Digital Code Title III

Ordonnance-Loi No. 23/010 of March 13, 2023 Establishing the Digital Code (Title III: Data Protection)

Flag of CD
Democratic Republic of the CongoOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
March 13, 2023
Enacted
March 13, 2023
Enforcing Authority
Data Protection Authority (mandated but NOT YET ESTABLISHED); Autorite de Regulation du Numerique (ARN) for digital market oversight
Consent Model
Opt-in
Applies To
All entities processing personal data within the DRC through digital or non-digital means

Overview

The Democratic Republic of the Congo enacted its Digital Code in March 2023, with Title III dedicated to data protection. Rather than standalone legislation, data protection provisions are embedded within this comprehensive digital governance framework. The law mandates creation of a dedicated Data Protection Authority, though this body has not yet been established. Penalties range from CDF 8,000,000 to CDF 200,000,000. Multiple institutional bodies including ARN, ANCE, and ANC were created for different aspects of digital governance.

What This Means for Your Website

If your website processes personal data of DRC visitors, consent is required before processing. Data must be collected for specified and legitimate purposes with appropriate security measures. Prior notification or authorization may be required. However, the absence of an operational DPA limits practical enforcement at this stage.

Key Requirements

Penalties range from CDF 8M to CDF 200M. Data controllers must obtain consent, implement security measures, and respect data subject rights of access, rectification, and deletion. Cross-border transfers are subject to restrictions. Prior notification or authorization from the supervisory authority is required once it becomes operational.

How ConsentStack Handles This

ConsentStack detects DRC-based visitors and displays a compliant consent banner requiring opt-in before activating non-essential cookies and data processing, preparing your website for future enforcement.

Penalties

CDF 8,000,000-200,000,000

Maximum Fine
CDF 200,000,000 per violation

Key Requirements

  • Consent required for personal data processing
  • Data collected for specified and legitimate purposes only
  • Data security measures mandatory
  • Prior notification or authorization requirements
  • Data subjects have rights of access, rectification, and deletion
  • Cross-border transfer restrictions

Notable Provisions

  • Data protection embedded within a broader Digital Code
  • DPA mandated but not yet established
  • Multiple institutional bodies created (ARN, ANCE, ANC) for digital governance
  • Entered into force on date of approval

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does the DRC have a standalone data protection law?

No. Data protection provisions are embedded within Title III of the comprehensive Digital Code enacted in March 2023.

Is the DRC's data protection law enforced?

Enforcement is limited. The designated Data Protection Authority has not yet been established, though the law is technically in force.

What are the penalties under the DRC Digital Code?

Fines range from CDF 8,000,000 to CDF 200,000,000 for data protection violations.

Stay compliant with Digital Code Title III

ConsentStack helps you implement Opt-in consent for Democratic Republic of the Congo automatically.

Get started free