Review of the Comoros Data Protection Law  

Introduction

On June 29, 2021, the Union of the Comoros enacted the Protection of Personal Data Law, establishing a comprehensive legal framework for data protection in the country. The law aligns with international data protection principles and aims to safeguard the rights of individuals while fostering a secure digital environment. This review provides an overview of the key provisions of the Comoros data protection law.

Scope and Application

The law applies to the processing of personal data by any data controller or processor through automated or non-automated means. It has a broad territorial scope, covering entities established in Comoros, as well as those outside the country that process the personal data of individuals in Comoros in relation to offering goods and services or monitoring their behaviour. The law exempts data processing for purely personal or domestic activities and for journalistic, artistic, or literary purposes under specific conditions.

Key Obligations for Data Controllers and Processors

The law imposes several key obligations on all entities that control or process personal data, which include:

Data Protection Principles

All data controllers and processors must adhere to the core principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.

Lawful Basis for Processing

Processing of personal data is only lawful if it is based on one of the recognised legal grounds, such as the data subject's consent, contractual necessity, a legal obligation, or the legitimate interests of the controller.

Privacy Notices

Controllers must provide individuals with clear and comprehensive information at the time of data collection, explaining the purposes of the processing, the data subject's rights, and other essential details.

Data Protection by Design and by Default

Entities must embed data protection principles into their systems and processes from the design phase and ensure that, by default, only data necessary for a specific purpose is processed.

Data Processing Agreements

When a controller engages a processor to handle data on its behalf, the relationship must be governed by a legally binding contract. This agreement must stipulate that the processor acts only on the controller's instructions and is bound by similar data protection obligations.

Security Measures

Controllers and processors are required to implement appropriate technical and organisational measures to ensure the security of personal data against accidental or unlawful destruction, loss, alteration, or unauthorised access.

Data Breach Notification

In the event of a personal data breach, controllers must notify the National Authority for the Protection of Personal Data within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Data subjects must also be notified without undue delay if the breach poses a high risk.

Appointment of Data Protection Officer (DPO)

The appointment of a DPO is mandatory for public authorities, as well as for other entities whose core activities involve large-scale, regular monitoring of individuals or processing of sensitive data.

Record Keeping

Controllers and processors must maintain internal records of their processing activities.

Data Subject Rights

The law empowers individuals with a suite of rights to control their personal data, ensuring transparency and accountability. These include the right to be informed about how their data is used and the right to access it. To ensure data quality, individuals can demand the correction of inaccurate information through the right to rectification and, under certain conditions, request its complete removal via the right to erasure (the 'right to be forgotten'). The law also grants individuals the ability to limit how their data is used through the right to restrict processing, the right to object to certain processing activities, and the right to data portability, which allows them to receive their data in a machine-readable format. Finally, individuals are protected from decisions made solely by automated means that have significant legal effects on them.

The National Authority for the Protection of Personal Data

The law establishes the National Authority for the Protection of Personal Data as an independent public body responsible for monitoring and enforcing compliance. The Authority is granted powers to conduct investigations, issue warnings, and impose administrative sanctions for infringements. However, as of mid-2024, the Authority has not yet been formally constituted or made operational.

International Data Transfers

For entities in Comoros looking to transfer personal data abroad, the law establishes a clear, risk-based approach. The most straightforward path is transferring data to a country or organisation that the competent authority has officially recognised as providing an adequate level of protection. If such a determination (an 'adequacy decision') does not exist, entities must then implement 'appropriate safeguards', such as legally binding standard contractual clauses or binding corporate rules, to ensure the data remains protected. As a final option for specific, non-repetitive situations, the law allows transfers based on 'derogations', which include, among others, the individual's explicit consent, the necessity of performing a contract with the individual, important reasons of public interest, and the establishment or defence of legal claims.

Conclusion

The Comoros data protection law represents a significant step forward in aligning the country with global data protection standards. However, its practical effectiveness will depend on the establishment and operationalisation of the National Authority for the Protection of Personal Data. Once the Authority is in place, its role in enforcing the law and promoting a culture of data privacy will be crucial for the development of the digital economy in Comoros.