DATA PROTECTION FACTSHEET
President: Mahamat Déby
2021 Freedom House Score: 17/100
Data protection law? Yes, with data protection authority appointed.
Privacy enshrined in Constitution: Yes, Chad’s Constitution protects the right to privacy under Articles 17 and 49.
DPA legislation: The Law No. 007/PR/2015 on the Protection of Personal Data (the Law) governs the protection of personal data in Chad. The law was signed in 2015 and the data protection authority in Chad, the Agence Nationale de Sécurité Informatique et de Certification Électronique (ANSICE), was established in the same year, through Law No. 006/PR/2015, but only became fully operational in 2020.
Under Article 38 of the Law, data subjects have the right to know certain information pertaining to the processing of their personal information, the right to require the correction of their data, and the right o request its deletion. Finally, they also have the right to object, with legitimate reasons, to the processing of their personal data.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: Signed
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: Yes
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
Personal data is defined as any information relating to a natural person, identified or identifiable directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, and economic identity.
Sensitive personal data are specific categories of data that reveal or contain information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health and sexual life.
Data controller is an individual or public/private company, any other agency or association which, alone or jointly with others, takes the decision to collect and process personal data and determines the purposes thereof.
The processing of personal data is considered legitimate if the data subject gives their explicit consent. Consent can be withdrawn at any time by the data subject.
However, this consent requirement may be waived when the processing is essential with respect to:
- compliance with a legal obligation to which the controller is subject;
- execution of a mission in the public interest;
- execution of a contract to which the data subject is party or to the execution of pre-contractual measures;
- safeguarding of the interests or rights and fundamental liberties of the data subject.
The processing of sensitive personal data is forbidden except for when it is:
- carried out by associations with legal authority or public institutions whose purpose is the defence and promotion of human rights, provided that such processing is permitted by ANSICE and that the data collected is not communication to third parties without the consent of the data subject;
- necessary for the interests of social security;
- necessary for legal proceedings;
- necessary for statistical or historical research;
- necessary for the purposes of preventative medicine, medical diagnoses, or the administration of care or treatment either to the data subject or to a relative, in the interest of the data subject, and the processing of the data is carried out under the supervision of a healthcare professional; or
- permitted by another law for a motive important to public interest.
Pursuant to Article 35 of Law No. 007/PR/2015, the data controller must inform the data subject on collection, or as soon thereafter as feasible, of:
- the identity of the data controller and its representative (if any);
- the purposes of the processing;
- the category of data concerned;
- the recipients or categories of recipients of the data;
- the right to object to the collection of such data;
- the right to access the collected data and have it edited;
- the duration of the processing; and
- details on any intended transfer of the data.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Yes
Timeframe for notification is specified: No
Exceptions exist to breach notifications: No
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: NA
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Unclear
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Yes
Number of members in DPA: 11
Maximum term length for members of the DPA (years): 8
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
In light of Article 29 of Law No. 007/PR/2015, the data controller cannot transfer personal data to another foreign country unless that country provides a sufficient level of protection for the privacy, fundamental rights, and freedoms of individuals.
Moreover, before any transfer of personal data abroad, the data controller must first inform ANSICE.
Provides a right not to be subject to automated decision-making: No