Burundi does not have a law that specifically regulates personal data protection. However, several laws and regulations currently in force contain data protection provisions or impose confidentiality obligations on specific types of personal information. For example, employment, banking, telecommunications and health sector laws impose some data protection requirements. Such provisions generally require covered entities to maintain the confidentiality of personal information.
- Under Law n° 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, healthcare institutions are required to maintain the confidentiality of patient information, unless confidentiality is waived in cases provided for by law.
- Law No. 1/17 of August 22, 2017 governing banking activities: Article 133 imposes confidentiality obligations on customer and account information. This article provides that any person who contributes to the operation, control or supervision of a banking institution is bound to professional secrecy. Violations are enforced under penal code provisions without prejudice to disciplinary proceedings.
- Several Ministerial Orders applicable to the telecommunications sector have been adopted to protect the privacy of and restrict access to and interception of the contents of communications (Legislative Decree No. 100/153 of June 17, 2013 on the Regulation of the Control and Taxation System for International Telephone Communications entering Burundi; Decree-Law No. 100/112 of April 5, 2012 on the Reorganization and Operation of the Telecommunications Regulatory and Control Agency 'ARCT'; Ministerial Ordinance No. 730/1056 of November 7, 2007 on the interconnection of telecommunications networks and services opened to the public).
Burundi does not have a law that specifically regulates personal data protection. However, several laws and regulations currently in force contain data protection provisions or impose confidentiality obligations on specific types of personal information. For example, employment, banking, telecommunications and health sector laws impose some data protection requirements. Such provisions generally require covered entities to maintain the confidentiality of personal information.
- Under Law n° 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, healthcare institutions are required to maintain the confidentiality of patient information, unless confidentiality is waived in cases provided for by law.
- Law No. 1/17 of August 22, 2017 governing banking activities: Article 133 imposes confidentiality obligations on customer and account information. This article provides that any person who contributes to the operation, control or supervision of a banking institution is bound to professional secrecy. Violations are enforced under penal code provisions without prejudice to disciplinary proceedings.
- Several Ministerial Orders applicable to the telecommunications sector have been adopted to protect the privacy of and restrict access to and interception of the contents of communications (Legislative Decree No. 100/153 of June 17, 2013 on the Regulation of the Control and Taxation System for International Telephone Communications entering Burundi; Decree-Law No. 100/112 of April 5, 2012 on the Reorganization and Operation of the Telecommunications Regulatory and Control Agency 'ARCT'; Ministerial Ordinance No. 730/1056 of November 7, 2007 on the interconnection of telecommunications networks and services opened to the public).
Definition of personal data
Not specifically defined.
Definition of sensitive personal data
Not specifically defined.
There is no national data protection authority in Burundi.
There is no requirement to register databases.
There is no requirement to appoint a data protection officer.
Most sector specific laws and regulations that impose confidentiality and data protection requirements apply to covered entities under the law or regulation, and require such entities to maintain the confidentiality of personal information during processing.
No geographic transfer restrictions apply in Burundi. Certain sector specific provisions require companies to obtain consent prior to third party transfers of personal information. Notably, under Article 16 of Law n ° 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, "every patient has the right to decide on the use of the medical information concerning him and the conditions under which they may be transmitted to third parties."
There are no specific data security requirements in Burundi.
There are no breach notification requirements in Burundi.
The relevant sector specific agency or regulator is generally authorized to enforce violations of confidentiality requirements.
There are no specific electronic marketing requirements in Burundi.
There are no specific online privacy requirements in Burundi.
