Guidance

    The Somalia Data Protection Authority (SDPA) provides official guidance, tools, procedures, and reference materials to support lawful, secure, and accountable processing of personal data under the Data Protection Act No. 005 (2023).
    This page is the central access point for all SDPA-issued laws, regulations, guidance documents, templates, procedures, and forms.

Laws & Regulations

    These documents form the binding legal framework for data protection in Somalia and apply to all data controllers, processors, and relevant stakeholders.

Available Documents

Codes of Practice & Sector Guidelines

    Sector-specific guidance addressing contextual risks, obligations, and best practices across different industries.

Available Documents
  • Official codes of practice & sector guidelines

Technical Guidance & Regulatory Advisories

    Authoritative guidance supporting practical and technical implementation of data protection requirements across public and private sectors.

Available Documents
  • Official technical guidance on data security best practices
  • Official guidance on data minimization & retention requirements
  • Official guidance on cross-border data transfer rules
  • Official guidance on children’s data protection
  • Official guidance on automated decision-making & profiling

Compliance Templates & Toolkits

    Practical tools to help organizations implement compliance measures, document decisions, and operationalize data protection obligations.

    Important Notice
    The templates provided by the SDPA:

    • Are for guidance and educational purposes only
    • Do not constitute legal advice
    • Do not imply regulatory approval or certification
    • Do not remove legal responsibility from controllers or processors

Available Documents
  • Privacy notice (general) template
  • Personal data breach reporting template
  • Cookie & online tracking notice template
  • Consent form for processing personal data template
  • Website privacy policy template
  • Subject access request (SAR) response template
  • Response to request for correction or deletion of personal data template
  • Record of processing activities (ROPA) template
  • Internal data protection policy template
  • Employee privacy notice template
  • Data sharing agreement (DSA) template
  • Data retention schedule template
  • Data protection impact assessment (DPIA) template
  • Data processing agreement (DPA) template
  • Data classification policy template

Registration & Compliance Forms

    Official forms required for registration, renewal, reporting, and compliance monitoring.

Available Forms
  • Data Controller & Data Processor Registration Form (English / Somali)
  • Data Protection Officer (DPO) Registration Form
  • Registration Renewal Form (Controllers & Processors)
  • Registration Guidelines for Controllers, Processors & DPOs
  • Minimum Compliance Checklist for Controllers & Processors
  • Annual Compliance Report Template

Complaints, Enforcement & Investigations

    Documents explaining complaint handling, investigations, and enforcement procedures, ensuring transparency and due process.

Available Documents
  • Complaint Submission Form – Data Subject Rights
  • Complaint Handling Procedure
  • Complaint Investigation Guidelines
  • Enforcement and Investigation Procedures

Data Breach Management & Notification

    Guidance and procedures supporting timely and lawful management of personal data breaches.

Available Documents
  • Data Breach Reporting Guidelines
  • Data Breach Response Procedure (For Organizations)
  • Personal Data Breach Notification Form

Advisory Opinions & Consultations

    Materials supporting formal requests for regulatory guidance and advisory opinions.

Available Documents
  • Guidelines for Requesting Advisory Opinions
  • Advisory Opinion Request Form
  • Consultation Request Form

Training & Capacity Building

    Resources supporting professional development, institutional capacity building, and public awareness.

Available Documents
  • DPA Training Programme Catalogue
  • Training Request Form
  • Post-Training Evaluation Form

Frequently Asked Questions (FAQs)

This Frequently Asked Questions (FAQ) document is provided for general informational purposes only. It summarizes key provisions of the Somalia Data Protection Act No. 005 (2023) and related guidance. It does not replace the Act or official regulations. In the event of any inconsistency, the Act prevails.

1. What is the Somalia Data Protection Act (Law No. 005/2023)?
It is the national law governing how personal data must be collected, used, stored, shared, and protected in Somalia. The Act establishes rights for individuals and legal obligations for organizations processing personal data.

2. Who must comply with the Data Protection Act?
The Act applies to:
  • All public and private entities processing personal data in Somalia
  • Foreign organizations offering goods or services to individuals in Somalia
  • Data processors acting on behalf of Somali controllers
  • Government institutions handling citizen data
Compliance is mandatory under the Act for all applicable entities.

3. Does the Act apply outside Somalia?
Yes. The Act may apply to foreign organizations offering goods or services to individuals in Somalia.

4. What is the Somalia Data Protection Authority (DPA)?
The DPA is the independent national authority responsible for enforcing the Data Protection Act, supervising compliance, protecting privacy rights, and handling complaints and investigations.

5. What is personal data?
Personal data is any information relating to an identified or identifiable individual, such as names, phone numbers, identification numbers, biometric data, photographs, location data, financial information, or online identifiers.

6. What is sensitive personal data?
Sensitive personal data includes information requiring enhanced protection, such as:
  • Health data
  • Biometric or genetic data
  • Religious or political beliefs
  • Criminal records
  • Children's data
  • Sexual life or orientation
Processing such data is subject to stricter safeguards under the Act.

7. What does "processing" mean?
Processing includes any operation performed on personal data, such as collection, storage, use, sharing, recording, analysis, transmission, or deletion.

8. What rights do individuals have under the Act?
Individuals have the right to:
  • Access their personal data
  • Correct inaccurate or incomplete data
  • Request deletion in certain circumstances
  • Object to processing
  • Restrict processing
  • Data portability
  • Withdraw consent
  • Lodge a complaint with the DPA

9. How can individuals exercise their rights?
By submitting a written or electronic request to the organization (controller) processing their data. Organizations must respond within the statutory timeframe under the Act and explain any action taken.

10. Can an organization refuse a rights request?
Yes, but only in limited circumstances under the Act, such as:
  • Legal or regulatory obligations
  • National security considerations
  • Retention requirements mandated by law
  • Manifestly unfounded or excessive requests
Refusals must be justified in writing.

11. Who must register with the DPA?
The following must register under the Act:
  • Data controllers
  • Data processors
  • Data Protection Officers (DPOs), where required
  • Foreign entities processing personal data of individuals in Somalia

12. Why is registration required?
Registration ensures transparency, accountability, and enables the DPA to monitor compliance across sectors.

13. How long is registration valid?
Registration is valid for one year and must be renewed annually.

14. What happens if an organization fails to register?
Failure to register is a violation under the Act and may result in enforcement action, administrative penalties, or suspension of data processing activities.

15. What is a lawful basis for processing?
A lawful basis is the legal justification required under the Act before processing personal data.

16. What lawful bases are recognized under the Act?
The Act recognizes:
  • Consent
  • Contractual necessity
  • Legal obligation
  • Vital interests
  • Public or official interest
  • Legitimate interest (subject to conditions)

17. What happens if processing has no lawful basis?
Processing without a lawful basis is unlawful under the Act and exposes the organization to enforcement measures and penalties.

18. What security measures must organizations implement?
Organizations must apply proportionate safeguards under the Act, including:
  • Access controls
  • Encryption
  • Network and system security
  • Logging and monitoring
  • Secure backups
  • Staff training and confidentiality
  • Physical security measures

19. Are small businesses exempt?
No. Small businesses are not exempt from the Act. However, compliance measures must be proportionate to the nature and scale of processing activities.

20. What is a personal data breach?
A breach is any incident involving unauthorized access, disclosure, loss, alteration, or destruction of personal data.

21. When must a breach be reported?
Where a breach poses a risk to individuals, notification to the DPA must occur within 72 hours of awareness, in accordance with the Act. If the breach poses a high risk, affected individuals must also be notified without undue delay.

22. What information must be included in a breach report?
  • Nature of the breach
  • Categories of data affected
  • Number of individuals affected
  • Likely consequences
  • Mitigation measures
  • DPO or contact details

23. What is a DPIA?
A DPIA is a structured risk assessment required for processing activities that pose high risks to individuals' rights and freedoms.

24. When is a DPIA required?
DPIAs are required for high-risk activities, including:
  • Biometric systems
  • Surveillance technologies
  • Profiling or automated decisions
  • Large-scale processing
  • Children's data
  • Cross-border transfers

25. Must DPIAs be submitted to the DPA?
Prior consultation with the DPA may be required where high residual risks remain after mitigation, or where required under the Act.

26. Is international data transfer allowed?
Yes, but only where permitted under the Act, including where:
  • The destination country provides adequate protection; or
  • Approved safeguards are used; or
  • Authorization is granted where required.

27. What must organizations do before transferring data abroad?
They must assess and document risks associated with the transfer, including legal and security considerations in the destination jurisdiction.

28. Can personal data be shared with vendors?
Yes, provided there is:
  • A lawful basis
  • A Data Processing Agreement (DPA)
  • Adequate security measures

29. Are processors accountable?
Yes. Processors must comply with security obligations under the Act and follow the controller's documented instructions.

30. When is a DPO required?
A DPO is required where specified under the Act, including for public authorities and high-risk or large-scale processing activities.

31. What are the responsibilities of a DPO?
  • Advise on compliance
  • Monitor processing activities
  • Oversee DPIAs
  • Handle breaches
  • Act as contact point for the DPA

32. Are there special rules for children's data?
Yes. Under the Act, organizations must:
  • Obtain verifiable parental consent where required
  • Use child-friendly notices
  • Avoid profiling and targeted advertising
  • Apply enhanced security measures

33. What about humanitarian or displaced populations?
Their data requires enhanced safeguards, minimization, and DPIAs due to heightened vulnerability.

34. What enforcement powers does DPA have?
The DPA may issue:
  • Warnings
  • Corrective orders
  • Processing restrictions
  • Administrative fines
  • Suspension of activities
  • Referrals for criminal investigation

35. What determines penalties?
Administrative fines and corrective measures are determined based on the seriousness, duration, and impact of the violation, as provided under the Act.

36. Can DPA conduct inspections?
Yes. DPA may conduct audits, inspections, and investigations under the Act.

37. Can DPA decisions be appealed?
Yes. Decisions may be appealed through internal review mechanisms and judicial processes.

38. How can individuals file a complaint?
By submitting an official complaint form through DPA's designated channels.

39. What triggers a DPA investigation?
Investigations may be triggered by:
  • Complaints
  • Data breaches
  • Failure to register
  • Audit findings
  • High-risk processing activities

40. What records must organizations maintain?
Organizations must maintain, where applicable:
  • Records of Processing Activities (ROPA)
  • DPIAs
  • Retention schedules
  • Vendor agreements
  • Breach logs
  • Security documentation

41. How long must records be retained?
Records must be retained as required by law or operational needs and documented in retention schedules.

42. Do telecom operators have additional obligations?
Yes. Telecom operators must apply strong encryption, protect metadata, secure SIM registration data, and report breaches in accordance with the Act.

43. Are banks and fintech companies subject to stricter rules?
Yes. Financial data, KYC, and transactional records require enhanced safeguards and a DPIA.

44. What obligations apply to NGOs and humanitarian organizations?
They must minimize beneficiary data, secure biometric systems, justify processing with clear lawful bases, and apply enhanced protections.

For further clarification, please refer to official DPA guidance documents or contact the DPA through designated channels.

How to Use This Guidance

    The SDPA recommends that users:

    • Begin with Laws & Regulations
    • Review sector guidelines relevant to their activities
    • Apply technical guidance where risks are high
    • Use templates and forms to support implementation
    • Refer to FAQs for clarification
    • Contact the SDPA for training, consultation, or advisory support where needed