DRC Law and Practice Contributed by: Serge Nawej Tshitembu, Xavier Huberland, Daniel Yamba and Katerina Papachristou, ProximA International
son, regardless of their legal status, their nation - ality, or that of their shareholders or managers, and regardless of the location of their registered office or principal establishment. It establishes extraterritorial applicability, meaning that any foreign company targeting, offering goods or services to, or processing personal data of, indi - viduals located in the DRC must comply with its data protection provisions. This approach aligns with international standards, such as the General Data Protection Regulation’s territorial scope in the European Union. For example, foreign e-commerce platforms selling products to customers in the DRC, global streaming services collecting personal data from DRC users, or international telecoms or satellite companies processing DRC customer data are subject to the Digital Code. Such companies are required to implement compliance measures, including ensuring lawful processing, respecting data subjects’ rights and potentially appointing a local representative, in line with the requirements of the Digital Code. 8.3 Role and Authority of the Data Protection Agency The Data Protection Authority (APD – Autorité de Protection des Données ) has been established under the Digital Code to oversee data protec - tion compliance in the DRC. However, it is not yet operational, as its organisation and function - ing must still be defined by a ministerial decree. The APD is expected to have the following key roles and powers: • Oversight and enforcement: monitoring com - pliance with the Digital Code, investigating complaints, conducting audits, and ensuring that data controllers and processors adhere to data protection obligations;
• Issuing guidelines and regulations: providing detailed guidance, regulations and recom - mendations to clarify the implementation of the Digital Code and address emerging data protection issues; • Advisory role: advising the government on legislative and administrative measures related to data protection and providing guid - ance to data controllers and data subjects on their rights and obligations; • Public awareness: promoting public under - standing of data protection rights and respon - sibilities; • International co-operation: collaborating with other data protection authorities to facilitate cross-border enforcement and information exchange; and • Sanctioning powers: imposing administrative fines, issuing warnings and corrective meas - ures, and potentially ordering the suspension of data processing activities in cases of non- compliance. Currently, the interim authority overseeing data protection matters is the Ministry of Posts, Tel - ecommunications, New Information and Com - munication Technologies. Given the repressive (rather than educational) nature of the DRC’s enforcement environment, ProximA International DRC has taken proactive steps by organising awareness sessions aimed at key sectors such as banking institutions and mobile network operators, which manage large volumes of sensitive personal data. These ini - tiatives are designed to mitigate the risk of sanctions resulting from common or systemic breaches. In such a context, anticipation and internal compliance readiness are essential to navigating the complexities of the country’s administrative practices and ensuring business continuity.
251 CHAMBERS.COM
Powered by FlippingBook