Data protection & privacy laws in DR Congo (2026)

The Digital Code governs all digital activities and services carried out from or to the DRC by any natural or legal person, regardless of nationality or place of establishment. Title III contains the personal data protection regime covering collection, processing, storage, transfer, and data subject rights.

The Digital Code legally creates an independent Autorité de Protection des Données (APD) empowered to issue opinions, conduct investigations, and impose sanctions. As of 2025, no prime-ministerial decree has formally established the APD; a ministerial decree of August 2024 temporarily transferred APD functions to ARPTIC (Autorité de Régulation des Postes, Télécommunications et TIC).

Controllers must obtain consent before processing, respect principles of purpose limitation and data minimisation, and honour data subject rights of access, rectification, and erasure. The Code also imposes obligations on subcontractors/processors and covers electronic evidence and advertising.

Transfers of personal data outside DRC are generally prohibited unless the destination country provides equivalent protection or the competent digital ministry grants explicit authorisation—a requirement significantly more restrictive than many peer frameworks.

The APD (acting through ARPTIC in the interim) may impose financial penalties of 8 million to 200 million Congolese francs for non-compliance, as well as formal notices, injunctions to halt processing, and referrals to law enforcement.

The DRC deposited its instrument of ratification of the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention) with the AU Secretary-General on 27 June 2025, binding itself internationally to further strengthen its domestic data-protection framework under Article 8 of that treaty.