Understanding Personal Data Protection in Burkina Faso
🔎 Everything you need to know about the CIL, Law No. 001-2021 on personal data in Burkina Faso, the rights of individuals, and the risks for companies in the event of non-compliance: prior formalities, sanctions, and fines.
Introduction: Law No. 001-2021 in Burkina Faso
Declaring your personal data processing activities to the Commission de l'informatique et des libertés ("CIL") is mandatory in Burkina Faso if your startup processes personal data.
Law No. 001-2021/AN on the protection of individuals with regard to the processing of personal data, dated 30 March 2021 (the "Law No. 001-2021"), imposes obligations on you when you process personal data or sensitive data. Its purpose is to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data.
What constitutes personal data processing? Which form should you complete? What other obligations does Law No. 001-2021 impose on your startup? If you are unsure how to answer these questions, this article will significantly broaden your knowledge on the subject.
👉 If your startup operates across multiple African countries, see also our articles on personal data protection in Morocco (CNDP) and Senegal (CDP).
Who does Law No. 001-2021 apply to?
Law No. 001-2021 applies to:
- automated or non-automated processing of personal data where the data controller or processor is established in Burkina Faso, or where, without being established there, they fall under Burkina Faso's jurisdiction under public international law;
- data controllers or processors not established on Burkina Faso's territory who carry out processing operations from national territory, excluding transit data.
In other words, Law No. 001-2021 applies to you if your data controller is based in Burkina Faso and processes personal data (for example, the names, addresses, and telephone numbers of your clients). A data controller that is not based in Burkina Faso may nonetheless fall under its jurisdiction by virtue of an international convention ratified by Burkina Faso.
Who does the law not apply to?
Law No. 001-2021 does not apply to:
- processing carried out by a natural person solely for personal or domestic activities;
- temporary copies made in the context of technical transmission activities and the provision of access to a digital network, for the purpose of intermediate and transitory automatic storage of data solely to allow other service recipients the best possible access to information, except with regard to updates and security;
- processing of personal data carried out solely for literary, artistic, or journalistic purposes, in compliance with the ethical and professional rules of those professions, measures ensuring the protection of journalistic source confidentiality, and moderation rules applicable to discussion forums operated by news publishers.
What is personal data protection?
What is personal data under Burkinabè law?
Under Article 5 of Law No. 001-2021, personal data means:
"Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity."
This can include, for example: name, address, telephone number, email address, date of birth, place of work, purchasing habits, location data, and so on.
How do I determine whether my startup is processing personal data?
Under Article 5 of Law No. 001-2021, processing of personal data means:
"Any operation or set of operations, carried out with or without automated means, applied to personal data, such as collection, organisation, storage, adaptation, modification, saving, copying, consultation, recording, extraction, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, locking, encryption, erasure, or destruction."
You may therefore (subject to certain exceptions) be considered as processing personal data if you carry out any of the operations listed above.
What obligations must you comply with?
Categories of processing exempt from prior formalities
You are exempt from prior formalities with the CIL for personal data processing:
- whose specific purpose is solely to ensure the archiving of documents;
- implemented by an association or any non-profit organisation of a religious, philosophical, political, or trade union nature, provided that the processing corresponds to that organisation's purpose, concerns only its members, and is not to be communicated to third parties without their consent.
What prior formalities must be complied with?
The processing of personal data (subject to the exemptions above) must first go through one of the following 4 formalities:
- Opinion request: for processing operations requiring the CIL's prior opinion.
- Authorisation request: for sensitive or high-risk processing operations.
- Standard declaration: the standard procedure for most processing operations.
- Simplified declaration: for certain standard processing operations defined in advance.
How do I determine which formality applies?
You must either:
- File a standard declaration if the intended processing does not require (i) an authorisation or (ii) a legislative or regulatory act, and does not fall within the scope of exempt processing.
- Obtain prior authorisation if the intended processing involves:
  - genetic or biometric data in the private sector and in health research;
  - data relating to offences, convictions, or security measures in the private sector;
  - the interconnection of files;
  - a national identification number or any other identifier of the same nature in the public or private sector;
  - biometric data in the private sector;
  - data serving a public interest purpose, including for historical, statistical, or scientific purposes;
  - administrative or private decision support involving an assessment of human behaviour, profiling or personality definition, or relying on artificial intelligence techniques for predictive purposes;
  - transfers of data to a foreign country.
- Obtain a decision by legislative or regulatory act when processing is carried out on behalf of a public body (State, public establishment, local authority) or a private legal entity managing a public service. This applies to processing involving:
  - state security, defence, or public safety;
  - the prevention, investigation, detection, or prosecution of criminal offences, or the execution of criminal sentences or security measures;
  - population census;
  - personal data revealing religious, philosophical, political, or trade union beliefs or activities, sex life, race, health, morals, genetic or biometric data, social welfare measures, criminal or administrative prosecutions or sanctions;
  - the processing of salaries, pensions, taxes, levies, and other settlements.
Whichever procedure applies, your startup must follow the process established by the CIL.
Content and procedure for the prior declaration
The prior declaration may be submitted to the CIL electronically or in paper form. It must include the information specified on the CIL's website.
Timeframe for receipt of acknowledgement
Unless a specific decision is made, the declaration acknowledgement is issued without delay. Upon receipt, the applicant may begin processing personal data. However, this does not exempt them from any of their responsibilities under the Law.
What is the CIL?
In Burkina Faso, the protection of personal data is ensured by the CIL (Commission de l'informatique et des libertés), established under Law No. 001-2021.
The CIL is the supervisory authority responsible for overseeing compliance with Law No. 001-2021, in particular by:
- informing all data subjects and data controllers of their rights and obligations;
- monitoring the use of information and communication technologies as applied to personal data processing.
📌 Legal status: the CIL is an independent administrative authority with administrative and management autonomy. It holds both regulatory powers and sanctioning powers.
Powers and responsibilities of the CIL
The CIL's missions
The CIL holds several powers and responsibilities in fulfilling its mission. It ensures that the use of information and communication technologies for personal data processing purposes poses no threat to individual or public freedoms or to privacy.
Where necessary, the CIL may instruct its members, assisted by officers and, where appropriate, experts, to carry out on-site verification and inspection missions in relation to any personal data processing operation.
Measures the CIL may take in the event of non-compliance
In the event of a breach of Law No. 001-2021, the CIL may impose the following administrative sanctions:
- Warning;
- Formal notice;
- Order to cease the processing in question;
- Locking of certain personal data;
- Flat-rate fine;
- Withdrawal of authorisation.
Breaches of the Law's provisions are also punishable under the criminal code in its provisions relating to offences in the field of information technology and the use of information and communication technologies.
⚠️ Emergency injunction: in the event of a serious and immediate infringement of the rights of data subjects, the President of the CIL or the person whose rights and freedoms have been violated may apply by way of emergency injunction to the competent court to order, where appropriate and under penalty, any measures necessary to safeguard those rights. Such persons may also claim compensation for damages suffered.
Serious breaches
The following acts constitute serious breaches:
- unfair collection or unauthorised communication of personal data to a third party;
- collection of sensitive data in breach of the legal conditions;
- collection or use of personal data resulting in a serious infringement of fundamental rights and freedoms, including the privacy of the data subject.
Who are the responsible parties within the startup?
Under Law No. 001-2021, your startup acts as:
- Data controller if, alone or jointly with others, it decides to collect and process personal data and determines the purposes and means of processing;
- Processor, if it processes data on behalf of the data controller.
Both the data controller and the processor are responsible for ensuring compliance with the obligation of security and confidentiality.
Obligations and duties of the data controller
The data controller is subject to the following obligations and duties:
- Prior declaration obligation for personal data processing activities;
- Obligation to obtain consent from the data subject;
- Duty of legitimacy and lawfulness of personal data processing;
- Duty to inform the data subject;
- Duty of security in personal data processing.
For further details, you can consult the full list of obligations on the CIL's website.
Relationship between the data controller and the processor
Where processing is carried out on behalf of the data controller, they must choose a processor that provides sufficient guarantees of protection. They must enter into an agreement with the processor specifying, in particular, the processing operations authorised and the fate of the data at the end of the contract.
What is a Data Protection Officer (DPO)?
Any data controller may appoint within their organisation a Data Protection Officer (DPO) responsible for ensuring compliance with the obligations set out in the Law.
What are the risks of non-compliance?
The fines that may be imposed by the CIL on any data controller found to have breached the provisions of the Law are listed below (non-exhaustive list):
| Offences | Fines (FCFA) |
|---|---|
| Obstruction of the CIL's actions, through the following acts: | 5 to 10 M |
| | 5 to 20 M |
| | 5 to 100 M |
| Processing of personal data concerning a natural person despite their objection, where that objection is based on legitimate grounds. | 2 to 5 M |
| The act of storing or retaining in computerised memory, outside the cases provided for by law, without the express consent of the person concerned, personal data that directly or indirectly disclose racial or ethnic origin, political, philosophical, or religious opinions, trade union membership, or morality. | 10 to 100 M |
In addition, the CIL may order:
- the confiscation of all physical media containing the personal data subject to the regulatory breach (manual files, magnetic disks and tapes), or order the erasure of such data;
- a ban on the convicted data controller from managing any personal data processing for a maximum of two years.
✅ Competitive advantage: complying with Law No. 001-2021 is essential. It sets you apart from competitors at national and international level, providing a highly positive competitive edge in terms of reputation and brand image. It demonstrates exemplary management of personal data processed on behalf of your clients, as well as adherence to security and confidentiality measures.