Law 2019-014
Law No. 2019-014 of October 29, 2019 Relating to the Protection of Personal Data
Key Facts
Overview
Togo enacted Law 2019-014 in October 2019 to regulate personal data processing across both public and private sectors. The law establishes principles of lawfulness, fairness, purpose limitation, and data minimization. It mandates the creation of the Instance de Protection des Donnees a Caractere Personnel (IPDCP) as the supervisory authority, though this body has not yet been formally established, leaving enforcement in a state of limbo.
What This Means for Your Website
Websites collecting personal data from visitors in Togo are legally required to obtain opt-in consent before processing. You must declare or obtain authorization for processing activities before they begin. Data subjects have broad rights including access, objection, rectification, and erasure. While the law is technically in force, the absence of the IPDCP means active enforcement has not commenced. Preparing for compliance now positions you well for when enforcement begins.
Key Requirements
Consent is the primary legal basis for processing personal data. Organizations must follow principles of lawfulness, data minimization, and purpose limitation. Penalties include fines from XOF 1 million to XOF 25 million and imprisonment of 1 to 5 years. Private entities were given a 1-year compliance window from enactment, while state and public bodies had 2 years. Sensitive data categories require enhanced protection measures.
How ConsentStack Handles This
ConsentStack detects visitors from Togo and displays an opt-in consent banner before activating non-essential data collection scripts. Consent preferences and timestamps are recorded for audit readiness. Even though the IPDCP has not been established, ConsentStack ensures your website is compliant with the law's requirements so you are prepared when enforcement begins.
Penalties
1-5 years imprisonment; XOF 1,000,000-25,000,000 fines; additional administrative sanctions
Key Requirements
- Consent required for personal data processing
- Principles of lawfulness, fairness, purpose limitation, data minimization, accuracy, and security
- Data subjects have rights to information, access, objection, rectification, and erasure
- Prior declaration or authorization required before processing
- Sensitive data subject to enhanced protections
Notable Provisions
- Supervisory authority (IPDCP) mandated by law but NOT YET ESTABLISHED
- Different compliance timelines: 1 year for private entities, 2 years for state bodies
- Criminal penalties up to 5 years imprisonment despite no active enforcement body
Other Sub-Saharan Africa Regulations
Frequently Asked Questions
Is Togo's data protection law enforced?
Law 2019-014 is technically in force, but the designated supervisory authority (IPDCP) has not yet been established. This means active enforcement and complaint handling are not currently operational.
What are the penalties under Togo's data protection law?
Violations can result in fines from XOF 1 million to XOF 25 million and imprisonment of 1 to 5 years. Additional administrative sanctions may also apply.
Does Togo require cookie consent?
The law does not specifically address cookies, but personal data collected through any tracking technology requires opt-in consent under the general data protection principles of Law 2019-014.
When did Togo's data protection law take effect?
Law 2019-014 was enacted on October 29, 2019. Private entities had a 1-year compliance period, while state and public bodies had 2 years to comply.
Stay compliant with Law 2019-014
ConsentStack helps you implement Opt-in consent for Togolese Republic automatically.