Law 1/2016

Law No. 1/2016 of July 22, 2016 on the Protection of Personal Data

Flag of GQ
Equatorial GuineaOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
July 22, 2016
Enacted
July 22, 2016
Enforcing Authority
Governing Body for the Protection of Personal Data (NOT OPERATIONAL)
Consent Model
Opt-in
Applies To
All entities processing personal data within Equatorial Guinea

Overview

Equatorial Guinea enacted Law 1/2016 in July 2016 to establish a framework for personal data protection. The law mandates creation of a Governing Body for the Protection of Personal Data, but this authority has not become operational. As one of the least-documented data protection frameworks in Central Africa, the law is available only in Spanish, which limits international analysis and awareness.

What This Means for Your Website

If your website processes personal data of visitors from Equatorial Guinea, consent is technically required under the law. Data must be collected for specified, legitimate purposes and kept accurate. However, the absence of an operational governing body means there is no practical enforcement at this time.

Key Requirements

The law requires consent for processing, purpose limitation, data accuracy, and security measures to prevent unauthorized access. Data subjects have rights of access and rectification. Specific penalty amounts are not publicly available. Enforcement depends on the eventual establishment of the designated governing body.

How ConsentStack Handles This

ConsentStack detects visitors from Equatorial Guinea and presents a consent banner requiring opt-in, ensuring compliance readiness for when the governing body becomes operational.

Penalties

Fines and sanctions for non-compliance (specific amounts not publicly available)

Key Requirements

  • Consent required for personal data processing
  • Data collected for specified, legitimate purposes
  • Personal data must be accurate and kept up to date
  • Data processed securely to prevent unauthorized access or disclosure
  • Data subjects have rights of access and rectification

Notable Provisions

  • Governing Body NOT OPERATIONAL -- enforcement is non-existent
  • Law only available in Spanish, limiting international analysis
  • Among the least-documented data protection frameworks in Central Africa

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is Equatorial Guinea's data protection law enforced?

No. The Governing Body mandated by Law 1/2016 has not become operational, and enforcement is non-existent.

What language is the law available in?

The law is available only in Spanish, which limits international awareness and analysis.

Does Equatorial Guinea require consent for data processing?

Yes, consent is required on paper, though the lack of an operational authority means no practical enforcement exists.

Stay compliant with Law 1/2016

ConsentStack helps you implement Opt-in consent for Equatorial Guinea automatically.

Get started free