Data & Privacy · Burundi
Data protection & privacy law in Burundi (2026)
Burundi shaded by its data & privacy status
Data protection in Burundi: comprehensive law, under Law No. 1/03 of 10 March 2026 on the Protection of Personal Data (Loi N°1/03 du 10 mars 2026 portant protection des données à caractère personnel), with oversight by an independent administrative authority placed under the Ministry of Digital Economy.
Burundi enacted its first comprehensive personal data protection law on 10 March 2026, after the National Assembly unanimously adopted the bill on 15 January 2026. The law, structured in eight chapters, establishes individual rights over personal data, obligations on data controllers, and a new independent supervisory authority. Prior to this law, data protection in Burundi was only addressed through scattered sectoral provisions in banking, health, and telecommunications legislation.
Key points
Law No. 1/03 was promulgated on 10 March 2026 and published on the official ARCT portal. The National Assembly adopted it unanimously on 15 January 2026, marking Burundi's first standalone data protection instrument.
The law defines personal data as any information linked to an identified or identifiable natural person, directly or indirectly, by reference to physical, genetic, social, cultural, or economic identity, a broad, GDPR-influenced definition.
The law creates a new independent administrative authority responsible for implementing data protection regimes, placed under the supervision of the Ministry of Digital Economy. No pre-existing dedicated data protection authority existed prior to this law.
The eight-chapter structure covers data subjects' rights (access, correction, erasure) and sets out binding obligations for data controllers. It establishes different protection regimes tailored to varying processing activities.
The law introduces specific criminal penalties for unlawful processing of personal data, designed to be compatible with Burundi's Penal Code and the existing Cybercrime Law, deterring abusive or illegal use of personal information.
Before the 2026 law, data protection obligations existed only in sector-specific rules: banking confidentiality (Law No. 1/17 of 22 August 2017), healthcare institution confidentiality, and telecommunications provisions, with no unified framework or data protection authority.
Burundi - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →