Population: 4,829,764

Capital: Bangui

President: Faustin-Archange Touadéra

2021 Freedom House Score: 9/100

Data protection law? No, with no data protection authority yet appointed.

Privacy enshrined in Constitution: Yes, article 16 of the Constitution protects the secrecy of correspondence.

DPA legislation: No, the Central African Republic (CAR) currently has no comprehensive data protection legislation. However, the right to privacy is protected under Article 16 of the Constitution, and the CAR is a member of the Central African Economic and Monetary Community (CEMAC), which has issued some legislation which is applicable, for example:

• Regulation No. 21/08-UEAC-13-CM-18 of 19 December 2008 on the Harmonisation of Regulations and Regulatory Policies on Electronic Communications in CEMAC Member States;
• Directive No. 07/08-UEAC-133-CM-18 of 19 December 2008 on the Legal Framework for the Protection of Users of Electronic Communications Networks and Services within CEMAC;
• Directive No. 09/08-UEAC-133-CM-18 of 19 December 2008 Harmonising the Legal Frameworks of Electronic Communications in the CEMAC Member States;
• Regulation No. 03/16-CEMAC-UMAC-CMAC-CM of 21 December 2016 on Systems, Means and Incidents of Payment;
• Directive No. 02/19-UEAC-639-CM-18 of 08 April 2019 Harmonising the Protection of Consumers within CEMAC; and
• Regulation No. 01/20/CEMAC/UMAC/COBAC of 03 July 2020 on the Protection of Consumers of Banking Products and Services in CEMAC.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: No law

Applies to juristic persons: No law

Applies to public entities: No law

Domestic/personal purposes exclusion: No law

National security exclusion: No law

Law enforcement exclusion: No law

Cabinet or Executive Council exclusion: No law

Judicial functions exclusion: No law

Journalistic, literary or artistic purposes exclusion: No law

Temporary copies exclusion: No law

Other exclusion(s): No law

Broad or vague exclusions: No law

Applies to foreign entities: No law

Excludes foreign entities that only transit personal data through the country: No law

Personal data is not defined under Central African law.

There are currently no requirements for collection and processing.

Notification that data is being processed: No law

Notification to DPA in event of data breach: No law

Notification to data subject in event of data breach: No law

Timeframe for notification is specified: No law

Exceptions exist to breach notifications: No law

Requires a data processing register: No law

Register is publicly available: No law

Provides for terms of service icons: No law

DPA must submit at least annual report: No law

DPA report is made public: No law

Explicit provision for civil liability: No law

Established/designates a Data Protection Authority: No law

DPA is empowered to investigate: No law

DPA is empowered to subpoena or request evidence: No law

Law provides for criminal penalties: No law

Law provides for administrative penalties: No law

DPA is independently structured (does not exist within or receive instructions from another public body): No law

DPA receives funding directly from the state budget/legislative body: No law

DPA may receive some forms of external funding/own revenue: No law

Adequate protections against undue removal: No law

Number of members in DPA: No law

Maximum term length for members of the DPA (years): No law

Right of data subject to access a copy of their personal data: No law

Right of data subject to request a correction of data: No law

Right of data subject to request deletion of data: No law

Justification required for a request for deletion: No law

Defines the requirements for consent: No law

DPA is mandated to participate in policy formulation: No law

There are no laws restricting cross-border transfer.

Provides a right not to be subject to automated decision-making: No law