Chad - Data Protection Overview
1. Governing Texts
The development of online activities, such as e-mail and social networks, facilitates the exchange of personal information and makes it public and accessible. This evolution of information and communication technology poses new challenges in terms of personal data protection.
By Law No. 007/PR/2015 on the Protection of Personal Data (available only in French) ('the Law'), the Republic of Chad has organised the protection of personal data. The purpose of this law is to put in place a mechanism to protect private and professional life following the collection, processing, transmission, storage, and use of personal data, subject to the protection of public order.
The main laws relating to data protection are:
- Law No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification (available only in French and Arabic);
- the Law;
- Law No. 008/PR/2015 on Electronic Transactions (available only in French and Arabic);
- Law No. 009/PR/ on Cybersecurity and Cybercrime (available only in French and Arabic); and
- Law No. 001/PR/2017 on the Penal Code (available only in French).
1.3. Case law
2. Scope of Application
The Law applies to any natural person, any legal entity under public or private law, and any state or local authority that collects, processes, transmits, stores, and uses personal data.
The Law applies to any collection, processing, transmission, storage, and use of personal data.
It also applies to any automated or non-automated processing of data contained or intended to be included in a file, with the exception of the processing of data used by a natural person exclusively for personal or domestic activities, provided that the data is not intended for systematic communication to third parties or for dissemination.
Finally, the Law applies to any processing of data concerning public security, defence, investigation and prosecution of criminal offences, or state security.
3.1. Main regulator for data protection
The regulatory authority for data protection in Chad is the Agence Nationale de Sécurité Informatique et de Certification Électronique ('ANSICE').
3.2. Main powers, duties and responsibilities
ANSICE is responsible for ensuring compliance, on the national territory, with the provisions of the Law. As such, it has the power to sanction any violation of the Law.
In addition, ANSICE issues notices and authorisations and receives declarations according to the provisions of the Law.
4. Key Definitions
Personal data: Any information relating to a natural person, identified or identifiable directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, and economic identity.
Sensitive data: Data relating to religious, philosophical, political, trade union opinions or activities, sex or racial life, health, social measures, prosecutions, and criminal or administrative charges.
Data controller: An individual, public/private company, or any other agency or association which, alone or jointly with others, takes the decision to collect and process personal data and determines the purposes thereof.
Data processor: Any individual, public/private company, or any other agency or association which processes data on behalf of the data controller and under their instructions.
Data subject: Any natural person who is the subject of processing of personal data.
Biometric data: Not applicable.
Health data: Any information concerning the physical and mental state of a data subject, including the aforementioned genetic data.
Pseudonymisation: Not applicable.
5. Legal Bases
The processing of personal data is considered legitimate if the data subject gives their consent.
Data protection principles
- the collection, recording, processing, storage, and transmission of personal data must be lawful, fair, and not fraudulent;
- data must be collected for specified, explicit, and legitimate purposes;
- data must be relevant and not excessive in relation to the purposes for which they are collected and further processed;
- data must be kept for a period not exceeding the period necessary for the purposes for which they were collected/processed;
- the data collected must be accurate and, where necessary, kept up to date;
- the principle of transparency implies that the data controller must inform the data subject of any processing operation that involves personal data; and
- personal data must be treated confidentially and protected.
7. Controller and Processor Obligations
The Law provides for both a declaration and an authorisation regime:
The regime of authorisation
Pursuant to the provisions of Article 52 of the Law, the authorisation of the regulatory authority is required for the processing of any personal data relating to:
- genetic, biometric data, and research in the health field;
- offences, convictions, or security measures;
- interconnection of files;
- national identification number or any other identifier of the same nature; or
- public interest in particular for historical, statistical, or scientific purposes.
The regime of declaration
Apart from the data provided for by the authorisation regime, any processing of personal data must be declared in a written form.
In light of Article 29 of the Law, the data controller cannot transfer personal data to a foreign country unless that country provides a sufficient level of protection for the privacy, fundamental rights, and freedoms of individuals.
Moreover, before any transfer of personal data abroad, the data controller must first inform the regulatory authority, ANSICE.
Article 63 of the Law lays down the principle of the obligation to retain data.
Chapter V of the Law (Articles 16 to 25) relates to the processing of special categories of data. These categories of data include, among others, biometric data and personal data which, if processed for what they are or contain, reveal racial or ethnic origin, parentage, political opinions, religious or philosophical beliefs, trade union membership, gender as well as the processing of data relating to health and sex life. The processing of this data is prohibited without the written consent of the person concerned or necessary.
In light of the combined provisions of Articles 15 and 62 of the Law, the relationships between the data controller and the data processor are managed through contractual agreements.
Such an agreement has to contain a clause setting out the obligations incumbent on the processor with regard to the protection of data security and confidentiality, providing that the data processor can only act on the instructions of the data controller.
8. Data Subject Rights
Pursuant to Article 35 and following of the Law, the data controller must inform the data subject of:
- the identity of the data controller and its representative (if any);
- the purposes of the processing;
- the category of data concerned;
- the recipients or categories of recipients of the data;
- the right to object to the collection of such data;
- the right to access the collected data and have it edited;
- the duration of the processing; and
- details on any intended transfer of the data.
Pursuant to Article 38 of the Law, data subjects have a right of access and they can obtain the following from the data controller:
- information allowing data subjects to be aware of, and possibly to contest, the processing;
- confirmation of whether their personal data forms part of the processing;
- a copy of their personal data as well as any available information on the origin of the data; and
- information relating to the purposes of the processing, categories of data processed, recipients, or categories of recipients, to whom the data are disclosed, and information relating to the transfer of personal data outside the country.
In light of the provisions of Article 48 of the Law, any data subject may require that the data controller rectifies their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited.
In light of the provisions of Article 48 of the Law, any data subject may require that the data controller deletes their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited.
Pursuant to Article 45 of the Law, any data subject has the right to object, with legitimate reasons, to the processing of their personal data. The data subject also has the right to be informed before their personal data is communicated or used by a third party and also to object to the communication or the use of the personal data.
There are two kinds of sanctions for non-compliance with data protection laws: administrative sanctions pronounced by ANSICE and criminal sanctions pronounced by a judge.
The following sanctions and remedies are available to ANSICE:
- a warning to the data controller who does not comply with the obligations arising from the Law;
- a formal notice to put an end to the breaches concerned within the time limit which it fixes;
- penalties in accordance with the observed shortcomings;
- interruption of processing for a maximum of three years;
- blocking for a maximum of three months of certain processed personal data; or
- temporary or permanent prohibition of processing contrary to the provisions of the Law.
Pursuant to Article 82 of the Law, a judge can impose the following sanctions: imprisonment of between three months and one year; and fines of between XAF 1 million (approx. €1,524) and XAF 10 million (approx. €15,244).
We could not find relevant case law.