Data protection & privacy laws in Cape Verde (2026)

Law 133/V/2001 of 22 January 2001 is the foundational data protection statute, making Cape Verde the first African country with comprehensive data protection legislation. It has been amended twice: by Law 41/VIII/2013 (17 September 2013) and Law 121/IX/2021 (17 March 2021).

The Comissão Nacional de Proteção de Dados (CNPD) was established as an independent administrative authority by Law 42/VIII/2013 and became operational in 2015. It monitors compliance, handles complaints, and is a member of NADPA (Network of African Data Protection Authorities).

Law 121/IX/2021 introduced GDPR-style provisions: explicit affirmative consent, rights to erasure, data portability, and restriction of processing, as well as extraterritorial applicability to controllers/processors outside Cape Verde that process data of individuals located in the country.

Individuals hold rights to be informed, access, rectification, erasure/destruction, restriction of processing, portability, and objection (including to direct marketing). These rights are enforceable against data controllers and processors.

Controllers and processors must notify the CNPD of personal data breaches. Where a breach poses a high risk to the rights and freedoms of data subjects, affected individuals must also be directly notified.

Fines for first-time violations range from CVE 1 million to CVE 100 million, escalating to CVE 100–300 million for repeat offences. The CNPD has investigatory and corrective powers under Law 42/VIII/2013.