Data Processing Obligations

Today, personal information such as names, telephone numbers, pictures, addresses, birth dates, medical reports, accounts, and credit card information and many others are collected by individuals or organizations and processed for various reasons. We rely on you or your organisation to use or divulge such personal information as intended and to keep it safe. The privacy and data protection rights of an individual must therefore be respected by those collecting and processing such information.


Below are some of the obligations on Data Controllers and Processors in the processing personal information.

1. Requirement for consent and justification

A person or an organisation shall not process personal data without the prior consent of the individual in question (data subject) unless the purpose for which the data is processed is:

    • Necessary for the purpose of completing a contract with the data subject;
    • Required or authorised by law;
    • To protect the legitimate interest of the data subject;
    • Necessary for the proper performance of a statutory duty; or
    • Necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.

There are, however, exceptions to these rules and they are generally purpose-based. For example, some of these exceptions relate to emergency situations, data for policing, judicial functions, etc.


2. Withdrawal of Consent or Objection to Processing

Individuals may withdraw their consent or object, with reasonable notice to the processing of their personal information.  In such circumstances, the Data Controller or Processor must inform them of the likely consequences of such withdrawal or objection. Upon withdrawal of consent to the collection, use or disclosure for any purpose, you or your organisation must cease such collection, use or disclosure of the personal data.



Organizations shall take necessary steps to protect or control the personal data in their possession to prevent unauthorised access, collection, use, disclosure or similar risks through the adoption of appropriate, reasonable, technical, physical and organisational measures.

 In addition, data controllers should ensure that a data processor who processes personal data on their behalf, establishes and complies with the security measures specified under the Act. A contract between a data controller and a data processor shall therefore require the data processor to establish and maintain the confidentiality and security measures specified under the Act.


4. Ensuring Openness or Transparency

Organisations and individuals who control and process personal information of data subjects shall ensure transparency in their operations and make known to their clients what personal information they have, who  (third party) they share it with and how it is processed.

In ensuring openness, a data controller may appoint a certified and qualified individual as Data Protection Supervisor to ensure compliance with the Act as well as your organisations internal data protection policies;.and the supervisor’s information  should also be made available to the public through our online public register


5. Correction of Personal Data

Organisations are required to correct or delete personal data about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

Data controllers are  also required to destroy or delete a record of personal data about a data subject held by themthat they  no longer have authorisation to retain.

Unless  you or your organisation is satisfied on reasonable grounds that the correction or deletion should not be made, you or your organisation shall correct the personal data as soon as practicable.

Where the data controller complies a request to correct, delete, etc; the data controller shall inform other organisations to which the personal data was disclosed  or shared of the correction(s) made (or, with the individual's consent, only to selected organisations).


6. Transfer of Data outside Ghana

 Where the data processor is not domiciled in this country, the data controller shall ensure that the data processor complies with the requirements prescribed under the law,  by providing the same or  higher  standards  of protection  for the personal data in question.


7. Quality of information

A data controller or processor shall ensure that the data they keep or process is complete, accurate, up-to-date and not misleading bearing in mind the purpose for the collection or processing.


8. Right to Compensation

Where an individual suffers damage or distress through the contravention by a data controller or processor of the requirements under the Data Protection Act, 2012, the  data subject can seek compensation in Court.