Law 29-2019

Law No. 29-2019 of October 10, 2019 on the Protection of Personal Data

Key Facts

Effective Date: November 7, 2019
Enacted: October 10, 2019
Enforcing Authority: Commission de Protection des Donnees a Caractere Personnel (CPDCP), NOT YET ESTABLISHED
Consent Model: Opt-in
Applies To: All entities processing personal data within the Republic of Congo

Overview

The Republic of Congo (Congo-Brazzaville) enacted Law 29-2019 in October 2019 to regulate personal data processing. The law establishes the Commission de Protection des Donnees a Caractere Personnel (CPDCP) as the supervisory authority, though this body has not yet been formally established. Penalties range from XOF 1,000,000 to XOF 100,000,000. The framework includes modern provisions such as DPO requirements and mandatory impact assessments for high-risk processing activities.

What This Means for Your Website

If your website collects personal data from visitors in the Republic of Congo, consent or a legal obligation is required for lawful processing. Data must be processed for specified purposes only, with appropriate security measures in place. While enforcement is non-existent without the CPDCP, the law establishes obligations on paper that may become enforceable once the authority is operational.

Key Requirements

Fines range from XOF 1M to XOF 100M. DPO appointment is required for public entities and large-scale data processing. Mandatory impact assessments apply to high-risk processing activities. Data subjects have rights of access, rectification, and deletion. Security measures must protect against unauthorized access, loss, or alteration.

How ConsentStack Handles This

ConsentStack detects visitors from the Republic of Congo and presents a consent banner requiring opt-in before non-essential data processing, ensuring readiness for future enforcement.

Penalties

XOF 1,000,000-100,000,000

Maximum Fine: F CFA 100,000,000 per violation

Key Requirements

  • Consent or legal obligation required for lawful processing
  • Purpose limitation: processing restricted to specified purposes
  • Data security measures against unauthorized access, loss, or alteration
  • DPO required for public entities and large-scale processing
  • Mandatory impact assessments for high-risk processing
  • Data subjects have rights of access, rectification, and deletion

Notable Provisions

  • Data Protection Commission (CPDCP) NOT YET ESTABLISHED
  • DPO requirement and mandatory impact assessments indicate a modern framework
  • Fine ceiling of XOF 100M mirrors other francophone African countries

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is the Republic of Congo's DPA operational?

No. The CPDCP mandated by Law 29-2019 has not yet been formally established, and enforcement is non-existent.

What are the penalties under Law 29-2019?

Fines range from XOF 1,000,000 to XOF 100,000,000 for data protection violations.

Does the law require a DPO?

Yes. DPO appointment is required for public entities and organizations engaged in large-scale data processing.
