Population: 89,561,404

Capital: Kinshasa

President: Felix Tshisekedi

2021 Freedom House Score: 20/100

Data protection law? No, with no data protection  authority yet appointed

Privacy enshrined in Constitution: Yes, Article 31 of the Constitution protects the right to privacy and the secrecy of correspondence, telecommunications and any other form of communication.

DPA legislation: The Democratic Republic of the Congo (DRC) currently has no dedicated data protection legislation.

Some specific sectoral laws deal with elements related to data protection, such as Law No. 013/2002 of 16 October 2002 which governs the telecommunications sector and provides that personal data protection should be a factor in the establishment and implementation of telecommunications networks. Law 10/002 of 20 August 2010 establishing the Customs Code and Decree-Law 011/46 of 24 November 2011 regarding the application measures of the Customs Code provide some principles relating to the protection of personal information.

In December 2022, the Council of Ministers approved a draft bill authorising the ratification of the African Union Convention on Cybersecurity and the Protection of Personal Information.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: No law

Applies to juristic persons: No law

Applies to public entities: No law

Domestic/personal purposes exclusion: No law

National security exclusion: No law

Law enforcement exclusion: No law

Cabinet or Executive Council exclusion: No law

Judicial functions exclusion: No law

Journalistic, literary or artistic purposes exclusion: No law

Temporary copies exclusion: No law

Other exclusion(s): No law

Broad or vague exclusions: No law

Applies to foreign entities: No law

Excludes foreign entities that only transit personal data through the country: No law

Personal data is not defined under Congolese law.

There are currently no requirements for collection and processing.

Notification that data is being processed: No law

Notification to DPA in event of data breach: No law

Notification to data subject in event of data breach: No law

Timeframe for notification is specified: No law

Exceptions exist to breach notifications: No law

Requires a data processing register: No law

Register is publicly available: No law

Provides for terms of service icons: No law

DPA must submit at least annual report: No law

DPA report is made public: No law

Explicit provision for civil liability: No law

Established/designates a Data Protection Authority: No law

DPA is empowered to investigate: No law

DPA is empowered to subpoena or request evidence: No law

Law provides for criminal penalties: No law

Law provides for administrative penalties: No law

DPA is independently structured (does not exist within or receive instructions from another public body): No law

DPA receives funding directly from the state budget/legislative body: No law

DPA may receive some forms of external funding/own revenue: No law

Adequate protections against undue removal: No law

Number of members in DPA: No law

Maximum term length for members of the DPA (years): No law

Right of data subject to access a copy of their personal data: No law

Right of data subject to request a correction of data: No law

Right of data subject to request deletion of data: No law

Justification required for a request for deletion: No law

Defines the requirements for consent: No law

DPA is mandated to participate in policy formulation: No law

There are no laws restricting cross-border transfer.

Provides a right not to be subject to automated decision-making: No law