May 2023

1. Governing Texts

The development of online activities, such as sending e-mails and social networks facilitates the exchange of personal information and makes it public and accessible. This evolution of information and communication technology poses new challenges in terms of personal data protection.

By Law No. 007/PR/2015 on the Protection of Personal Data (only available to download in French Here)  (the Law), the Republic of Chad has organized the protection of personal data. The purpose of this law is to put in place a mechanism to protect private and professional life following the collection, processing, transmission, storage, and use of personal data, subject to the protection of public order.

1.1. Key acts, regulations, directives, bills

The main laws relating to data protection are:

• Law No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification (only available to download in French and Arabic here);
• Legal order No. 009/PCMT/2022 modifying Law No 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification;
• the Law
• Decree No. 75 laying down the provisions for the application of Law No. 07 on the protection of personal data (only available to download in French and Arabic here)
• Law No. 008/PR/2015 on Electronic transactions (only available to download in French and Arabic here);
• Law No. 009/PR/2015 on Cybersecurity and Cybercrime (only available to download in French and Arabic here); and
• Legal order No. 008/PCMT/2022 on Cybersecurity; and 
• Law No. 001/PR/2017 on the Penal Code (only available to download in French here).

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law applies to any natural person, any legal entity under public or private law, and any state or local authority that collects, processes, transmits, stores, and uses personal data.

2.2. Territorial scope

Not applicable.

2.3. Material scope

The Law applies to any collection, processing, transmission, storage, and use of personal data.

It also applies to any automated or non-automated processing of data contained or intended to be included in a file, with the exception of the processing of data used by a natural person exclusively for personal or domestic activities, provided that the data is not intended for systematic communication to third parties or for dissemination.

Finally, the Law applies to any processing of data concerning public security, defense, investigation and prosecution of criminal offenses, or state security.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The regulatory authority for data protection in Chad is the Agence Nationale de Sécurité Informatique et de Certification Électronique ('ANSICE').

3.2. Main powers, duties and responsibilities

ANSICE is responsible for ensuring compliance, on the national territory, with the provisions of the Law. As such, it has the power to sanction any violation of the Law.

In addition, ANSICE gives notices, authorizations, and receives declarations according to the provisions of the Law.

4. Key Definitions 

Personal data: Any information relating to a natural person, identified or identifiable directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, and economic identity.

Sensitive data: Data relating to religious, philosophical, political, trade union opinions or activities, sex or racial life, health, social measures, prosecutions, and criminal or administrative charges.

Data controller: An Individual or public/private company, or any other agency or association which, alone or jointly with others, takes the decision to collect and process personal data and determines the purposes thereof.

Data processor: Any individual, public/private company, or any other agency or association which processes data on behalf of the data controller and under their instructions.

Data subject: Any natural person who is the subject of the processing of personal data.

Biometric data: Not applicable.

Health data: Any information concerning the physical and mental state of a data subject, including the aforementioned genetic data.

Pseudonymisation: Not applicable.

5. Legal Bases

5.1. Consent

The processing of personal data is considered legitimate if the data subject gives consent.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Data protection principles

• the collection, recording, processing, storage, and transmission of personal data must be lawful, fair, and not fraudulent;
• data must be collected for specified, explicit, and legitimate purposes;
• data must be relevant and not excessive in relation to the purposes for which they are collected and further processed;
• data must be kept for a period not exceeding the period necessary for the purposes for which they were collected/processed;
• the data collected must be accurate and, if necessary, updated whenever necessary;
• the principle of transparency implies that the data controller must inform the data subject of any personal data processing operation that involves personal data; and
• Personal data must be treated confidentially and protected.

7. Controller and Processor Obligations

7.1. Data processing notification

The Law provides for both a declaration and an authorization regime:

The regime of authorization

Pursuant to the provisions of Article 52 of the Law, the authorization of the regulatory authority is required for the processing of any personal data relating to:

• genetic, biometric data, and research in the health field;
• offenses, convictions, or security measures;
• interconnection of files;
• national identification number or any other identifier of the same nature; or
• public interest in particular for historical, statistical, or scientific purposes.

The regime of declaration

Apart from the data provided for, by the authorization regime, any processing of personal data must be declared in a written form.

7.2. Data transfers

In light of Article 29 of the Law, the data controller cannot transfer personal data to another foreign country unless that country provides a sufficient level of protection for the privacy, fundamental rights, and freedoms of individuals.

Moreover, before any transfer of personal data abroad, the data controller must first inform the regulatory authority, ANSICE.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

Not applicable.

7.7. Data retention

Article 63 of the Law lays down the principle of the obligation to retain data.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Chapter V of the Law (Articles 16 to 25) relates to the processing of special categories of data. These categories of data include, among others, biometric data and personal data which, if processed for what they are or contain, reveal racial or ethnic origin, parentage, political opinions, religious or philosophical beliefs, trade union membership, gender as well as the processing of data relating to health and sex life. The processing of this data is prohibited without the written consent of the person concerned or necessary.

7.10. Controller and processor contracts

In light of the combined provisions of Articles 15 and 62 of the Law, the relationships between the data controller and the data processor are managed through contractual agreements.

Such agreement has to contain a clause of the obligations incumbent on the processor with regard to the protection of data security and confidentiality, providing that the data processor can only act on the instructions of the data controller.

8. Data Subject Rights

8.1. Right to be informed

Pursuant to Article 35 and following the Law, the data controller must inform the data subject of:

• the identity of the data controller and its representative (if any);
• the purposes of the processing;
• the category of data concerned;
• the recipients or categories of recipients of the data;
• the right to object to the collection of such data;
• the right to access the collected data and have it edited;
• the duration of the processing; and
• details on any intended transfer of the data. 

8.2. Right to access

Pursuant to Article 38 of the Law, data subjects have a right to access and they can obtain the following from the data controller:

• information allowing for data subjects to be aware of and the possibility to contest the processing;
• confirmation of whether their personal data forms part of the processing;
• a copy of their personal data as well as any available information on the origin of the data; and
• information relating to the purposes of the processing, categories of data processed, recipients, or categories of recipients, to whom the data are disclosed, and information relating to the transfer of personal data outside the country.

8.3. Right to rectification

In light of the provisions of Article 48 of the Law, any data subjects may require that the data controller rectifies their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited.

8.4. Right to erasure

In light of the provisions of Article 48 of the Law, any data subjects may require that the data controller deletes their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited.

8.5. Right to object/opt-out

Pursuant to Article 45 of the Law, any data subject has the right to object, with legitimate reasons, to the processing of their personal data. The data subject also has the right to be informed before their personal data is communicated or used by a third party and also to object to the communication or the use of the personal data.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties 

There are two kinds of sanctions for non-compliance with data protection laws, administrative sanctions pronounced by the ANSICE and criminal sanctions pronounced by a judge.

Administrative sanctions

The following sanctions and remedies are available by the ANSICE:

• a warning to the data controller who does not comply with the obligations arising from the Law;
• a formal notice to put an end to the breaches concerned within the time limit which it fixes;
• penalties in accordance with the observed shortcomings;
• interruption of treatment for a maximum of three years;
• blocking for a maximum of three months of certain processed personal data; or
• temporary or permanent prohibition of processing contrary to the provisions of the Law.

Criminal sanctions

Pursuant to Article 82 of the Law, a judge can take the following sanctions: imprisonment from between three months to one year; and fines between XAF 1 million (approx. €1,524) to XAF 10 million (approx. €15,244).

9.1 Enforcement decisions

We could not find relevant case law.