Angola: Cloud in Financial
Services

The banking sector in Angola is supervised by the National Bank of Angola (Banco Nacional de Angola, also known by the acronym "BNA"). In its supervisory role, the BNA may carry out inspections in order to assess the banks’ compliance with the applicable rules and regulations, amongst other supervisory powers.

The insurance sector in Angola is supervised by the Angolan Agency for Regulation and Supervision of Insurances Companies (Agência Angolana de Regulação e Supervisão de Seguros, also known by the acronym "ARSEG"). ARSEG is the regulatory, supervisory, and auditing body for insurance, reinsurance, pension funds, and insurance mediation activities.

Cloud services are permitted to the extent that they comply with general laws and regulations. There is no specific regulation on cloud services in Angola.

Cloud services in the financial sector will usually require assessing compliance with banking secrecy rules, which covers information relating to the customer's account, the customer's transactions with the bank and information relating to the customer acquired through the keeping of a bank account. The duty to respect privacy and confidentiality is expressly recognized in the Financial Institutions Law.

There are no specific approvals required for cloud computing under the financial institutions regulations. However, notification to and/or prior approval from the relevant regulator may be required in some instances.

A bank must be able to provide the BNA with any relevant information requested from time to time by the BNA and to ensure that the BNA can carry out its supervisory activities.¹

An insurance company must also provide to the ARSEG all relevant information and to ensure that the ARSEG can carry out its supervisory activities.

Microsoft recognizes such requirements and is able to support same and cater for appropriate audit of its cloud services in relation to banks and insurers. Additionally Microsoft recognizes that ownership in the data resides with the relevant bank or the insurer, which has complete access to and control over the data, allowing it to meet its compliance obligations.

According to Law no. 22/2011, of 17 June (the "Data Protection Law"), the communication of data to a subcontracted data processor can only be carried out if the following conditions are complied with: (a) the subcontractor and the data controller must enter into a written agreement or other legally valid written document, under which terms the subcontractor undertakes to comply with the provisions of the Data Protection Law and to act according to the instructions of the data controller; and (b) notification to the Angolan data protection authority².

The data controller may only transfer personal data to a third party outside Angola after notifying the Angolan data protection authority and if the country has a level of protection at least identical to that provided by the Data Protection Law³. Otherwise, the transfer of personal data to a third party outside Angola has to be authorized by the Angolan data protection authority, and such authorization may only be granted when the specific circumstances set out in the Data Protection Law are complied with⁴.

Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, are likely to constitute adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.