DLA Piper Intelligence

Data Protection
Laws of the World

Law

Republic of Congo
Republic of Congo

The protection of personal data is governed by the law on the protection of data with a personal character N° 29 - 2019 of 10 October 2019 and was published in the official journal on 7 November 2019 (the "Law"). The Law entered into force on the date of its approval (25 November 2020). 

Beside the Law, there are several sectoral laws or decrees that contain data protection aspects (on cybersecurity, mobile telecommunications, etc.)

Last modified 21 Feb 2022
Law
Republic of Congo

The protection of personal data is governed by the law on the protection of data with a personal character N° 29 - 2019 of 10 October 2019 and was published in the official journal on 7 November 2019 (the "Law"). The Law entered into force on the date of its approval (25 November 2020). 

Beside the Law, there are several sectoral laws or decrees that contain data protection aspects (on cybersecurity, mobile telecommunications, etc.)

Last modified 21 Feb 2022
Definitions

Definition of Personal Data

Any information relating to a natural person identified or identifiable directly or indirectly, by reference to an identification number or identifiable on the basis of one or more elements specific to his/her physical, physiological, genetic, psychological, cultural, social or economic identity.

Definition of Sensitive Personal Data

tic data, data relating to minors, data relating to offences, criminal convictions or security measures, biometric data and, all personal data revealing ethnic origin, parentage, political opinions, religious or philosophical beliefs, trade union membership, gender, health and sex life.

Last modified 21 Feb 2022
Authority

The Law provides for the creation of a national data protection Commission by a separate law. This Commission plays an important role in the Law and its application. However, we are not aware this Commission has been established.

Last modified 21 Feb 2022
Registration

The Law requires, save for some exceptions, that the processing of personal data must be notified to the Commission. The Commission provides a confirmation of receipt of the notification after which the entity that made the notification can start processing personal data. If some of the data or sensitive personal data and the processing is not prohibited, a prior authorisation is to be obtained from the Commission. The Commission renders a decision within two months after receipt of the request to process certain sensitive personal data.

Last modified 21 Feb 2022
Data Protection Officers

A data protection officer (délégué à la protection des données) needs to be appointed when the data procession is done by (i) a public entity, (ii) the nature of the data processing because of its nature, purpose or nature require a regular and systematic follow-up, or (iii) when the data processing is on a large scale for particular data.

Last modified 21 Feb 2022
Collection & Processing

The collection and processing of personal data can only be carried out with the prior and explicit consent of the person concerned. Some exceptions apply when the processing is for valid legal reasons, in the public interest, for the performance of an agreement or to protect the fundamental rights of the person concerned.

Last modified 21 Feb 2022
Transfer

Cross-border transfer of personal data is only allowed if the receiving state offers a similar protection of personal data and the Commission is notified in advance of the intention to transfer data to a third country.

Last modified 21 Feb 2022
Security

The Law provides for a detailed overview of security measures that must be taken by the processor of personal data in order to secure the personal data.

Last modified 21 Feb 2022
Breach Notification

The processor of personal data must in case of a breach of the security inform the Commission without delay and at the latest within 72 hours after it identified the breach.

Mandatory breach notification

It is mandatory to notify every breach to the Commission, however, the 72 hours deadline does not apply in case there is no risk for the rights of the persons concerned. The breach must still be notified, but it must be explained why the breach was notified more than 72 hours after the identification of the breach. 

The persons concerned must also informed of the breach if it poses an important risk for its rights.

Last modified 21 Feb 2022
Enforcement

No known cases as far as we know. The Commission is not yet established. 

Criminal sanctions apply as well as fines ranging from USD 1,800 to 180,000.

Last modified 21 Feb 2022
Electronic Marketing

Regulated by separate law.

Last modified 21 Feb 2022
Online Privacy

Regulated by separate law.

Last modified 21 Feb 2022
Contacts
Sophie Kabano Niwese
Sophie Kabano Niwese
Partner
PKM Africa
T +32 476 080 079
Yves Brosens
Yves Brosens
Partner
PKM Africa
T +32 472 582 000
Last modified 21 Feb 2022