Law No. 007/PR/2015 Chad

    Overview

    Law No. 007/PR/2015, also known as the Personal Data Protection Law, establishes a legal framework for the protection of personal data in Chad. The law outlines the principles for lawful data processing, supports individuals' rights regarding their data, and places specific obligations on businesses that collect or process personal data. It also defines penalties for violations and sets up a supervisory authority responsible for oversight.

     

    Regulation Summary

    Timeline

    February 10, 2015 – Law No. 007/PR/2015 enacted and effective.

    What Businesses Are Affected
    • All businesses operating in Chad or processing personal data of individuals residing in Chad.
    • Applies to companies of all sizes and industries, including technology, finance, healthcare, and e-commerce.
    • Non-Chadian companies targeting Chadian residents (e.g., via websites or digital services).
    Exemptions
    • National Security: Data processing for national defense or public safety is excluded.
    • Personal Use: Data processing strictly for private, non-commercial purposes.
    Responsibilities for Businesses
    • Lawful Data Processing: Personal data must be collected and processed for legitimate purposes.
    • Data Security: Businesses must implement technical and organizational measures to protect data.
    • Transparency: Individuals must be informed about the use of their data.
    • Accountability: Organizations must maintain records of processing activities.
    Specific Responsibilities for Website Owners
    • Cookie Consent: Users must provide explicit consent for cookies (except essential cookies).
    • Privacy Policy: Websites must display clear and detailed privacy notices.
    • User Rights Portal: Websites must enable individuals to exercise their data rights.
    • Secure Forms: Personal data submitted via forms must be encrypted.
    Additional Requirements
    • Cross-Border Data Transfers: Only allowed under strict safeguards.
    • Data Protection Officer (DPO): Required for entities processing large amounts of sensitive data.
    • Impact Assessments: Necessary for high-risk data processing activities.
    Data Subject Rights
    • Access: Request a copy of personal data.
    • Rectification: Correct inaccurate data.
    • Erasure: Request deletion of personal data under certain conditions.
    • Portability: Transfer data to another service provider.
    • Objection: Refuse processing for specific purposes.
    • Restriction: Limit processing in certain cases.
    Enforcement
    • Authority: The National Agency for Computer Security and Electronic Certification (ANSICE) oversees enforcement.
    • Fines: Penalties for non-compliance range from 1 million to 10 million Central African CFA francs (approximately $1,734 to $17,345 USD). Additionally, offenders may face imprisonment ranging from three months to one year.
    • Audits: Regular inspections and potential enforcement actions for violations.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596