Data protection & privacy laws in Angola (2026)

Law No. 22/11 of 17 June 2011 is the omnibus data protection statute. It applies to all natural and legal persons — public, private, and cooperative — processing personal data in Angola or using equipment subject to Angolan law.

The Agência de Proteção de Dados (APD), headquartered in Luanda, is the independent authority responsible for monitoring compliance, conducting inspections, and imposing sanctions. It became operational in October 2019 under Presidential Decree No. 214/16.

Controllers must obtain express consent from data subjects and notify the APD before processing. Processing must comply with principles of transparency, lawfulness, proportionality, purpose limitation, accuracy, and storage limitation. Cross-border transfers require APD authorisation.

Individuals hold rights of access, rectification, and erasure of their personal data. The law also grants the right to object to processing in certain circumstances.

The APD imposed fines on multiple organisations: USD 150,000 on MAXAM for unlawful cross-border transfer to the UK (2024); USD 75,000 on Banco Comercial do Huambo for inadequate security measures (2024); and USD 175,000 on airline TAAG plus USD 75,000 on Banco de Desenvolvimento de Angola (BDA) for security failures (2025).

The APD submitted a draft revision of Law No. 22/11 for public consultation from 17 March to 17 April 2025. The revision aims to modernise the framework for AI and emerging technologies; formal legislative adoption was pending as of mid-2025.