Law 007/PR/2015

Law No. 007/PR/2015 of February 10, 2015 on the Protection of Personal Data

Flag of TD
ChadOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
February 10, 2015
Enacted
February 10, 2015
Enforcing Authority
Agence Nationale de Securite Informatique et de Certification Electronique (ANSICE)
Consent Model
Opt-in
Applies To
All data controllers and processors operating within Chad

Overview

Chad's Law 007/PR/2015, enacted in February 2015, establishes a dual enforcement system for data protection. ANSICE handles administrative sanctions while courts impose criminal penalties. The graduated administrative approach starts with warnings, escalates through formal notices and processing prohibitions, and finally applies monetary fines of XAF 1,000,000 to XAF 10,000,000. Criminal sanctions range from 3 months to 1 year imprisonment.

What This Means for Your Website

If your website processes personal data of Chadian visitors, consent is required before processing. Data must be collected lawfully, fairly, and non-fraudulently for explicit, specific, and legitimate purposes. Prior declaration or authorization from ANSICE is required. Data must be relevant, not excessive, accurate, and retained only as long as necessary.

Key Requirements

ANSICE enforces with graduated administrative sanctions and courts handle criminal penalties. Fines range from XAF 1M to XAF 10M with imprisonment of 3 months to 1 year. Prior declaration or authorization from ANSICE is mandatory. Data must meet standards of relevance, accuracy, and purpose limitation.

How ConsentStack Handles This

ConsentStack detects Chadian visitors and presents a compliant consent banner requiring affirmative opt-in before activating non-essential cookies and tracking technologies.

Penalties

Administrative: warnings, formal notices, temporary/permanent processing prohibition. Monetary: XAF 1,000,000-10,000,000. Criminal: 3 months to 1 year imprisonment.

Maximum Fine
FCFA 10,000,000 per violation

Key Requirements

  • Consent required for personal data processing
  • Data collected lawfully, fairly, and non-fraudulently
  • Data collected for explicit, specific, and legitimate purposes
  • Data must be relevant, not excessive, accurate, and kept up to date
  • Retention limited to what is necessary for purpose
  • Prior declaration or authorization from ANSICE

Notable Provisions

  • Dual enforcement: administrative penalties by ANSICE and criminal sanctions by courts
  • Graduated administrative approach: warning, formal notice, prohibition, then fines
  • Relatively modest fine ceiling (XAF 10M) compared to regional peers

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

How does Chad enforce data protection?

Chad uses dual enforcement: ANSICE handles administrative sanctions (warnings, processing bans, fines) while courts impose criminal penalties (3 months to 1 year imprisonment).

What are the fines under Chad's law?

Monetary fines range from XAF 1,000,000 to XAF 10,000,000, with graduated administrative sanctions before fines are imposed.

Is prior authorization required in Chad?

Yes. Data controllers must obtain prior declaration or authorization from ANSICE before processing personal data.

Stay compliant with Law 007/PR/2015

ConsentStack helps you implement Opt-in consent for Chad automatically.

Get started free