Data protection & privacy laws in Burundi (2026)

Law No. 1/03 was promulgated on 10 March 2026 and published on the official ARCT portal. The National Assembly adopted it unanimously on 15 January 2026, marking Burundi's first standalone data protection instrument.

The law defines personal data as any information linked to an identified or identifiable natural person, directly or indirectly, by reference to physical, genetic, social, cultural, or economic identity — a broad, GDPR-influenced definition.

The law creates a new independent administrative authority responsible for implementing data protection regimes, placed under the supervision of the Ministry of Digital Economy. No pre-existing dedicated data protection authority existed prior to this law.

The eight-chapter structure covers data subjects' rights (access, correction, erasure) and sets out binding obligations for data controllers. It establishes different protection regimes tailored to varying processing activities.

The law introduces specific criminal penalties for unlawful processing of personal data, designed to be compatible with Burundi's Penal Code and the existing Cybercrime Law, deterring abusive or illegal use of personal information.

Before the 2026 law, data protection obligations existed only in sector-specific rules: banking confidentiality (Law No. 1/17 of 22 August 2017), healthcare institution confidentiality, and telecommunications provisions — with no unified framework or data protection authority.