Data Protection Compliance Form (Ghana)
Data Protection Compliance Form
DATA PROTECTION ACT 2012 (ACT 843) — SECTION 22
Internal Data Protection Compliance Assessment
This Data Protection Compliance Form is completed by [Organisation Name] on [Assessment Date] to document compliance with the Data Protection Act 2012 (Act 843) and the data protection principles under Section 18 of Act 843.
1. Organisation Details
Organisation name: [Organisation Name]
DPC registration number: [DPC Reg Number]
ORC company registration number: [ORC Reg Number]
Registered address: [Organisation Address]
Sector: [Sector]
Data Protection Officer: [DPO Name], Email: [DPO Email]
Date of assessment: [Assessment Date]
2. Processing Activities Register
Categories of personal data processed: [Data Categories]
Categories of data subjects: [Subject Categories]
Purposes of processing: [Processing Purposes]
Legal bases for processing under Section 22 of Act 843: [Legal Bases]
Data retention periods: [Retention Periods]
3. Data Subject Rights Procedures
Procedure for data subject access requests (Act 843 s.10): [Access Request Procedure]
Procedure for data correction requests (Act 843 s.11): [Correction Procedure]
4. Security Measures and Breach Response
Technical and organisational security measures: [Security Measures]
Data breach detection and notification procedure: [Breach Procedure]
Data Processing Agreements executed with all processors (Act 843 s.37): [Processor Agreements]
Data Protection Impact Assessments (DPIAs) conducted for high-risk processing: [DPIAs Conducted]
5. Declaration
The undersigned Data Protection Officer confirms that [Organisation Name] is committed to compliance with the Data Protection Act 2012 (Act 843) and that the information provided in this assessment is accurate and complete to the best of their knowledge as at [Assessment Date]. This form will be reviewed annually and updated whenever there is a material change in the organisation's processing activities.
Signature
Completed on behalf of [Organisation Name] on [Assessment Date].
Data Protection Officer
________________
Signature
What Is a Data Protection Compliance Form (Ghana)?
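A Data Protection Compliance Form in Ghana is an internal document in which an organisation records its personal data processing activities and the measures it takes to comply with the Data Protection Act 2012 (Act 843).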
The Data Protection Act 2012 (Act 843) is the primary legislation governing personal data protection in Ghana. Act 843 establishes the Data Protection Commission (DPC) as the supervisory authority and requires every data controller that processes personal data in Ghana to register with the DPC under Section 17 before commencing processing. Section 18 of Act 843 sets out the data protection principles that all processing must comply with: personal data must be processed lawfully and fairly; collected for specified, explicit, and legitimate purposes; adequate, relevant, and not excessive; accurate and up to date; not kept longer than necessary; and processed in a manner ensuring appropriate security.
Section 22 of Act 843 sets out the conditions for lawful processing: processing is lawful where the data subject has given consent; processing is necessary for performance of a contract to which the data subject is party; processing is necessary for compliance with a legal obligation; processing is necessary to protect the vital interests of the data subject; or processing is necessary for the performance of a task carried out in the public interest.
The National Identification Authority (NIA) issues the Ghana Card under Act 707, and the Ghana Card number constitutes personal data subject to Act 843. Banks licensed by the Bank of Ghana (BoG), insurance companies regulated by the National Insurance Commission (NIC), and telecommunications operators licensed by the National Communications Authority (NCA) are among the largest data controllers in Ghana and are subject to both Act 843 and their sector-specific data governance requirements.
A Data Protection Compliance Form in Ghana is distinct from the DPC registration form submitted to the Commission — it is an internal organisational document that tracks compliance readiness and serves as evidence of good-faith effort to comply with Act 843 in the event of a DPC investigation or audit. Forms-legal.com provides this template for organisations conducting self-assessments of their data protection compliance posture in Ghana.
The legal framework governing a Data Protection Compliance Form in Ghana draws on several key statutes and regulatory bodies. Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Parties executing a Data Protection Compliance Form in Ghana should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Data Protection Act 2012 (Act 843) sets the foundational requirements.
When Do You Need a Data Protection Compliance Form (Ghana)?
A Data Protection Compliance Form in Ghana is required or strongly recommended in the following circumstances.
A Data Protection Compliance Form is needed when an organisation is preparing to register with the Data Protection Commission (DPC) under Section 17 of the Data Protection Act 2012 (Act 843) and wishes to document its processing activities and compliance measures before submitting the registration application.
A Data Protection Compliance Form is required when a data controller is responding to a DPC investigation or audit and needs to produce evidence of compliance with the data protection principles under Section 18 of Act 843 and the conditions for lawful processing under Section 22.
A Data Protection Compliance Form is needed when a company incorporated under the Companies Act 2019 (Act 992) is conducting an annual data protection compliance review — particularly banks regulated by the Bank of Ghana (BoG), insurance companies regulated by the National Insurance Commission (NIC), or telecommunications operators regulated by the National Communications Authority (NCA) — to confirm alignment with both Act 843 and sector-specific data governance requirements.
A Data Protection Compliance Form is required when an organisation appoints a new Data Protection Officer (DPO) and the DPO is carrying out an initial gap assessment of the organisation's data protection posture to identify areas requiring remediation.
A Data Protection Compliance Form is needed when a business is engaged in due diligence for a merger, acquisition, or investment transaction under the Companies Act 2019 (Act 992), and the prospective acquirer or investor requires the target company to demonstrate its data protection compliance status.
A Data Protection Compliance Form is required when an organisation is implementing a new data processing system — such as a new customer relationship management (CRM) platform, payroll system, or health information management system — and needs to conduct a data protection impact assessment to identify risks before processing commences. Completing a Data Protection Compliance Form proactively reduces the risk of DPC enforcement action and demonstrates good-faith compliance with Act 843.
What to Include in Your Data Protection Compliance Form (Ghana)
A thorough Data Protection Compliance Form in Ghana under the Data Protection Act 2012 (Act 843) must contain the following essential elements.
Organisation Details: Full legal name of the data controller; DPC registration number under Section 17 of Act 843 (or confirmation that registration is pending); company registration number issued by the Office of the Registrar of Companies (ORC) under the Companies Act 2019 (Act 992); registered address in Ghana; sector of operation; and the name and contact details of the appointed Data Protection Officer (DPO) or designated data protection contact.
Processing Activities Register: A systematic inventory of the categories of personal data processed — such as names, Ghana Card numbers, SSNIT numbers, financial data, health data, or biometric data; the categories of data subjects — such as customers, employees, or members of the public; the purposes of processing for each category; the legal basis under Section 22 of Act 843 for each processing activity; the retention periods applicable to each category; and the third parties (processors or other controllers) with whom personal data is shared.
Data Protection Principles Compliance: A self-assessment of compliance with each data protection principle under Section 18 of Act 843: lawfulness and fairness; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
Data Subject Rights Procedures: Documentation of the procedures in place to enable data subjects to exercise their rights under Act 843, including: the right of access under Section 10; the right to correction under Section 11; the right to object to processing; and the right to withdraw consent. Response timeframes and escalation procedures should be described.
Security Measures: A description of the technical and organisational measures implemented to protect personal data against unauthorised access, loss, or destruction, consistent with the Cybersecurity Act 2020 (Act 1038) and the Cyber Security Authority's (CSA) guidelines. Measures should include access controls, encryption, staff training, and incident response procedures.
Data Breach Response: A description of the data breach detection, assessment, and notification procedures in place, including the procedure for notifying the DPC under Section 30 of Act 843 without undue delay.
Additional compliance elements include: records of staff data protection training; documentation of data protection impact assessments (DPIAs) conducted for high-risk processing; and evidence of Data Processing Agreements executed with processors under Section 37 of Act 843. Forms-legal.com provides this template as a starting point for Ghana data protection compliance documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Protection Compliance Form (Ghana) (Ghana) [Legal document template]. Forms Legal. https://forms-legal.com/ghana/business/policies/data-protection-compliance-form-ghana
Frequently Asked Questions
Under Section 17 of the Data Protection Act 2012 (Act 843), every person or organisation that processes personal data in Ghana as a data controller must register with the Data Protection Commission (DPC) before commencing processing. This obligation applies to all sectors — banks licensed by the Bank of Ghana (BoG), insurance companies regulated by the National Insurance Commission (NIC), telecommunications operators regulated by the National Communications Authority (NCA), healthcare providers, e-commerce companies, employers processing employee data, and government agencies. There is no general exemption for small or medium-sized enterprises. Failure to register with the DPC before processing personal data is an offence under Act 843 and can result in enforcement action including fines and prosecution. The DPC maintains the National Data Protection Register, which is publicly accessible. Registration must be renewed periodically in accordance with DPC requirements.
Section 22 of the Data Protection Act 2012 (Act 843) provides that processing of personal data is lawful if at least one of the following conditions is met: (1) the data subject has given consent to the processing for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the data controller is subject; (4) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or (6) processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights of the data subject. The Data Protection Compliance Form (Ghana) should document the legal basis applied to each category of processing activity.
Although the Data Protection Act 2012 (Act 843) does not expressly mandate the appointment of a Data Protection Officer (DPO) in the same way as the EU General Data Protection Regulation (GDPR), the Data Protection Commission (DPC) strongly recommends — and in practice expects — that data controllers processing significant volumes of personal data appoint a DPO or designated data protection contact. The DPO is responsible for: advising the organisation on its obligations under Act 843; monitoring compliance with Act 843 and internal data protection policies; conducting data protection impact assessments (DPIAs) for high-risk processing activities; acting as the primary point of contact with the DPC; managing data subject access requests and other rights requests under Act 843; and coordinating the organisation's response to data breaches under Section 30. The DPO's contact details are included in the DPC registration and in the Data Protection Compliance Form (Ghana). A well-functioning DPO programme is a strong mitigating factor in DPC enforcement proceedings.
Under the data protection principle of storage limitation in Section 18 of the Data Protection Act 2012 (Act 843), personal data must not be kept for longer than is necessary for the purposes for which it was collected. Data controllers in Ghana must establish and document retention periods for each category of personal data processed. Retention periods are typically determined by: the purpose of processing — for example, customer transaction records at banks licensed by the Bank of Ghana (BoG) may be retained for up to seven years for anti-money laundering compliance under the Anti-Money Laundering Act 2020 (Act 1044); employee records may be retained for the duration of employment and for a defined post-employment period; and marketing data may be retained only as long as the data subject's consent remains valid. Where a statutory retention period is prescribed by another law — such as the Companies Act 2019 (Act 992) for financial records or the Labour Act 2003 (Act 651) for employment records — that statutory period takes precedence. The Data Protection Compliance Form (Ghana) should document the retention period and the legal basis for each category of data retained.
A data protection impact assessment (DPIA) is a process used by a data controller to identify and minimise the data protection risks of a new processing activity before it commences. The Data Protection Act 2012 (Act 843) does not use the term DPIA explicitly but the data protection principles under Section 18 — particularly accountability and integrity — require data controllers to assess and manage privacy risks proactively. The Data Protection Commission (DPC) recommends conducting a DPIA when: introducing a new system that will process large volumes of personal data; processing special categories of data such as health data, biometric data, or financial data; implementing surveillance or monitoring systems; conducting large-scale profiling of data subjects; or transferring personal data outside Ghana. Banks regulated by the Bank of Ghana (BoG) are also required under the BoG's Technology Risk Management Guidelines to conduct risk assessments before deploying new technology systems. The Data Protection Compliance Form (Ghana) should record whether DPIAs have been conducted for relevant processing activities and their outcomes.
The Data Protection Act 2012 (Act 843) establishes baseline data protection obligations for all data controllers in Ghana, but sector-specific regulations impose additional or complementary requirements in particular industries. Banks licensed by the Bank of Ghana (BoG) must comply with both Act 843 and the BoG's Cyber and Information Security Directive, Technology Risk Management Guidelines, and Anti-Money Laundering Act 2020 (Act 1044). Telecommunications operators regulated by the National Communications Authority (NCA) must comply with Act 843 and the Electronic Communications Act 2008 (Act 775) regarding subscriber data confidentiality. Insurance companies regulated by the National Insurance Commission (NIC) must comply with Act 843 in handling policyholder personal data. Healthcare providers are subject to Act 843 and the Health Facilities Regulatory Agency (HeFRA) standards for patient data governance. In all cases, where a sector-specific rule imposes a higher standard of data protection than Act 843, the higher standard prevails. The Data Protection Compliance Form (Ghana) should identify all applicable sector-specific regulations alongside Act 843.
Non-compliance with the Data Protection Act 2012 (Act 843) in Ghana can result in a range of consequences. The Data Protection Commission (DPC) has the power to: issue enforcement notices requiring a data controller to take specified steps to comply with Act 843; impose administrative penalties; refer cases to the Attorney-General for prosecution; and publish details of enforcement actions, which can damage the organisation's reputation. A person convicted of an offence under Act 843 is liable to a fine of up to 5,000 penalty units or imprisonment for up to two years, or both. In addition, data subjects whose personal data has been unlawfully processed may bring a civil claim for damages before the High Court. For regulated entities such as banks licensed by the Bank of Ghana (BoG), non-compliance with Act 843 may also trigger regulatory action by the sector regulator, including licence conditions or revocation. Completing and maintaining a Data Protection Compliance Form (Ghana) is a tangible step towards demonstrating compliance and mitigating the risk of DPC enforcement action.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.