain an updated record of personal data processing activities under their responsibility. This record must include:

  • Purposes of processing;
  • Categories of data and data subjects;
  • Recipients of the data;
  • International transfers (when applicable);
  • Security measures adopted.


This record must be available for presentation to the CNPD, whenever requested, and constitutes an essential tool to ensure accountability.

Data Breach

A personal data breach is any security incident that leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data.

Whenever such a breach may represent a risk to the rights and freedoms of data subjects, the controller must:

  • Notify the CNPD within a maximum of 72 hours after becoming aware of the breach;
  • Inform data subjects, when the breach may entail a high risk to their rights.


The notification must contain:

  • The nature of the breach;
  • The probable consequences;
  • The measures adopted or proposed to remedy and mitigate the effects.

Data Protection Officer

The Data Protection Officer (DPO) is the person responsible for ensuring compliance with data protection legislation in an organization.

The DPO:

  • Informs and advises the controller or processor and their employees;
  • Supervises compliance with the law and internal policies;
  • Cooperates with the CNPD and acts as a point of contact.


The appointment of a DPO is mandatory for:

  • Public authorities or bodies;
  • Organizations whose main activity involves large-scale processing of sensitive data or systematic monitoring of data subjects.


The identity and contact details of the DPO must be communicated to the CNPD.

Impact Assessment

Before initiating data processing that may represent a high risk to the rights and freedoms of individuals, controllers must conduct a Data Protection Impact Assessment (DPIA).

Typical cases where a DPIA is required:

  • Systematic and extensive processing of sensitive personal data;
  • Large-scale monitoring of public spaces;
  • Use of new technologies with a significant impact on data subjects.


The DPIA must include:

  • A detailed description of the processing and its purposes;
  • Assessment of necessity and proportionality;
  • Analysis of the risks to the rights of data subjects;
  • Measures to mitigate the identified risks.


If the risks cannot be mitigated to an acceptable level, the CNPD must be consulted beforehand.