Comoros Data Protection Law 2021

Law on the Protection of Personal Data (June 29, 2021)

Key Facts

Effective Date: June 29, 2021
Enacted: June 29, 2021
Enforcing Authority: Competent authority designated under the law (not operational)
Consent Model: Opt-in
Applies To: All data controllers and processors through automated or non-automated means; broad extraterritorial scope covering foreign entities processing data of Comorian individuals

Overview

The Union of the Comoros enacted a comprehensive data protection law on June 29, 2021, establishing broad territorial scope that covers foreign entities processing data of Comorian individuals. The law requires consent or a lawful basis for data processing and mandates 72-hour breach notification aligning with GDPR standards. However, it remains effectively unenforced because no operational supervisory authority has been established, making practical compliance demands minimal at present.

What This Means for Your Website

If your website collects data from Comorian residents, the law technically applies to you through its broad extraterritorial scope. While enforcement is currently non-existent due to the absence of a supervisory authority, best practice is to implement basic consent mechanisms and data protection practices in anticipation of future enforcement. The 72-hour breach notification and cross-border transfer restrictions exist on paper.

Key Requirements

Consent or a lawful basis is required for data processing. Breach notification must be made within 72 hours. Cross-border transfers require adequate protection in the recipient country or appropriate safeguards such as standard contractual clauses. The law has broad territorial scope covering entities outside Comoros. Data subjects have rights of access, rectification, and deletion. Data security measures are mandatory.

How ConsentStack Handles This

ConsentStack helps organizations prepare for the Comoros data protection law by providing a consent management platform that captures lawful consent. Even though enforcement is currently inactive, ConsentStack's consent banner, timestamped records, and audit trails position your website for compliance when supervisory authority operations begin.

Penalties

Fines escalating by severity and frequency of breach; operational restrictions possible. Specific amounts not publicly detailed.

Key Requirements

  • Consent or lawful basis required for data processing
  • 72-hour breach notification to relevant authorities
  • Cross-border transfers require adequate protection or appropriate safeguards
  • Broad territorial scope covering entities outside Comoros processing Comorian data
  • Data subjects have rights of access, rectification, and deletion
  • Data security measures mandatory

Notable Provisions

  • Law enacted but NOT ENFORCED — no operational supervisory authority
  • Broad extraterritorial scope unusual for a small island nation
  • 72-hour breach notification aligns with GDPR standards
  • Risk-based approach to cross-border transfers

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is the Comoros data protection law enforced?

No, the law was enacted in 2021 but remains effectively unenforced because no operational supervisory authority has been established.

Does the Comoros law have extraterritorial scope?

Yes, the law has broad territorial scope covering foreign entities processing personal data of Comorian individuals, which is unusual for a small island nation.

What breach notification timeline does the Comoros require?

The law mandates 72-hour breach notification to relevant authorities, aligning with GDPR standards.

Should I comply with the Comoros law now?

While enforcement is inactive, implementing basic consent mechanisms is recommended as a best practice to prepare for future enforcement when the supervisory authority becomes operational.
