The protection of personal data is included in the law on telecommunications, information and communication technology N° 20/017 of 25 November 2020 and published in the official journal on 22 September 2021 (the "Law"). The Law entered into force on the date of its approval (25 November 2020).
The Ministerial Decree which should regulate the more practical details of the law has not yet been issued.
In the meantime, the council of Ministers adopted on 2 December 2022 a bill authorizing the ratification of the African Union Convention on Cybersecurity and the Protection of Personal Data adopted in Malabo, Equatorial Guinea on 27 June 2014.
In addition, a bill on the establishment of a Digital Code was adopted by the Council of Ministers on 14 October 2022. No draft is publicly available yet.
Definition of Personal Data
Personal data: any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more factors specific to his/her physical, physiological, genetic, mental, cultural, social or economic identity (Article 4, 37).
Definition of Sensitive Personal Data
There is no separate definition of sensitive data, but the Law prohibits the collection of certain data which can be considered as sensitive:
The collection and processing of personal data revealing racial, ethnic or regional origin, parentage, political opinions, religious or philosophical beliefs, trade union membership, sex life, genetic data or, more generally, data relating to the state of health of the person concerned, are prohibited.
ARPTC (Autorité de Régulation de la Poste et des Télécommunications du Congo) or the authority for the regulation of postal and telecommunication services).
Not yet determined.
The collection and processing of personal data can only be carried out with the prior and explicit consent of the person concerned or on the request of the public prosecutor's office.
Explicit and prior consent of the person is required.
No known cases as the Law is relatively new.
Criminal sanctions apply as well as a fine ranging from USD 25,000 to 50,000 for the entity employing a person who breached data protection laws.