Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Already have an account? Log in

Namibia - Data Protection Overview

Back

Namibia - Data Protection Overview

April 2024

1. Governing Texts

The Republic of Namibia enshrined the right to privacy as a fundamental human right under Article 13 of the Constitution. Accordingly, all persons enjoy a right to privacy in their homes, correspondences, or communications. However, the right may be limited as required by law, as well as in the interest of protecting national security, public safety or the economic well-being of the country, health and morals, disorder and/or crime, and rights and freedoms of other individuals. Besides this, it is noteworthy to highlight that Namibia does not yet have any comprehensive legislation that directly provides for data protection, nor has it established a data protection authority. Attempts have been made in the past few years to promulgate an Electronic Transactions and Cybersecurity Bill in 2017 without success. The bill received extensive criticism and the Ministry of Information and Communication Technology of Namibia (‘the Ministry’) was compelled to remove the Bill from the public consultation process.

The Ministry has been developing a Data Protection Bill ('the Draft Bill') for several years. In February 2020, a multi-stakeholder consultation on the Draft Bill was had, with further online consultations having been had between September and mid-October 2020 with the support of the Council of Europe, and was eventually published in 2021 by the Namibian Government. The Draft Bill seeks to establish a data protection authority and includes ten principles of data protection that include the following:

the establishment of a Data Protection Supervisory Authority;
to provide for the powers, functions, and duties of the Authority;
creation of data controllers and processors’ obligations;
provide for the regulation of the processing of personal data in order to protect the fundamental rights and freedoms of individuals provided for in the Constitution;
stipulating the rights of individuals about whom data is processed;
providing for restrictions and exemptions with respect to the processing of data under the provisions of the Act; and
providing for the conduct requirements of controllers and processors of matter associated with the Act.

Nonetheless, there are various sector-specific pieces of legislation that protect client data, especially in the legal, labor, and banking spheres.

1.1. Key acts, regulations, directives, bills

Article 13 of the Constitution.
Section 227(3) of the Labour Act, 1992 (G.N. 156): regulating the health and safety of employees at work and the confidentiality of employee medical data.
Section 49 of the Financial Intelligence Act, 2012: protection of confidential information held by the Financial Intelligence Centre.

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

Not applicable.

2.2. Territorial scope

Not applicable.

2.3. Material scope

Not applicable.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Not applicable.

3.2. Main powers, duties and responsibilities

Not applicable.

4. Key Definitions

Data controller: Not defined.

Data processor: Not defined.

Personal data: Not defined.

Sensitive data: Not defined.

Health data: Not defined.

Biometric data: Not defined.

Pseudonymization: Not defined.

5. Legal Bases

5.1. Consent

Not applicable.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Not applicable.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable.

7.2. Data transfers

Not applicable.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

Not applicable.

7.7. Data retention

Not applicable.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Not applicable.

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

8.1. Right to be informed

Not applicable.

8.2. Right to access

Not applicable.

8.3. Right to rectification

Not applicable.

8.4. Right to erasure

Not applicable.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

Not applicable.

9.1 Enforcement decisions

Not applicable.

Privacy Law Concepts Privacy Law Reform

About the authors

Irvin Titus

Koep & Partners

Irvin was admitted as an attorney of the High Court of Namibia in April 2003 and joined Koep & Partners in January 2004. He heads the commercial department at Koep & Partners and advises a range of multinational technology companies on telecommunications laws in Namibia. He has advised multiple fortune 500 companies on the launch of new software products and features in Namibia. Irvin Assisting an American multinational technology company that specializes in Internet-related services and products, which include a search engine, with the following scope of work in the development of a data protection regulation tracker for Namibia, assessing whether any data protection regulation has extra territorial reach, establishing any legal requirement for an agreement for controller-processor or controller-controller relationships, assessing whether there are any legal requirements for the appointment of a data protection officer, identifying any laws that require data localization confirming the existence of a data protection authority and identifying any fines or personal liability for data breaches.

Irvin is also ssisting a Namibian agri-business transferring personnel data to a subsidiary based in the United Kingdom with the following scope of work: reviewing agreements which govern cross-border inter-company data transfers between “data importer” and “data exporter”, with specific application to employee data. Irvin is a memenbr of Law Socity of Namibia.

[email protected]

Continue reading on DataGuidance with:

Free Member

Free Trial

Namibia - Data Protection Overview

April 2024

1. Governing Texts

1.1. Key acts, regulations, directives, bills

1.2. Guidelines

1.3. Case law

2. Scope of Application

2.1. Personal scope

2.2. Territorial scope

2.3. Material scope

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

3.2. Main powers, duties and responsibilities

4. Key Definitions

5. Legal Bases

5.1. Consent

5.2. Contract with the data subject

5.3. Legal obligations

5.4. Interests of the data subject

5.5. Public interest

5.6. Legitimate interests of the data controller

5.7. Legal bases in other instances

6. Principles

7. Controller and Processor Obligations

7.1. Data processing notification

7.2. Data transfers

7.3. Data processing records

7.4. Data protection impact assessment

7.5. Data protection officer appointment

7.6. Data breach notification

7.7. Data retention

7.8. Children's data

7.9. Special categories of personal data

7.10. Controller and processor contracts

8. Data Subject Rights

8.1. Right to be informed

8.2. Right to access

8.3. Right to rectification

8.4. Right to erasure

8.5. Right to object/opt-out

8.6. Right to data portability

8.7. Right not to be subject to automated decision-making

8.8. Other rights

9. Penalties

9.1 Enforcement decisions

Get the Latest News

Thanks for signing up!

Company

Our Policies

Your Rights

Follow us