Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Cameroon - Data Protection Overview
Back

Cameroon - Data Protection Overview

March 2022

1. Governing Texts

The increased use of digital platforms requires the collection and storage of a wide range of personal data. Thus, some websites, commercial companies, public entities, health care establishments, banks, and others often hold valuable information in digital form, on their customers or users. Protecting such data has become a major regulatory and legislative concern in Cameroon.

1.1. Key acts, regulations, directives, bills

In Cameroon, legal provisions on data protection are found in several laws. As a specific data protection law is still yet to be adopted, it is quite challenging for users to control the use of their data. However, Cameroon is preparing a privacy bill ('the Bill'), according to the competent services of the Ministry of Posts and Telecommunications. The drafting of the Bill is ongoing. The Bill will govern the collection, processing, transmitting, storage, and use of data.

The applicable laws mostly cover data relating to the electronic communications meanwhile some other sectors of activity handle personal data daily.

In the preamble to the Constitution of the Republic of Cameroon, Law No. 96/6 of 18 January 1996 revising the Constitution of 02 June 1972, as amended and supplemented by Law No. 2008/001 of 14 April 2008 ('the Constitution'), it is stated that:

Data protection is, therefore, a right enshrined in the Constitution.

In addition, the following national laws are applicable:

  • Law No. 2005/007 of 27 July 2005 on the Criminal Procedure Code (only available in French here);
  • Law No. 2000/011 of 19 December 2000 on Copyrights and Neighbouring Rights (only available in French here);
  • Law No. 2003/004 of 21 April 2003 on Banking Secrecy ('the Law on Banking Secrecy');
  • Law No. 2006/018 of 29 December 2006 to Regulate Advertising in Cameroon (only available in French here) ('the Advertising Law');
  • Law No. 2010/013 of 21 December 2010 Regulating Electronic Communications in Cameroon (only available in French here) ('the Electronic Communications Law');
  • Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon (only available in French here) ('the Cybersecurity Law');
  • Law No. 2010/021 of 21 December 2010 Regulating Electronic Commerce in Cameroon (only available in French here) ('the E-Commerce Law');
  • Law No. 2011/012 of 06 May 2011 on Consumer Protection in Cameroon (only available in French here) ('the Consumer Protection Law');
  • Decree No. 2011/1521/PM of 15 July 2011 Laying down the Conditions of Application of Law No. 2010/021 of 21 December 2010 Regulating Electronic Commerce in Cameroon (only available in French here) ('the Regulating Electronic Commerce Decree');
  • Decree No. 2015/3759 of 3 September 2015 Laying Down the Identification Requirements for Subscribers and Terminal Equipment of Electronic Communication Networks (only available in French here) ('the Identification Requirements Law');
  • Decree No. 2012/1641/PM of 14 June 2012 Laying Down the Conditions for Number Portability of Subscribers' Numbers of Operators of Electronic Communications Networks Open to the Public (only available in French here) ('the Number Portability Decree');
  • Decree No. 2012/203 of 20 April 2012 on the Organisation and Functioning of the Telecommunications Regulatory Agency (only available in French here);
  • Decree No. 2013/0399/PM of 27 February 2013 Laying Down the Rules for the Protection of Consumers of Electronic Communications Services (only available in French here) ('the E-Communications Consumer Protection Decree');
  • Law No. 2015/006 of 20 April 2015 Amending and Completing Some Provisions of Law No. 2010/013 of 21 December 2010 Regulating Electronic Communications in Cameroon (only available in French here);
  • Law No. 2016/007 of 12 July 2016 on the Penal Code in Cameroon (only available in French here) ('the Penal Code');
  • Decree No 2017/2580/ PM of 06 April 2017 Setting the Terms and Conditions for the Establishment or Operation of Electronic Communications Networks and Supplies of Electronic Communications Services subject to the Authorisation Regime; and
  • Decree No. 2019/150 of 22 March 2019 on the Organisation and Functioning of the National Information and Communication Technology Agency (ANTIC) (only available in French here) ('the ANTIC Decree').

CEMAC legislation

The following legislation issued by the Central African Economic and Monetary Community ('CEMAC') is applicable:

  • Regulation No. 21/08-UEAC-13-CM-18 of 19 December 2008 on the Harmonisation of Regulations and Regulatory Policies on Electronic Communications in CEMAC Member States ('the Regulation on Harmonisation in CEMAC Member States');
  • Directive No. 07/08-UEAC-133-CM-18 of 19 December 2008 on the Legal Framework for the Protection of Users of Electronic Communications Networks and Services within CEMAC (only available in French here);
  • Directive No. 09/08-UEAC-133-CM-18 of 19 December 2008 Harmonising the Legal Frameworks of Electronic Communications in the CEMAC Member States (only available in French here);
  • Regulation No. 03/16-CEMAC-UMAC-CMAC-CM of 21 December 2016 on Systems, Means and Incidents of Payment (only available in French here) ('the CEMAC Payment Systems Regulation');
  • Directive No. 02/19-UEAC-639-CM-18 of 08 April 2019 Harmonising the Protection of Consumers within CEMAC (only available in French here) ('the Directive Harmonising Consumer Protection within CEMAC'); and
  • Regulation No. 01/20/CEMAC/UMAC/COBAC of 03 July 2020 on the Protection of Consumers of Banking Products and Services in CEMAC ('the CEMAC Regulation on Financial Consumer Protection').

Banking sector and financial market

The following legislation applies:

  • the Law on Banking Secrecy;
  • the CEMAC Payment Systems Regulation;
  • the CEMAC Regulation on Financial Consumer Protection;
  • Regulation No. 06/03-CEMAC-UMAC of 12 November 2003 on the Organisation, Functioning and Supervision of the Central African Financial Market (only available in French here) ('the Financial Market Regulation');
  • Central African Banking Commission ('COBAC') Regulation No. R-2016/04 of 08 March 2016 on the Internal Control of Credit Establishments and Financial Holdings (only available in French here);
  • Regulation No. 01/CEMAC/UMAC/CM of 11 April 2016 on the Prevention and Suppression of Money Laundering and the Financing of Terrorism and Proliferation in Central Africa (only available in French here) ('the Prevention and Suppression of Money Laundering and Financing of Terrorism Regulation');
  • Additional Act No. 06/17-CEMAC-COSUMAF-CCE-SE of 19 February 2018 on the Unification of the CEMAC Financial Market (only available in French here); and
  • Instruction No. 001/GR/2021 of 09 February 2021 on Defining the Operating Modalities of the Central Payment Incident Unit (only available in French here).

Health and pharmaceuticals sector

In Cameroon, the health sector and the pharmaceutical industry is governed by various laws including:

  • the Penal Code;
  • Law No. 90/36 of 10 August 1990 Organising Medical Practice (only available in French here) ('the Law on Medical Practice');
  • Decree No. 83-166 of 12 April 1983 on the Code of Ethics of Medical Doctors (only available in French here) ('the Medical Code of Ethics'); and
  • Decree No. 2002/209 of 19 August 2002 on the Organisation of the Ministry of Public Health (only available in French here).

Telecommunications

The telecommunications sector encompasses all the aspects of ICT and electronic communications. The relevant laws are:

  • the Cybersecurity Law;
  • the Electronic Communications Law;
  • the E-Commerce Law;
  • the Consumer Protection Law;
  • the Identification Requirements Law;
  • the E-Communications Consumer Protection Decree;
  • the ANTIC Decree; and
  • the Regulation on Harmonisation in CEMAC Member States.

1.2. Guidelines

Banking sector

The main regulator in the banking sector is the COBAC, established by the Convention of 16 October 1990 (only available in French here). COBAC has supervisory competence over credit institutions, monitoring their liquidity and solvency, in addition to noting and sanctioning breaches.

Financial market

The Financial Market Supervisory Commission ('COSUMAF') was established by the Financial Market Regulation.

Health & pharma

The Ministry of Public Health and the National Council of Medical Doctors ('the Doctors Council') play a key role in the health and pharmaceutical sector in Cameroon.

The Doctors Council ensures that the principles of morality and dedication relevant to the practice of a medical doctor are respected and that the rules laid down in the Medical Code of Ethics are complied with.

Telecommunications

The main regulator is the National Information and Communication Technology Agency ('ANTIC') established by the ANTIC Decree. Its missions include:

  • ensuring the ethical use of ICT, consumer protection, and privacy; and
  • regulating, controlling, and monitoring activities relating to the security of information systems and electronic communications networks, as well as electronic certifications.

In addition, the Telecommunications Regulatory Agency ('ART') supervises and regulates the activities of telecommunications operators.

1.3. Case law

In Cameroon, infringements of image rights have led to:

YOMBA Madeleine v. Les Brasseries du Cameroun and the case of Mrs. MFOPA MAMA born NTOUO SABIATOU v. Société NESTLE Cameroun S.A and Société Océan Central Africa SA

In both cases, an individual photo was unlawfully used for advertising purposes without the individual's consent, constituting a violation of the individual's image right.

Mrs. MBOCK Frankline Junior v. Les Films TERRE AFRICAINE and Les Brasseries du Cameroun

In this case, a contract for the use of an individual's image within a specific period of two years was infringed, as the broadcasting of the advertising spot went beyond the agreed term. That constituted a violation of the individual's image rights. The final judgment ruled that mere evidence of the invasion of one's privacy gives rise to compensation and that there is, therefore, no need to establish that the claimant suffered damage.

2. Scope of Application 

2.1. Personal scope

In Cameroon, data protection laws apply to identifiable natural persons. 

2.2. Territorial scope

National data protection laws apply to facts governed by national laws. The CEMAC laws apply to the facts that they specifically cover.

2.3. Material scope

In Cameroon, the protection of personal data is governed by several national and community laws. As far as electronic communications are concerned, specific laws govern the collection of personal data by operators and of electronic communications networks service providers.

As such, the information covered by these laws is as follows:

  • Prohibition to collect sensitive data: Article 28 of the CEMAC Regulation on Financial Consumer Protection provides: '[...] it is prohibited for reporting institutions to collect, store, process or disseminate sensitive consumer data.' 

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

An Authority dedicated to data protection has not yet been appointed.

However, the ANTIC ensures, on behalf of the State, the regulation, control, and monitoring of activities related to the security of information systems and electronic communications networks. It also assists in the identification of cybercriminals.

3.2. Main powers, duties and responsibilities

The ANTIC has the power to:

  • ensure the ethical use of ICT and the protection of intellectual property, consumers, public morals, and privacy;
  • monitor, detect, and provide information on computer risks and the actions of cybercriminals;
  • establish material facts in the commission of cybercrime, that can only be revealed through systematic, unannounced, and pluralist checks carried out by professionals in the sector, by judicial police officers, and duly commissioned agents; and
  • commit its sworn agents who may, as a result, gain access to premises, land, or means of transport for professional use, request communication of any professional document and take copies of it, and collect information.

4. Key Definitions

Data controller: There is no definition provided by Cameroon law.

Data processor: There is no definition provided by Cameroon law.

Personal data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity (Article 2 of the Directive Harmonising Consumer Protection within CEMAC). Thus, personal data can be considered as the full name, social security number, national identity card number, passport number, account number, date and place of birth, physical address and email, telephone number, bank card number, biometric data such as fingerprints and DNA, etc.

Sensitive data: Religious opinions or activities, political opinions, trade union membership, data concerning sex life, genetic and biometric information, health data are referred to as sensitive data (Article 28 of the CEMAC Regulation on Financial Consumer Protection).

Health data: Data related to health conditions.

Biometric data: Fingerprints, DNA, etc.

Pseudonymisation: There is no definition provided by Cameroon law.

Data subject: A data subject is an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity (Article 2 of the Directive Harmonising Consumer Protection within CEMAC).

Data processing: Any operation or set of operations, whether or not carried out by automatic means and applied to personal data, such as the collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, distribution or otherwise making available, alignment or interconnection, blocking, erasure or destruction of personal data (Article 2 of the Directive Harmonising Consumer Protection within CEMAC).

Direct marketing: The sending of any message intended to promote, directly or indirectly, goods, services or the image of a person selling goods or providing services (Article 7(2) of the E-Commerce Law).

Electronic communication: Emission, transmission, or reception of signs, signals, writings, images, or sounds, by electromagnetic means (Article 4(22) of the Cybersecurity Law).

Cybercrime: All offences committed through cyberspace by means other than those usually used, for criminal purpose (Article 4(32) of the Cybersecurity Law).

5. Legal Bases

5.1. Consent

Consent is a described as a prerequisite in several laws governing the collection and processing of personal data in Cameroon.

Section 44(1) of the Cybersecurity Law provides that it is prohibited for any natural person or legal entity to listen, intercept, store communications and related traffic data, or subject them to any other means of interception or surveillance, without the consent of the users concerned, except where such person is legally authorised to do so.

In addition, Section 3 of the Regulating Electronic Commerce Decree provides that persons engaged in electronic commerce and established in a third country must specify the applicable law and obtain the consent of the recipient of the proposed service.

Moreover, Section 7 of the E-Commerce Law provides that prior consent is necessary for direct marketing using an automatic calling machine, fax or e-mail using, in any form whatsoever, the contact details of a natural or legal person.

Further, Section 60 of the Advertising Law makes it clear that anyone who knowingly causes the dissemination of an advertisement containing references or other declarations emanating from an identified individual, firm, or institution, without the authorisation of the interested parties or their proxies, or without the permission of the authorised party exhibiting the image, first name, surname, or pseudonym of an identifiable individual, shall be liable to the punishment provided under the Penal Code.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

The relevant laws provide for a set of obligations for the data controller, including the following:

  • to give the subscriber the possibility to obtain, free of charge, communication of identifying information concerning them and the rectification, clarification, or updating of such information;
  • to guarantee the right to confidentiality and respect for correspondence and the right to security of the information on their networks;
  • to take appropriate measures to ensure the protection, integrity, and confidentiality of the identification data they hold or process; and
  • to take technical measures to protect identification data against accidental or illicit destruction, accidental loss, alteration, dissemination, unauthorised access, interception, even during the transfer of data in their networks.

5.4. Interests of the data subject

See section on data subject rights below.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

From the various laws that apply to data protection, it is established that data protection must be based on various principles, such as:

  • the principle of the confidentiality of communications transmitted and data relating to traffic on communication networks;
  • the principle of keeping the connection and traffic data for a period not exceeding ten years; and
  • the principle that data can be rectified, modified, or updated at any time by the data subject.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable.

7.2. Data transfers

On data localisation requirements and transfer of data outside the territory of Cameroon, Cameroon law provides that the relevant data must be available in the device/system present on the Cameroonian territory on which it was generated.

In case of judicial proceedings in Cameroon, the data should remain available to the investigators.

For banking institutions, when a licensed CEMAC bank partners with a foreign financial institution, the bank should store all the transactional data in their facilities for ten years and make them available for any control at the initiative of the COBAC.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

Not applicable.

7.7. Data retention

Regarding data retention, Section 25(1) of the Cybersecurity Law provides that network operators and electronic communications service providers are required to retain data on connections and traffic for ten years.

Banking sector

Regarding the storage of personal data, Article 10 of the CEMAC Payment Systems Regulation provides that, when opening an account, the customer must provide their personal data.

Article 218 of the CEMAC Payment Systems Regulations adds that the Bank of Central African States ('the Central Bank') shall take all appropriate precautions to prevent the personal data recorded from being distorted, damaged, or accessed by unauthorised third parties.

Furthermore, the CEMAC Regulation on Financial Consumer Protection requires credit institutions to record, collect, process, store, and share consumer personal data in a lawful, fair, and non-fraudulent manner. However, credit institutions are prohibited from collecting, storing, processing, and disseminating sensitive consumer data.

Financial market

Financial market data must be kept for a specified period of ten years. Persons handling such data have an obligation of confidentiality, and disclosure is subject to prior authorisation by the competent authority. Any offender shall be liable to penalties, including imprisonment, as provided by Article 38 of the Prevention and Suppression of Money Laundering and Financing of Terrorism Regulation.

Health and pharmaceuticals sector

Patient data is stored at several levels. Within each healthcare establishment, patient-doctor communications are privileged and confidential.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Not applicable.

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

8.1. Right to be informed

Article 4(1) of the E-Communications Consumer Protection Decree provides that a consumer of electronic communications services has, notably, the right to [...] information from the operator or service providers.

Article 30 of the CEMAC Regulation on Financial Consumer Protection provides that where personal data has been collected from the consumer, the reporting institution shall be required to […] communicate to the consumer the purposes of the processing and the identity of the possible receivers of the personal data.

8.2. Right to access

Article 4(2) of the E-Communications Consumer Protection Decree provides that the consumer of electronic communications services] is also entitled to [...] access to electronic communications services, with standards of quality and regularity inherent in its nature, throughout the national territory.

8.3. Right to rectification

Article 20 of the Identification requirements Law provides that subscribers have the right to obtain, free of charge, the communication of their identification information and require this data to be the rectified, or updated.

8.4. Right to erasure

Article 30 of the CEMAC Regulation on Financial Consumer Protection provides that where personal data has been collected from the consumer, the reporting institution shall be required to […] communicate to the consumer the purposes of the processing and the identity of the possible receivers of the personal data, [and to] inform the consumer of their right to rectification and erasure.

8.5. Right to object/opt-out

Article 4(2) of the E-Communications Consumer Protection Decree provides that the consumer of electronic communications services] is also entitled to the right […] to the service provider's responses to his complaints; [and to] compensation for damages arising from the violation of their rights.

8.6. Right to data portability

Article 2 of the Number Portability Decree requires the operators to preserve the subscriber’s right to maintain the same phone number when he changes the operator.

8.7. Right not to be subject to automated decision-making

Article 30 of the CEMAC Regulation on Financial Consumer Protection provides that the reporting institution is required to obtain the prior consent of each consumer before transmitting his data to third parties, except for credit information offices and any person to whom banking secrecy is not enforceable.

8.8. Other rights

Not applicable.

9. Penalties

Banking sector

In the banking sector, the sanction for a violation of banking secrecy is provided by Article 26 of the Law on Banking Secrecy. Anyone who violates banking secrecy shall be punished by imprisonment for a term of three months to three years and/or a fine of XAF 1 million (approx. €1,520) to 10 million (approx. €15,240). If the offence is committed through the press or a computer network, the penalties shall be doubled.

Financial market

The Penal Code punishes the offences of insider trading and interference with the financial market.

Insider trading

According to Section 135(1) of the Penal Code, commits insider trading:

  • a commercial or industrial company manager, or a natural person, who, by reason of their duties or professions, has insider information on the situation or prospects of the issuer of stocks and shares whose transferrable securities are on the market, and performs or knowingly helps to perform, either directly or indirectly, transactions before public disclosure of such information, with the objective of obtaining an undue profit;
  • a natural person who, in the course of their duties or profession, has access to privileged information on the situation or prospects of the issuer of stocks and shares whose transferrable securities are on the market, and who beyond the scope of their ordinary duties of profession, transmits the information to a third party with a view to obtaining an undue profit; and
  • a natural person who, in the exercise of their profession or duties, possesses privileged information that is considered confidential, relating to the implementation of a project by the State, regional, and local authority or any other public corporate body, and uses the information to their advantage or that of a third party so as to delay the envisioned project or to include additional costs.

Insider trading shall be punished with imprisonment for a term of six months to two years and with a fine of XAF 1 million (approx. €1,520) to XAF 10 million (approx. €15,240).

Interference with the financial market

According to Section 135(2) of the Penal Code, commits interference with the financial market any natural person or corporate body who:

  • rigs the functioning of the market;
  • gives undue advantage to persons who would not have had it under normal market conditions
  • violates the right to equal information and treatment of investors or their interest;
  • allows issuers and investors to engage in practices contrary to their obligations
  • habitually provides investment services to third parties without authorisation; and
  • carries out negotiations or transactions other than those provided for by the regulations in force on securities listed on the stock market without referring to an investment service provider.

In the above cases, financial market interference shall be punished with fine of XAF 500,000 (approx. €760) to XAF 5 million (approx. €7,600).

Moreover, commits interference with the financial market any natural person or corporate body who knowingly propagates false or deceptive information on the situation or prospects of an issuer whose securities are on the market such as to influence the prices, or interfere or attempt to interfere, in any manner, with the proper functioning of the market. In such cases, financial market intereference shall be punished with imprisonment for six months to two years or with fine of XAF 1 million (approx. €1,520) to XAF 10 million (approx. €15,240) or with both such imprisonment and fine.

Health and pharmaceuticals sector

Article 310 of the Penal Code provides that whoever without permission from the person interested in secrecy reveals any confidential fact which has come to their knowledge or which has been confided to them solely by reason of their profession or duties, shall be punished with imprisonment from three months to three years and a fine from XAF 20,000 (approx. €30) to XAF 200,000 (approx. €300).

In addition, Article 48 of the Law on Medical Practice provides for a reprimand, suspension of activity ranging from three months to one year depending on the seriousness of the fault committed, and removal from the roll of the Doctors Council.

Telecommunications

Where an amicable settlement between the concerned parties cannot be reached, the parties should refer to ANTIC. If the decision rendered by ANTIC is not satisfactory, parties can then seek relief before the courts.

Article 61 et seq. of the Cybersecurity Law provides for a number of sanctions in case of data violations. In addition, Article 74 of the Cybersecurity Law provides for a term of imprisonment of one to two years and a fine of XAF 1 million (approx. €1,520) to 5 million (approx. €7,620) to whoever interferes with the privacy of others by fixing, recording, or transmitting, without the consent of the author, electronic data of a private or confidential nature.

9.1 Enforcement decisions

There are no other notable enforcement decisions.

Telecommunications

In 2019, the ART sanctioned telecommunications operators in Cameroon for failure to handle the identification process for subscribers and users of terminal equipment in electronic communications networks.