Last modified 6 January 2025

Data Protection in the Republic of Congo

Breach notification in the Republic of Congo

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in the Republic of Congo

The protection of personal data is governed by the law on the protection of data with a personal character N° 29 - 2019 of 10 October 2019 and was published in the official journal on 7 November 2019 (the "Law"). The Law entered into force on the date of its approval (25 November 2020).

Beside the Law, there are several sectoral laws or decrees that contain data protection aspects (on cybersecurity, mobile telecommunications, etc.)

In addition, a National Commission for Personal Data, which was the subject of a project law approved by the Council of Ministers at the beginning of July 2024, should be created. Its role will be to oversee the processing of personal data and to inform data subjects and data controllers of their rights and obligations. The project law is yet to be adopted.

Related resources

Definitions

Definitions in the Republic of Congo

Definition of Personal Data

Any information relating to a natural person identified or identifiable directly or indirectly, by reference to an identification number or identifiable on the basis of one or more elements specific to his / her physical, physiological, genetic, psychological, cultural, social or economic identity.

Definition of Sensitive Personal Data

Genetic data, data relating to minors, data relating to offences, criminal convictions or security measures, biometric data and, all personal data revealing ethnic origin, parentage, political opinions, religious or philosophical beliefs, trade union membership, gender, health and sex life.

Related resources

Authority

National data protection authority in the Republic of Congo

The Law provides for the creation of a national data protection Commission by a separate law. This Commission plays an important role in the Law and its application. However, we are not aware this Commission has been established.

Related resources

Registration

Registration in the Republic of Congo

The Law requires, save for some exceptions, that the processing of personal data must be notified to the Commission. The Commission provides a confirmation of receipt of the notification after which the entity that made the notification can start processing personal data. If some of the data or sensitive personal data and the processing is not prohibited, a prior authorisation is to be obtained from the Commission. The Commission renders a decision within two months after receipt of the request to process certain sensitive personal data.

Related resources

Data protection officers

Data protection officers in the Republic of Congo

A data protection officer (délégué à la protection des données) needs to be appointed when the data procession is done by:

a public entity;
the nature of the data processing because of its nature, purpose or nature require a regular and systematic follow-up; or
when the data processing is on a large scale for particular data.

Related resources

Collection and processing

Collection and processing in the Republic of Congo

The collection and processing of personal data can only be carried out with the prior and explicit consent of the person concerned. Some exceptions apply when the processing is for valid legal reasons, in the public interest, for the performance of an agreement or to protect the fundamental rights of the person concerned.

Related resources

Transfer of personal data

Transfer of personal data in the Republic of Congo

Cross-border transfer of personal data is only allowed if the receiving state offers a similar protection of personal data and the Commission is notified in advance of the intention to transfer data to a third country.

Related resources

Security

Security in the Republic of Congo

The Law provides for a detailed overview of security measures that must be taken by the processor of personal data in order to secure the personal data.

Related resources

Breach notification

Breach notification in the Republic of Congo

The processor of personal data must in case of a breach of the security inform the Commission without delay and at the latest within 72 hours after it identified the breach.

Mandatory breach notification

It is mandatory to notify every breach to the Commission, however, the 72 hours deadline does not apply in case there is no risk for the rights of the persons concerned. The breach must still be notified, but it must be explained why the breach was notified more than 72 hours after the identification of the breach.

The persons concerned must also informed of the breach if it poses an important risk for its rights.

Related resources

Enforcement

Enforcement in the Republic of Congo

No known cases as far as we know. The Commission is not yet established.

Criminal sanctions apply as well as fines ranging from USD 1,800 to 180,000.

Related resources

Electronic marketing

Electronic marketing in the Republic of Congo

Regulated by separate law.

Related resources

Online privacy

Online privacy in the Republic of Congo

Regulated by separate law.

Related resources

Key contacts

Data protection lawyers in the Republic of Congo

Yves Brosens

Partner

KMK Africa

Pierre Vanholsbeke

Junior Partner

KMK Africa

The processor of personal data must in case of a breach of the security inform the Commission without delay and at the latest within 72 hours after it identified the breach.

Mandatory breach notification

The persons concerned must also informed of the breach if it poses an important risk for its rights.

Quick links

Data Protection in the Republic of Congo

Breach notification in the Republic of Congo

Mandatory breach notification

Continue reading