Law 001/2011

Law No. 001/2011 Relating to the Protection of Personal Data

Flag of GA
GabonOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
January 1, 2011
Enacted
January 1, 2011
Enforcing Authority
Commission Nationale pour la Protection des Donnees a Caractere Personnel (CNPDCP)
Consent Model
Opt-in
Applies To
All public, legal, private, or natural persons processing personal data through automated or non-automated means within Gabon

Overview

Gabon's Law 001/2011 establishes the Commission Nationale pour la Protection des Donnees a Caractere Personnel (CNPDCP) as the supervisory authority with broad enforcement powers. The CNPDCP can suspend processing activities for up to 2 months, extendable to a permanent suspension if non-compliance persists. Fines range from XOF 1,000,000 to XOF 100,000,000, with a graduated enforcement approach.

What This Means for Your Website

If your website processes personal data of Gabonese visitors, prior notification to the CNPDCP is required before processing begins. Consent is needed for lawful processing, and data must be collected for specified and legitimate purposes only. Data subjects have rights of access, rectification, and opposition to processing of their personal data.

Key Requirements

The CNPDCP enforces through graduated escalation: public warning, formal notice, suspension of activities, and then monetary fines up to XOF 100M. Data controllers must implement security measures and comply with cross-border transfer adequacy requirements. Prior notification is mandatory before processing activities begin.

How ConsentStack Handles This

ConsentStack detects Gabonese visitors and displays a compliant consent banner requiring affirmative opt-in before activating non-essential cookies and tracking technologies.

Penalties

XOF 1,000,000-100,000,000; suspension of activities up to 2 months (extendable to permanent)

Maximum Fine
XOF100,000,000 per violation

Key Requirements

  • Prior notification to CNPDCP required before processing
  • Consent required for lawful processing
  • Data subjects have rights of access, rectification, and opposition
  • Data collected for specified and legitimate purposes only
  • Data security measures mandatory
  • Cross-border transfers subject to adequacy requirements

Notable Provisions

  • CNPDCP can suspend processing activities for 2 months, extendable to permanent
  • Graduated enforcement: public warning, formal notice, suspension, then fines
  • Fine ceiling of XOF 100M mirrors other francophone African frameworks

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Can the CNPDCP suspend processing activities?

Yes. The CNPDCP can suspend processing for up to 2 months, extendable to a permanent suspension if non-compliance persists.

What are the penalties under Gabon's law?

Fines from XOF 1M to XOF 100M, with graduated enforcement escalating from warnings to suspensions before monetary penalties.

Is prior notification required in Gabon?

Yes. All data controllers must notify the CNPDCP before processing personal data begins.

Stay compliant with Law 001/2011

ConsentStack helps you implement Opt-in consent for Gabon automatically.

Get started free