Law 2016/037

Law No. L/2016/037/AN of July 26, 2016 on Cybersecurity and Protection of Personal Data

Key Facts

Effective Date: July 26, 2016
Enacted: July 26, 2016
Enforcing Authority: Commission Nationale de l'Informatique et des Libertes (CNIL Guinea)
Consent Model: Opt-in
Applies To: All entities processing personal data within Guinea

Overview

Guinea enacted Law 2016/037 in July 2016 as a combined cybersecurity and personal data protection instrument. The law established the Commission Nationale de l'Informatique et des Libertes (CNIL) as the enforcement authority responsible for compliance oversight, complaint handling, and penalty imposition. The framework is notable for imposing some of the most severe criminal penalties for data protection violations anywhere in West Africa.

What This Means for Your Website

Websites processing personal data of individuals in Guinea must obtain explicit prior consent before any data collection or processing. If your website handles sensitive data categories such as medical, genetic, or biometric information, you need separate prior authorization from competent authorities. Cross-border data transfers are restricted. The severe criminal penalties, including up to 7 years imprisonment, underscore the seriousness with which Guinea treats data protection violations.

Key Requirements

Explicit prior consent is mandatory for all personal data processing. Sensitive data (genetic, medical, biometric, scientific research) requires additional prior authorization. The CNIL handles complaints and enforces penalties. Criminal sanctions for sensitive data violations range from 1-7 years imprisonment plus fines of GNF 30-150 million. Unauthorized marketing violations carry 1-5 years imprisonment plus GNF 30-200 million in fines. Data subjects have rights of access, rectification, and opposition.

How ConsentStack Handles This

ConsentStack detects visitors from Guinea and shows an opt-in consent banner before any non-essential scripts execute. The platform blocks all tracking until explicit consent is given, meeting the law's 'explicit prior consent' standard. Consent records are stored with full audit details, and configurable consent categories let you distinguish between general processing and sensitive data collection for authorization purposes.

Penalties

1-7 years imprisonment plus GNF 30,000,000-150,000,000 (sensitive data); 1-5 years plus GNF 30,000,000-200,000,000 (unauthorized marketing); additional fines for other violations

Maximum Fine: GNF 200,000,000 aggregate

Key Requirements

  • Explicit prior consent required for personal data processing
  • Prior authorization required for sensitive data processing (genetic, medical, biometric)
  • CNIL oversees compliance, handles complaints, and imposes penalties
  • Data subjects have rights of access, rectification, and opposition
  • Cross-border transfers restricted
  • Data security measures mandatory

Notable Provisions

  • Among the harshest criminal penalties in West Africa, up to 7 years imprisonment
  • Combines cybersecurity and data protection in a single law
  • Distinct penalty tiers for sensitive data vs. marketing violations

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does Guinea require cookie consent?

Guinea's Law 2016/037 does not specifically address cookies, but data collected through tracking technologies is subject to the general requirement for explicit prior consent before processing personal data.

What are the penalties for data protection violations in Guinea?

Penalties are among the harshest in West Africa. Sensitive data violations carry 1-7 years imprisonment plus GNF 30-150 million. Unauthorized marketing violations carry 1-5 years plus GNF 30-200 million.

Who enforces data protection in Guinea?

The Commission Nationale de l'Informatique et des Libertes (CNIL Guinea) is the national enforcement authority responsible for compliance oversight, complaint handling, and imposing penalties.

Does Guinea's law cover cybersecurity too?

Yes. Law 2016/037 is a combined cybersecurity and data protection instrument, covering both domains within a single legislative framework.
