Privacy Policy (Ghana)
Privacy Policy
PRIVACY POLICY
Effective Date: [Effective Date]
[Organisation Name], of [Organisation Address] ("we", "us", or "our") is committed to protecting your personal data in accordance with the Data Protection Act 2012 (Act 843) of Ghana. Our Data Protection Commission (DPC) registration number is [DPC Registration Number]. For privacy queries, please contact us at [Privacy Contact Email].
1. Personal Data We Collect
We collect the following categories of personal data: [Data Types Collected].
"Personal data" has the meaning given to it in Section 97 of the Data Protection Act 2012 (Act 843): data about a person from which that person can be identified, directly or in combination with other information.
2. How We Use Your Personal Data
We process your personal data for the following purposes: [Purposes of Processing].
We process personal data only where we have a lawful basis under the Data Protection Act 2012 (Act 843), including: (a) your explicit consent under Section 19 of Act 843; (b) performance of a contract to which you are a party; (c) compliance with a legal obligation applicable to us under Ghana law; or (d) our legitimate interests, where those interests are not overridden by your rights and freedoms.
3. Sharing of Personal Data
We may share your personal data with: [Third Party Sharing].
We do not sell your personal data to third parties.
Where we transfer personal data outside Ghana, we do so only in compliance with Section 47 of the Data Protection Act 2012 (Act 843), by ensuring the recipient country provides adequate protection or by putting appropriate contractual safeguards in place.
4. How Long We Keep Your Data
We retain personal data for the following periods: [Retention Period]. Personal data is not retained for longer than is necessary for the purpose for which it was collected, in accordance with the data minimisation principles in Section 17 of Act 843.
5. Security of Your Personal Data
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction, in accordance with the data protection principles in Section 17 of the Data Protection Act 2012 (Act 843). These measures include encryption, access controls, staff data protection training, and incident response procedures.
6. Your Rights Under the Data Protection Act 2012
Under the Data Protection Act 2012 (Act 843), you have the following rights:
(a) Right of access (Section 37 of Act 843): You may request a copy of the personal data we hold about you.
(b) Right to correction (Section 38 of Act 843): You may request correction of inaccurate or incomplete personal data.
(c) Right to object (Section 40 of Act 843): You may object to the processing of your personal data where that processing is not justified.
(d) Right to withdraw consent: Where processing is based on your consent, you may withdraw consent at any time.
(e) Right to complain: You may file a complaint with the Data Protection Commission (DPC) if you believe your rights under Act 843 have been violated.
To exercise any of these rights, please contact us at [Privacy Contact Email]. We will respond within a reasonable period as required by Act 843.
8. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices or applicable Ghana law, including the Data Protection Act 2012 (Act 843). The current version of this Privacy Policy, with its effective date, will always be available on our website. We will notify you of material changes by email or by a prominent notice on our website.
9. Contact Us
For any queries about this Privacy Policy or the exercise of your data protection rights under the Data Protection Act 2012 (Act 843), please contact our data protection officer at [Privacy Contact Email] or write to us at [Organisation Address].
Authorisation
This Privacy Policy is approved and adopted by [Organisation Name] with effect from [Effective Date].
Authorised Signatory
________________
Signature
What Is a Privacy Policy (Ghana)?
A Privacy Policy in Ghana establishes the obligations and procedures governing the conduct it regulates.
Section 17 of the Data Protection Act 2012 (Act 843) requires every data controller to register with the Data Protection Commission (DPC) before processing any personal data in Ghana. Section 18 of Act 843 sets out the information that a data controller must provide to data subjects when collecting personal data, including: the identity and contact details of the data controller; the purpose or purposes for which the data is being collected; the categories of personal data being collected; the third parties to whom the data may be disclosed; and the data subject's right to access and correct their personal data.
Personal data is defined broadly under Section 97 of the Data Protection Act 2012 (Act 843) as data about a person from which that person can be identified, whether directly from the data itself or from the data combined with other information in the possession of the data controller. This definition covers names, national identification numbers (Ghana Card numbers issued by the National Identification Authority (NIA)), addresses, telephone numbers, email addresses, IP addresses, payment card details, biometric data, health records, employment records, and any other information that identifies or could identify a living individual.
The seven data protection principles set out in Section 17 of Act 843 require that personal data be processed: (i) lawfully and fairly; (ii) only for specified, explicit, and legitimate purposes; (iii) only to the extent necessary for the stated purpose (data minimisation); (iv) accurately and kept up to date; (v) retained only for as long as necessary; (vi) securely, with appropriate technical and organisational measures; and (vii) not transferred to a country that does not provide an adequate level of data protection, without an appropriate safeguard under Section 47 of Act 843.
The Electronic Transactions Act 2008 (Act 772) governs electronic commerce and electronic communications in Ghana. Section 8 of Act 772 recognises the validity of electronic contracts and electronic signatures. Websites and mobile applications operating in Ghana that collect personal data — including name, email address, phone number, location data, or payment information — must publish a compliant Privacy Policy that is accessible to users before data is collected, in compliance with Act 843 and Act 772.
The National Communications Authority (NCA), established under the Electronic Communications Act 2008 (Act 775), regulates electronic communications service providers in Ghana. Internet service providers (ISPs), mobile network operators, and over-the-top (OTT) service providers operating in Ghana must comply with both Act 775 and Act 843 in connection with the collection, storage, and use of subscriber and user data. A Privacy Policy for a digital service operating in Ghana should address the requirements of both Act 843 and Act 775.
When Do You Need a Privacy Policy (Ghana)?
A Privacy Policy in Ghana is needed by any organisation, business, website, mobile application, or institution that collects, processes, stores, or transfers personal data relating to individuals in Ghana, in order to comply with the Data Protection Act 2012 (Act 843) and the requirements of the Data Protection Commission (DPC).
A Privacy Policy is required for all websites and mobile applications that collect personal data from users in Ghana — including contact forms, newsletter subscriptions, account registrations, e-commerce transactions, or analytics tracking using cookies and similar technologies. The Electronic Transactions Act 2008 (Act 772) and Act 843 together require websites to inform users of their data practices before collecting any personal data.
A Privacy Policy is needed by every business registered with the Office of the Registrar of Companies (ORC) under the Companies Act 2019 (Act 992) that collects customer, employee, or supplier personal data in the course of its operations — whether through paper forms, digital systems, or in-person interactions.
A Privacy Policy is required for financial institutions licensed by the Bank of Ghana (BoG), insurance companies regulated by the National Insurance Commission (NIC) under the Insurance Act 2021 (Act 1061), pension fund administrators regulated by the National Pensions Regulatory Authority (NPRA) under the National Pensions Act 2008 (Act 766), and securities dealers regulated by the Securities and Exchange Commission (SEC Ghana), all of which collect and process significant volumes of personal data.
A Privacy Policy is needed by hospitals, clinics, and health facilities regulated by the Ghana Health Service (GHS) and the Medical and Dental Council of Ghana that process health data — a special category of sensitive personal data under Act 843 that attracts heightened protection requirements.
A Privacy Policy is required by schools, universities, and educational institutions regulated by the Ghana Education Service (GES) and the National Accreditation Board (NAB) that process student, parent, and staff personal data.
A Privacy Policy is needed by non-governmental organisations (NGOs), charities, and civil society organisations registered with the Department of Social Welfare or the Registrar General's Department that process beneficiary, donor, and volunteer personal data.
A Privacy Policy is an essential component of the data controller registration application submitted to the Data Protection Commission (DPC) under Section 17 of Act 843. The DPC will assess the data controller's Privacy Policy as part of its review of the registration application.
What to Include in Your Privacy Policy (Ghana)
A compliant Privacy Policy in Ghana under the Data Protection Act 2012 (Act 843) must include the following key elements, reflecting the requirements of Section 17 and Section 18 of Act 843 and the guidelines of the Data Protection Commission (DPC).
Identity and Contact Details of the Data Controller: Full legal name, registered address, DPC registration number, and contact details (including a dedicated data protection or privacy contact email address) of the organisation collecting personal data. The DPC registration number confirms that the data controller has registered with the Data Protection Commission under Section 17 of Act 843.
Categories of Personal Data Collected: A clear description of the types of personal data collected — for example: identity data (name, date of birth, Ghana Card number issued by the National Identification Authority (NIA)); contact data (address, email address, telephone number); financial data (bank account details, payment card information); transaction data (purchase history, service usage); technical data (IP address, browser type, device identifiers, cookie data); health data (medical history, prescriptions); employment data (job title, salary, National Social Security and Insurance Trust (SSNIT) number); and biometric data.
Purpose and Legal Basis for Processing: A statement of each specific purpose for which personal data is collected and processed, together with the legal basis for that processing under Act 843. The lawful bases include: (i) the data subject's explicit consent under Section 19 of Act 843; (ii) performance of a contract to which the data subject is a party; (iii) compliance with a legal obligation applicable to the data controller under Ghana law; (iv) protection of the vital interests of the data subject; (v) performance of a task carried out in the public interest; or (vi) legitimate interests pursued by the data controller, provided those interests are not overridden by the rights and freedoms of the data subject.
Data Sharing and Third-Party Disclosure: A description of the categories of third parties with whom personal data is shared, including: service providers and data processors acting on the data controller's instructions; government authorities (including the Ghana Revenue Authority (GRA), the Bank of Ghana (BoG), the Ghana Police Service (GPS), and courts of Ghana) where disclosure is required by law; business partners; and group companies. The Policy must state the safeguards in place for cross-border data transfers under Section 47 of Act 843.
Data Retention: A statement of how long personal data will be retained for each processing purpose, or the criteria used to determine retention periods. Personal data must not be retained for longer than is necessary for the specified purpose under the data minimisation principles in Section 17 of Act 843.
Data Security: A description of the technical and organisational measures taken to protect personal data against unauthorised access, disclosure, alteration, or destruction — including encryption, access controls, staff data protection training, and incident response procedures.
Data Subject Rights: A clear statement of the rights of data subjects under Act 843, including: (i) the right of access to personal data held by the data controller under Section 37 of Act 843; (ii) the right to correction of inaccurate personal data under Section 38 of Act 843; (iii) the right to object to processing under Section 40 of Act 843; (iv) the right to withdraw consent where consent is the legal basis for processing; and (v) the right to complain to the Data Protection Commission (DPC) at its offices in Accra.
Cookies and Tracking Technologies: Where the data controller operates a website or mobile application, a description of the cookies and similar tracking technologies used, their purposes, and how users can manage their cookie preferences.
Updates to the Privacy Policy: A statement that the Privacy Policy may be updated from time to time and that the current version will always be available on the data controller's website, with the effective date of the current version clearly stated.
Forms-legal.com provides this Privacy Policy template as a starting point for businesses and organisations operating in Ghana. The template reflects the requirements of the Data Protection Act 2012 (Act 843), the Electronic Transactions Act 2008 (Act 772), and the guidelines of the Data Protection Commission (DPC). Data controllers are strongly encouraged to seek advice from a solicitor enrolled with the Ghana Bar Association and with expertise in data protection law to confirm full compliance with Act 843 and DPC requirements.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Policy (Ghana) (Ghana) [Legal document template]. Forms Legal. https://forms-legal.com/ghana/business/policies/privacy-policy-ghana
"Privacy Policy (Ghana) (Ghana)." Forms Legal, 2026, https://forms-legal.com/ghana/business/policies/privacy-policy-ghana.
@misc{formslegal-privacy-policy-ghana,
author = {{Forms Legal}},
title = {Privacy Policy (Ghana) (Ghana)},
year = {2026},
howpublished = {\url{https://forms-legal.com/ghana/business/policies/privacy-policy-ghana}},
note = {Free legal document template}
}
Frequently Asked Questions
A Privacy Policy is legally required in Ghana for every organisation that collects and processes personal data, under the Data Protection Act 2012 (Act 843). Section 17 of Act 843 requires every data controller to register with the Data Protection Commission (DPC) before processing personal data, and the registration process requires the data controller to submit a description of its data processing activities, which effectively constitutes a Privacy Policy. Section 18 of Act 843 requires a data controller to inform data subjects — at the time of collecting their personal data — of the identity of the data controller, the purpose of the processing, the categories of data collected, the third parties to whom data will be disclosed, and the data subject's rights. A published Privacy Policy is the primary means by which a data controller satisfies this obligation. Failure to register with the DPC or to provide the required information to data subjects is an offence under Act 843, carrying penalties including fines and imprisonment. The Data Protection Commission (DPC) has been increasingly active in enforcing Act 843 and has issued guidance on Privacy Policy requirements.
The Data Protection Commission (DPC) is the independent regulatory authority established under Section 3 of the Data Protection Act 2012 (Act 843) to oversee the implementation and enforcement of data protection law in Ghana. The DPC's functions include: (i) maintaining a register of data controllers who have registered under Section 17 of Act 843; (ii) issuing guidelines and codes of practice on data protection compliance; (iii) investigating complaints from data subjects about breaches of their rights under Act 843; (iv) conducting audits and inspections of data controllers' processing activities; (v) imposing administrative penalties on data controllers who breach Act 843; and (vi) co-operating with data protection authorities in other countries on cross-border data protection matters. The DPC is based in Accra, Ghana. Data controllers — including businesses, NGOs, and government agencies — must register with the DPC and pay the prescribed registration fee before commencing or continuing the processing of personal data in Ghana. The DPC's register of data controllers is publicly available and provides evidence that an organisation has complied with its registration obligations under Act 843.
The Data Protection Act 2012 (Act 843) grants data subjects — the individuals whose personal data is processed — the following rights against data controllers operating in Ghana. The right of access under Section 37 of Act 843: a data subject may request a copy of the personal data held about them by a data controller, together with information about the purposes of processing, the sources of the data, and the third parties to whom it has been disclosed. The data controller must respond within a reasonable period. The right to correction under Section 38 of Act 843: a data subject may request the correction of inaccurate, incomplete, or misleading personal data. The right to object under Section 40 of Act 843: a data subject may object to the processing of their personal data where the processing is not justified by a lawful basis under Act 843 or where it causes or is likely to cause unwarranted damage or distress. The right to withdraw consent: where processing is based on consent, the data subject may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal. The right to complain to the Data Protection Commission (DPC): a data subject who believes their rights under Act 843 have been violated may file a complaint with the DPC for investigation and remediation. The DPC has power to order a data controller to comply with Act 843 and to award compensation to a data subject.
The Data Protection Act 2012 (Act 843) imposes restrictions on the transfer of personal data outside Ghana under Section 47 of Act 843. A data controller may only transfer personal data to a third country (a country outside Ghana) if: (i) the third country provides an adequate level of data protection — as determined by the Data Protection Commission (DPC) — that is substantially equivalent to the protection afforded by Act 843; (ii) the data subject has given explicit consent to the transfer; (iii) the transfer is necessary for the performance of a contract between the data subject and the data controller; (iv) the transfer is necessary for reasons of substantial public interest; (v) the transfer is necessary for the establishment, exercise, or defence of legal claims; or (vi) the data controller has put in place appropriate contractual safeguards — such as standard data protection clauses approved by the DPC — with the recipient in the third country. Businesses operating in Ghana that use cloud computing services hosted outside Ghana, or that share customer data with international group companies or service providers, must ensure that their cross-border data transfers comply with Section 47 of Act 843 and the guidelines of the DPC. The Privacy Policy must disclose any cross-border data transfers and the safeguards in place.
The Data Protection Act 2012 (Act 843) imposes both criminal and civil penalties for violations. Under Act 843, a data controller who: (i) fails to register with the Data Protection Commission (DPC) under Section 17 of Act 843 before processing personal data; (ii) processes personal data without a lawful basis; (iii) fails to respond to a data subject access request within a reasonable period under Section 37; (iv) transfers personal data to a third country without adequate safeguards under Section 47; or (v) obstructs the DPC in the exercise of its powers, commits an offence under Act 843 and may be liable on summary conviction to a fine or imprisonment. The DPC also has administrative powers to issue compliance notices ordering a data controller to take specific remedial action within a defined period. Data subjects who suffer damage as a result of a breach of Act 843 may also bring civil claims for compensation before the High Court in Accra. Organisations operating in Ghana should implement a detailed data protection compliance programme — including staff training, a data inventory, privacy impact assessments, and an incident response plan — to minimise the risk of regulatory enforcement action by the DPC.
A Privacy Policy in Ghana under the Data Protection Act 2012 (Act 843) should cover all categories of personal data processed by the data controller, including employee data. Employers in Ghana collect and process significant volumes of personal data about their employees, including: national identification numbers (Ghana Card numbers issued by the National Identification Authority (NIA)); SSNIT (Social Security and National Insurance Trust) numbers; bank account details for payroll processing; health information (for medical insurance and sick leave management); disciplinary records; and performance appraisal data. The Data Protection Act 2012 (Act 843) applies to the processing of employee data in the same way as it applies to customer or user data. Employers should publish an Employee Privacy Notice (a separate internal document addressed specifically to employees) in addition to the public-facing Privacy Policy, clearly informing employees of the purposes for which their personal data is collected, the legal bases for processing, the third parties to whom it may be disclosed — including the Ghana Revenue Authority (GRA) for PAYE purposes, the Social Security and National Insurance Trust (SSNIT), and the National Pensions Regulatory Authority (NPRA) — and their rights under Act 843.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Non-Disclosure Agreement — Disclosure (Ghana)
A binding Non-Disclosure Agreement for Ghana protecting confidential business information under the Contract Act 1960 (Act 25) and equitable principles of confidence recognised by Ghanaian courts.
Data Processing Agreement (Ghana)
A Data Processing Agreement for Ghana under the Data Protection Act 2012 (Act 843) s.37, governing the relationship between a data controller and a data processor handling personal data on the controller's behalf.