Data & Privacy · Congo
Data protection & privacy laws in Congo (2026)
Congo shaded by its data & privacy status
The Republic of Congo (Congo-Brazzaville) has a standalone comprehensive personal-data protection law — Law No. 29-2019 — which entered into force on 25 November 2020 and replaced the earlier Law No. 4-2009 of 2009. It follows the Francophone-African model, requiring prior notification to the CNPD before processing, and grants data subjects a full set of rights. The CNPD is the designated independent supervisory authority, though its operational capacity and enforcement activity remain limited in practice.
Key points
Loi n° 29-2019 of 10 October 2019 on the protection of personal data was published in the Official Gazette (Journal Officiel n° 45-2019) and entered into force on 25 November 2020, superseding the 2009 framework law.
The Commission Nationale de Protection des Données à Caractère Personnel (CNPD) is established by Law 29-2019 as the independent supervisory body with powers to monitor processing, investigate complaints, and impose sanctions for non-compliance.
Processing of personal data requires the data subject's explicit consent or a legal basis under Article 7 of Law 29-2019; controllers must also file prior notifications with the CNPD before commencing data processing operations.
Articles 50–59 of Law 29-2019 guarantee data subjects the rights of access, rectification, erasure, and objection to processing of their personal data.
Data controllers are required to notify the CNPD of personal data breaches within 72 hours of becoming aware of the incident.
Despite the comprehensive text of Law 29-2019, the CNPD's operational standing and active enforcement record remain weak, with gaps in public awareness and regulatory capacity noted by independent observers.
Congo - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →