In compliance with the provisions of paragraph 3 of article 53 of Law nº. 22/11, of 17 June, the Board of Directors of the Angolan Data Protection Agency (APD) makes public that, through deliberations 004 /2024 and 005/2024, of 19th July, the entities described bellow were sentenced to pay a fine for violating personal data protection rules:
1. COSAL - Comércio e Serviços de Angola, Lda – It has been fined equivalent in AKZ to 75,000.00 USD (Seventy-Five Thousand US dollars), for failure to comply with the duty to implement the appropriate technical and organizational measures to protect the personal data of its customers and employees, against the ransomware-type cyber attack that occurred on 22nd September 2023, which resulted in the encryption, unavailability, unauthorized access and disclosure of said data.
It should be noted that the penalty now applied was extraordinarily attenuated taking into account the number and importance of the mitigating circumstances.
2. Empresa Nacional de Distribuição de Electricidade, ENDE-EP – It has been fined equivalent in AKZ to 225. 000.00 USD (Two Hundred and Twenty Five Thousand US Dollars), for failure to comply with the duty to implement appropriate technical, organizational and security measures to protect the personal data of its customers and employees against the ransomware cyber attack that took place on 18th September 2023, which resulted in encryption, unavailability, unauthorized access by the attackers to said data, namely telephone contact, address, georeferenced location, personal identification, such as full name, date of birth, affiliation, address, Identity Card number, Tax Identification Number and telephone contact.
Finally, APD recalls that the protection of personal data is a fundamental right of citizens, guaranteed by the Constitution of the Republic of Angola and that it therefore encourages all those who feel they have been harmed to report it.
Data Protection Agency, in Luanda, on July 19th, 2024