Privacy Policy
This document explains how the Government of Somaliland, through the Africgreen platform, collects, processes, stores, and protects personal data in connection with maritime carbon tax administration and sovereign environmental monitoring.
Preamble & Legal Basis
The Africgreen Maritime Carbon Intelligence Platform is operated by the Ministry of Finance and Economic Development of the Republic of Somaliland (hereinafter "the Ministry") on behalf of the Somaliland Maritime Carbon Authority (SMCA). This platform collects and processes personal and organizational data as part of its statutory mandate to administer maritime carbon taxes, enforce environmental compliance, and generate sovereign revenue from the Gulf of Aden Exclusive Economic Zone (EEZ).
This Privacy Policy is enacted pursuant to the Somaliland Data Protection Act 2023, the principles of the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014), the IMO Maritime Cyber Risk Management Guidelines (MSC-FAL.1/Circ.3), and the Maritime Carbon Act 2024. Where applicable, we also align our practices with the EU General Data Protection Regulation (GDPR 2016/679) for data subjects residing in or connected to European jurisdictions.
All processing activities are subject to oversight by the Somaliland Data Protection Commissioner (SDPC) and are recorded in the official national data processing register. This policy applies to all users of Africgreen, including Port Authority officers, Finance Administrators, Shipping Agents, and Armateurs.
Data Controller
| Field | Information |
|---|---|
| Data Controller | Ministry of Finance & Economic Development — Republic of Somaliland |
| Operating Entity | Somaliland Maritime Carbon Authority (SMCA) |
| Platform | Africgreen — Sovereign Carbon Intelligence Platform |
| Registered Address | Ministry of Finance, Hargeisa, Republic of Somaliland |
| Data Protection Officer | dpo@smca.gov.sl |
| Technical Operations | Berbera Data Center (BER-DC1) — Node BER-01 |
| Encryption Standard | AES-256 at rest · TLS 1.3 in transit |
Data Collected
We collect data across three categories of data subjects:
A. Platform Users (Port Officers, Administrators)
- Full name, official email address, government employee identifier
- Functional role and clearance level within the platform
- IP address, device fingerprint, browser user-agent, session timestamps
- Immutable audit trail of all actions performed on the platform
- Multi-factor authentication (MFA) status and last login metadata
- Preferred language, timezone, and notification preferences
B. Shipping Agents & Armateurs
- Company name, IMO operator registration number, country of incorporation
- Contact person name, professional email address, phone number
- Fleet composition: vessel names, IMO numbers, MMSI codes, flag states
- Financial data: invoice history, payment records, outstanding tax liabilities
- Port call history, cargo declarations, and pro-forma invoice records
C. Maritime & Environmental Data
- Automatic Identification System (AIS) position data: latitude, longitude, heading, speed, last-seen timestamp
- Vessel technical specifications: gross tonnage, engine power, design speed
- Estimated CO₂ emission calculations based on IMO MARPOL Annex VI methodology
- Carbon credit retirement records and offset certificates
- Port entry/exit logs and EEZ transit records
Purpose of Processing
| Purpose | Legal Basis | Data Category |
|---|---|---|
| Maritime carbon tax assessment and invoice generation | Legal obligation — Maritime Carbon Act 2024, Art. 12 | Vessel data, AIS, tonnage |
| EEZ compliance monitoring and enforcement | Public interest — SMCA Mandate Decree 2023/07 | Position data, vessel status |
| Revenue collection and financial reporting | Legal obligation — Finance Act 2024, Art. 8 | Transaction, payment records |
| Platform access control and identity verification | Legitimate interest — Platform security | User credentials, session data |
| Immutable audit trail for governance accountability | Legal obligation — Government Audit Act 2022 | User actions, IP logs |
| Carbon credit issuance and environmental reporting | Public interest — Green Finance Policy 2024 | CO₂ data, offset records |
| Fraud detection and anomaly monitoring | Legitimate interest — SMCA Security Policy | Access patterns, IP addresses |
| Statistical reporting to international bodies (IMO, AU) | Legal obligation — MARPOL Annex VI | Aggregated vessel/emission data |
Legal Basis for Processing
Processing of personal data on Africgreen is grounded in the following legal bases under the Somaliland Data Protection Act 2023 and aligned international frameworks:
- Legal Obligation (Art. 6(1)(c) equivalent): Maritime Carbon Act 2024, IMO MARPOL Annex VI, Somaliland Finance Act 2024 — processing is mandatory for tax enforcement and cannot be refused by data subjects operating within the EEZ.
- Public Task (Art. 6(1)(e) equivalent): Sovereign mandate of the SMCA to monitor, regulate, and report on carbon emissions within Somaliland maritime jurisdiction.
- Legitimate Interests (Art. 6(1)(f) equivalent): Platform security, fraud prevention, and immutable audit logging — balanced against the rights of data subjects and documented in our Legitimate Interest Assessment (LIA/2024-03).
- Contractual Necessity (Art. 6(1)(b) equivalent): For Shipping Agents and Armateurs who register on the platform, processing is necessary to fulfil the digital services agreement and tax payment obligations.
Note on Sensitive Data: Africgreen does not process special categories of personal data (health, biometric, political affiliation) within the meaning of Art. 9 GDPR or equivalent Somaliland law. AIS positional data of vessels is not considered personal data under maritime law but is handled with equivalent security standards.
Data Retention
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| User account & credentials | 5 years after account deactivation | Finance Act 2024, Art. 31 |
| Audit log entries (immutable) | 10 years | Government Audit Act 2022, Art. 18 |
| Transaction & invoice records | 7 years | Tax Administration Act 2023, Art. 44 |
| AIS position data (raw) | 2 years | SMCA Data Governance Policy 2024 |
| CO₂ emission estimates & credits | 10 years | Maritime Carbon Act 2024, Art. 29 |
| Session tokens & IP logs | 90 days | Security Policy SP-2024-01 |
| Pro-forma invoice PDFs | 7 years | Tax Administration Act 2023, Art. 44 |
| Exemption records | 10 years | Maritime Carbon Act 2024, Art. 17 |
Upon expiry of the applicable retention period, data is securely deleted using cryptographic erasure (overwrite + key destruction) or anonymized for statistical archival. Deletion records are themselves maintained for 2 years.
Your Rights
Subject to applicable Somaliland law and operational constraints, data subjects have the following rights. Certain rights may be limited where they would interfere with mandatory legal processing obligations (e.g., tax enforcement, audit immutability):
| Right | Scope | Limitation |
|---|---|---|
| Access (Art. 15) | Request a copy of data held about you | May be restricted if data relates to an ongoing enforcement action |
| Rectification (Art. 16) | Correct inaccurate personal data | Audit log entries are immutable by design — cannot be altered |
| Erasure (Art. 17) | Request deletion of personal data | Does not apply to data subject to legal retention obligations |
| Restriction (Art. 18) | Limit processing during a dispute | Does not apply to active tax enforcement processing |
| Portability (Art. 20) | Receive your data in machine-readable format | Available for account data; not for vessel or AIS data |
| Objection (Art. 21) | Object to processing based on legitimate interest | Not applicable to legal obligation or public task processing |
| Complaint | Lodge a complaint with the SDPC | Always available — see contact details below |
To exercise your rights, submit a written request to dpo@smca.gov.sl with proof of identity. We will respond within 30 calendar days. Complex or multiple requests may be extended by an additional 60 days with notification.
AIS & Maritime Surveillance Data
The Automatic Identification System (AIS) is a mandatory radio transponder system under IMO SOLAS Chapter V Regulation 19. AIS data broadcast by vessels in the Somaliland EEZ is received by sovereign shore-based receivers and is considered publicly accessible technical data under international maritime law. Its collection and use for safety, environmental, and tax enforcement purposes does not require individual vessel owner consent.
Within Africgreen, AIS data is used exclusively for: (i) identifying vessels within the EEZ for carbon tax assessment, (ii) calculating estimated CO₂ emissions based on vessel speed, position, and engine specifications, (iii) generating pro-forma invoices and compliance notices, and (iv) populating the Command Center map display for authorized officers.
AIS position data is never used for commercial tracking, sold to third parties, or shared beyond the purposes listed above. Raw AIS feeds are retained for 2 years and then purged from primary systems.
Data Security
Africgreen implements a multi-layered security architecture in accordance with ISO/IEC 27001:2022, the IMO Maritime Cyber Risk Management guidelines, and the NIST Cybersecurity Framework (CSF 2.0):
- Encryption at rest: AES-256 for all stored data, with hardware security modules (HSMs) for key management at BER-DC1.
- Encryption in transit: TLS 1.3 for all API and web traffic. Older TLS versions (≤1.2) are rejected at the load balancer.
- Access control: Role-Based Access Control (RBAC) with least-privilege principles. All privileged actions require MFA. Superadmin actions require dual authorization.
- Immutable audit logging: All operator actions are SHA-256 hash-chained and stored in a tamper-evident append-only log.
- Penetration testing: Annual independent penetration tests by certified third parties. Results disclosed in the Security Audit report.
- Incident response: Data breach notification to the SDPC within 72 hours, affected data subjects within 5 business days, in accordance with Art. 33–34 GDPR equivalent.
Contact & Complaints
| Contact Type | Details |
|---|---|
| Data Protection Officer (DPO) | dpo@smca.gov.sl · Response within 5 business days |
| General Inquiries | info@smca.gov.sl · Ministry of Finance, Hargeisa, Somaliland |
| Security Incidents | security@smca.gov.sl · PGP key available at smca.gov.sl/pgp |
| Data Subject Rights Requests | rights@smca.gov.sl · Response within 30 calendar days |
| Supervisory Authority | Somaliland Data Protection Commissioner (SDPC) · sdpc.gov.sl |
If you believe your privacy rights have been violated, you have the right to lodge a complaint with the Somaliland Data Protection Commissioner (SDPC) at any time, without prejudice to any other administrative or judicial remedy. The SDPC contact is available at sdpc.gov.sl.
This Privacy Policy was last reviewed and approved by the Somaliland Data Protection Officer on March 1, 2025. Changes to this policy will be published at least 30 days before taking effect, with notification to all registered platform users via email.
© 2025 Government of Somaliland · Ministry of Finance & Economic Development · Africgreen Maritime Carbon Intelligence Platform