Law 133/V
Law No. 133/V/2001 of January 22, 2001 on the Protection of Personal Data (as amended by Law No. 41/VIII/2013 and Law No. 121/IX/2021)
Key Facts
Overview
Cape Verde holds the distinction of enacting Africa's first comprehensive data protection law in January 2001. Law 133/V established foundational principles for personal data processing and created the Comissao Nacional de Proteccao de Dados (CNPD), which has been operational since 2015. The law was significantly updated by a 2013 amendment and then modernized again in 2021 to introduce GDPR-aligned rights and extraterritorial scope.
What This Means for Your Website
If your website processes personal data of individuals in Cape Verde, you must obtain opt-in consent before processing. The 2021 amendment extended the law's reach to foreign controllers, meaning your website may be subject to Cape Verdean law even if you operate from outside the country. You must notify the CNPD before processing begins and ensure adequate security measures. Data subjects now have comprehensive rights including portability and erasure.
Key Requirements
Consent is required for personal data processing, with prior notification to the CNPD mandatory. The 2021 amendment introduced GDPR-style data subject rights including portability, erasure, and restriction of processing. Fines range from CVE 1 million to CVE 100 million for first offences, escalating to CVE 100-300 million for repeat violations. Cross-border transfers require adequacy assessments. Extraterritorial scope means foreign organizations processing Cape Verdean residents' data must comply.
How ConsentStack Handles This
ConsentStack detects visitors from Cape Verde and presents an opt-in consent banner before non-essential processing begins. The platform supports the full range of GDPR-aligned data subject rights introduced by the 2021 amendment. Consent records are stored with timestamps for audit compliance, and configurable consent categories help you document processing activities for CNPD notification.
Penalties
Fines CVE 1M-100M; repeat violations CVE 100M-300M
Key Requirements
- Consent required for personal data processing
- Data subjects have rights to access, rectification, erasure, restriction, and portability (2021 amendment)
- Extraterritorial application to foreign controllers (2021 amendment)
- Prior notification to CNPD before processing
- Data security measures mandatory
- Cross-border transfers subject to adequacy requirements
Notable Provisions
- FIRST African data protection law, enacted in 2001
- 2021 amendment introduced GDPR-style rights including data portability and erasure
- Extraterritorial scope added in 2021 covering foreign controllers
Other Sub-Saharan Africa Regulations
Frequently Asked Questions
Does Cape Verde require cookie consent?
Cape Verde's Law 133/V does not have specific cookie provisions, but personal data collected through cookies requires opt-in consent under the general processing rules. The 2021 GDPR-aligned amendment strengthened consent requirements.
What are the penalties under Cape Verde's data protection law?
First-offence fines range from CVE 1 million to CVE 100 million. Repeat violations face CVE 100 million to CVE 300 million in penalties.
Does Cape Verde's law apply to foreign companies?
Yes. The 2021 amendment introduced extraterritorial scope, meaning foreign controllers processing personal data of Cape Verdean residents must comply with Law 133/V.
What makes Cape Verde's data protection law historically significant?
Law 133/V, enacted in January 2001, was the first comprehensive data protection law in Africa. It has since been modernized with GDPR-aligned amendments in 2013 and 2021.
Stay compliant with Law 133/V
ConsentStack helps you implement Opt-in consent for Republic of Cabo Verde automatically.