Data protection & privacy laws in Guinea (2026)

Law L/2016/037/AN of 28 July 2016 is a two-part statute: Part 1 covers cybercrimes; Part 2 establishes a comprehensive personal-data protection regime including definitions, lawful-processing grounds (consent, legal obligation, public interest, contract, vital interests), and data-controller obligations.

The 2016 law mandated creation of an independent data-protection authority. As of 2025 it remains unoperationalised; the ARPT currently exercises de-facto oversight, and the CNT (National Transition Council) examined a dedicated draft law in 2024 to formally establish the APDP as an independent administrative authority with legal personality and financial autonomy.

On 14 April 2025, President Mamadi Doumbouya signed a decree defining conditions for collection, processing, conservation, and security of personal data nationally. It introduced an 18-character Personal Identification Number (NPI) assigned at birth, mandated secure double-entry authentication, and empowered the data authority to refer infringements to the prosecutor for immediate criminal sanctions.

The law defines a special category of sensitive data encompassing religious, political, trade-union, sexual, racial, health, and criminal-record information. Unlawful processing of sensitive personal data carries imprisonment of 1–7 years and fines of GNF 30,000,000–150,000,000.

The 2016 law grants individuals rights of access, rectification, and opposition. A Data Protection Officer (DPO) obligation exists under Article 14 et seq., requiring a qualified person be designated by data controllers.

Article 12 of Guinea's Constitution enshrines the right to privacy, providing the constitutional grounding for the statutory data-protection framework. Cross-border data transfers are regulated under the 2016 law, restricting transfers to countries without adequate protection.