Chad

DATA PROTECTION FACTSHEET

DATA PROTECTION LAW IN PLACE

DATA PROTECTION AUTHORITY APPOINTED

Download the Act

Fast Facts
Domestic Law

Privacy enshrined in Constitution: Yes, Chad’s Constitution protects the right to privacy under Articles 17 and 49.

DPA legislation: The Law No. 007/PR/2015 on the Protection of Personal Data (the Law) governs the protection of personal data in Chad. The law was signed in 2015 and the data protection authority in Chad, the Agence Nationale de Sécurité Informatique et de Certification Électronique (ANSICE), was established in the same year, through Law No. 006/PR/2015, but only became fully operational in 2020.

Under Article 38 of the Law, data subjects have the right to know certain information pertaining to the processing of their personal information, the right to require the correction of their data, and the right o request its deletion. Finally, they also have the right to object, with legitimate reasons, to the processing of their personal data.
International Commitments
Scope of Application

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: Yes

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: No
Personal Data

Personal data is defined as any information relating to a natural person, identified or identifiable directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, and economic identity.

Sensitive personal data are specific categories of data that reveal or contain information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health and sexual life.

Data controller is an individual or public/private company, any other agency or association which, alone or jointly with others, takes the decision to collect and process personal data and determines the purposes thereof.
Collection and Processing
The processing of personal data is considered legitimate if the data subject gives their explicit consent. Consent can be withdrawn at any time by the data subject.

However, this consent requirement may be waived when the processing is essential with respect to:
- compliance with a legal obligation to which the controller is subject;
- execution of a mission in the public interest;
- execution of a contract to which the data subject is party or to the execution of pre-contractual measures;
- safeguarding of the interests or rights and fundamental liberties of the data subject.
The processing of sensitive personal data is forbidden except for when it is:
- carried out by associations with legal authority or public institutions whose purpose is the defence and promotion of human rights, provided that such processing is permitted by ANSICE and that the data collected is not communication to third parties without the consent of the data subject;
- necessary for the interests of social security;
- necessary for legal proceedings;
- necessary for statistical or historical research;
- necessary for the purposes of preventative medicine, medical diagnoses, or the administration of care or treatment either to the data subject or to a relative, in the interest of the data subject, and the processing of the data is carried out under the supervision of a healthcare professional; or
- permitted by another law for a motive important to public interest.
Pursuant to Article 35 of Law No. 007/PR/2015, the data controller must inform the data subject on collection, or as soon thereafter as feasible, of:
- the identity of the data controller and its representative (if any);
- the purposes of the processing;
- the category of data concerned;
- the recipients or categories of recipients of the data;
- the right to object to the collection of such data;
- the right to access the collected data and have it edited;
- the duration of the processing; and
- details on any intended transfer of the data.
Transparency

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Yes

Timeframe for notification is specified: No

Exceptions exist to breach notifications: No

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: No

DPA report is made public: NA
Accountability

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Unclear

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Yes

Number of members in DPA: 11

Maximum term length for members of the DPA (years): 8
Participation
Cross-border Transfer
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 23 May 2022