Review of the Central African Republic Data Protection Law

Introduction

In January 2024, the Central African Republic (CAR) enacted Law No. 24.001 on the Protection of Personal Data. The law establishes a comprehensive legal framework for safeguarding personal data in CAR. It reflects emerging international standards of data governance by imposing obligations on data controllers and processors while protecting the rights of individuals.

Key Provisions

Scope

The law applies broadly to any processing of personal data carried out within the Central African Republic or having effects within its territory, including processing related to public security, defence, the investigation and prosecution of criminal offences, and judicial proceedings. It exempts processing carried out for purely personal or household purposes, processing that serves only to facilitate access to digital networks, and temporary technical storage.

Principles of Processing

Like most data protection laws in Africa, the law sets out the key principles of processing: lawfulness, fairness, transparency, accuracy, storage limitation, and purpose limitation. Data controllers are required to adopt appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or misuse. The law obliges controllers to assess the risks inherent in the processing and to implement measures that preserve the confidentiality and integrity of the data.

Lawful Basis for Processing

The law sets out the legal bases for processing, which include consent, performance of a contract, compliance with a legal obligation, protection of vital interests, public interest, the exercise of official authority, and legitimate interests. It also specifies that where the data subject is a minor, parental consent must be obtained.

Processing of Sensitive Data

Sensitive data, such as data revealing racial origin, political opinions, religious beliefs, or trade union membership, as well as genetic and biometric data, health information, and data concerning sex life, is subject to stricter regulation. Processing of such data is generally prohibited, except where it is based on consent, the protection of vital interests, preventive medicine or medical treatment, or the establishment or defence of legal claims.

Direct Marketing

The law places strict controls on direct marketing. Any marketing by telephone, SMS, email, instant messaging, or social media requires the prior consent of the recipient. Every marketing communication must contain clear information about the sender and an opt-out option, and data subjects must be given a simple and effective mechanism to unsubscribe or change their preferences at any time.

Cross-Border Transfers

The law creates a tiered system for international data transfers. A controller may transfer personal data to a foreign state only if that state provides a level of protection similar to that of CAR. For transfers to member states of the Economic and Monetary Community of Central Africa (CEMAC)[1] or the Economic Community of Central African States (ECCAS)[2], the law sets out specific conditions relating to the necessity and lawfulness of the transfer. For transfers to non-member states that do not offer an adequate level of protection, transfers are permitted only under specific derogations, such as the data subject's explicit consent, contractual necessity, or the safeguarding of an important public interest. The law also allows the data protection agency to authorise such transfers where the controller provides sufficient guarantees, for example through appropriate contractual clauses.

Rights of Data Subjects

The law provides for the key rights of data subjects, including the right of access, the right to rectification, the right to erasure, the right to object to processing, the right not to be subject to automated decision-making, and the right to be informed. Where the data subject is a minor, these rights may be exercised through a parent or guardian. Where the data subject is physically or mentally incapable of exercising them, the rights may be exercised by the data subject's spouse, cohabitant, child, or sibling.

Appointment of a Data Protection Officer (DPO)

Data controllers are required to appoint a DPO, who must be resident in CAR, to ensure compliance, maintain the register of processing activities, advise on new processing operations, and act as the liaison with the supervisory authority. The DPO must act independently, must be given sufficient resources, and may be dismissed only on serious grounds.

Record Keeping

The DPO, acting on behalf of the controller, is responsible for maintaining an up-to-date register of all processing activities.

Security Measures

Controllers and processors are required to take all necessary precautions and to implement appropriate technical and organisational measures to preserve the security of personal data and to protect it against accidental or unlawful destruction, loss, alteration, or unauthorised access.

Data Breach Notification

The law defines a personal data breach and places the primary notification duty on the controller, which must inform the data protection agency (yet to be established) in the event of a breach.

Data Processing Agreements

When a controller engages a processor, the relationship must be governed by a contract that binds the processor to act only on the controller's instructions and to provide sufficient guarantees of security and confidentiality.

Supervision and Sanctions

The law provides for the establishment of an independent administrative authority tasked with supervising compliance with and application of the law, conducting investigations, handling complaints, and imposing administrative sanctions. The authority may issue warnings, order the cessation of processing, or impose financial penalties of up to five percent of annual turnover. Criminal sanctions, including imprisonment and fines, are provided for offences such as fraudulent collection, misuse of data, and unlawful retention.

Establishment of a Supervisory Authority

The law requires the Ministry of Digital Economy, Posts, and Telecommunications to establish the data protection authority within 12 months of the law's enactment. Pending the establishment of the authority, the Ministry oversees the implementation of the law.

Conclusion

The data protection law provides a legal framework for protecting personal data within the country, securing the rights of data subjects and imposing corresponding obligations on data controllers and processors. Its effectiveness, however, depends on the timely establishment of the supervisory authority and on consistent enforcement across the public and private sectors. The transition of responsibilities from the supervising Ministry to a fully functional and adequately resourced agency will be the critical next step in ensuring that the rights and protections enshrined in the law are realised for data subjects in CAR.

[1] These countries are Cameroon, the Central African Republic (CAR), Chad, the Republic of the Congo, Equatorial Guinea, and Gabon.

[2] These countries are Angola, Burundi, Cameroon, the Central African Republic, Chad, the Republic of the Congo, the Democratic Republic of the Congo, Equatorial Guinea, Gabon, Rwanda, and São Tomé and Príncipe.