Law No. 29-2019 Congo

    Overview

    Loi n° 29-2019 on the Protection of Personal Data governs the protection of personal data in the Republic of Congo. Adopted on October 10, 2019, this law establishes rules to safeguard individuals' fundamental rights, particularly regarding their privacy, in relation to the collection, processing, and use of personal data. The law mandates that personal data processing must align with legal, fair, and transparent principles. It also emphasizes specific conditions for handling sensitive personal data and outlines the creation of a supervisory authority for enforcement, though this authority has not yet been established.

     

    Regulation Summary

    Timeline
    • October 10, 2019: Law No. 29-2019 is enacted.
    • November 7, 2019: The law is published in the Official Journal.
    • Compliance Deadline: Organizations must comply within one year for private sector entities and two years for public sector entities.
    What Businesses Are Affected
    • All organizations processing personal data in Congo, including private companies and public institutions.
    • Foreign companies processing data of individuals in Congo or using local data processing means.
    • Entities processing personal data related to public security, defense, law enforcement, and economic or financial interests of the state.
    Exemptions
    • Personal data processing for exclusively personal or domestic purposes, provided it is not shared with third parties.
    • Temporary copies of data used for technical transmission and network access services.
    • Processing of data for journalistic, artistic, literary, or research purposes, subject to ethical guidelines.
    Responsibilities for Businesses
    • Lawful Processing: Data must be collected with consent, a legal obligation, contractual necessity, or another legitimate basis.
    • Purpose Limitation: Processing must be limited to the specified and legitimate purposes.
    • Data Security: Organizations must implement protective measures to prevent unauthorized access, loss, or alteration of data.
    • Accountability: Businesses must maintain processing records and appoint responsible officers where applicable.
    Specific Responsibilities for Website Owners
    • Cookie Consent: Users must be informed and given a choice before cookies are stored (except for essential cookies).
    • Privacy Notice: Websites must display a clear privacy policy outlining data collection, usage, and retention.
    • User Rights Portal: Websites should provide an interface for individuals to exercise their data rights.
    • Secure Data Transmission: Personal data collected through forms must be encrypted and protected.
    Additional Requirements
    • Cross-Border Data Transfers: Allowed only if the recipient country ensures an adequate level of data protection or specific safeguards are in place.
    • Data Protection Officer (DPO): Required for public entities and private companies involved in large-scale or sensitive data processing.
    • Impact Assessments: Mandatory for high-risk processing activities, including automated decision-making, profiling, or large-scale processing of sensitive data.
    Data Subject Rights
    • Access: Individuals can request a copy of their data.
    • Rectification: Right to correct inaccurate or incomplete data.
    • Erasure: Right to request deletion of personal data under certain conditions.
    • Portability: Right to obtain and transfer personal data in a structured format.
    • Objection: Individuals can refuse processing for marketing, research, or certain other purposes.
    • Restriction: Individuals may request processing limitations under specific circumstances.
    Enforcement
    • Regulatory Body: The Data Protection Commission (Commission de Protection des Données à Caractère Personnel - CPDCP) oversees compliance.
    • Fines: Penalties range from 1 million to 100 million CFA francs (~$1,650 to $165,000 USD), depending on the severity of the violation.
    • Audits & Inspections: The commission can conduct investigations and order corrective measures, including suspension of processing activities.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596