Data protection & privacy laws in Central African Republic (2026)

Loi No. 24.001, enacted January 2024, is the primary data protection instrument. It applies to any processing of personal data within CAR's territory or with effects there, including processing by public-security, defence, and judicial actors.

The law requires an independent administrative authority to be established within 12 months of enactment (i.e., by January 2025). That deadline was missed; as of early 2026 the authority does not yet exist and the Ministry of Digital Economy, Posts, and Telecommunications acts as interim overseer.

Processing must rest on one of six legal bases (consent, contract, legal obligation, vital interests, public interest/official authority, or legitimate interests). Data subjects hold rights of access, rectification, erasure, objection, and protection from solely automated decision-making.

Processing of special-category data (racial/ethnic origin, political opinions, religious beliefs, trade-union membership, genetic/biometric data, health data, sex life) is prohibited except under narrowly defined exceptions such as explicit consent, vital interests, or medical purposes.

Data controllers must appoint a resident Data Protection Officer who acts independently, maintains processing registers, and liaises with the supervisory authority. Prior consent is required for all direct-marketing communications across telephone, SMS, email, or social media.

Administrative fines reach up to 5% of the controller's annual turnover, supplemented by criminal penalties. Cross-border transfers of personal data are permitted only to countries offering a level of protection equivalent to that of CAR.