Djibouti Digital Code 2025

Digital Code of the Republic of Djibouti (Data Protection Provisions)

Flag of DJ
Republic of DjiboutiOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
June 30, 2025
Enacted
June 30, 2025
Enforcing Authority
Commission Nationale de Protection des Donnees Personnelles (CNDP) — to be established
Consent Model
Opt-in
Applies To
All controllers and processors within Djibouti or processing data of Djiboutian residents

Overview

Djibouti's Digital Code, enacted June 30, 2025, introduces the country's first comprehensive data protection framework as part of a broader 156-article digital legislation. It establishes a GDPR-style regime with privacy by design requirements, data minimization by default, and 72-hour breach notification obligations. The Commission Nationale de Protection des Donnees Personnelles (CNDP) is designated as the independent supervisory authority, though it has not yet been operationally established. Penalties can reach up to 10 years imprisonment or 5% of turnover.

What This Means for Your Website

If your website processes data of Djiboutian residents, you should prepare for compliance with privacy by design principles, implement data minimization practices, and establish 72-hour breach notification procedures. Cross-border data transfers require adequate protection in the recipient country. While the CNDP is not yet operational, proactive compliance positions your organization ahead of enforcement.

Key Requirements

Privacy by design mandates technical and organizational measures from the design stage. Data minimization by default means only necessary data should be processed. Breach notification must reach the CNDP within 72 hours. Cross-border transfers require adequate protection. Consent is the default legal basis for processing. Data subjects have comprehensive rights under the framework.

How ConsentStack Handles This

ConsentStack helps organizations prepare for Djibouti's Digital Code requirements with a consent management platform that implements privacy by design principles. It provides a configurable consent banner for lawful data collection, records all consent decisions with timestamps, supports data minimization through granular consent categories, and maintains audit trails for future CNDP compliance reviews.

Penalties

Up to 10 years imprisonment; administrative fines up to DJF 70,000,000 (~$393,400) or 5% of turnover

Maximum Fine
DJF 70,000,000 aggregate
Revenue-based
5% of annual revenue

Key Requirements

  • Privacy by design: technical and organizational measures from the design stage
  • Data minimization by default — only necessary data processed
  • 72-hour breach notification to CNDP
  • Cross-border transfers only to countries with adequate protection
  • Consent required for personal data processing
  • Data subjects have comprehensive rights

Notable Provisions

  • GDPR-style framework with 72-hour breach notification and privacy by design
  • Part of a broader 156-article Digital Code
  • CNDP designated as independent body but not yet established
  • Among the higher penalty ceilings in East Africa

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is Djibouti's Digital Code currently enforced?

The Digital Code was enacted June 30, 2025, but the designated supervisory authority (CNDP) has not yet been operationally established, limiting active enforcement.

What penalties does Djibouti's Digital Code impose?

Penalties include up to 10 years imprisonment and administrative fines up to DJF 70 million (approximately $393,400) or 5% of turnover.

Does Djibouti require privacy by design?

Yes, the Digital Code mandates technical and organizational measures from the design stage, along with data minimization by default.

Does the law apply to foreign companies?

Yes, the Digital Code applies to all controllers and processors within Djibouti or processing personal data of Djiboutian residents.

Stay compliant with Djibouti Digital Code 2025

ConsentStack helps you implement Opt-in consent for Republic of Djibouti automatically.

Get started free