Ghana Act 843

Data Protection Act, 2012 (Act 843)

Flag of GH
GhanaOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
January 1, 2012
Enacted
January 1, 2012
Enforcing Authority
Data Protection Commission (DPC)
Consent Model
Opt-in
Applies To
All data controllers processing personal data in Ghana; registration mandatory before processing

Overview

Ghana's Act 843 requires mandatory registration with the Data Protection Commission before any personal data processing begins, with renewal every 2 years. Criminal penalties are significant, reaching up to 10 years imprisonment for serious offences. A new comprehensive bill is expected to modernize the framework.

What This Means for Your Website

  • Registration with the DPC is mandatory before processing personal data of Ghanaian visitors
  • Registration must be renewed every 2 years
  • Criminal penalties include up to 10 years imprisonment for serious violations
  • Personal data processing must be lawful and not unreasonably infringe privacy
  • A modernizing replacement bill is under consultation

Key Requirements

The DPC enforces Act 843 as an independent statutory body. Registration before processing and 2-year renewals create ongoing compliance obligations. Penalties range from 250 penalty units for unregistered processing to 5,000 units or 10 years for serious offences.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Ghanaian visitors, supporting compliance with the registration-based framework.

Penalties

Up to 250 penalty units or 2 years for unregistered processing. Up to 5,000 units or 10 years for serious offences.

Key Requirements

  • Mandatory registration with DPC before processing
  • Registration renewal every 2 years
  • Personal data processed lawfully without infringing privacy rights
  • Data controllers must secure data integrity
  • Processing must be reasonable and not unreasonably infringe privacy
  • Data subject rights: access, rectification

Notable Provisions

  • Mandatory registration before processing with 2-year renewal
  • Criminal penalties up to 10 years for serious violations
  • New comprehensive bill under consultation (late 2025)
  • DPC is independent statutory body

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.
Uganda DPPA 2019Republic of Uganda
Uganda's Data Protection and Privacy Act 2019 establishes the PDPO as an independent office under NITA-U. It prohibits processing personal data without prior consent and mandates accountability, lawful collection, data minimization, and purpose limitation. Criminal penalties of up to 10 years imprisonment make it one of the strictest enforcement regimes in East Africa.

Frequently Asked Questions

Must organizations register before processing in Ghana?

Yes. Mandatory registration with the DPC is required before processing personal data, with renewal every 2 years.

What are Ghana's penalties?

Up to 250 penalty units or 2 years for unregistered processing. Up to 5,000 penalty units or 10 years for serious offences.

Is Ghana updating its data protection law?

Yes. A new comprehensive bill is under consultation as of late 2025, expected to significantly modernize the framework.

Stay compliant with Ghana Act 843

ConsentStack helps you implement Opt-in consent for Ghana automatically.

Get started free