Data protection & privacy laws in Equatorial Guinea (2026)

Article 13 of the Constitution of Equatorial Guinea guarantees the right to privacy of domicile and communications, providing the constitutional basis on which statutory data protection obligations rest.

Enacted on 22 July 2016, Law No. 1/2016 on the Protection of Personal Data is the principal data protection statute. It establishes core principles of transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity/confidentiality, broadly mirroring international frameworks. The law is available only in Spanish.

The Órgano Rector de Protección de Datos Personales was created by Law No. 1/2016 as the dedicated supervisory body. As of early 2026, it had still not become operational; registration of personal data files falls to the General Data Protection Registry under its Technical Secretariat in the interim.

Data controllers must adopt appropriate technical and organisational security measures, maintain records of processing activities, and notify both the relevant authority and affected data subjects in the event of a personal data breach.

Law No. 1/2017 on Internet Communications (January 2017) supplements the 2016 law by requiring that commercial electronic communications — including advertising and promotions — comply with data protection rules on the creation, maintenance, and cessation of use of personal data files; data used for such purposes must be clear and identifiable.

Equatorial Guinea hosted the adoption of the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) in Malabo in June 2014 but has not ratified it. The Convention entered into force in June 2023 on the basis of other states' ratifications; Equatorial Guinea is not among the 15 ratifying states.