The Agência de Protecção de Dados (APD), the Angolan data protection authority, has imposed a fine of 140,000 euros on Africell for violating protection of personal data legislation.
According to the DPA’s decision, Africell breached the obligation to notify and request prior authorisation from the APD for the processing of its customers’ personal data.
The mobile network operator collected various categories of personal data from the individuals concerned. Under Angola’s Personal Data Protection Act, in addition to obtaining the consent of the individuals concerned, the entity processing personal data must inform the APD before processing any personal data.
However, the authority pointed to legal circumstances that mitigated Africell’s responsibility for the breach. Firstly, Africell had shown a clear and immediate intention to comply with the law,
had no history of data breaches and did not derive any economic benefit from the situation that occurred. In addition, Africell cooperated promptly with the APD, providing the authority with the required information.
Although the fine imposed on Africell is less than the maximum amount of 418,000 euros, the case highlights the importance of complying with the law on the protection of personal data. In its press release, the APD stated that companies that collect and process personal data must obtain the consent of the individuals concerned and comply with the obligations to notify and obtain prior authorization from the APD.
Description of the categories of personal data contained in the APD processing notification form.