Ethiopian Federal Laws

Title: Personal Data Protection
Proclamation No.: 1321/2024
Jurisdiction: Federal
Law Type: Proclamation
Category: Information and Communication Technology
Country: Ethiopia 🇪🇹


PROCLAMATION TO PROVIDE FOR PERSONAL DATA PROTECTION

WHEREAS, the lack of laws detailing individuals' rights concerning their personal data and the absence of a dedicated regulatory authority to oversee personal data protection have resulted in the absence of a robust personal data protection system in the country, and adopting a personal data protection proclamation is essential to prevent violations of personal data during its collection and processing;

WHEREAS, with the advancement of digital technology, the type and number of services delivered directly through the information network have expanded, and it is necessary to collect personal data to ensure these services are tailored to the needs of the users and streamline their delivery; and the role of processing personal data collected during digital service delivery is increasingly significant for social and economic development;

WHEREAS, it is critical to provide effective solutions to personal data breaches, reduce risks associated with data processing operations, encourage innovation, build trust in the digital economy, and foster a culture of responsible data processing;

WHEREAS, it is crucial to establish a robust personal data protection framework in Ethiopia aligned with international standards and to capitalize on beneficial opportunities presented by cross-border transfer of personal data both into and out of the country;

NOW, THEREFORE, in accordance with Article 55(1) of the Constitution of the Federal Democratic Republic of Ethiopia, it is hereby proclaimed as follows:

CHAPTER ONE
GENERAL

1. Short Title

This Proclamation may be cited as the “Personal Data Protection Proclamation No. 1321/2024”.

2. Definition

In this Proclamation, unless the context requires otherwise,
  1. “Data” means information that:
    (a) Is being processed by means of equipment operating automatically in response to instructions given for that purpose;
    (b) Is collected with the intention that it should be processed by means of such equipment mentioned in lit. (a);
    (c) Is recorded as part of a filing system or with the intention that it should form part of a filing system; or
    (d) Does not fall within lit. (a), (b) or (c) of this Sub-Article but forms part of any other accessible public record;
  2. “Personal Data” means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  3. “Genetic Data” means personal data relating to the general characteristics of an individual which are inherited or acquired and which provide unique information about the physiology or health of the individual and which result, in particular, from an analysis of a biological sample from the individual in question;
  4. “Traffic Data” means any data relating to a communication by means of a computer system and generated by the system that form part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service;
  5. “Sensitive Personal Data” means natural person data on:
    (a) Racial or ethnic origins;
    (b) Genetic or biometric data;
    (c) Physical or mental health or condition;
    (d) Political opinions;
    (e) Membership of a professional association;
    (f) Religious beliefs or other opinion of a similar nature;
    (g) The commission or alleged commission of an offence;
    (h) Any proceedings for an offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in the proceedings;
    (i) Communications data, including content and metadata; or
    (j) Any other personal data that the Authority may determine as sensitive personal data from time to time.
  6. “Biometric Data” means facial images, fingerprints, iris scans, or any other similar personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person;
  7. “Personal Data Breach” means breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  8. “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
  9. “Data Subject” means an individual who is the subject of personal data;
  10. “Data Controller” means any person which, alone or jointly with others, processes personal data and determines the purpose and means of processing of personal data;
  11. “Data Processor” means any person other than an employee of the data controller who processes the data on behalf of the data controller;
  12. “Data Recipient” means any person to whom personal data are disclosed or made available;
  13. “Data Protection Officer” means a natural person assigned in an organization with the responsibilities of controlling data handling, administration and usage;
  14. “Consent” means any freely given, specific, informed and unambiguous indication of the wishes of a data subject, either by
    (a) A written statement;
    (b) Verbal affirmations; or
    (c) Any clear affirmative action by which he signifies his agreement to personal data relating to him being processed;
  15. “Minor” means a data subject below the age of sixteen years;
  16. “Processing” means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  17. “Restriction of Processing” means the marking of stored personal data with the aim of limiting their processing in the future;
  18. “Encryption” means the process of transforming data into a form that cannot be read by a person or machine other than the authorized person, through the use of a technical method;
  19. “Confidentiality” means the principle of preventing personal data from being seen, disclosed, transmitted or used by unauthorized parties;
  20. “Completeness” is a term that refers to the extent to which the content to be included in personal data is complete and accurate;
  21. “Document” means
    (a) a disc, tape or other device in which information other than visual images is embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; or
    (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device;
  22. “Register” means the register kept and maintained by the Authority;
  23. “Accessible Record” means a health record, an education record, or any other accessible public record which contains personal data;
  24. “Health Record” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his health status;
  25. “Filing System” means a structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
  26. “Automated Device” means a device that makes decisions, initiates or implements actions without intervention, based on certain environmental conditions, time or data, in accordance with a pre-arranged algorithm and configuration;
  27. “Proceedings” means any proceedings conducted by a court or an alternative dispute resolution mechanism; and may include an inquiry or investigation into a criminal offence; and disciplinary proceedings;
  28. “Direct marketing” means the communication of any advertising or marketing material which is directed to any particular individuals;
  29. “Default” means a pre-set or standard configuration, setting or nature of a system, software or device in a technology;
  30. “Design” is a plan used or to be used to create systems or services;
  31. “Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information and the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable individual;
  32. “Identifiable Natural Person” means one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, phone number, IP address, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  33. “Third party” means a person other than the data subject, data controller, data processor or persons who, under the direct authority of the data controller or data processor, are authorized to process personal data;
  34. “Third Party Jurisdiction” means a country other than Ethiopia, and an international organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
  35. “Delegated Entity” means a Federal or Regional public body which is delegated by the Authority to perform the powers and functions entrusted to the latter by this Proclamation;
  36. “Authority” means the Ethiopian Communications Authority established as per the Communications Proclamation No. 1148/2019;
  37. “Ministry” or “Minister” means the Ministry or the Minister of Innovation and Technology respectively;
  38. “House” means the House of Peoples’ Representative of the Federal Democratic Republic of Ethiopia;
  39. “Person” means a physical or legal person; and
  40. Any expression in the masculine gender shall include the feminine.

3. Scope of Application

  1. This Proclamation shall apply to the processing of personal data, wholly or partly, by automated means and to any processing other than by automated means where the personal data form part of a filing system or are intended to form part of a filing system.
  2. Except as otherwise provided, this Proclamation applies to a data controller or data processor in respect of any personal data only if:
    (a) It is established in Ethiopia and the data are processed in the context of that establishment; or
    (b) It is not established in Ethiopia but uses equipment in Ethiopia for processing the data otherwise than for the purposes of transit through Ethiopia and has a representative established in Ethiopia.
  3. For the purpose of the application of Sub-Article (2) lit. (a) of this Article, this Proclamation shall apply to private and public institutions of the federal and regional governments, including the City Administrations of Addis Abeba and Dire Dawa, which have the power and function to process personal data.
  4. Notwithstanding the provisions of Sub-Article (1) to (3) of this Article, this Proclamation shall not apply to processing of personal data:
    (a) By an individual in the course of purely personal or household activity;
    (b) Which involves the exchange of information between Government Agencies where such exchange is required on a need-to-know basis;
    (c) Where the application of the Proclamation is restricted; and
    (d) Originating from a country outside of Ethiopia and merely transiting through Ethiopia to a third country.

4. Powers and Functions of the Ministry

The Ministry shall have the powers and functions to formulate policies and strategies on personal data and, when approved, follow up their execution.

5. Powers and Functions of the Authority

The Authority shall have the powers and functions to:
  1. Ensure the enforcement of this Proclamation;
  2. Establish administrative structures it considers appropriate to carry out its responsibilities;
  3. Collect service fees for the services it provides in accordance with a regulation to be issued to implement this Proclamation;
  4. Promote public awareness on issues which fall under this Proclamation;
  5. Ensure that personal data are processed by data controllers and data processors in compliance with personal data processing principles;
  6. Monitor the utilisation of personal data and sensitive personal data;
  7. Undertake research into, and monitor developments in, data processing and computer technology to ensure that any adverse effects of such developments on the privacy of persons are minimized;
  8. Perform knowledge creation and capacity building works by undertaking research on the interaction of technology and the right to privacy;
  9. Cooperate with supervisory authorities of other countries;
  10. Make determinations as to whether a third party jurisdiction ensures an appropriate level of protection comparable with the level of protection established as per this Proclamation and laws issued to implement this Proclamation;
  11. Investigate complaints made to it, following legally established investigation procedures and principles, and require information which is relevant to its investigation and which will enable it to take administrative measures;
  12. Keep and maintain a Register of data controllers and data processors;
  13. Get an injunction order for the expeditious preservation of personal data, including traffic data, where it has reasonable ground to believe that the data are vulnerable to loss or modification;
  14. Issue an enforcement notice to a data controller or data processor when, based on evidence, it is of the opinion that such bodies have contravened, are contravening or are about to contravene this Proclamation;
  15. Impose administrative fines for failures to comply with this Proclamation;
  16. Delegate whenever necessary any power conferred on it by this Proclamation to the Federal or Regional Government;
  17. Report to the House of Peoples’ Representatives at least once a year on the application of this Proclamation;
  18. Exercise and perform such other functions, powers, and duties as are conferred or imposed on it by or under this Proclamation or any other subsidiary law.

CHAPTER TWO
PRINCIPLES OF PROCESSING OF PERSONAL DATA

6. Principles

Personal data shall be
  1. processed lawfully, fairly and in a transparent manner;
  2. obtained only for one or more explicit, specified and lawful purposes and further processed only in a manner that is compatible with those purposes;
  3. adequate, relevant and not excessive in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date;
  5. kept for no longer than is necessary for the purposes for which the personal data are processed;
  6. processed in a manner that ensures the integrity, confidentiality, and security of the personal data; and
  7. processed in a manner that ensures the sovereignty of the data.

7. Lawfulness of Processing

  1. Notwithstanding the provision of Sub-Article (1) of Article 6 of this Proclamation, personal data shall not be processed unless there is compliance with at least one of the conditions set out in Sub-Articles (2) and (3) of this Article; or in the case of sensitive personal data, Article 9 of this Proclamation.
  2. The processing of personal data shall be regarded as lawful when:
    (a) The data subject has given his consent;
    (b) Processing is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
    (c) The processing is necessary for compliance with a legal obligation to which the data controller is subject;
    (d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
    (e) The processing is necessary in order to respond to a public health crisis or national emergency or to fulfill functions of public authority which necessarily include the processing of personal data for the fulfillment of its mandate within the limits of a law issued for this purpose; or
    (f) The processing is necessary for the purposes of the legitimate interests pursued by the personal data controller to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection of personal data.
  3. For the purpose of Sub-Article (2) lit. (e) of this Article,
    (a) The impact of data processing on the privacy right of the data subject shall be necessary and proportionate;
    (b) The law shall determine the essential elements of processing such as the categories of data, the purpose, storage period, and possible disclosure; and
    (c) Further processing of personal data after the expiry of such law shall be prohibited.
  4. The data processing shall be proportionate to the legal aim with which it complies.

8. Conditions for Consent

  1. For the purpose of Article 7 Sub-Article (2) lit. (a) of this Proclamation, personal data should be processed on the basis of the consent given prior to the commencement of the processing.
  2. For the consent of the data subject to be valid, it must be free, informed, specific, clear and require an active action from the data subject.
  3. The data subject may withdraw his consent at any time. Information with regard to withdrawal of consent shall be given prior to giving his consent.
  4. The data controller shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose. The application of this provision shall be decided on a case-by-case basis.
  5. The data controller shall bear the burden of proof to establish that consent has been given by the data subject for processing of personal data in accordance with Sub-Article (2) of this Article. The request for consent shall be presented in a manner which is clearly distinguishable and separate from other matters; request for consent cannot be bundled with other terms and conditions.
  6. Where the data subject withdraws consent for the processing of any personal data necessary for the performance of a contract to which he is a party, reasonable legal consequences for the effects of such withdrawal shall be borne by him. The withdrawal of consent by the data subject shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Processing of Sensitive Personal Data

  1. The processing of sensitive personal data shall be prohibited.
  2. Notwithstanding the provision of Sub-Article (1) of this Article, the processing of sensitive personal data shall be permitted in the following cases:
    (a) The data subject has given his written consent, specific to the purpose, prior to the processing, except where a law provides that the prohibition referred to in sub-Article of this Article may not be lifted by the data subject;
    (b) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his consent prior to the processing;
    (c) The processing is necessary to achieve the lawful and non-commercial objectives of public organizations;
    (d) The processing is necessary for purposes of medical treatment and is carried out by a medical treatment institution;
    (e) The processing concerns such personal data as is necessary for the protection of lawful rights and interests of persons in court proceedings, or other public institutions; or
    (f) Processing is carried out in the course of its legitimate activities by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.
  3. Sensitive personal data in respect of race or ethnic origin shall not be processed unless the processing is:
    (a) For ensuring justice and equality with regard to race or ethnic origin; and
    (b) Carried out with appropriate safeguards for the rights and freedoms of the data subject.
  4. For the purpose of Sub-Article (2) and (3) of this Article, processing shall be permitted if it is done with appropriate technical and security safeguards.

10. Further Categories of Sensitive Personal Data

  1. A Regulation may prescribe further categories of personal data which may be classified as sensitive personal data.
  2. Where categories of personal data have been specified as sensitive personal data under Sub-Article (1) of this Article, the Authority may specify any further grounds on which such specified categories may be processed, having regard to:
    (a) The risk of significant harm that may be caused to a data subject by the processing of such category of personal data;
    (b) The level of confidentiality attached to such category of personal data;
    (c) Whether a significantly discernible class of data subjects may suffer significant harm from the processing of such category of personal data; and
    (d) The adequacy of protection afforded by ordinary provisions applicable to personal data.
  3. The Authority may specify other categories of personal data based on study which require additional safeguards or restrictions.

11. Processing of Personal Data of a Minor

  1. Personal data of a minor shall be processed in a manner that protects and advances the rights and best interests of the minor. The data controller shall bear the burden of proof.
  2. The processing of a minor’s personal data shall be lawful where and to the extent that:
    (a) Consent is given or authorized by the parent or guardian or tutor of the minor; or
    (b) Processing is necessary to the minor’s vitally important interest.
  3. The data controller shall make reasonable efforts to verify the age of the data subject and that consent is given or authorized by the parent or guardian of a minor, taking into consideration available technology.
  4. Notwithstanding the provisions of Sub-Article (1) – (3) of this Article, the processing of personal data of a minor for the purposes of marketing, profiling, or merging of profiles shall not be allowed.

12. Fairness and Transparency

  1. To meet the principle of fairness and transparency stated in Article 6 Sub-Article (1) of this Proclamation, the processing of personal data shall meet the following conditions:
    (a) The data controller or data processor shall take appropriate measures to provide any information relating to processing to the data subject;
    (b) The information shall be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language;
    (c) Processing shall not be done in a way that is unexpected or misleading to the data subject; or
    (d) Processing shall respect the right of the data subject to be informed and be done in a manner which is clear, open and honest.
  2. Any information addressed specifically to a minor as per the provisions of Sub-Article (1) lit. (b) of this Article shall be given special attention.
  3. The data controller shall be under a duty to always provide the information stipulated in Article 25 of this Proclamation.

13. Purpose Limitation

  1. For the purposes of the application of the principles stipulated in Article 6 Sub-Article (2) of this Proclamation, the purpose for which personal data are obtained shall be specified
    (a) In a notice given by the data controller to the data subject prior to that further processing; or
    (b) In a description given to the Authority.
  2. For the purpose of the application of Article 6 Sub-Article (2) of this Proclamation, in determining whether any disclosure of personal data is compatible with the purpose for which the data were obtained, regard is to be had to the:
    (a) Purpose for which the personal data are intended to be processed by any person to whom they are disclosed; and
    (b) Functions or activities of the person processing the personal data.
  3. For the purpose of Sub-Article (2) of this Article, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is, subject to appropriate safeguards, compatible with those purposes.

14. Accuracy

The principle of accuracy is not to be regarded as being contravened by reason of any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject or a third party in a case where:
  1. Having regard to the purpose for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data; and
  2. The data subject has notified the data controller of his view that the data is inaccurate, and the data indicates that fact.

15. Storage Limitation

  1. A data controller or a data processor must store and retain personal data for a reasonable period of time necessary to achieve the purpose for which it was processed, or for a period defined by law.
  2. Notwithstanding Sub-Article (1) of this Article, personal data may be stored indefinitely in the following circumstances:
    (a) As provided by this law or any other law;
    (b) When the data owner consents;
    (c) When it is necessary for lawful purposes; or
    (d) For historical, statistical, literary and research purposes.
  3. A person who retains records for historical, statistical or research purposes shall ensure that the records that contain the personal data are adequately protected against access or use for unauthorized purposes.
  4. A person who uses a record of the personal data of a data subject to make a decision about the data subject shall retain the record for a period required or prescribed by law or a code of conduct.

16. Integrity and Confidentiality

  1. The data controller shall take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
  2. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall, in order to comply with this principle:
    (a) Choose a data processor who provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
    (b) Take reasonable steps to ensure compliance with those measures.
  3. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with this principle unless:
    (a) The processing is carried out under a contract which is made or evidenced in writing;
    (b) The data processor is to act only on instructions from the data controller; and
    (c) The contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the principle of integrity and confidentiality.
  4. The data controller and data processor shall take technical steps to ensure that any individual acting under their authority who has access to personal data does not process the personal data except on instructions from the data controller, unless he is required to do so by a law.

17. Security

  1. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data.
  2. For the purposes of the application of the principle of integrity and confidentiality regard shall be made to the state of technological development.
  3. The measures referred to in Sub-Article (2) of this Article must ensure a level of security appropriate to:
    (a) The harm that might result from such unauthorized or unlawful processing or accidental loss, destruction or damage; and
    (b) The nature of the data to be protected.
  4. Taking into account the state of the art, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the data controller and the data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    (a) The pseudonymization and encryption of personal data;
    (b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    (c) The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
    (d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  5. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing.
  6. For the purpose of Sub-Article (5) of this Article, risks shall include in particular those risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

18. The Principle of Data Transfer

Without prejudice to the provisions on data transfer, the transfer to a third-party jurisdiction of personal data that is to undergo processing may only take place subject to the provisions of this Proclamation and provided that the third-party jurisdiction to which the data is to be transferred ensures appropriate levels of protection.

19. Level of Protection in Third Party Jurisdiction

  1. The appropriate level of protection stipulated under Article 18 of this Proclamation shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations before the data is transferred.
  2. For the purpose of Sub-Article (1) of this Article, particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law in force in the third party jurisdiction and the professional rules and security measures which are compiled within that jurisdiction.
  3. Where, despite the absence of appropriate levels of protection, the Authority determines that some limited form of transfer may be facilitated; it shall authorize such transfer provided that the data subject’s rights in accordance with this Proclamation are not violated.
  4. Where the Authority determines that some limited form of transfer may be facilitated as per the provision of Sub-Article (3) of this Article, it shall ensure that
    1. the data subject consents to the transfer of the data to the third-party jurisdiction; and
    2. There is appropriate severance or reduction of those aspects of the data which it deems appropriate.
  5. Without prejudice to the provisions of Sub-Articles (3) and (4) of this Article, the transfer of personal data to a third-party jurisdiction that does not ensure an appropriate level of protection is prohibited.

20. Conditions for Cross Border Transfer

  1. A data controller or data processor may transfer personal data to a third-party jurisdiction where:
    1. He has given proof to the Authority on the existence of an appropriate level of protection in that third-party jurisdiction, and the Authority has made the determination according to Sub-Article (3) of Article 19 of this Proclamation;
    2. The data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of the transfer;
    3. The transfer is necessary; or
    4. The transfer is made from a register which, according to law, is intended to provide information to the public.
  2. For the purpose of Sub-Article (1) lit. (c) of this Article, the transfer is necessary where:
    1. For the performance of a contract between the data subject and the data controller or data processor or the implementation of pre-contractual measures taken at the data subject’s request;
    2. For the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another person;
    3. For important reasons of public interest;
    4. For the establishment, exercise or defense of a legal claim; or
    5. In order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

21. Safeguards Prior to Cross Border Transfer

  1. The Authority may request a person who transfers data to a third-party jurisdiction to demonstrate the effectiveness of the security safeguards and the existence of compelling legitimate interests.
  2. The Authority may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.

22. Data Sovereignty

  1. Every data controller or data processor shall ensure the storage, on a server or data center located in Ethiopia, of personal data collected or obtained locally.
  2. The Authority shall prescribe, based on grounds of strategic interests of the state, categories of personal data as critical personal data that shall only be processed in a server or data center located in Ethiopia.
  3. Cross-border transfer of sensitive personal data shall require the prior approval of the Authority.

CHAPTER THREE
RIGHTS OF DATA SUBJECTS

23. Duration of Personal Data Protection

  1. Privacy rights survive the death of the data subject.
  2. For the execution of the provision of Sub-Article (1) of this Article, privacy rights shall remain valid for ten years after the death of the data subject.
  3. The lawful heir of the data subject may invoke the rights of the data subject at any time within the ten years which follow the death of the data subject.
  4. The consent of the lawful heir is not required if the processed personal data only contain the data subject's name, sex, date of birth and death, the fact of death, and the time and place of burial.

24. Right to be Informed

  1. Where personal data relating to a data subject are collected either from the data subject or other sources, the data subject shall have the right to be provided by the data controller with the following information:
    1. The name and contact details of the data controller;
    2. The name and contact details of the representative of the data controller;
    3. The contact details of the data protection officer of the data controller and his representative;
    4. The purposes of the processing;
    5. Whether providing answers to questions is voluntary or compulsory and the possible consequences of failure to reply;
    6. The lawful basis for the processing;
    7. The recipients or categories of recipients of the personal data;
    8. The details of transfers of the personal data to a third-party jurisdiction;
    9. The retention periods for the personal data;
    10. The rights available to data subjects in respect of the processing;
    11. The right to withdraw consent;
    12. The right to lodge a complaint with the Authority;
    13. The details of the existence of an automated decision-making, including profiling;
    14. The categories of personal data processed; and
    15. Any necessary additional information in order to ensure fair and transparent processing.
  2. Apart from the information listed under Sub-Article (1), where personal data have not been obtained from the data subject, the data controller shall provide the data subject with the following information:
    1. The categories of personal data obtained; and
    2. The source of the personal data.
  3. Where personal data relating to a data subject are collected from the data subject, the data controller shall provide the data subject with all of the information listed in Sub-Article (1) of this Article at the time when the personal data are obtained.
  4. Where personal data relating to the data subject are not collected from the data subject, the data controller shall provide the data subject with the information referred to in Sub-Articles (1) and (2) of this Article:
    1. Within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
    2. If the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
    3. If a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
  5. Where the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected or obtained, as the case may be, he shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information.

25. Right of Access

  1. A data subject shall have a right to obtain, on request, at reasonable intervals, free of charge, and without excessive delay:
    1. Confirmation of the processing of personal data relating to him;
    2. The communication in an intelligible form of the data processed;
    3. All available information on their origin;
    4. The period for which the data will be stored; and
    5. Any other information that the data controller is required to provide in order to ensure the transparency of processing in accordance with Article 24 of this Proclamation.
  2. A data subject shall have the right to obtain the information listed in Sub-Article (1) of this Article, based on his preference, in an electronic or hard copy format.

26. Exception to the Right of Access

  1. The data controller may refuse to disclose personal data to the individual to whom the data relates where:
    1. The disclosure would constitute an unjustified invasion of another individual’s personal privacy;
    2. It is data that is subject to legal privilege or obtained in the course of an investigation or legal proceeding;
    3. It is health or medical data where the data controller has a reasonable belief that providing access to the data could harm the health or safety of another person; or
    4. It is evaluative, or opinion material compiled solely for the purpose of determining suitability or eligibility for employment, the award of government contracts and other benefits where the disclosure would reveal the identity of a source who furnished data in circumstances where it may reasonably be assumed that the identity of the source would be held in confidence.
  2. The data controller may disregard requests from an individual for access to that individual’s personal data where it would unreasonably interfere with the operations of the data controller because of the repetitious and systematic nature of the requests, and the requests are frivolous or vexatious.
  3. With regard to Sub-Article (1) lit. (b) of this Article, denial shall be limited to the extent and for as long as access would pose a risk to an investigation or the proper conduct of a legal proceeding.
  4. The decision to refuse to disclose according to Sub-Articles (1) and (2) of this Article shall be communicated in written form and has to give detailed reasons for the denial.

27. Right to Rectification

  1. Where a data subject believes that the personal data is inaccurate, incomplete, misleading, not up-to-date, or is otherwise being processed contrary to the provisions of this Proclamation, the data subject shall have, on request, free of charge and without excessive delay, the right that the data controller corrects the data.
  2. On correcting personal data pursuant to Sub-Article (1) of this Article, the data controller shall notify any other data controller or any third party to whom that data has been disclosed during the one-year period before the correction was requested of such correction.
  3. Upon being notified under Sub-Article (2) of this Article of a correction of personal data, the person shall make the correction on any record of that data in its custody or control.

28. Right to Erasure

  1. A data subject shall have on request, free of charge and without excessive delay, the right to erasure of personal data where:
    1. The data are no longer necessary in relation to the purpose for which they were collected or otherwise processed;
    2. The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
    3. The data subject objects to the processing of personal data and there are no overriding legitimate grounds for the processing; or
    4. If the personal data has been processed unlawfully, the person has the right to claim for the personal data to be deleted as soon as possible without any payment.
  2. Where the data controller has made the personal data public, he shall take all reasonable steps to inform third parties processing such data, that the data subject has requested the erasure of any links to, or copy or replication of, that personal data.
  3. Sub-Articles (1) and (2) of this Article shall not apply where the processing of the personal data is necessary:
    1. For reasons of public interest in the field of public health;
    2. For the purpose of historical, statistical or scientific research when there is no recognizable risk of infringement of the rights and fundamental freedoms of data subjects;
    3. For compliance with a legal obligation to process the personal data to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
    4. For the establishment, exercise or defense of a legal claim.

29. Right to Object

  1. The data subject shall have the right to object in writing at any time to the processing of personal data concerning him unless the data controller demonstrates in a written format compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or for the establishment, exercise or defense of a legal claim.
  2. Where personal data are processed for the purpose of direct marketing, the data subject may object to processing of personal data concerning him for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  3. Where a data subject objects to processing of personal data for the purpose of direct marketing, the personal data shall no longer be processed for that purpose.
  4. The rights referred to in Sub-Articles (1) and (2) of this Article shall be explicitly brought to the attention of the data subject.

30. Restriction of Processing

  1. A data subject shall have the right to request the restriction of processing of personal data where:
    1. The accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the data;
    2. The data controller no longer needs the personal data for the purpose of the processing, but the data subject requires them for the establishment, exercise or defense of a legal claim;
    3. The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; or
    4. He has objected to the processing pursuant to Article 29 of this Proclamation pending verification as to whether the legitimate grounds of the controller override those of the data subject.
  2. Where processing of personal data is restricted under Sub-Article (1) of this Article:
    1. the personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of a legal claim, the protection of the rights of another person or for reasons of public interest; and
    2. The data controller shall inform the data subject before lifting the restriction on the processing of the personal data.

31. Automated Individual Decision Making

  1. Every data subject shall have the right:
    1. not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or significantly affects him;
    2. to obtain human intervention on the part of the data controller; and
    3. To express his views on the matter.
  2. Sub-Article (1) of this Article shall not apply where the decision is:
    1. Necessary for entering into, or performing, a contract between the data subject and a data controller;
    2. Authorized by a law to which the data controller is subject, and which lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests; or
    3. Based on the data subject’s explicit consent.
  3. Any automated processing of personal data intended to evaluate certain personal aspects relating to an individual shall not be based on sensitive personal data.
  4. In the cases referred to in Sub-Article (2) of this Article, the data to be provided by the data controller under Article 24 of this Proclamation shall include data as to the existence of processing for a decision of the kind referred to in Sub-Article (1) of this Article and the envisaged effects of such decision on the data subject.
  5. In the cases referred to in Sub-Article (2) lit. (a) or (c) of this Article, the data controller shall implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests.

32. Right to Data Portability

  1. A data subject has the right to receive personal data concerning him, which the data subject has provided to a data controller or data processor, in a structured, commonly used and machine-readable format.
  2. A data subject has the right to transmit the data obtained under Sub-Article (1) of this Article to another data controller or data processor without any hindrance.
  3. Where technically possible, the data subject shall have the right to have his personal data transmitted directly from one data controller or processor to another.
  4. The right under this Article shall not apply in circumstances where:
    1. processing may be necessary for the performance of a task carried out in the public interest or in the exercise of an official authority; or
    2. It may adversely affect the rights and freedoms of others.
  5. A data controller or data processor shall comply with data portability requests, free of charge and without excessive delay.

CHAPTER FOUR
DATA CONTROLLERS AND DATA PROCESSORS

Section One
Registration of Data Controllers and Data Processors

33. Registration

  1. In order to process personal data the data controller or the data processor shall be registered with the Authority.
  2. Where a data controller or data processor intends to process personal data for two or more purposes, the Authority shall make separate entries for each purpose in the Register.
  3. The Authority may determine the requirements for registration by a Directive.

34. Power to Refuse Registration

  1. The Authority shall reject an application for registration under this Proclamation where the particulars provided for inclusion in an entry in the Register are insufficient.
  2. Where the Authority refuses an application for registration as a data controller, it shall inform the applicant in writing within fourteen days of its decision and the reasons for the refusal, and
  3. A refusal of an application for registration is not a bar to re-application.

35. Effects of Registration

  1. The Authority shall enter the application in the Register if it is satisfied that the conditions required for registration are met.
  2. The Authority shall issue a certificate of Registration which is valid for a period of two years; the certificate shall be renewed every two years.
  3. The Authority shall determine the requirements for the certificate of registration by a Directive.

36. Duty to Notify Change

  1. Data controllers shall have the duty to notify the Authority of matters relating to changes made to the registerable particulars stipulated under Article 33 Sub-Article (3) of this Proclamation.
  2. On receiving any notification, the Authority shall make such amendments of the relevant entry in the Register as are necessary.

37. Removal from Register

A person who wants its registration removed may request the Authority to effect such removal from the Register.

38. Cancellation of Registration

  1. The Authority has the power to cancel a registration or vary its terms and conditions where:
    1. Any information given to it by the applicant is false or misleading in any material particular; or
    2. If the holder of the registration certificate fails, without lawful excuse, to comply with any requirement of this Proclamation; or any term or condition specified in the certificate.
  2. The Authority shall, before cancelling or varying the terms and conditions of a registration certificate, require, by notice in writing, the holder of the certificate to show cause, within 21 days of the notice, why the registration certificate should not be cancelled, or its terms and conditions should not be varied.

39. Access by the Public

  1. The Authority:
    1. shall provide facilities for making the information contained in the Register available for inspection by members of the public at all reasonable hours; and
    2. May provide such other facilities when they seem necessary.
  2. The Authority shall supply any member of the public with a duly certified copy in writing of the particulars contained in the Register.

40. Data Protection Officer

  1. A data controller or data processor shall designate or appoint a data protection officer on such terms and conditions as the data controller or data processor may determine, where:
    1. The processing is carried out by a government body, except for courts acting in their judicial capacity;
    2. The core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
    3. The core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal data.
  2. A group of entities may appoint a single data protection officer provided that such officer is easily accessible by each entity.
  3. Where a data controller or a data processor is a government body, a single data protection officer may be designated for several such public bodies, taking into account their organizational structures.
  4. A person may be designated or appointed as a data protection officer, if that person has relevant academic or professional qualifications which may include knowledge and technical skills in matters relating to data protection.
  5. A data controller or data processor shall publish the contact details of the data protection officer and communicate them to the Authority.

41. Duties of Data Protection Officer

  1. The responsibility of a data protection officer shall be to:
    1. Support the data controller or data processor and their employees on data processing requirements provided under this Proclamation or any other law;
    2. Ensure on behalf of the data controller or data processor that this Proclamation is complied with;
    3. Facilitate capacity building of staff involved in data processing operations;
    4. Provide advice on data protection impact assessment; and
    5. Cooperate with the Authority and any other authority on matters relating to data protection.
  2. Notwithstanding the provisions of Sub-Article (1) of this Article, a data protection officer may be a staff member of the data controller or data processor and may fulfill other tasks and duties provided that any such tasks and duties do not result in a conflict of interest.

Section Two
Obligations on Data Controllers and Data Processors

42. Technical and Organizational Measures

  1. The data controller and data processor shall implement the appropriate technical and organizational measures to ensure that processing is performed in accordance with this Proclamation.
  2. The measures referred to in Sub-Article (1) of this Article shall include:
    1. Implementing appropriate data security and organizational measures;
    2. Keeping a record of all processing operations;
    3. Performing a data protection impact assessment;
    4. Complying with the requirements for prior authorization from, or consultation with the Authority; and
    5. Designating a data protection officer.
  3. Every data controller and data processor shall implement such internal policies and mechanisms as may be required to ensure verification of the effectiveness of the measures referred to in this Article.

43. Notification of Personal Data Breach

  1. Where there is a personal data breach, the data controller shall within 72 hours after having become aware of it, notify the personal data breach to the Authority.
  2. Where the notification of the personal data breach to the Authority is not made as per the provision of Sub-Article (1) of this Article, the notification shall be accompanied by reasons for the delay.
  3. The data processor shall notify the data controller without undue delay after becoming aware of a personal data breach.
  4. The notification of the personal data breach to the Authority referred to in Sub-Article (1) of this Article shall:
    1. Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. Describe the likely consequences of the personal data breach; and
    4. Describe the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  5. Where it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  6. The data controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken in order to facilitate the Authority in its assessment of the data controller’s compliance with this provision.

44. Communication of Personal Data Breach To Data Subject

  1. Where a personal data breach has occurred, the controller shall communicate the personal data breach to the data subject within 72 hours after having become aware of it.
  2. The communication to the data subject shall describe in clear language the nature of the personal data breach and set out the information in Article 43 Sub-Article (4) lit. (b) to (d) of this Proclamation.
  3. The communication of a personal data breach to the data subject shall not be required where:
    1. The data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular, those that render the data unintelligible to any person who is not authorized to access it, such as encryption;
    2. The data controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject referred to in Sub-Article (1) of this Article is no longer likely to materialize; or
    3. It would involve disproportionate effort and the data controller has made a public communication or similar measure whereby data subject is informed in an equally effective manner.
  4. Where the data controller has not already communicated the personal data breach to the data subject, the Authority may require it to do so.

45. Prior Security Check

  1. Where the Authority is of the opinion that the processing or transfer of data by a data controller or data processor may entail a specific risk to the privacy rights of data subjects, it may inspect and assess the security measures taken under Article 17 Sub-Articles (4), (5) and (6) of this Proclamation prior to the beginning of the processing or transfer.
  2. The Authority may, at any reasonable time during working hours, carry out further inspection and assessment of the security measures imposed on a data controller or data processor under Article 17 Sub-Articles (4), (5) and (6) of this Proclamation.

46. Record of Processing Operations

  1. Every data controller and data processor shall maintain, including logging, a record of all processing operations under his responsibility.
  2. The record shall set out:
    1. The name and contact details of the data controller or data processor, and, where applicable, his representative and any data protection officer;
    2. The purpose of the processing;
    3. A description of the categories of data subjects and of personal data;
    4. A description of the categories of recipients to whom personal data have been or will be disclosed, including recipients in other countries;
    5. Any transfers of data to another country, and the suitable safeguards;
    6. where possible, the envisaged time limits for the erasure of the different categories of data; and
    7. The description of the mechanisms on data security.
  3. The data controller or data processor shall, on request, make the record available to the Authority.
  4. In case of logging,
    1. Data controllers and data processors shall keep logs of personal data processing activities including reading;
    2. Logs recording reading, disclosure and transmission shall make it possible to ascertain the reasoning for the conduct of the specified activities, the date and time thereof, the information about the person who read, disclosed or transmitted the personal data, and the names of the recipients of such personal data;
    3. Logs may be used for verification of the legality of personal data processing activities, internal monitoring, ensuring the integrity and security of personal data, and for administrative and criminal proceedings;
    4. Information on logs shall be made available to the Authority;
    5. The Authority shall establish the retention periods of logs.

47. Data Protection Impact Assessment

  1. Where processing operations may result in a risk to the rights and freedoms of data subjects by virtue of their nature, scope, context and purposes, every data controller or data processor shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
  2. The processing operations referred to in Sub-Article (1) of this Article are:
    1. A systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or significantly affect the individual;
    2. Processing on a large scale of sensitive personal data;
    3. A systematic monitoring of a publicly accessible area on a large scale; and
    4. Any other processing operations for which consultation with the Authority is required.
  3. An assessment shall include:
    1. systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
    2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
    3. an assessment of the risks to the rights and freedoms of data subjects; and
    4. The measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Proclamation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
  4. Where appropriate, the data controller or data processor shall seek the views of data subjects on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

48. Prior Authorization and Consultation

  1. Every data controller or data processor shall obtain authorization from the Authority prior to processing personal data in order to ensure compliance of the intended processing with this Proclamation and in particular to mitigate the risks involved for the data subjects where a data controller or data processor cannot provide for the appropriate safeguards in relation to the transfer of personal data to a third party jurisdiction.
  2. The data controller or data processor shall consult the Authority prior to processing personal data in order to ensure compliance of the intended processing with this Proclamation and in particular to mitigate the risks involved for the data subjects where:
    1. a data protection impact assessment indicates that processing operations are by virtue of their nature, scope or purposes, likely to present a high risk; or
    2. The Authority considers it necessary to carry out a prior consultation on processing operations that are likely to present a high risk to the rights and freedoms of data subjects by virtue of their nature, scope or purposes.
  3. Where the Authority is of the opinion that the intended processing does not comply with this Proclamation, it shall prohibit the intended processing and make appropriate proposals to remedy such non-compliance.
  4. The Authority shall make public a list of the processing operations which are subject to prior consultation in accordance with Sub-Article (2) lit. (b) of this Article.
  5. The data controller or data processor shall provide the Authority with the data protection impact assessment and, whenever requested, any other information.

49. Data Protection by Design and by Default

  1. The data controller and, where applicable, the data processor shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures designed to:
    1. Implement the personal data processing principles set out in this Proclamation in an effective manner; and
    2. Integrate the necessary safeguards into the processing in order to meet the requirements of this Proclamation and protect the rights of data subjects.
  2. The measures stipulated under Sub-Article (1) of this Article shall take into consideration the state of the art, the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of individuals posed by the processing.
  3. The data controller shall implement the appropriate technical and organizational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.
  4. Sub-Article (3) of this Article applies to the amount of personal data collected, the extent of processing of the personal data, the period of storage of the personal data and the accessibility to the personal data.
  5. The technical and organizational measures referred to in Sub-Article (1) of this Article shall ensure that personal data is not, by default, made accessible without the individual's intervention to an indefinite number of individuals.

50. Duty to Destroy Personal Data

  1. Unless the contrary is stipulated under Article 15 of this Proclamation, where the purpose for storing personal data has lapsed, every data controller shall destroy the personal data as soon as is reasonably practicable.
  2. The destruction or deletion of a record of personal data shall be done in a manner that prevents its reconstruction in an intelligible form.
  3. The data controller shall have the duty to notify any data processor holding the data of its obligation under this Article.
  4. Any data processor who receives a notification under Sub-Article (3) of this Article shall, as soon as is reasonably practicable, destroy the data specified by the data controller.

51. Joint Data Controllers

  1. Where two or more data controllers jointly determine the purposes and means of processing of personal data, they shall be joint data controllers.
  2. Joint data controllers shall determine in their contracts their responsibilities, the scope of their obligations and the contact points for data subjects.

52. Accountability

  1. The data controller and, where applicable, the data processor, shall be responsible for complying with all obligations set out in this Proclamation in respect of any processing undertaken by him or on his behalf.
  2. The data controller shall be able to demonstrate that any processing undertaken by it or on its behalf is in accordance with the provisions of this Proclamation.

CHAPTER FIVE
EXEMPTION

53. Principle

  1. Exception to the provisions of this Proclamation shall be allowed where it constitutes a necessary and proportionate measure in a democratic society.
  2. Notwithstanding the provisions of Sub-Article (1) of this Article:
    1. the protection of national security, defense or public security;
    2. historical, statistical and scientific research;
    3. an objective of general public interest, including an economic or financial interest of the State;
    4. the protection of judicial independence and judicial proceedings; or
    5. the protection of a data subject or the rights and freedoms of others, shall be governed by Regulation.
  3. If the data subject, the Authority or a third party is convinced that the exception introduced is not necessary and proportionate, he or it may institute a case in a court of law.

54. Research and Exceptions to Research

  1. Processing of personal data for historical, statistical or scientific research may be exempt from the provisions of this Proclamation.
  2. Without prejudice to Sub-Article (1) of this Article, personal data may be processed without the consent of the data subject for the needs of scientific and historical research and official statistics, in a pseudonymised format or a format which provides an equivalent level of protection.
  3. The reversal of pseudonymisation, or of any other method by which data not enabling the identification of persons is changed back into data which enables the identification of persons, is permitted only for the needs of additional scientific and historical research or official statistics.
  4. Processing of data concerning any data subject for the needs of scientific and historical research or official statistics, without the consent of the data subject and in a format which enables the identification of the data subject, is permitted only where the following conditions are met:
    1. the purposes of data processing can no longer be achieved after removal of the data enabling identification or it would be unreasonably difficult to achieve these purposes;
    2. there is an overriding public interest for it, in the estimation of the persons conducting the scientific and historical research or compiling the official statistics.
  5. The processing of personal data for the purpose of historical, statistical or scientific research may be exempt from the provisions of this Proclamation where the data protection principles, the rights of the data subject, the obligations placed on data controllers and data processors, and the security and organizational measures specified in Article 17 Sub-Article (4), (5) and (6) of this Proclamation are implemented to protect the rights and freedoms of the data subjects involved.

CHAPTER SIX
MONITORING, ADMINISTRATIVE DECISIONS AND CRIMINAL OFFENCES

55. Enforcement Order

  1. Where the Authority is of the opinion that a data controller or a data processor has contravened, is contravening or is about to contravene this Proclamation, the Authority may serve an enforcement order on him requiring him to take such steps within such period as may be specified in the order.
  2. An enforcement order served under Sub-Article (1) of this Article shall:
    1. specify the provision of this Proclamation which has been, is being or is likely to be contravened;
    2. specify the measures that shall be taken to remedy or eliminate the situation which makes it likely that a contravention will arise;
    3. specify a period which shall not be less than 21 days within which those measures shall be implemented; and
    4. State that a right of appeal is available.
  3. On complying with an enforcement order, the data controller or data processor, as the case may be, shall, within the period set, notify:
    1. the data subject concerned; and
    2. Where such compliance materially modifies the data concerned, any person to whom the data was disclosed during the period beginning 12 months before the date of the service of the order and ending immediately before compliance, of any amendment.
  4. Where the Authority considers that an enforcement order it has issued is not in the best interest of the situation, it may withdraw the order and, where it does so, it shall give written notice to the person on whom the order was served.
  5. The information order shall state that the person to whom the order is addressed has a right of appeal against the requirement specified in the order within the period specified under Sub-Article (2) lit. (c) of this Article.

56. Power to Obtain Information

  1. The Authority may, unless doing so violates the public interest, request any person to furnish information to it.
  2. The information requested under Sub-Article (1) of this Article shall be produced to, or made accessible to, the Authority in a form in which it can be taken away, is intelligible and is retrievable.

57. Monitoring

The Authority’s monitoring activity may arise from the regular activities of its staff or from information or complaints submitted to it by any interested party.

58. Complaints

  1. A data subject shall have the right to submit a complaint in writing to the Authority in order to obtain a remedy for a violation of his rights under this Proclamation.
  2. Where a complaint is made to the Authority under Sub-Article (1) of this Article, the Authority shall:
    1. Investigate the complaint or cause it to be investigated by an authorized entity, unless the Authority is of the opinion that the complaint is not made in good faith; and
    2. within twenty-one days, notify the data subject concerned in writing of its decision.
  3. The decision of the Authority may be appealed to the Federal High Court within sixty days of the date the decision was rendered.

59. Principles of Imposing Administrative Fines

  1. The Authority shall ensure that the imposition of administrative fines pursuant to this Proclamation is effective, proportional and dissuasive.
  2. Notwithstanding the provisions of Sub-Article (1) of this Article, when deciding to impose administrative fines the Authority shall have due regard, inter alia, to the following factors:
    1. Nature, duration and extent of violation;
    2. Nature and extent of harm suffered by the data subject;
    3. Intentional or negligent character of the violation;
    4. Transparency and accountability measures implemented by the data controller or the data processor, as the case may be, including adherence to any relevant code of practice relating to security safeguards;
    5. Action taken by the data controller or the data processor, as the case may be, to mitigate the damage suffered by the data subject;
    6. Previous history of any, or such, violation by the data controller or the data processor, as the case may be;
    7. Whether the arrangement between the data controller and data processor contains adequate transparency and accountability measures to safeguard the personal data being processed by the data processor on behalf of the data controller;
    8. The accrual of undue benefits which can be measured; and
    9. Any other aggravating or mitigating factor relevant to the circumstances of the case.

60. Administrative Sanctions

  1. The Authority shall have the power to impose administrative penalties on persons who process personal data in contravention of the provisions of this Proclamation and of the regulations and directives issued under this Proclamation.
  2. Where the offence has been committed:
    1. by an institution,
    2. in relation to sensitive data, or
    3. against the personal data of a minor, the offence shall be punishable by a fine of up to four per cent of its total worldwide turnover of the preceding financial year. Any gain made through the act shall go to the government.
  3. Without prejudice to the provisions of Sub-Articles (1) and (2) of this Article, the details of administrative offences and fines shall be governed by regulation.

61. Administrative Complaints

  1. Any person who has a complaint against a decision rendered by a data controller or data processor, in matters related to this Proclamation and to the regulations and directives adopted pursuant to it, shall have the right to make an administrative complaint to the Authority within twenty-one days of such decision.
  2. The Authority after hearing the complaint shall render its decision in writing within twenty one days.

62. Decisions on Administrative Complaints

  1. The Authority:
    1. shall, upon receiving the notice of appeal, inform the data controller concerned and any other affected person of the notice of appeal;
    2. shall investigate the complaint and render an appropriate decision;
    3. may dismiss the complaint if it holds that the complaint is not supported by sufficient evidence;
    4. may, if it deems it necessary, have the complaint entertained by an arbitrator.
  2. The inquiry by the Authority or the arbitrator may be conducted in private.
  3. The Authority may issue a directive regarding complaint handling and administrative investigation procedure.

63. Burden of Proof

Where the data controller refuses to grant the request of the data subject, the burden of proof that the information lies within one of the specified exemptions of the Proclamation lies upon the data controller.

64. Criminal Offences and Sanctions

  1. Any person who:
    1. fails to notify a personal data breach;
    2. fails to implement technical and organizational measures when a breach is committed; or
    3. processes personal data in contravention of the provisions of this Proclamation, shall be punished with simple imprisonment of from one to three years, or a fine of from 60,000 to 100,000 birr, or both.
  2. Any person who, against the rights of the data subject:
    1. fails to erase personal data;
    2. fails to respect the right to object to processing;
    3. restricts processing; or
    4. does not respect the right against automated decisions, shall be punished with imprisonment of from three to five years, or a fine of from 100,000 to 200,000 birr, or both.
  3. Any person who:
    1. re-identifies personal data which has been de-identified;
    2. processes re-identified personal data as referred to in Sub-Article (3) lit. (a) of this Article;
    3. sells or offers to sell personal data; or
    4. transfers personal data outside Ethiopia in violation of this Proclamation, shall be punished with serious imprisonment of from five to ten years, or a fine of from 200,000 to 600,000 birr, or both.
  4. Notwithstanding the provisions of Sub-Articles (1), (2) and (3) of this Article, if the offence:
    1. has been committed by an institution;
    2. has caused damage and as a result constitutes a serious offence;
    3. has been committed in relation to sensitive personal data; or
    4. has been committed in relation to the personal data of a minor, the offence shall be punishable with a fine of up to four per cent of its total worldwide turnover of the preceding financial year.

CHAPTER SEVEN
MISCELLANEOUS PROVISIONS

65. Reference

The relevant provisions of the Communications Service Proclamation, including those on the Appeals Tribunal, shall apply mutatis mutandis to personal data protection related matters.

66. Duty to Cooperate

Every person shall have the duty to cooperate with the Authority so that the Authority may meet the objective and purpose of this Proclamation and discharge the powers and functions entrusted to it.

67. Non applicable laws

With regard to the matters provided for herein, any law or customary practice contrary to this Proclamation shall not be applicable.

68. Transitory provisions

Personal data which existed before the publication of this Proclamation, and personal data which requires protection, shall be processed only in accordance with this Proclamation.

69. Power to issue Regulation and Directive

  1. The Council of Ministers may issue Regulations to implement this Proclamation.
  2. The Authority may issue Directives to implement this Proclamation and the Regulations issued based on Sub-Article (1) of this Article.

70. Effective date

This Proclamation shall enter into force on the date of its publication in the Negarit Gazeta.

Done at Addis Abeba, this 24th day of July 2024
SAHLE-WORK ZEWDE
PRESIDENT OF THE FEDERAL DEMOCRATIC REPUBLIC OF ETHIOPIA
