REPUBLIC OF CONGO
DATA PROTECTION FACTSHEET
President: Denis Sassou Nguesso
2021 Freedom House Score: 20/100
Data protection law? Yes, but data protection authority not yet appointed
Privacy enshrined in Constitution: Yes, the Constitution of the Republic of Congo provides for the protection of privacy of correspondence and communication under Article 26.
DPA legislation: Law No. 29-2019 on the Protection of Personal Data governs the protection of personal data in the Republic of Congo. The law was passed in 2019 and provides for the creation of a national data protection authority, the Commission, which has not yet been established. The Law follows the typical Francophone African model, providing for prior notification to the Commission for the processing of personal information.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: Signed
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: Yes
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
Personal data is defined as any information related to a natural person who is identified or identifiable, directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity.
Sensitive personal data are genetic data, data related to minors, data regarding offences, criminal convictions or security measures, biometric data, and all personal data relating to religious, philosophical or political opinions or trade union activities, sex life, race, or health.
Data controller is any natural, legal, public or private person, any organisation or association which, alone or with others, makes the decision to collect and process personal data and determines the purposes thereof.
The processing of personal data is considered legitimate only if the data subject gives their explicit consent, with some exceptions.
This consent requirement may be waived when the processing is essential with respect to:
- compliance with a legal obligation to which the controller is subject;
- execution of a mission in the public interest;
- execution of a contract to which the data subject is party, or of pre-contractual measures;
- safeguarding of the interests or rights and fundamental liberties of the data subject.
The processing of personal data that reveals a person’s ethnic or regional origin, parentage, political opinions, religious or philosophical beliefs, membership in a trade union, sex life, genetic data or, more generally, data relating to the state of health of the person concerned, is forbidden except in a number of specific circumstances.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Partial
Timeframe for notification is specified: Partial
Exceptions exist to breach notifications: Yes
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: NA
Explicit provision for civil liability: No
Establishes/designates a Data Protection Authority: Yes
DPA is empowered to investigate: No
DPA is empowered to subpoena or request evidence: No
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Unclear
DPA receives funding directly from the state budget/legislative body: Unclear
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: Unclear
Number of members in DPA: Unclear
Maximum term length for members of the DPA (years): Unclear
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Unclear
Under Article 23 of the Law, personal information may be transferred to another country if the destination country provides a sufficient level of protection for the right to privacy and fundamental rights and freedoms. The data controller must inform the Commission of any transfer prior to its implementation. The Commission will take measures to ensure that the data controller is providing a sufficient level of protection, notably with regard to security measures, and will take into consideration factors such as the nature of the information, the purpose of the processing, the duration of the processing, as well as the origin and the destination of the information.
The Law provides for certain exceptions to Article 23, such as if the transfer is punctual, not significant, and the data subject has consented or the transfer is necessary for various reasons.
Provides a right not to be subject to automated decision-making: Yes