Ghana

Speed Read

Data privacy - Ghana



Source date: 20th August 2024

Overview

Legal Framework

Relevant law: Data Protection Act, 2012 (Act 843)

Regulator: Data Protection Commission

Fines and Enforcement

Maximum possible fine: 5,000 penalty units (circa USD 3,900).

Top fine to-date: Reports are not clear on the levels of fines issued.

Compliance Overview

Register with regulator: Data Controllers must register with the Commission, pay the required fee and renew their registration every 2 years.

Appoint a DPO: A DPO is not required by law; in practice, however, the Commission requires large Data Controllers to appoint a ‘data protection supervisor’.

Appoint a CISO: There is no specific legal obligation to appoint an information security officer, but doing so is good practice.

Formal compliance programme: There is no requirement in law for a compliance programme (except in certain sectors). However, there is a general obligation to follow the principle of accountability and, in practice, large Data Controllers must train their DPOs.

Publish/provide privacy notice: A Data Controller collecting Personal Data must make Data Subjects aware of the collection and of certain information about the processing.

Maintain records of activities: There is no requirement to maintain an internal register or file any such register with the Commission.

Conduct privacy assessment (DPIA): DPIAs are not generally required (other than for appointing a representative), but undertaking DPIAs may assist with broader compliance.

Data security measures: Data Controllers must secure the integrity of Personal Data through appropriate technical and organisational measures.

Key Risks and Considerations

1) Ghana has an established regime, but requirements are less onerous than the GDPR.
2) Consent is generally required for processing, but exceptions exist (e.g., legitimate interests).
3) The law has extra-territorial effect (but data in transit through Ghana is not subject to the law).
4) There are clear data breach notification obligations, with notifications required to individuals and to the Commission.
5) There are specific laws on direct marketing, which generally require consent.
