Democratic Republic of the Congo - Data Protection Overview
1. Governing Texts
The Democratic Republic of Congo ('DRC') consecrates the respect for private life and the secrecy of correspondence as a fundamental right. There is no specific constitutional Article on the protection of personal data and there is no specific and comprehensive legislative framework on data protection. In fact, the data protection rules are spread over several laws and Decree-Laws.
Specifically and most pressingly, data protection provisions are included in Law No. 20/17 of 25 November 2020 governing the telecommunication and information and communication technologies ('ICT') sector (only available in French here) ('Law No. 20/17'), with Title III concerning the protection of the private life and personal data.
Although Law No. 20/17 came into force on the day of its promulgation, it was only published in the Official Gazette of the DRC on 29 September 2021 and, like the national Customs Code, it includes a definition of personal data - both Law No. 20/17 and the Customs Code adopt the same concept of 'personal data'.
1.1. Key acts, regulations, directives, bills
The Constitution of the Democratic Republic of Congo (only available in French here) was enacted on 18 February 2006, as amended by Law 11/002 of 20 January 2011 ('the Constitution').
Article 31 of the Constitution, under the title 'Human Rights, fundamental freedoms and the duties of the citizen and the State,' chapter 'Civil and Political Rights,' establishes that: 'Everyone has the right to respect for his or her private life and the secrecy of the correspondence, telecommunication, or any other form of communication. This right may be only infringed in the cases provided by law'.
Law No. 20/17
Law No. 20/17 applies to:
- the various activities of the telecommunications and ICT sector in DRC territory, including the territorial waters and the contiguous continental shelf; and
- any processing of personal data by a natural person or legal entity established under public or private law on the central government, the provinces, and the decentralised territories, in the context of processing of data included in a file operated by a controller using processing means located in DRC territory, except for transit purposes. This applies regardless of whether the controller is established in the DRC or not.
Please note that this definition is a very broad one, and is typically found in general data protection laws, rather than sector-specific legal instruments. However, Law No. 20/17 is very clear in its preamble, when stating that the law is specifically aimed at the electronic communications services sector.
Law No. 20/17 does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, as long as the personal data concerned is not intended for systematic communication to third parties or for dissemination.
Rules on the protection of personal data and private life can be found in Articles 126 to 133 of Law No. 20/17, with the remainder of Law No. 20/17 dealing with regulatory aspects of electronic communications services. Throughout these specific articles, different provisions protect personal data in the context of electronic communications, with a focus on the secrecy and privacy of telecommunications services: the confidentiality of the correspondence and of the personal data of users of telecommunications and ICT services is ensured, and exemptions to the secrecy of correspondence apply only at the request of the Public Prosecutor's Office or with prior authorisation from the judicial Court.
Additionally, any interception, listening, recording, transcription, and disclosure without prior authorisation of the 'Cour de Cassation' (the highest jurisdiction in French-based legal systems) is prohibited. This authorisation can only be issued when some conditions are met, namely, that the authorisation must be necessary to access the information to ascertain the truth in judicial proceedings, and it must conform with formal requirements (such as the identification of the person concerned, the infraction which justifies the infringement of the right of confidentiality and the duration of the exception). In addition, it may only be renewable for a period of three months. The same conditions apply to the limitation of general personal data confidentiality principles.
Law No. 20/17 also establishes rules for cybersecurity, cryptology, and cybercrime, specifically providing for general obligations on service providers to ensure the confidentiality and security of data (this does not include identification of specific programs or international certification protocols to be adopted by these entities). Note that, as a general rule, this matter is relegated to the Government of the Democratic Republic of the Congo for the preparation of macro-strategies and policies on this matter.
Other applicable laws
- Law No. 04/016 of 19 July 2009 concerning the fight against money laundering and terrorism funding (only available in French here) ('the AML Law') and Instruction N 15 from 15 December 2006 ('Instruction N15') enacted by the Central Bank of the DRC ('the Central Bank').
- Law 10/002 of 20 August 2010 (only available in French here) establishing the Customs Code and Decree-Law 011/46 of 24 November 2011 (only available in French here) regarding the application measures of the Customs Code (jointly 'the Customs Regime'), both of which generally provide for overarching principles of protection of individual privacy and general rights to information.
As there is currently no data protection authority, any decisions taken which impact on data protection matters, either directly or indirectly, will be taken by the sector-specific regulator, or by judicial and administrative authorities, in the event of litigation or dispute.
1.3. Case law
We are not aware of any relevant case law in the DRC regarding privacy and data protection matters, which may be due to the public/non-public format of official sources on these matters, as well as the absence of a specific legal framework aimed specifically at data protection, which may have an impact on public and private sensitivity on the matter regarding the possibility of initiating judicial procedures. Given the most recent data protection provisions on the matter of privacy in data telecommunications services, there may potentially be an increase in judicial dispute and/or administrative litigation on these matters in the future.
2. Scope of Application
2.1. Personal scope
On this point, there are two factors to consider:
- the scope of application of legal obligations applicable, in general, to the processing of personal data - which is extremely limited or non-existent, since no comprehensive data protection legal framework exists in the country; and
- specific provisions applicable to providers of electronic communications services that process personal data.
2.2. Territorial scope
Not applicable as no comprehensive data protection legal framework exists in the country. In the context of the electronic communications sector, data protection obligations apply to any processing of personal data on the central government, the provinces and the decentralised territories.
2.3. Material scope
None in what concerns a general data protection law.
Law No. 20/17 applies where the data contained or intended to be contained in a file are processed, automatically or not, by a controller established or not in the DRC, using processing methods located in the territory, except for methods used only for transit purposes. In the latter case, the controller shall designate a representative established in the territory, without prejudice to any action that may be brought against him.
Additionally, rules of data protection will also apply in the case of transactions concerning state security, public order, defence, investigation and prosecution of criminal offences, even if related to an important economic or financial interest of the State, subject to the derogations established by the present law and to the specific provisions foreseen by other laws.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
Not applicable as no comprehensive data protection legal framework exists in the country.
Specifically for personal data processing in the context of Law 20/17, this law establishes the Regulatory Authority for Telecommunications and ICT – its mission is, inter alia, to ensure the regulation and supervision of the protection of personal data.
3.2. Main powers, duties and responsibilities
Although no general data protection authority exists, an order of the Minister of the Telecommunications and ICT sector may set the conditions and modalities of collection, recording, processing, storage and transmission of personal data.
4. Key Definitions
Data controller: No definition is provided under DRC law, without prejudice to the specific provisions in Law No. 20/17.
Data processor: No definition is provided under DRC law, without prejudice to the specific provisions in Law No. 20/17.
Personal data: None under a (non-existent) general data protection framework. Under Law No. 20/17 and the Customs Code, this is defined as any operation or set of operations which is performed upon data, whether or not by automatic means, such as collection, use, encryption, organisation, recording, adaptation, alteration, retrieval, storage, copy, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as blocking, encryption, effectiveness or destruction of personal data.
Sensitive data: No definition is provided under DRC law.
Health data: No definition is provided under DRC law.
Biometric data: No definition is provided under DRC law.
Pseudonymisation: No definition is provided under DRC law.
Genetic data: Any data concerning hereditary characteristics of an individual or group of related individuals.
Data Subject: No definition is provided under DRC law.
Signature creation device: A set of personal encryption elements or configured set of equipment specifically for the creation of electronic signatures.
Signatory: A person who holds the information regarding the electronic signature and who is either acting on their own behalf, or for the person they represent.
Electronic signature: Data contained in a message, attached to a message or logically associated with a message, which can be used to identify the signatory.
Customs computer systems: All the computerised means and telecommunication to process, automatically store, and circulate customs information.
5. Legal Bases
Not applicable in what concerns a general data protection law. Under Law No. 20/17, personal data of consumers of electronic communication services may only be processed if the data subject has provided consent. Although not directly arising from Law No. 20/17, we note that some (limited) media vehicles have pointed out that the consent required under this law must be interpreted similarly to the legitimacy requirements for consent under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
5.2. Contract with the data subject
5.3. Legal obligations
5.4. Interests of the data subject
5.5. Public interest
5.6. Legitimate interests of the data controller
5.7. Legal bases in other instances
Not applicable as a general principle. Under Law No. 20/17, personal data may be processed without consent of the person concerned, in specific circumstances and at the request of the Public Prosecutor's office.
Given the absence of a comprehensive legal framework in the country, it is not possible to determine data protection-oriented definitions and concepts for data protection and privacy. Any specific concepts or principles, with an impact on what would generally be considered personal data, are interpreted as relevant for the sector or area of economic activity at stake and determined on a case-by-case-basis.
For example, Law No. 20/17 establishes the confidentiality of personal data and imposes specific protection on special categories of data by prohibiting their processing. However, Law No. 20/17 does not provide for other specific principles, which may only be inferred from the current rules and assessed on a case-by-case basis.
7. Controller and Processor Obligations
7.1. Data processing notification
7.2. Data transfers
Not applicable. Any such restrictions would be only those arising from international law, as per the country's constitutional principles, and/or international treaties and conventions to which the country is a party.
7.3. Data processing records
7.4. Data protection impact assessment
7.5. Data protection officer appointment
7.6. Data breach notification
7.7. Data retention
7.8. Children's data
Not applicable. Any provisions regarding the processing of information regarding minors, or otherwise relating to the legal condition of minors, arise directly from national civil law.
7.9. Special categories of personal data
Not applicable as a general concept. However, under Law No. 20/17 the collection and processing of personal data concerning racial, ethnic or regional origin, affiliation, political opinions, religious or philosophical beliefs, trade union membership, sexual life, genetic data or, more generally, data concerning the state of health of an individual, is prohibited.
7.10. Controller and processor contracts
General principles of information security may generally be perceived as applying both to controllers and processors under sector-specific law (specifically, the banking and telecoms and ICT sector). Within the banking sector these apply indirectly to data protection matters, as they are addressed mainly at ensuring customer/individual information secrecy and regulatory confidentiality i.e. these obligations were not established directly from a data protection perspective, but rather as an obligation applicable to institutions processing privileged information, which must ensure that all handling of said information complies with security requirements across the line (this may include service providers, including those typically qualifiable as processors under generally accepted data protection concepts and principles).
8. Data Subject Rights
8.1. Right to be informed
This right is not included in a specific legal framework but should be considered by public and private entities in sector-specific provisions (for example, in the context of the public sector, as noted above in the section on key acts, regulations, directives, and bills).
8.2. Right to access
8.3. Right to rectification
8.4. Right to erasure
8.5. Right to object/opt-out
8.6. Right to data portability
8.7. Right not to be subject to automated decision-making
8.8. Other rights
Under Law No. 20/17, consumers of electronic communication services have a general right to having their personal data protected.
Not applicable in the context of a (non-existent) general data protection legal framework.
Without prejudice to the general powers of the Public Prosecutor's Office and of judicial police officers with general jurisdiction, the Regulatory Authority of the Telecommunications and ICT will appoint agents to investigate, detect, and prosecute offences relating to infringements of Law No. 20/17, which include the rules on the protection of privacy and personal data. An agent who is guilty of violating the secrecy of correspondence or manipulating personal data without prior authorisation shall be subject to a criminal offence in relation to the violation of correspondence.
In addition, any interception, listening, recording, transcription by means of any device to disclose a private communication or correspondence is punished with a penal servitude of one to three years and/or a fine of CDF 1 million (approx. €497) to CDF 10 million (approx. €4,980).
Finally, without prejudice to the payment of damages to the victim, any violation of the secrecy of correspondence or any manipulation of personal data without prior authorisation shall be punishable as a criminal offence on the part of the perpetrator, and the employer must also pay a fine of CDF 50 million (approx. €24,889) to CDF 1 million (approx. €497).
9.1. Enforcement decisions
Not applicable. We are not aware of public judicial decisions with specific data protection aspects having been considered as a factor in the decision in the DRC.