Data protection & privacy laws in Gabon (2026)

Law No. 001/2011 of 25 September 2011 on personal-data protection, as substantially amended by Law No. 025/2023 of 9 July 2023, constitutes the comprehensive legal framework governing collection, processing, storage and transfer of personal data.

The APDPVP (Autorité pour la Protection des Données Personnelles et de la Vie Privée) is an independent administrative authority established by the 2023 law, replacing the former CNPDCP. It informs data subjects and controllers of rights/obligations and monitors compliance.

Data subjects hold rights to information, access, rectification, erasure, restriction of processing, data portability, objection, and compensation — a set closely modelled on GDPR. Controllers may override the right to object only on demonstration of overriding legitimate grounds.

Data controllers must notify the APDPVP without undue delay following a personal-data breach, including details of the breach's nature, categories and approximate number of affected individuals, and remediation measures. Where the breach poses a high risk to individuals, data subjects must also be notified individually.

Transfer of personal data abroad is permitted only to countries offering an adequate level of protection for privacy and fundamental rights. Transfers to non-adequate countries require specific safeguards or authorisation from the APDPVP.

Administrative penalties under the 2023 law range from 1 million to 100 million CFA francs (approx. USD 1,650–165,000), with additional fines of up to 10 million CFA francs for serious violations; criminal liability provisions also apply.