Lei 22/11

Law 22/11 on Personal Data Protection (Lei de Protecção de Dados Pessoais / LPDP)

Angola | Opt-in | National

Key Facts

Effective Date: June 17, 2011
Enacted: June 17, 2011
Enforcing Authority: Agência de Protecção de Dados (APD)
Consent Model: Opt-in
Applies To: All controllers processing personal data through automated or non-automated means within Angola or subject to Angolan laws

Overview

Angola's Lei 22/11 (Law on Personal Data Protection) was enacted in June 2011, establishing the Agência de Protecção de Dados (APD) as the supervisory authority. The APD was formally established in 2016 and has become increasingly active, fining five companies in June-July 2024. Unusually, penalties are denominated in dollars, with major violations attracting fines of $75,000-$150,000 plus criminal and civil liability.

What This Means for Your Website

If your website processes personal data of Angolan visitors, express consent is required before processing begins. All processing activities must be notified to the APD, and international data transfers to countries without adequate protection require APD authorization. The APD's increasing enforcement activity makes compliance a practical priority.

Key Requirements

The APD enforces penalties of $75,000-$150,000 for major violations and $7,000-$15,000 for failure to notify. Data must be processed transparently, lawfully, and proportionally with purpose limitation. Data subjects have rights to access, rectify, and object to processing of their personal data.

How ConsentStack Handles This

ConsentStack detects Angolan visitors and displays a compliant consent banner requiring express opt-in before activating non-essential cookies and data processing technologies.

Penalties

$75,000-$150,000 (major violations); $7,000-$15,000 (failure to notify APD); criminal and civil liability

Maximum Fine: $150,000 per violation

Key Requirements

  • Express consent required for personal data processing
  • Notification to APD required for all processing activities
  • APD authorization required for international transfers to inadequate countries
  • Principles of transparency, lawfulness, proportionality, and purpose limitation
  • Data subjects have rights of access, rectification, and objection
  • Data security measures mandatory

Notable Provisions

  • APD increasingly active -- fined 5 companies in June-July 2024
  • Dollar-denominated penalties (unusual in Africa)
  • Criminal and civil liability in addition to administrative fines
  • APD formally established in 2016 (5 years after the law)

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is Angola's APD actively enforcing?

Yes. The APD fined five companies in June-July 2024, signaling a growing enforcement posture.

Why are Angola's penalties in US dollars?

Angola's Lei 22/11 uniquely denominates penalties in dollars rather than the local currency, with major violations reaching $75,000-$150,000.

Does Angola require notification before processing?

Yes. All personal data processing activities must be notified to the APD before they begin.
