Skip to main content

Ghana Data Protection Act, 2012 (Act 843)

Ghana's Data Protection Act, 2012 (Act 843) regulates the processing of personal data around eight statutory principles and requires data controllers to register with the Data Protection Commission. It mandates consent, security safeguards, and data subject rights, with offenses and penalties for violations.

Jurisdiction
Ghana

Ghana Data Protection Act, 2012 (Act 843)

Ghana's Data Protection Act, 2012 (Act 843), is the country's primary law on the protection of personal data and the privacy of individuals. It was enacted in 2012 and is administered by the Data Protection Commission, an independent statutory body responsible for registration, supervision, and enforcement. The Act establishes process and principles by which personal data may be collected, used, disclosed, and otherwise processed.

Who It Applies To

The Act applies to data controllers established in Ghana that process personal data, and to controllers not established in Ghana that process data within the country, unless the processing is only for transit. A defining feature of the regime is mandatory registration: a person who processes personal data must register with the Data Protection Commission as a data controller, and registration must be renewed periodically. The Act covers both public and private sector processing.

Key Requirements

Processing must comply with eight data protection principles: accountability, lawfulness of processing, specification of purpose, compatibility of further processing, quality of information, openness, data security safeguards, and data subject participation. Controllers must generally obtain the data subject's consent and may process personal data only for a lawful, specified purpose. Special personal data, such as data on health, religious beliefs, and ethnicity, receives heightened protection. Data subjects have rights to access their data, to request correction or deletion, and to object to processing, including for direct marketing. Controllers must implement appropriate security safeguards and register with the Commission.

Penalties for Non-Compliance

The Act provides for offenses and penalties, including fines measured in penalty units and terms of imprisonment for serious violations such as unlawful processing, obstructing the Commission, or selling personal data unlawfully. Operating as a data controller without the required registration is itself an offense.

How to Comply

Register as a data controller with the Data Protection Commission and keep the registration current. Align processing to the eight statutory principles, obtain consent, and apply heightened safeguards to special personal data. Honor access, correction, and objection rights, and implement appropriate security measures to protect personal data.

Practical Notes

Ghana's mandatory data-controller registration with the Data Protection Commission, together with periodic renewal, is a foundational requirement that operating organizations must not neglect, since processing without registration is itself an offense. Aligning practices to the eight statutory principles and maintaining evidence of consent and security safeguards positions an organization well for the Commission's supervision.

Building a Durable Program

Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.