FAST FACTS

Population: 43,849,269

Capital: Khartoum

Head of State: Abdel Fattah al-Burhan

2021 Freedom House Score: 17/100

Data protection law? No, with no data protection authority yet appointed

Privacy enshrined in Constitution: Yes, Section 55 of Sudan’s Constitution protects the right to privacy, including of correspondence.

DPA legislation: Sudan currently has no data protection legislation, although various sectoral laws are of relevance, such as the Electronic Transactions Act, 2007, the Cybercrime Act, 2007, the Cybercrime Prevention (Amendment) Act, 2020, and Law No. 14 on Information Technology Crime.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: No law

Applies to juristic persons: No law

Applies to public entities: No law

Domestic/personal purposes exclusion: No law

National security exclusion: No law

Law enforcement exclusion: No law

Cabinet or Executive Council exclusion: No law

Judicial functions exclusion: No law

Journalistic, literary or artistic purposes exclusion: No law

Temporary copies exclusion: No law

Other exclusion(s): No law

Broad or vague exclusions: No law

Applies to foreign entities: No law

Excludes foreign entities that only transit personal data through the country: No law

Personal data is not defined.

There are currently no requirements for collection and processing.

Notification that data is being processed: No law

Notification to DPA in event of data breach: No law

Notification to data subject in event of data breach: No law

Timeframe for notification is specified: No law

Exceptions exist to breach notifications: No law

Requires a data processing register: No law

Register is publicly available: No law

Provides for terms of service icons: No law

DPA must submit at least annual report: No law

DPA report is made public: No law

Explicit provision for civil liability: No law

Established/designates a Data Protection Authority: No law

DPA is empowered to investigate: No law

DPA is empowered to subpoena or request evidence: No law

Law provides for criminal penalties: No law

Law provides for administrative penalties: No law

DPA is independently structured (does not exist within or receive instructions from another public body): No law

DPA receives funding directly from the state budget/legislative body: No law

DPA may receive some forms of external funding/own revenue: No law

Adequate protections against undue removal: No law

Number of members in DPA: No law

Maximum term length for members of the DPA (years): No law

Right of data subject to access a copy of their personal data: No law

Right of data subject to request a correction of data: No law

Right of data subject to request deletion of data: No law

Justification required for a request for deletion: No law

Defines the requirements for consent: No law

DPA is mandated to participate in policy formulation: No law

There are no laws restricting cross-border transfer.

Provides a right not to be subject to automated decision-making: No law