BURUNDI
DATA PROTECTION FACTSHEET

-
Population: 11,890,781
Capital: Gitega
President: Évariste Ndayishimiye
2021 Freedom House Score: 14/100
Data protection law? No, with no data protection authority yet appointed.
-
Privacy enshrined in Constitution: Yes, Articles 28 and 42 protect the right to privacy.
DPA legislation: Burundi does not have a comprehensive data protection law, but has been a party to meetings of the East African Community (EAC) to consider the status of cyber laws and highlight areas for reform. A few sectoral laws and regulations contain data protection provisions or impose confidentiality obligations on specific types of personal information. Employment, banking, telecommunications, and healthcare are among the sectors covered.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: No law
Applies to juristic persons: No law
Applies to public entities: No law
Domestic/personal purposes exclusion: No law
National security exclusion: No law
Law enforcement exclusion: No law
Cabinet or Executive Council exclusion: No law
Judicial functions exclusion: No law
Journalistic, literary or artistic purposes exclusion: No law
Temporary copies exclusion: No law
Other exclusion(s): No law
Broad or vague exclusions: No law
Applies to foreign entities: No law
Excludes foreign entities that only transit personal data through the country: No law
-
Personal data is not defined under Burundian law.
-
Certain sectoral laws and regulations require data handlers to process personal information confidentially.
-
Notification that data is being processed: No law
Notification to DPA in event of data breach: No law
Notification to data subject in event of data breach: No law
Timeframe for notification is specified: No law
Exceptions exist to breach notifications: No law
Requires a data processing register: No law
Register is publicly available: No law
Provides for terms of service icons: No law
DPA must submit at least annual report: No law
DPA report is made public: No law
-
Explicit provision for civil liability: No law
Established/designates a Data Protection Authority: No law
DPA is empowered to investigate: No law
DPA is empowered to subpoena or request evidence: No law
Law provides for criminal penalties: No law
Law provides for administrative penalties: No law
DPA is independently structured (does not exist within or receive instructions from another public body): No law
DPA receives funding directly from the state budget/legislative body: No law
DPA may receive some forms of external funding/own revenue: No law
Adequate protections against undue removal: No law
Number of members in DPA: No law
Maximum term length for members of the DPA (years): No law
-
Right of data subject to access a copy of their personal data: No law
Right of data subject to request a correction of data: No law
Right of data subject to request deletion of data: No law
Justification required for a request for deletion: No law
Defines the requirements for consent: No law
DPA is mandated to participate in policy formulation: No law
-
There are no laws restricting cross-border transfer, but under some sectoral laws, companies are required to gain consent before transferring personal information to third parties.
-
Provides a right not to be subject to automated decision-making: No law
Page last updated: 23 May 2022