Data Protection Act, 2023
| Data Protection Act, 2023 | |
|---|---|
 | |
| Somalia Parliament | |
| |
| Citation | Law 005 |
| Territorial extent | The Republic of Somalia |
| Enacted by | Federal Parliament of Somalia |
| Enacted | 2023 |
| Assented to | March 23, 2023 |
| Signed by | President of the Republic of Somalia |
| Effective | March 23, 2023 |
| Administered by | Data Protection Authority |
| Status: Current legislation | |
The Data Protection Act also known as DPA or the Act is a national legislation enacted by the Federal Government of Somalia in 2023 to regulate the collection, storage, processing, and transfer of personal data within the country. It aims to safeguard the privacy rights of individuals and to ensure responsible use of personal information in the digital era. [1][2][3]
Background
[edit]The Data Protection Act (DPA) is grounded in the 2012 Constitution of the Federal Republic of Somalia, which guarantees citizens the right to privacy. To ensure the enforcement of this legislation, the DPA created the Somalia Data Protection Authority (“the Authority”) as the responsible oversight body. The bill was presented to Somalia’s Federal Parliament between February and March 2023. It was officially signed into law by President Hassan Sheikh Mohamud on March 21, 2023, and became effective two days later, on March 23, 2023.[4][5]
Structure
[edit]| Heading | Chapters | Articles | Pages |
|---|---|---|---|
| Arrangements of Articles | - | - | 2-4 |
| Preliminary Provisions | 1 | 1 - 5 | 5-8 |
| Administration | 2 | 6–12 | 8-13 |
| Principles Governing Processing of Personal Data | 3 | 13-19 | 13–17 |
| Rights of a Data Subject | 4 | 17-18 | 20-23 |
| Data Security and Data Impact Assessments | 5 | 18 -22 | 20-29 |
| Cross-Border Transfers of Personal Data | 6 | 22-25 | 30- 31 |
| Registration and Fees | 7 | 25-26 | 32-35 |
| Enforcement | 8 | 26-28 | 35-40 |
| Miscellaneous | 9 | 28-29 | 41-43 |
Provisions
[edit]The Somalia Data Protection Act establishes a legal framework for:[1]
- The rights of individuals (data subjects) over their personal data.
- The obligations of data controllers and processors.
- Lawful grounds for data processing, including consent and public interest.
- Limitations on cross-border data transfer.
- Data breach notification requirements.
- The creation of an independent data protection authority (DPA).
Data subject rights
[edit]The Act affirms the rights of individuals over their personal data, including the ability to access, correct, erase, withdraw consent, object to processing, and avoid being subjected to decisions made purely through automated means. It also outlines specific situations where these rights may be limited or not applicable.[1]
Data protection authority
[edit]The Act creates a Data Protection Authority tasked with ensuring the effective enforcement of its provisions. This Authority is empowered to develop additional regulations, carry out investigations, and levy penalties. Its key responsibilities include registering significant data controllers and processors, raising awareness about data protection duties, accrediting and licensing compliance organizations, handling complaints related to data misuse, and providing policy advice to the government.[1]
References
[edit]- ^ a b c d "Review of Somalia's Data Protection Act and Implementing Regulations". www.techhiveadvisory.africa. Retrieved 2025-06-22.
- ^ "Data Guidance of Somalia Data Protection Act" (PDF).
- ^ "DPA". digitalpolicyalert.org. Retrieved 2025-06-22.
- ^ a b "Data ProtectionAct" (PDF).
- ^ "رئيس الصومال يوقع ثمانية قوانين لتعزيز أسس الحكومة الصومالية | الصومال الجديد". Retrieved 2025-06-23.