Chad - Data Protection Overview

April 2024

1. Governing Texts

The development of online activities, such as sending e-mails and using social networks, facilitates the exchange of personal information and makes it public and accessible. This evolution of information and communication technology poses new challenges in terms of personal data protection.

By Law No. 007/PR/2015 on the Protection of Personal Data ('the Law'), the Republic of Chad has organized the protection of personal data. The purpose of this law is to put in place a mechanism to protect private and professional life following the collection, processing, transmission, storage, and use of personal data, subject to the protection of public order.

1.1. Key acts, regulations, directives, bills

The main laws relating to data protection are:

  • Law No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification;
  • Legal order No. 009/PCMT/2022 modifying Law No 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification;
  • Decree No. 75 laying down the provisions for the application of Law No. 07 on the protection of personal data;
  • Law No. 008/PR/2015 on Electronic transactions;
  • Law No. 009/PR/2015 on Cybersecurity and Cybercrime;
  • Legal order No. 008/PCMT/2022 on Cybersecurity;
  • Law No. 001/PR/2017 on the Penal Code (only available in French);
  • Decree No. 982/PR/PM/2017 of July 14, 2017, relating to the Organization and Operation of the National Agency for Computer Security and Electronic Certification;
  • Decree No. 1619/PR/2019 of October 14, 2019, rectifying the provisions of Article 5 of Decree No. 075/PR/2019 relating to the protection of personal data;
  • Decision No. 018/ANSICE/DG/DCPD/2020 of March 30, 2020, setting the conditions and modalities for payment of application fees regarding the protection of personal data; and
  • African Union Convention on Cybersecurity and Personal Data Protection of June 27, 2014 ('Malabo Convention').

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law applies to any natural person, any legal entity under public or private law, and any state or local authority that collects, processes, transmits, stores, and uses personal data.

2.2. Territorial scope

Not applicable.

2.3. Material scope

The Law applies to any collection, processing, transmission, storage, and use of personal data.

Furthermore, the Law also applies to any automated or non-automated processing of data contained or intended to be included in a file, with the exception of processing of data used by a natural person exclusively for personal or domestic activities, provided that the data is not intended for systematic communication to third parties or for dissemination.

Finally, the Law applies to any processing of data concerning public security, defense, investigation and prosecution of criminal offenses, or state security.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The regulatory authority for data protection in Chad is the Agence Nationale de Sécurité Informatique et de Certification Électronique ('ANSICE').

3.2. Main powers, duties and responsibilities

ANSICE is responsible for ensuring compliance, on the national territory, with the provisions of the Law. As such, it has the power to sanction any violation of the Law, issue formal notices, grant authorizations, and receive declarations according to the provisions of the Law.

4. Key Definitions

Data controller: An individual, public/private company, or any other agency or association which, alone or jointly with others, takes the decision to collect and process personal data and determines the purposes thereof.

Data processor: Any individual, public/private company, or any other agency or association which processes data on behalf of the data controller and under their instructions.

Personal data: Any information relating to a natural person, identified or identifiable directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, and economic identity.

Sensitive data: Data relating to religious, philosophical, political, trade union opinions or activities, sex or racial life, health, social measures, prosecutions, and criminal or administrative charges.

Health data: Any information concerning the physical and mental state of a data subject, including the aforementioned genetic data.

Biometric data: Not applicable.

Pseudonymization: Not applicable.

Data subject: Any natural person who is the subject of the processing of personal data.

5. Legal Bases

5.1. Consent

The processing of personal data is considered legitimate if the data subject provides their consent.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Companies may, in certain cases, process personal data to comply with a legal obligation, i.e. to comply with a law or other statutory obligation, in accordance with Articles 7 and 9 of the Law.

The Law requires the company processing the personal data to comply with the following conditions: 

  • the person whose personal data is processed must give their consent;
  • the data must be processed lawfully, fairly, and without fraud; and
  • personal data must be collected for specific, explicit, and legitimate purposes.

However, the company may waive this requirement for consent where the processing of personal data is essential for:

  • compliance with a legal obligation to which the data controller is subject;
  • the performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at the data subject's request; or
  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or the third party to whom the data is disclosed.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The Law outlines the following data protection principles:

  • the collection, recording, processing, storage, and transmission of personal data must be lawful, fair, and not fraudulent;
  • data must be collected for specified, explicit, and legitimate purposes;
  • data must be relevant and not excessive in relation to the purposes for which it is collected and further processed;
  • data must be kept for a period not exceeding the period necessary for the purposes for which it was collected/processed;
  • the data collected must be accurate and, where necessary, kept up to date;
  • the principle of transparency implies that the data controller must inform the data subject of any processing operation that involves personal data; and
  • personal data must be treated confidentially and protected.

7. Controller and Processor Obligations

7.1. Data processing notification

The Law provides for both a declaration and an authorization regime:

The regime of authorization

Pursuant to the provisions of Article 52 of the Law, the authorization of the regulatory authority is required for the processing of any personal data relating to:

  • genetic, biometric data, and research in the health field;
  • offenses, convictions, or security measures;
  • interconnection of filing systems;
  • national identification number or any other identifier of the same nature; or
  • public interest, in particular for historical, statistical, or scientific purposes.

The regime of declaration

Apart from the data provided for by the authorization regime, any processing of personal data must be declared in a written form.

7.2. Data transfers

Under Article 29 of the Law, the data controller cannot transfer personal data to another foreign country unless that country provides a sufficient level of protection for the privacy, fundamental rights, and freedoms of individuals.

Moreover, before any transfer of personal data abroad, the data controller must first inform ANSICE.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

The Law foresees that a 'data protection delegate' may be appointed, with the following responsibilities:

  • independently ensuring the internal application of the Law; and
  • keeping a register of the processing carried out by the data controller.

Where the data controller designates a data protection delegate, the data controller may be exempt from prior notification.

7.6. Data breach notification

The data controller and the subcontractor must notify, without delay, ANSICE and the person concerned of any breach of security that has affected the personal data of the person concerned.

7.7. Data retention

Article 63 of the Law lays down the principle of the obligation to retain data. The Law does not specify how long data must be kept. It leaves the choice of retention period to the data controller, specifying that data must be retained for no longer than is necessary for the purposes for which it was collected or processed.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Chapter V of the Law (Articles 16 to 25) relates to the processing of special categories of data. These categories of data include, among others, biometric data and personal data which, if processed for what they are or contain, reveal racial or ethnic origin, parentage, political opinions, religious or philosophical beliefs, trade union membership, gender as well as the processing of data relating to health and sex life. The processing of this data is prohibited without the written consent of the person concerned or necessary.

7.10. Controller and processor contracts

In light of the combined provisions of Articles 15 and 62 of the Law, the relationships between the data controller and the data processor are managed through contractual agreements.

Such an agreement must contain a clause setting out the obligations incumbent on the processor with regard to the protection of data security and confidentiality, and providing that the data processor can only act on the instructions of the data controller.

8. Data Subject Rights

8.1. Right to be informed

Pursuant to Article 35 and following of the Law, the data controller must inform the data subject of:

  • the identity of the data controller and its representative (if any);
  • the purposes of the processing;
  • the category of data concerned;
  • the recipients or categories of recipients of the data;
  • the right to object to the collection of such data;
  • the right to access the collected data and have it edited;
  • the duration of the processing; and
  • details on any intended transfer of the data.

8.2. Right to access

Pursuant to Article 38 of the Law, data subjects have a right to access allowing them to obtain the following from the data controller:

  • information allowing for data subjects to be aware of the processing taking place and the possibility of contesting such processing;
  • confirmation of whether their personal data forms part of the processing;
  • a copy of their personal data, as well as any available information on the origin of the data; and
  • information relating to the purposes of the processing, categories of data processed, recipients, or categories of recipients, to whom the data are disclosed, and information relating to the transfer of personal data outside the country.

8.3. Right to rectification

In light of the provisions of Article 48 of the Law, any data subject may require that the data controller rectifies their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited.

8.4. Right to erasure

In light of the provisions of Article 48 of the Law, any data subject may require that the data controller deletes their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited.

8.5. Right to object/opt-out

Pursuant to Article 45 of the Law, any data subject has the right to object, with legitimate reasons, to the processing of their personal data. The data subject also has the right to be informed before their personal data is communicated or used by a third party and also to object to the communication or the use of the personal data.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

There are two kinds of sanctions for non-compliance with data protection laws: administrative sanctions pronounced by the ANSICE and criminal sanctions pronounced by a judge.

Administrative sanctions

The following sanctions and remedies are made available to the ANSICE:

  • issue a warning to the data controller who does not comply with the obligations arising from the Law;
  • issue a formal notice to bring the processing into compliance with the Law within a prescribed timeframe;
  • impose penalties depending on the infringement of the Law;
  • restrict processing for a maximum of three years;
  • restrict the processing of certain personal data for a maximum of three months; and
  • prohibit, temporarily or permanently, processing that is contrary to the provisions of the Law.

Criminal sanctions

Pursuant to Article 82 of the Law, a judge can implement the following sanctions:

  • imprisonment of between three months and one year; and
  • fines of between XAF 1 million (approx. $1,640) and XAF 10 million (approx. $16,450).

9.1. Enforcement decisions

Not available.