African Union
African Union Convention on Cyber Security and Personal Data Protection
- [This is the version of this document at 27 June 2014.]
Article 1 – Definitions
For the purposes of this Convention:
"AU" means the African Union;
"Child pornography" means any visual depiction, including any photograph, film, video, image, whether made or produced by electronic, mechanical, or other means, of sexually explicit conduct, where:
a) the production of such visual depiction involves a minor;
b) such visual depiction is a digital image, computer image, or computer-generated image where a minor is engaging in sexually explicit conduct or when images of their sexual organs are produced or used for primarily sexual purposes and exploited with or without the child's knowledge;
c) such visual depiction has been created, adapted, or modified to appear that a minor is engaging in sexually explicit conduct.
"Code of conduct" means a set of rules formulated by the processing official with a view to establishing the correct use of computer resources, networks and the electronic communication of the structure concerned, and approved by the protection authority;
"Commission" means the African Union Commission;
"Communication with the public by electronic means" refers to any provision to the public or segments of the public, of signs, signals, written material, image, audio or any messages of any type, through an electronic or magnetic communication process;
"Computer system" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device or a group of interconnected or related devices performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device or devices;
"Computerized data" means any representation of facts, information or concepts in a form suitable for processing in a computer system;
"Consent of data subject" means any manifestation of express, unequivocal, free, specific and informed will by which the data subject or his/her legal, judicial or treaty representative accepts that his/her personal data be subjected to manual or electronic processing;
"The (or this) Convention" means the African Union Convention on Cyber-security and Personal Data Protection;
"Critical Cyber/ICT Infrastructure" means the cyber infrastructure that is essential to vital services for public safety, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace;
"Cryptology activity" means all such activity that seeks to produce, use, import, export or market cryptology tools;
"Cryptology" means the science of protecting and securing information particularly for the purpose of ensuring confidentiality, authentication, integrity and non-repudiation;
"Cryptology tools" means the range of scientific and technical tools (equipment or software) which allows for enciphering and/or deciphering;
"Cryptology service" refers to any operation that seeks to implement cryptology facilities on behalf of oneself or another person;
"Cryptology services provider" means any natural or legal person who provides cryptology services;
"Damage" means any impairment to the integrity or availability of data, a program, a system, or information;
"Data controller" means any natural or legal person, public or private, any other organization or association which alone or jointly with others, decides to collect and process personal data and determines the purposes;
"Data subject" means any natural person that is the subject of personal data processing;
"Direct marketing" means the dispatch of any message that seeks to directly or indirectly promote the goods and services or the image of a person selling such goods or providing such services; it also refers to any solicitation carried out through message dispatch, regardless of the message base or nature, especially messages of a commercial, political or charitable nature, designed to promote, directly or indirectly, goods and services or the image of a person selling the goods or providing the services;
"Double criminality (dual criminality)" means a crime punished in both the country where a suspect is being held and the country asking for the suspect to be handed over or transferred to;
"Electronic communication" means any transmission of signs, signals, written material, pictures, sounds or messages of whatsoever nature, to the public or a section of the public by electronic or magnetic means of communication;
"Electronic Commerce (e-commerce)" means the act of offering, buying, or providing goods and services via computer systems and telecommunications networks such as the Internet or any other network using electronic, optical or similar media for distance information exchange;
"Electronic mail" means any message in the form of text, voice, sound or image sent by a public communication network, and stored in a server of the network or in a terminal facility belonging to the addressee until it is retrieved;
"Electronic signature" means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;
"Electronic signature verification device" means a set of software or hardware components allowing the verification of electronic signature;
"Electronic signature creation device" means a set of software or hardware elements allowing for the creation of an electronic signature(s);
"Encryption" means all techniques consisting in the processing of digital data in an unintelligible format using cryptology tools;
"Exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
"Health data" means all information relating to the physical or mental state of the data subject, including the aforementioned genetic data;
"Indirect electronic communication" means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient's terminal equipment until it is collected by the recipient;
"Information" means any element of knowledge likely to be represented with the aid of devices and to be used, conserved, processed or communicated. Information may be expressed in written, visual, audio, digital and other forms;
"Interconnection of personal data" means any connection mechanism that harmonizes processed data designed for a set goal with other data processed for goals that are identical or otherwise, or interlinked by one or several processing official(s);
"Means of electronic payment" refers to means by which the holder is able to make electronic payment transactions online;
"Member State or Member States" means Member State(s) of the African Union;
"Child or Minor" means every human being below the age of eighteen (18) years in terms of the African Charter on the Rights and Welfare of the Child and the United Nations Convention on the Rights of the Child respectively;
"Personal data" means any information relating to an identified or identifiable natural person by which this person can be identified, directly or indirectly in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity;
"Personal data file" means all structured package of data accessible in accordance with set criteria, regardless of whether or not such data are centralized, decentralized or distributed functionally or geographically;
"Processing of Personal Data" means any operation or set of operations which is performed upon personal data, whether or not by automatic means such as the collection, recording, organization, storage, adaptation, alteration, retrieval, backup, copy, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination and locking, encryption, erasure or destruction of personal data;
"Racism and xenophobia in information and telecommunication technologies" means any written material, picture or any other representation of ideas or theories which advocates or encourages or incites hatred, discrimination or violence against any person or group of persons for reasons based on race, colour, ancestry, national or ethnic origin or religion;
"Recipient of processed personal data" means any person entitled to receive communication of such data other than the data subject, the data controller, the sub-contractor and persons who, for reasons of their functions, have the responsibility to process the data;
"Secret conventions" means unpublished codes required to implement a cryptology facility or service for the purpose of enciphering or deciphering operations;
"Sensitive data" means all personal data relating to religious, philosophical, political and trade-union opinions and activities, as well as to sex life or race, health, social measures, legal proceedings and penal or administrative sanctions;
"State Party or State Parties" means Member State(s), which has (have) ratified or acceded to the present Convention;
"Sub-contractor" means any natural or legal person, public or private, any other organization or association that processes data on behalf of the data controller;
"Third Party" means a natural or legal person, public authority, agency or body, other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor are authorized to process the data.
Chapter I
Electronic transactions
I: Electronic commerce
Article 2 – Scope of application of electronic commerce
Article 3 – Contractual liability of the provider of goods and services by electronic means
E-commerce activities are subject to the law of the State Party in whose territory the person exercising such activity is established, subject to the intention expressed in common by the said person and the recipient of the goods or services.
Article 4 – Advertising by electronic means
II: Contractual obligations in electronic form
Article 5 – Electronic contracts
Article 6 – Writing in electronic form
III: Security of electronic transactions
Article 7 – Ensuring the security of electronic transactions
Chapter II
Personal data protection
I: Personal data protection
Article 8 – Objective of this Convention with respect to personal data
Article 9 – Scope of application of the Convention
Article 10 – Preliminary personal data processing formalities
II: Institutional framework for the protection of personal data
Article 11 – Status, composition and organization of national personal data protection authorities
Article 12 – Duties and powers of national protection authorities
III: Obligations relating to conditions governing personal data processing
Article 13 – Basic principles governing the processing of personal data
Principle 1: Principle of consent and legitimacy of personal data processing
Processing of personal data shall be deemed to be legitimate where the data subject has given his/her consent. This requirement of consent may however be waived where the processing is necessary for:
Principle 2: Principle of lawfulness and fairness of personal data processing
The collection, recording, processing, storage and transmission of personal data shall be undertaken lawfully, fairly and non-fraudulently.
Principle 3: Principle of purpose, relevance and storage of processed personal data
Principle 4: Principle of accuracy of personal data
Data collected shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified.
Principle 5: Principle of transparency of personal data processing
The principle of transparency requires mandatory disclosure of information on personal data by the data controller.
Principle 6: Principle of confidentiality and security of personal data processing
Article 14 – Specific principles for the processing of sensitive data
Article 15 – Interconnection of personal data files
The interconnection of files laid down in Article 10.4 of this Convention should help to achieve the legal or statutory objectives which are of legitimate interest to data controllers. This should not lead to discrimination or limit data subjects' rights, freedoms and guarantees, should be subject to appropriate security measures, and also take into account the principle of relevance of the data which are to be interconnected.
IV: The Data subjects' rights
Article 16 – Right to information
The data controller shall provide the natural person whose data are to be processed, no later than the time when the data are collected, and regardless of the means and facilities used, with the following information:
Article 17 – Right of access
Any natural person whose personal data are to be processed may request from the controller, in the form of questions, the following:
Article 18 – Right to object
Any natural person has the right to object, on legitimate grounds, to the processing of the data relating to him/her.
He/she shall have the right to be informed before personal data relating to him/her are disclosed for the first time to third parties or used on their behalf for the purposes of marketing, and to be expressly offered the right to object, free of charge, to such disclosures or uses.
Article 19 – Right of rectification or erasure
Any natural person may demand that the data controller rectify, complete, update, block or erase, as the case may be, the personal data concerning him/her where such data are inaccurate, incomplete, equivocal or out of date, or whose collection, use, disclosure or storage are prohibited.
V: Obligations of the personal data controller
Article 20 – Confidentiality obligations
Processing of personal data shall be confidential. Such processing shall be undertaken solely by persons operating under the authority of a data controller and only on instructions from the controller.
Article 21 – Security obligations
The data controller must take all appropriate precautions, according to the nature of the data, and in particular, to prevent such data from being altered or destroyed, or accessed by unauthorized third parties.
Article 22 – Storage obligations
Personal data shall be kept for no longer than is necessary for the purposes for which the data were collected or processed.
Article 23 – Sustainability obligations
Chapter III
Promoting cyber security and combating cybercrime
I: Cyber security measures to be taken at national level
Article 24 – National cyber security framework
Article 25 – Legal measures
Article 26 – National cyber security system
Article 27 – National cyber security monitoring structures
Article 28 – International cooperation
II: Criminal provisions
Article 29 – Offences specific to information and communication technologies
Article 30 – Adapting certain offences to information and communication technologies
Article 31 – Adapting certain sanctions to information and communication technologies
Chapter IV
Final provisions
Article 32 – Measures to be taken at the level of the African Union
The Chairperson of the Commission shall report to the Assembly on the establishment and monitoring of the operational mechanism for this Convention.
The monitoring mechanism to be established shall ensure the following:
Article 33 – Safeguard provisions
The provisions of this Convention shall not be interpreted in a manner that is inconsistent with the relevant principles of international law, including international customary law.
Article 34 – Settlement of disputes
Article 35 – Signature, ratification or accession
This Convention shall be open to all Member States of the Union, for signature, ratification or accession, in conformity with their respective constitutional procedures.
Article 36 – Entry into force
This Convention shall enter into force thirty (30) days after the date of the receipt by the Chairperson of the Commission of the African Union of the fifteenth (15th) instrument of ratification.
Article 37 – Amendment
Article 38 – Depository