August 2023

1. Governing Texts

Madagascar’s 2010 Constitution (only available in French here) grants individuals the right to privacy. Article 13 of the Constitution specifically states that individuals are assured of the inviolability of their persons, domiciles, and of the secrecy of their correspondence. In 2015, the country’s comprehensive data protection regulation called Law No. 2014- 038 (only available in French here) (the DP Law) came into force upon publication in the Madagascan Official Gazette on July 20, 2015.  The DP Law draws upon the EU Data Protection Directive (95/46/EC) as well as advice from other Francophone countries belonging to the Francophone Association of Personal Data Protection Authorities ('AFAPDP').

The DP Law effectively constitutes the legal means by which data subjects in Madagascar can ensure that their personal data remains secure and protected from unauthorized use, illegal access, or destruction.

1.1. Key acts, regulations, directives, bills

The DP Law establishes the legal basis upon which personal data may be collected, processed, used, disclosed, and transferred within Madagascar. Also, the law provides for the establishment of a data protection authority for the purposes of enforcing the law, titled the Madagascan Information Commission ('CMIL').

1.2. Guidelines

The yet-to-be-established CMIL is responsible for issuing guidelines on the DP law (Article 4 of the DP Law).

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The DP Law does not expressly set out its personal scope. However, this can be inferred from Article 7 thereof which defines personal data as any information relating to a natural person identified or who can be identified, directly or indirectly, by reference to a name, an identification number, or one or more elements specific to them. Further, Article 1 states that the purpose of the DP law is to protect the rights of individuals with regard to the processing of personal data, and Article 5 states that the DP Law applies to any processing carried out in whole or in part on Malagasy territory. This demonstrates that the personal scope of the DP law is natural persons within the Malagasy territory.

2.2. Territorial scope

The territorial scope of the DP Law is the Malagasy territory (Article 5 of the DP Law). Further, the processing of personal data is subject to the DP Law where:

• the processing manager is established on Malagasy territory. The data controller who carries out an activity on the territory within the framework of an installation, whatever its legal form, is considered to be established in the Malagasy territory; or
• the person in charge, without being established on Malagasy territory, uses means of processing located on Malagasy territory, excluding processing that is only used for transit purposes on the territory.

2.3. Material scope

Article 5 states that the DP Law applies to any processing, whether automated or not, of personal data contained or required to appear in files, carried out in whole or in part on Malagasy territory. The DP Law does not apply to the processing of personal data:

• used for the exercise of exclusively personal activities; or
• for the sole purposes of journalism or literary or artistic expression.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The DP Law provides for the creation of the CMIL as the independent data protection authority (Articles 28 and 30 of the DP Law). The CMIL is responsible for enforcing the DP law (Article 4 of the DP Law).

Even though the DP Law was adopted in 2014 and came into force in 2015, the CMIL is still yet to be established. There is no indication as to when the CMIL will commence operations and enforce the DP Law.

3.2. Main powers, duties and responsibilities

The CMIL is authorized to conduct online inspections and on-site verifications of an entity's data processing operations. When a data controller or processor has violated the DP Law, CMIL may issue:

• warnings and notices to comply with the obligations defined in the DP Law;
• notice of withdrawal of the authorization; and/or
• a fine of up to 5% of the last financial year's pretax turnover (not deducted from tax turnover).

The CMIL makes available to the public the list of processing which has been the subject of a declaration or authorization (Article 38 of the DP Law) and also informs all data subjects and data controllers of, amongst others (Article  37 of the DP Law):

• their rights and obligations;
• receives the declarations of creation of computer processing, or gives its written opinion or its written authorization in the cases provided by law;
• controls the creation and implementation of processing;
• establishes and publishes simplified standards and exemptions;
• makes recommendations;
• enacts standard rules to ensure the security of information systems;
• receives claims, petitions, and complaints related to its mission;
• issues warnings to the interested parties and denounces to the judicial authority the violations of the DP Law;
• pronounces the administrative sanctions provided for by the DP Law; and
• monitors developments in information and communication technologies and its legal environment.

4. Key Definitions

Data controller: The natural or legal person, public or private, who has the power to decide on the creation of processing alone or jointly with others, and who determines the purposes and the means to be implemented. (Article 9 of the DP Law).

Data processor: Any person other than the controller processing personal data on behalf of the controller and according to their instructions. (Article 10 of the DP Law).

Personal data: Any information relating to a natural person identified or who can be identified, directly or indirectly, by reference to a name, an identification number or to one of more elements specific to them. These elements are notably physical, physiological, economic, cultural or social. (Article 7 of the DP Law).

Sensitive data: Data revealing racial origin, biometric data, genetic data, political opinions, religious beliefs or other beliefs, trade union membership and data relating to health or sex life. (Article 18 of the DP Law).

Health data: Not defined in the legislation.

Biometric data: Not defined in the legislation.

Pseudonymization: Not defined in the legislation.

5. Legal Bases

5.1. Consent

The data subject must give prior consent before the processing of personal data (Article 17 of the DP Law).

5.2. Contract with the data subject

Processing related to the performance of a contract to which the individual concerned is a party, or pre-contractual measures requested by that individual is a legal basis. (Article 17 of the DP Law).

5.3. Legal obligations

Compliance with a legal obligation of the data controller is a legal basis for processing. (Article 17 of the DP Law).

5.4. Interests of the data subject

Processing in order to protect an individual's life is a legal basis for processing. (Article 17 of the DP Law).

5.5. Public interest

Processing in order to carry out a public service is a legal basis for processing. (Article 17 of the DP Law).

5.6. Legitimate interests of the data controller

Processing relates to the realization of the legitimate interest of the data controller or the data recipient, subject to the interest and fundamental rights and liberties of the concerned individual is a legal basis for processing. (Article 17 of the DP Law).

5.7. Legal bases in other instances

The conditions for processing of sensitive personal data include most of the above conditions but contain an additional list of more restrictive conditions that must also be satisfied such as the requirement to obtain prior consent of the data subject, or in the absence of consent where the processing is undertaken to carry out a public service and is required by law or priorly authorized by the CMIL.

6. Principles

The following principles must be satisfied when personal data is collected and processed (Article 14 of the DP Law):

• all personal data must be processed fairly and lawfully for specific, explicit and legitimate purposes and subsequently processed in accordance with these purposes;
• all personal data collected must be adequate, relevant and non-excessive in view of the purposes for which it is collected;
• all personal data must be accurate and comprehensive and when necessary, kept up to date; and
• all personal data must be retained no longer than is necessary for the purposes for which it is processed.

7. Controller and Processor Obligations

7.1. Data processing notification

Generally, personal data processing requires a prior declaration to the CMIL, but data controllers who appoint a data protection officer are not required to issue prior declarations except in special circumstances (e.g., an extraterritorial transfer to a country that does not provide an adequate level of personal data protection).

7.2. Data transfers

The transfer of a data subject's personal data to a third-party country is allowed only if the country guarantees individuals a sufficient level of protection in terms of privacy and fundamental rights and liberties. (Article 20 of the DP Law).

The sufficiency of the protection is assessed by considering all the circumstances surrounding the transfer, in particular the nature of the data, the purpose and the duration of the proposed processing, country of origin and country of final destination, rules of law, both general and sectorial in force in the country in question and any relevant codes of conduct or other rules and security measures which are complied with in that country.

Data controllers may transfer personal data to a third country that is not deemed to offer adequate protection only if:

• the data subject consents and duly informed of the absence of adequate protection;
• the transfer is necessary;
• for the performance of a contract between the data controller and the individual, or pre-contractual measures undertaken at the individual's request;
• for the conclusion or the performance of a contract in the interest of the individual, between the data controller and a third party;
• for the protection of the public interest;
• for consultation of a public register intended for the public's information; or
• to comply with obligations allowing the acknowledgment, the exercise, or the defense of a legal right.

In all cases, the data recipient in the third-party country cannot transfer personal data to another country, except with the authorization of the first data controller and the CMIL.

7.3. Data processing records

Not applicable. 

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

The DP Law does not provide any legal requirement to appoint a data protection officer. However, an entity is exempt from making prior declarations to the CMIL if the entity has appointed a data protection officer ('DPO').

The appointment of a DPO does not exempt an entity from requesting prior authorization, where necessary (for example where there is a transfer of data to a country that does not provide an adequate level of protection for personal data).

The DPO must be a resident of Madagascar.

7.6. Data breach notification

While the DP Law requires a data controller to take all necessary precautions with respect to the nature of the data and the risk presented by the processing, and to preserve the security of personal data and prevent alteration, corruption, or access by unauthorized third parties (Article 15 of the DP Law), it does not obligate a data controller to alert CMIL or the data subject in the case of a breach.

7.7. Data retention

Not applicable.

7.8. Children's data

Not applicable

7.9. Special categories of personal data

The DP Law defines sensitive personal data to include information relating to racial origin, biometric and genetic information, political opinions, religious beliefs or other convictions, trade union affiliation, and health or sex life.

Due to risks of discrimination and infringement of individual freedoms, any processing of sensitive data is prohibited.

By way of derogation, sensitive data may be processed with appropriate safeguards as defined by law or the CMIL, in the following cases:

• when the data subject has given their express consent unless the law provides that the prohibition of processing cannot be lifted by the consent of the person;
• the processing is necessary to safeguard the life of the person concerned or of a third party when the person concerned cannot give his consent due to legal incapacity or material impossibility;
• the processing is implemented by an association or any other non-profit organization of a religious, philosophical, political or trade union nature for sensitive data corresponding to the purpose of the said association or the said organization provided that they do not concern only the members of this association or organization and, where applicable, the persons who maintain regular contact with it in the context of its activity. This processing does not involve communication to third parties unless the persons concerned expressly consent to it
• the processing is necessary for the establishment, exercise, or defense of legal claims;
• the processing is necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services and carried out by a member of a health profession, or by another person on whom the obligation of professional secrecy provided for by the penal code is imposed because of his functions;
• the further processing of a patient's data is necessary for research in the public interest in the field of health and the person has not objected to it;
• the processing relates to data made public by the data subject; or
• the processing is necessary for the pursuit of a public interest and authorized by law or by CMIL in accordance with Article 46 of the DP Law.

The processing of personal data relating to offenses and convictions and security measures can only be implemented by:

• the courts, the public authorities managing a public service, acting within the framework of their legal attributions; or
• the legal assistants, for the strict needs of the exercise of the missions which assigned to them by law.

7.10. Controller and processor contracts

The processing of personal data may be subcontracted. Personal data may not be the subject of an operation of processing by a processor, only on the instructions of the controller.

The subcontractor must provide sufficient guarantees to ensure the implementation of security and confidentiality measures. This requirement does not exempt the data controller from his obligation to ensure compliance with these measures.

The contract binding the subcontractor to the controller includes an indication of the obligations incumbent on the subcontractor in terms of protection of the security and confidentiality of data and provides that the subcontractor can only act on the instructions of the controller. of the treatment.

8. Data Subject Rights

8.1. Right to be informed

Data subjects have the right to obtain information concerning the data controllers or processors who have collected or processed their personal data including (Article 27 of the DP Law):

• the purpose of the processing;
• the mandatory or optional nature of the information requested from them;
• the categories of data processed; and
• the recipients of the data.

8.2. Right to access

Data subjects have the right to access their personal data from the controller free of charge. (Article 23 of the DP Law).

8.3. Right to rectification

A data subject has the right to demand that a data controller rectifies, completes, updates, locks or deletes personal data concerning them, which is inaccurate, incomplete, ambiguous, outdated, or whose collection, use, communication or storage is prohibited. (Article 25 of the DP Law).

8.4. Right to erasure

A data subject has the right to demand that a data controller deletes personal data concerning them. (Article 25 of the DP Law).

8.5. Right to object/opt-out

A data subject has the right to object, at any time and free of charge, to the processing of personal data concerning them. (Article 22 of the DP Law).

8.6. Right to data portability

Data subjects have the right to obtain a copy of personal data concerning them. (Article 23 of the DP Law).

8.7. Right not to be subject to automated decision-making

A data subject has the right to obtain from the controller information making it possible to know and contest the logic behind automated decision making if the decision has legal effects on the data subject. (Article 23 of the DP Law).

8.8. Other rights

Not applicable.

9. Penalties

In cases where the CMIL is of the opinion that a data controller or a data processor has contravened the provisions of the DP Law, then it may serve, in accordance with the severity of the violation committed:

• warnings and notices to comply with the obligations defined in the DP Law;
• notice of withdrawal of the authorization.
• a financial sanction of up to 5% of the last financial year's pre-tax turnover (not deducted from tax turnover). Article 59 of the DP Law states that the amount of the financial penalty provided for is proportionate to the seriousness of the breaches committed and the benefits derived from this breach.

The DP Law provides that any processing of personal data in contravention of its provisions is considered an offense. For example, processing of personal data without prior declaration to or authorization of the CMIL can result in imprisonment of 6 months to 2 years and a fine of 200,000 Ariary (approx. $44) to 2,000,000 Ariary (approx. $440) (Article 62 of the DP Law).

In addition to any penalty, the Court may order the erasure of all or part of the personal data that was the object of the processing considered an offense.

Article 61 of the DP Law: Obstruction

Obstructing the action of the CMIL for Computing and Liberties is punishable by imprisonment of six months to two years and a fine of 800,000 Ariary (approx. $176) to 8,000,000 Ariary (approx. $1,760):

• either by opposing the exercise of the missions entrusted to its members or to authorized agents pursuant to Article 50;
• either by refusing to communicate to its members or to the agents authorized in the application of Article 50 the information and documents useful to their mission or by concealing the said documents or information or by causing them to disappear;
• or by communicating information that does not conform to the content of the recordings as it was at the time the request was made or which does not present this content in a directly accessible form.

Article 63 of the DP Law: Use of sensitive data, offense files or the national identification number outside the legal framework

Processing sensitive data as defined in  Articles 17 and 18 of the DP law in contravention of Articles 14 and 15 of the DP Law is  punishable by imprisonment of two to five years and a fine of 800,000 Ariary (approx. $176) to 8,000,000 Ariary (approx. $1,760).

Article 64 of the DP Law: Breach of security

Processing of personal data without implementing adequate security measures prescribed in Article 15 of the DP law is punishable by imprisonment of six months to two years and a fine of 200,000 Ariary (approx. $44) to 2,000,000 Ariary (approx. $440).  

Article 65 of the DP Law: Unfair collection

Collecting personal data by fraudulent, unfair, or illicit means is punishable by imprisonment of two to five years and a fine of 1,000,000 Ariary (approx. $220) to 10,000,000 Ariary (approx. $2,200).

Article 66 of the DP Law: Diversion of purpose

The act, by any person holding personal data of diverting the initial purpose of a personal data file in particular on the occasion of their recording, classification, transmission or any other form of processing is punishable by imprisonment of two to five years and a fine 800,000 Ariary (approx. $176) to 8,000,000 Ariary (approx. $1,760).

Article 67 of the DP Law: Failure to respect the rights of rectification or opposition

Processing personal data concerning a natural person despite the request for rectification or the objection of the person, when this request for rectification or this objection is based on legitimate grounds is punishable by imprisonment of two to five years and a fine of 800,000 Ariary (approx. $176) to 8,000,000 Ariary (approx. $1,760).

Article 68 of the DP Law: Failure to respect the right to information

Failing to respect the right to information under Article 27 of the DP Law is punishable by imprisonment of two to five years and a fine of 800,000 Ariary (approx. $176) to 8,000,000 Ariary (approx. $1,760).

Article 69 of the DP Law: Failure to respect the right of access

Failing to comply with a data subject access request under Article 23 of the DP Law is punishable by imprisonment of two to five years and a fine 800,000 Ariary (approx. $176) to 8,000,000 Ariary (approx. $1,760).

Article 70 of the DP Law: Failure to comply with the retention period

Storing personal data beyond the duration provided for in the prior declaration sent to the CMIL is punishable by imprisonment of six months to two years and a fine of 200,000 Ariary (approx. $44) to 2,000,000 Ariary (approx. $440), unless this storage is carried out for historical, statistical or scientific purposes under the conditions provided for by law.

Article 71: Violation of the consideration or intimacy of private life

Collecting, on the occasion of their registration, their classification, their transmission, or other form of processing, of personal data whose disclosure would have the effect of undermining the consideration of the data subject or the intimacy of their private life, or disclosing without the consent of the data subject, the data to an unauthorized third party is punishable by imprisonment of two to five years and a fine of 1,000,000 Ariary (approx. $220) to 10,000,000 Ariary (approx. $2,200).

9.1 Enforcement decisions

None to date.