Data protection & privacy laws in Sao Tome and Principe (2026)

Law No. 03/2016 (adopted 15 February 2016, promulgated 18 March 2016) regulates all processing of personal data by controllers established in São Tomé and Príncipe, including video surveillance and audio-visual recording. It mirrors the EU Directive 95/46/EC structure rather than the GDPR.

The Agência Nacional de Protecção de Dados Pessoais (ANPDP) is an independent administrative authority with legal personality and financial and administrative autonomy, constituted under Law No. 07/2017. It receives processing notifications, issues prior authorisations, supervises compliance, and imposes fines and ancillary measures (data blocking, deletion, cessation).

Controllers must notify or obtain prior written authorisation from the ANPDP before processing personal data, implement appropriate technical and organisational security measures, and bind processors via written contract. Special categories of sensitive data (health, criminal records, race, religion) attract additional restrictions.

Chapter 3 of Law No. 03/2016 grants individuals rights to be informed of the controller's identity, processing purposes, and recipients; rights of access, rectification, and erasure; and the right to bring civil claims for damages arising from unlawful processing. No separate breach-notification right for data subjects is mandated.

Transfers of personal data outside São Tomé and Príncipe are permitted only where the recipient country ensures an adequate level of protection, or where the data subject has unequivocally consented, or where appropriate contractual clauses have been notified to the ANPDP. No adequacy-decision mechanism analogous to GDPR Article 45 decisions exists domestically.

The Law establishes criminal liability, civil liability, and administrative fines for infringements. There is currently no statutory obligation to notify the ANPDP or affected individuals of a personal data breach, a notable gap relative to GDPR-aligned regimes.