Review of Djibouti's Data Protection Law

This article reviews Djibouti's Data Protection Law, enacted in June 2025.

Introduction

In June 2025, Djibouti enacted its comprehensive data protection law as part of its broader Digital Code. Comprising 156 articles, the legislation establishes a modern, detailed regime for regulating the collection, processing, storage, and transfer of personal data. Unusually for primary legislation, it provides extensive guidance on operational matters that other jurisdictions often reserve for implementing directives or guidance notes. Drawing heavily on international standards, the law aims to safeguard the fundamental rights and freedoms of individuals, particularly their right to privacy, while striking a balance between the needs of the state, public services, and the private sector.

Scope and Application

The law applies to automated and non-automated processing of personal data, provided the latter is part of, or intended to form part of, a structured filing system. Its territorial reach is extensive, applying not only to data controllers and processors established in Djibouti but also extraterritorially to those outside the country whose processing activities relate to offering goods/services to individuals in Djibouti or monitoring their behaviour within Djibouti. It also covers processing where Djiboutian law applies under public international law. Key exclusions include data processed for purely personal/household activities and transient technical copies made for network access.

Regulatory Oversight

The law establishes the National Commission for the Protection of Personal Data (CNDP) as the authority responsible for overseeing the law's implementation. The CNDP is designed as an independent body with administrative and financial autonomy, composed of multi-stakeholder representatives (presidency appointees, deputies, magistrates, ministry officials, the human rights commission, and a business association).

Key Obligations for Controllers and Processors

The law places significant responsibilities on data controllers and processors:

  • Accountability & Responsibility: Controllers are primarily responsible for ensuring and demonstrating compliance with the law, including for processing done by processors under their instruction. Joint controllers must transparently define their respective responsibilities.
  • Processor Obligations: Controllers must select processors that offer sufficient guarantees of data protection. Processing by processors must be governed by a contract outlining specific obligations, including confidentiality, security, restrictions on sub-processing, assistance with data subject rights, and data deletion/return.
  • Local Representative: Controllers or processors not established in Djibouti may be required to designate a local representative.
  • Data Protection by Design & Default: Controllers must implement appropriate technical and organisational measures from the design stage and ensure that, by default, only necessary data is processed.
  • Confidentiality & Security: Strict obligations are imposed to ensure the confidentiality and security of processing, including detailed technical and organisational measures to prevent unauthorised access, alteration, loss, or disclosure.
  • Breach Notification: Controllers must notify the CNDP of personal data breaches within 72 hours of becoming aware of them, unless the breach is unlikely to pose a risk. Data subjects must also be notified without undue delay if the breach poses a high risk to their rights and freedoms.
  • Data Protection Officer (DPO): Designation of a DPO is mandatory for public authorities, organisations engaged in large-scale systematic monitoring, and those processing sensitive data or criminal conviction data on a large scale. The DPO acts independently to inform, advise, monitor compliance, and cooperate with the CNDP.
  • National Register: The CNDP maintains a public national register detailing authorised or declared data-processing activities.
  • Post-Mortem Privacy: Specific rules govern the handling of personal data after an individual's death. Data subjects can issue directives on how their data should be managed (retention, erasure, communication). In the absence of directives, heirs have limited rights to access data necessary to settle the estate, close accounts, and object to further processing.
  • Further Processing: Processing data for a purpose different from the one for which it was originally collected is permitted only if based on consent, a legal obligation, or if the new purpose is compatible with the original one. Controllers must assess compatibility, considering the link between purposes, the context of collection, the nature of the data, consequences for the data subject, and available safeguards.
  • Prior Formalities (Declarations & Authorisations): The law establishes a tiered system requiring prior engagement with the CNDP for many processing activities. While simple declarations suffice for routine processing and simplified declarations for common low-risk types, prior authorisation from the CNDP is mandatory for higher-risk activities. This includes processing sensitive data for research, genetic data, biometric data for identification, data on offences/convictions, processing likely to exclude individuals from rights/contracts, certain data interconnections, and processing involving the national identification number. Specific pathways involving decrees or orders apply to state processing. This system of requiring authorisation for high-risk processing echoes similar requirements in laws like South Africa's POPIA. Exemptions exist, notably for processing covered by a DPO (unless international transfers are involved).
  • Specific Regime for Health Data Processing: The law also addresses the processing of personal data for health research, study, or evaluation. This processing requires prior CNDP authorisation, given the public-interest purpose. Authorisation involves an opinion from a specialist advisory committee. The section outlines specific derogations and modifications related to data subject rights (information, consent, and objection) applicable to this context. It outlines strict conditions for the transmission of health data held by professionals, ensuring confidentiality, and mandates professional secrecy for those involved. It also includes provisions for handling data of minors and deceased persons in research contexts and allows the CNDP to withdraw authorisation for non-compliance.

Data Subject Rights

Individuals are granted a comprehensive set of rights, exercisable free of charge:

  • Right to Information: Extensive information must be provided at the time of data collection (direct or indirect) regarding the controller, processing purposes, legal basis, recipients, transfers, retention periods, data subject rights, and automated decision-making.
  • Right of Access: Right to confirm processing and access detailed information about it, including obtaining a copy of the data (Art 32-36). Controllers may request additional information to verify the requester's identity if doubts arise. Controllers can refuse manifestly abusive requests (e.g., repetitive or systematic), but bear the burden of proof. Specific provisions allow heirs to access a deceased person's health data through a designated physician.
  • Right to Object: Right to object to processing based on legitimate interests or public tasks, and an absolute right to object to direct marketing.
  • Right to Rectification: Right to have inaccurate or incomplete data corrected.
  • Right to Erasure ('Right to be Forgotten'): Right to obtain data erasure under specific grounds (e.g., data no longer necessary, consent withdrawal, unlawful processing).
  • Right to Portability: Right to receive personal data provided by the data subject in a structured, machine-readable format and transmit it to another controller, where processing is based on consent or contract and is automated.
  • Rights related to Automated Decision-Making (ADM): Individuals have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects concerning them or have a similarly significant effect on them. Exceptions exist if the decision is legally authorised (with safeguards), necessary for a contract, or based on explicit consent (with safeguards such as the right to human intervention, to express a point of view, and to contest the decision). Businesses relying on ADM must be transparent about the logic involved and the potential consequences.
  • Right to Lodge a Complaint & Appeal: Data subjects can lodge a complaint with the CNDP if their rights are infringed or their requests are improperly handled. If dissatisfied with the CNDP's response or lack thereof, they have the right to seek judicial remedy before the Administrative Court of First Instance.
  • Rights after Death: Individuals can provide directives concerning their data after death, and heirs have limited rights in the absence of directives.

International Data Transfers

Transfers outside Djibouti are permitted only if the recipient country or international organisation ensures an adequate level of data protection, equivalent to that provided by Djiboutian law.

  • The CNDP is responsible for assessing and publishing a list of countries/organisations deemed adequate.
  • Transfers to non-adequate jurisdictions are prohibited unless specific derogations apply (e.g., explicit consent, contractual necessity, vital interests, public interest, legal claims) or if the controller provides sufficient guarantees authorised by the CNDP.

Enforcement and Penalties

The CNDP possesses significant enforcement powers:

  • Investigative Powers: Including on-site inspections, document requests, data access, and summoning individuals.
  • Corrective Measures: Issuing warnings, formal notices to comply, injunctions to cease processing, withdrawal of authorisations, and data locking. Financial penalties (astreintes) can accompany injunctions.
  • Administrative Fines: The CNDP can impose substantial financial penalties for non-compliance, up to 70,000,000 DJF, or, for undertakings, 5% of their global annual turnover, whichever is higher.
  • Criminal Offences: The law establishes numerous criminal offences for violations, including non-compliance with formalities, unlawful processing of sensitive data, fraudulent collection, breaches of purpose limitation, unauthorised transfers, security failures, breach notification failures, and obstruction of the CNDP. Penalties range significantly, including imprisonment up to 10 years and fines up to 35,000,000 DJF for serious offences.

Conclusion

The law establishes a strong, comprehensive, and modern data protection regime, clearly drawing inspiration from other global frameworks. Its strengths lie in its detailed provisions, broad scope, robust data subject rights, clear rules on international transfers, and a powerful enforcement regime combining administrative and criminal sanctions. The inclusion of granular detail of the kind usually found in secondary legislation demonstrates an intent to provide clear operational guidance from the outset.

However, the framework's complexity, particularly the multi-layered system of prior declarations, authorisations, and regulatory acts, could pose significant implementation challenges for both businesses and the newly established CNDP. The effectiveness of the law will depend heavily on the CNDP being adequately resourced and equipped with the necessary technical and legal expertise to navigate its extensive mandate, issue clear guidance, manage authorisation processes efficiently, and consistently enforce the rules. If implemented effectively, this law has the potential to significantly enhance privacy