Democratic Republic of the Congo | Fact Sheet

DEMOCRATIC REPUBLIC OF CONGO

DATA PROTECTION FACTSHEET

Art by Nightstallion, Public domain, via Wikimedia Commons

PARTIAL DATA PROTECTION LAW IN PLACE

UNCLEAR IF DATA PROTECTION AUTHORITY IS APPOINTED

Fast Facts
Domestic Law

Privacy enshrined in Constitution: Yes, Article 31 of the Constitution protects the right to privacy and the secrecy of correspondence, telecommunications and any other form of communication.

DPA legislation: The Democratic Republic of the Congo (DRC) currently has no dedicated data protection legislation, but appears to have a partial data protection framework in place in the form of its Digital Code, enacted in 2023.

Some other specific sectoral laws deal with elements related to data protection, such as Law No. 013/2002 of 16 October 2002 which governs the telecommunications sector and provides that personal data protection should be a factor in the establishment and implementation of telecommunications networks. Law 10/002 of 20 August 2010 establishing the Customs Code and Decree-Law 011/46 of 24 November 2011 regarding the application measures of the Customs Code provide some principles relating to the protection of personal information.

In December 2022, the Council of Ministers approved a draft bill authorising the ratification of the African Union Convention on Cybersecurity and the Protection of Personal Information.
International Commitments
Scope of Application

Applies to natural persons: No law

Applies to juristic persons: No law

Applies to public entities: No law

Domestic/personal purposes exclusion: No law

National security exclusion: No law

Law enforcement exclusion: No law

Cabinet or Executive Council exclusion: No law

Judicial functions exclusion: No law

Journalistic, literary or artistic purposes exclusion: No law

Temporary copies exclusion: No law

Other exclusion(s): No law

Broad or vague exclusions: No law

Applies to foreign entities: No law

Excludes foreign entities that only transit personal data through the country: No law
Personal Data
Collection and Processing
Transparency

Notification that data is being processed: No law

Notification to DPA in event of data breach: No law

Notification to data subject in event of data breach: No law

Timeframe for notification is specified: No law

Exceptions exist to breach notifications: No law

Requires a data processing register: No law

Register is publicly available: No law

Provides for terms of service icons: No law

DPA must submit at least annual report: No law

DPA report is made public: No law
Accountability

Explicit provision for civil liability: No law

Established/designates a Data Protection Authority: No law

DPA is empowered to investigate: No law

DPA is empowered to subpoena or request evidence: No law

Law provides for criminal penalties: No law

Law provides for administrative penalties: No law

DPA is independently structured (does not exist within or receive instructions from another public body): No law

DPA receives funding directly from the state budget/legislative body: No law

DPA may receive some forms of external funding/own revenue: No law

Adequate protections against undue removal: No law

Number of members in DPA: No law

Maximum term length for members of the DPA (years): No law
Participation

Right of data subject to access a copy of their personal data: No law

Right of data subject to request a correction of data: No law

Right of data subject to request deletion of data: No law

Justification required for a request for deletion: No law

Defines the requirements for consent: No law

DPA is mandated to participate in policy formulation: No law
Cross-border Transfer
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 23 May 2023