Data & Privacy · Central African Republic
Data protection & privacy law in Central African Republic (2026)
Central African Republic shaded by its data & privacy status
Data protection in Central African Republic: comprehensive law, under Loi No. 24.001 du janvier 2024 relative à la Protection des Données à Caractère Personnel (Law No. 24.001 on the Protection of Personal Data, January 2024); supervisory authority pending establishment under the Ministry of Digital Economy, Posts, and Telecommunications.
The Central African Republic enacted a comprehensive personal data protection law (Loi 24.001) in January 2024, establishing a GDPR-influenced framework covering lawful bases for processing, data subject rights, controller/processor obligations, and cross-border transfer restrictions. An independent supervisory authority was mandated to be created within 12 months of enactment, but as of early 2026 that authority has not yet been established, leaving interim oversight with the Ministry of Digital Economy. Constitutional privacy protection also exists under Article 16 (secrecy of correspondence).
Key points
Loi No. 24.001, enacted January 2024, is the primary data protection instrument. It applies to any processing of personal data within CAR's territory or with effects there, including processing by public-security, defence, and judicial actors.
The law requires an independent administrative authority to be established within 12 months of enactment (i.e., by January 2025). That deadline was missed; as of early 2026 the authority does not yet exist and the Ministry of Digital Economy, Posts, and Telecommunications acts as interim overseer.
Processing must rest on one of six legal bases (consent, contract, legal obligation, vital interests, public interest/official authority, or legitimate interests). Data subjects hold rights of access, rectification, erasure, objection, and protection from solely automated decision-making.
Processing of special-category data (racial/ethnic origin, political opinions, religious beliefs, trade-union membership, genetic/biometric data, health data, sex life) is prohibited except under narrowly defined exceptions such as explicit consent, vital interests, or medical purposes.
Data controllers must appoint a resident Data Protection Officer who acts independently, maintains processing registers, and liaises with the supervisory authority. Prior consent is required for all direct-marketing communications across telephone, SMS, email, or social media.
Administrative fines reach up to 5% of the controller's annual turnover, supplemented by criminal penalties. Cross-border transfers of personal data are permitted only to countries offering a level of protection equivalent to that of CAR.
Central African Republic - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →