Law 03/2016

Law No. 03/2016 on the Protection of Personal Data (Personal Data Guarantee and Protection Law)

Key Facts

Effective Date: May 10, 2016
Enacted: May 10, 2016
Enforcing Authority: Agencia Nacional de Proteccao de Dados Pessoais (ANPDP)
Consent Model: Opt-in
Applies To: All data controllers and processors operating within Sao Tome and Principe

Overview

Sao Tome and Principe enacted Law 03/2016 in May 2016, modeling its data protection framework on the EU Directive 95/46/EC. The Agencia Nacional de Proteccao de Dados Pessoais (ANPDP) serves as the supervisory authority and is relatively active compared to many Central African counterparts. A unique feature is the 8-day advance notification requirement before processing begins. Separate penalty tiers apply: individuals face STN 50M-120M, while legal entities face STN 250M-500M.

What This Means for Your Website

If your website processes personal data of visitors from Sao Tome and Principe, you must notify the ANPDP at least 8 days before processing begins. Consent is required for lawful processing, and cross-border transfers are subject to strict notification and registration requirements. Sensitive data receives enhanced protections.

Key Requirements

Penalties for individuals range from STN 50M to STN 120M, while legal entities face STN 250M to STN 500M. Criminal liability applies for intentional violations, including fines based on daily salary and up to 1 year imprisonment. Data subjects have rights of access, rectification, and deletion. Data security measures are mandatory.

How ConsentStack Handles This

ConsentStack detects visitors from Sao Tome and Principe and presents a compliant consent banner requiring opt-in before activating non-essential data processing technologies.

Penalties

Individuals: STN 50M-120M. Legal entities: STN 250M-500M. Criminal: fines of 120+ days' salary and/or 1 year imprisonment for intentional violations.

Maximum Fine: STN 500,000,000 per violation

Key Requirements

  • ANPDP notification required at least 8 days before processing begins
  • Consent required for personal data processing
  • Cross-border transfers subject to strict notification and registration
  • Data subjects have rights of access, rectification, and deletion
  • Data security measures mandatory
  • Sensitive data subject to enhanced protections

Notable Provisions

  • Modeled on EU Directive 95/46/EC
  • ANPDP is relatively active for a Central African DPA
  • 8-day advance notification requirement before processing
  • Criminal liability for intentional violations
  • Separate penalty tiers for individuals vs. legal entities

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is Sao Tome's data protection authority active?

Yes. The ANPDP is relatively active compared to many Central African data protection authorities.

What is the advance notification requirement?

Data controllers must notify the ANPDP at least 8 days before processing personal data begins.

What are the penalties under Law 03/2016?

Individuals: STN 50M-120M. Legal entities: STN 250M-500M. Criminal: fines based on daily salary and/or 1 year imprisonment for intentional violations.
