Data Protection Policy (Ghana)
Data Protection Policy
This Data Protection Policy is adopted by [Organisation Name], of [Organisation Address], Data Protection Commission Registration No. [DPC Registration Number] (the "Organisation").
Effective Date: [Effective Date] | Next Review Date: [Review Date] | Data Protection Officer: [DPO Name] | Contact: [DPO Contact]
1. Our Commitment to Data Protection
[Organisation Name] is committed to processing personal data in accordance with the Data Protection Act 2012 (Act 843) and the eight data protection principles set out in Section 19 of Act 843: (a) accountability; (b) lawfulness of processing; (c) specification of purpose; (d) compatibility of further processing; (e) quality of information; (f) openness; (g) data security; and (h) data subject participation.
The Organisation is registered with the Data Protection Commission (DPC) under Section 27 of Act 843. All staff, contractors, and third-party service providers with access to personal data are required to comply with this Policy.
2. Personal Data We Collect and Why
The Organisation processes the following categories of personal data: [Data Categories].
Personal data is processed for the following purposes: [Processing Purposes].
The Organisation processes the following categories of sensitive personal data: [Sensitive Data Types]. Sensitive data is processed only where a specific lawful basis under Section 17 of Act 843 applies and appropriate additional safeguards are in place.
The legal bases on which the Organisation processes personal data include: consent (Section 17 of Act 843), performance of a contract, compliance with legal obligations (including the Anti-Money Laundering Act 2020 (Act 1044)), and legitimate business interests.
3. Data Sharing and Third-Party Processors
The Organisation may share personal data with: [Third Party Processors]. All third-party processors are required to enter into a data processing agreement with the Organisation under Section 19 of Act 843, obliging them to process data only on the Organisation's documented instructions and to implement appropriate security measures.
Where personal data is transferred outside Ghana, the Organisation implements the following safeguards: [Transfer Safeguards], in compliance with Act 843.
4. Data Security
The Organisation implements the following technical and organisational security measures to protect personal data: [Security Measures].
In the event of a data breach, the Organisation will: (a) contain the breach immediately; (b) assess the severity and likely impact; (c) notify the Data Protection Commission as soon as practicable; (d) notify affected data subjects where the breach is likely to result in serious risk to their rights or interests; and (e) conduct a post-incident review.
5. Data Retention
The Organisation retains personal data for no longer than is necessary for the purposes for which it was collected. Key retention periods are: [Retention Schedule]. At the end of the applicable retention period, personal data will be securely deleted or anonymised.
6. Data Subject Rights
Under the Data Protection Act 2012 (Act 843), individuals whose personal data we process have the following rights: (a) Right of access — to request a copy of personal data held about them (Section 33 of Act 843); (b) Right to rectification — to request correction of inaccurate data; (c) Right to erasure — to request deletion where processing is unlawful or the purpose has ended; (d) Right to object — to object to processing based on legitimate interests or for direct marketing; (e) Right to withdraw consent — where consent is the legal basis for processing, at any time without detriment.
To exercise these rights or to make a complaint, please contact our Data Protection Officer: [DPO Name] at [DPO Contact]. Complaints may also be referred to the Data Protection Commission (DPC) of Ghana.
7. Policy Approval
This Data Protection Policy was approved by the Board / Senior Management of [Organisation Name] and takes effect on [Effective Date]. It will be reviewed on [Review Date] or earlier if required by changes in law or processing activities.
Approved by (Authorised Signatory)
________________
Signature
Data Protection Officer
________________
Signature
What Is a Data Protection Policy (Ghana)?
A Data Protection Policy in Ghana establishes the obligations and procedures governing the conduct it regulates.
The Data Protection Act 2012 (Act 843) is the primary legislation governing personal data protection in Ghana. Act 843 was enacted to regulate the processing of personal information, to provide for the rights of data subjects, and to establish the Data Protection Commission as the independent supervisory authority. Section 19 of Act 843 sets out the eight data protection principles that all data controllers must comply with: (1) accountability; (2) lawfulness of processing; (3) specification of purpose; (4) compatibility of further processing with the original purpose; (5) quality of information; (6) openness; (7) data security; and (8) data subject participation.
The Data Protection Commission, established under Part I of Act 843, has powers to register data controllers, investigate complaints, conduct audits, issue enforcement notices, and impose financial penalties on organisations that fail to comply with Act 843. Data controllers must register with the DPC before commencing processing operations under Section 27 of Act 843. Non-registration and non-compliance are criminal offences under Act 843.
A Data Protection Policy in Ghana is required by organisations in all sectors — including banking (Bank of Ghana-licensed institutions), insurance (National Insurance Commission-regulated companies), telecommunications (National Communications Authority licensees), healthcare (Ghana Health Service-registered facilities), and educational institutions — as proof of their commitment to Act 843 compliance and as a prerequisite for DPC registration. The Electronic Transactions Act 2008 (Act 772) and the Electronic Communications Act 2008 (Act 775) supplement Act 843 for digital data processing.
The Data Protection Policy is distinct from a Privacy Policy — which is an external-facing document informing customers and website users of an organisation's data practices — and from individual Data Processing Consent Forms — which record the specific consent of individual data subjects. The Policy is an internal governance document that binds all staff and contractors of the organisation.
The legal framework governing a Data Protection Policy in Ghana draws on several key statutes and regulatory bodies. Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Parties executing a Data Protection Policy in Ghana should confirm that the document reflects current law, including any amendments enacted since the original drafting date. The Data Protection Act 2012 (Act 843) sets the foundational requirements.
When Do You Need a Data Protection Policy (Ghana)?
A Data Protection Policy in Ghana is needed in the following circumstances.
A Data Protection Policy is required when an organisation registers with the Data Protection Commission (DPC) under Section 27 of the Data Protection Act 2012 (Act 843), as evidence of the organisation's data governance framework. The DPC's registration process requires organisations to demonstrate that they have implemented appropriate policies and procedures.
A Data Protection Policy is needed when an organisation in Ghana onboards employees, contractors, or third-party service providers who will have access to personal data, to confirm that all persons with access understand their obligations under Act 843 and the organisation's data handling standards.
A Data Protection Policy is required when a bank licensed by the Bank of Ghana (BoG), a mobile money operator, or a fintech company implements a Know Your Customer (KYC) programme under the Anti-Money Laundering Act 2020 (Act 1044), since KYC involves the systematic collection and processing of personal data including Ghana Card numbers, biometric data, and financial information.
A Data Protection Policy is needed when a healthcare organisation — including hospitals, clinics, diagnostic centres, pharmacies, and health insurance companies regulated by the National Insurance Commission (NIC) — processes patient medical records, test results, and health insurance data in Ghana, where heightened obligations apply to sensitive personal data under Act 843.
A Data Protection Policy is required when a company in Ghana enters into a contract with an international client, investor, or partner who requires evidence of GDPR-equivalent data protection standards as a condition of the business relationship.
A Data Protection Policy is required for all entities that process the personal data of employees in Ghana — including payroll data, SSNIT numbers, tax identification numbers, and biometric clock-in data — to establish clear internal standards for HR data handling consistent with Act 843.
Parties in Ghana should prepare a Data Protection Policy proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Data Protection Policy (Ghana)
A thorough Data Protection Policy for Ghana under the Data Protection Act 2012 (Act 843) must contain the following essential elements.
Scope and Application: Identification of the organisation, its DPC registration number, and the scope of the policy — covering all personal data processed by the organisation in Ghana, including data processed by employees, contractors, and third-party processors under Section 19 of Act 843.
Data Protection Principles: Statement of the organisation's commitment to the eight data protection principles under Section 19 of Act 843: accountability, lawfulness, purpose specification, purpose compatibility, information quality, openness, data security, and data subject participation.
Lawful Bases for Processing: Description of the lawful bases on which the organisation processes personal data under Section 17 of Act 843 — including consent, contract, legal obligation, vital interests, public task, and legitimate interests — and the procedure for identifying and documenting the applicable basis for each processing activity.
Categories of Personal Data and Purposes: A description of the categories of personal data processed by the organisation (including any sensitive categories such as health data, biometric data, Ghana Card numbers, and financial data) and the specific purposes for which each category is processed.
Data Subject Rights: Procedures for receiving, processing, and responding to data subject access requests (Section 33 of Act 843), rectification requests, erasure requests, and objections, within the time periods required by the DPC.
Data Security: Technical and organisational measures implemented to protect personal data against unauthorised access, loss, destruction, or alteration — including encryption, access controls, staff training, and incident response procedures.
Data Breach Notification: The procedure for identifying, containing, and notifying data breaches to the Data Protection Commission and affected data subjects within the periods required by Act 843.
Third-Party Processors: Requirements for engaging data processors — including the mandatory data processing agreement under Section 19 of Act 843 — and the due diligence process for selecting processors with adequate security measures.
Cross-Border Data Transfers: The organisation's policy on transfers of personal data outside Ghana, including the requirement for appropriate safeguards or DPC approval.
Data Retention and Disposal: Documented retention periods for each category of personal data and the secure disposal procedures to be followed at the end of the retention period.
Governance and Accountability: The role of the Data Protection Officer (DPO), employee data protection training requirements, and the escalation procedure for data protection queries and incidents. Forms-legal.com provides this template as a starting point for Act 843-compliant data governance in Ghana.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Protection Policy (Ghana) (Ghana) [Legal document template]. Forms Legal. https://forms-legal.com/ghana/business/policies/data-protection-policy-ghana
"Data Protection Policy (Ghana) (Ghana)." Forms Legal, 2026, https://forms-legal.com/ghana/business/policies/data-protection-policy-ghana.
Frequently Asked Questions
While the Data Protection Act 2012 (Act 843) does not use the specific term 'Data Protection Policy' as a named mandatory document, the Act's requirements effectively make a written data protection policy essential for any organisation that processes personal data in Ghana. Section 27 of Act 843 requires all data controllers to register with the Data Protection Commission (DPC) before processing personal data, and the DPC's registration process requires organisations to submit information about their data governance arrangements — which in practice requires documented policies. Furthermore, Section 19 of Act 843 requires data controllers to implement appropriate technical and organisational measures to ensure data security, and a written policy is the primary evidence of such organisational measures. In regulated sectors — banking (Bank of Ghana), insurance (National Insurance Commission), healthcare (Ghana Health Service) — sector regulators additionally require evidence of data protection compliance as part of licensing and supervisory oversight. A documented Data Protection Policy is therefore a practical necessity for any organisation registered with the DPC.
The Data Protection Act 2012 (Act 843) provides for both civil and criminal consequences for non-compliance. Processing personal data without registration with the Data Protection Commission (DPC) under Section 27 of Act 843 is a criminal offence for which an organisation may be prosecuted in the High Court of Ghana. The DPC has powers under Act 843 to issue enforcement notices requiring an organisation to take specified remedial action within a stated period, to impose financial penalties for breaches of the data protection principles, and to seek injunctive relief from the High Court to stop unlawful processing. Data subjects whose rights under Act 843 have been violated may also file complaints with the DPC and may bring civil claims for damages in the High Court. The reputational consequences of DPC enforcement action — which is published on the DPC's public register — may be more damaging to a Ghana-registered business than the direct financial penalties, particularly for organisations dealing with international clients or investors who conduct data protection due diligence.
The Data Protection Act 2012 (Act 843) applies to data controllers and processors who are established in Ghana or who process personal data in Ghana. The question of whether Act 843 applies to a foreign company processing data about Ghanaian residents from outside Ghana — for example, an international e-commerce platform — depends on whether the processing takes place 'in Ghana' within the meaning of Act 843. Ghanaian courts have not yet issued authoritative rulings on the extraterritorial scope of Act 843, but the Data Protection Commission has indicated in published guidance that organisations targeting Ghanaian residents or systematically processing the personal data of persons in Ghana should comply with Act 843 regardless of where the processing infrastructure is physically located. Foreign companies with Ghana subsidiaries, offices, or agents are clearly subject to Act 843 with respect to processing activities carried out through those Ghanaian entities, and such entities must be registered with the DPC.
The Data Protection Act 2012 (Act 843) requires data controllers in Ghana to implement appropriate technical and organisational security measures to prevent data breaches. Where a data breach occurs — meaning unauthorised access, loss, destruction, alteration, or disclosure of personal data — the data controller must take immediate steps to contain the breach and assess its severity. Act 843 and Data Protection Commission (DPC) guidance require that significant data breaches be notified to the DPC as soon as practicable, and that affected data subjects be informed where the breach is likely to result in serious risk to their rights, privacy, safety, or financial interests. The Data Protection Policy should specify: who within the organisation is responsible for managing data breach incidents (typically the Data Protection Officer); the internal escalation procedure and timeline; the criteria for determining whether a breach must be notified to the DPC; the content of the notification to the DPC and to data subjects; and the post-incident review process for preventing recurrence.
Section 19 of the Data Protection Act 2012 (Act 843) requires that where a data controller engages a data processor — a third party that processes personal data on behalf of and under the instructions of the data controller — the engagement must be governed by a written data processing agreement. The data processing agreement must specify: the subject matter and duration of the processing; the nature and purpose of the processing; the categories of personal data and data subjects involved; the obligations and rights of the data controller; the obligation of the processor to process personal data only on the documented instructions of the controller; the obligation of the processor to implement appropriate technical and organisational security measures; the obligation of the processor to assist the controller in responding to data subject requests and data breach notifications; and the processor's obligation to delete or return all personal data to the controller at the end of the processing engagement. A Data Protection Policy should include the organisation's standard requirements for data processing agreements and the approval process for engaging new processors.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Personal Data Processing Consent Form (Ghana)
A Personal Data Processing Consent Form for Ghana compliant with the Data Protection Act 2012 (Act 843), enabling organisations to obtain freely given, specific, and informed consent from data subjects before processing their personal data.
Privacy Policy (Ghana)
A compliant Privacy Policy for businesses operating in Ghana disclosing data collection, processing, and user rights under the Data Protection Act 2012 (Act 843) and the Data Protection Commission (DPC).