Understanding Personal Data Protection in Senegal

Understanding Personal Data Protection in Senegal

Declare your personal data processing operations to the Commission de Protection des Données Personnelles (“CDP“) is mandatory if your start-up processes personal data.

In addition, the law no. 2008-12 of January 25, 2008 on the protection of personal data (the “Law n°2008-12“) on the protection of personal data. provides for other obligations when you process personal or sensitive data.

What is personal data processing? Which form to fill in? What other obligations do I have as a start-up under this law? If you don’t know how to answer these questions, this article will considerably broaden your knowledge on the subject.

In this article, we take a look at the rules applicable to starting up a business in :

1. Thescope of Law n°2008-12 on personal data ;
2. Obligations to comply with Law no. 2008-12 when processing personal data;
3. The authority responsible for personal data protection in Senegal ;
4. Penalties applicable in the event of violation of the law on personal data in Senegal.

1. The scope of Law n°2008-12 on personal data

To whom does law n°2008-12 apply?

Law n°2008-12 on the protection of personal data applies:

• entities that process personal data on Senegalese territory. Senegalese territory or in any place where Senegalese law applies and ;
• all companies, whether or not located in Senegal , which process the personal data of people in Senegal.

What is personal data under Senegalese law?

According toe 4 de Law n°2008-12 on the protection of personal data, personal data means “any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, mental, cultural, social or economic identity”.

This may include information such as :

• The name,
• The address,
• Phone number,
• E-mail address,
• date of birth,
• the workplace,
• purchasing habits,
• location data and much more.

How can I determine whether my startup is processing personal data in accordance with Senegal’s Data Protection Act 2008-12?

Under the terms of article 4 of Law no. 2008-12, the processing of personal data means “.any operation or set of operations […] whether or not performed by automatic means, and applied to data, such as the collection, use, recording, organization, storage, adaptation, modification, retrieval, saving, copying, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as the blocking, encryption, erasure or destruction of personal data”..

Thus, if you carry out an operation or set of operations consisting, for example, in collecting personal data, as defined below, then you may (subject to the exceptions mentioned in Law no. 2008-12) be considered as carrying out personal data processing.

Startups are often required to process personal data as part of their day-to-day activities, such as managing employee payroll, developing an e-commerce site or running marketing campaigns. These activities require the processing of personal data, for example: surname, first name, date of birth, connection log, e-mail, photo, telephone number, bank details, IP address.

Consequently, this data, which identifies or makes identifiable the persons concerned (e.g. employees, customers or suppliers), must be protected by the implementation of security and confidentiality measures.

2. What obligations do I have to comply with under Law no. 2008-12 when processing personal data?

What are the formalities to be complied with in Senegal before processing personal data?

Prior declaration to be made when processing personal data

Article 18 of Law no. 2008-12 stipulates that all personal data processing must be declared to the Commission des Données Personnelles (the “CDP”) prior to its implementation.

It is therefore advisable, a priori, when you start up your business and wish to carry out one or more personal data processing operations, to make a declaration of this or these operations in advance to the CDP.

The startup makes this declaration in accordance with the CDP procedure. In particular, the latter must include an undertaking that the processing complies with the requirements of the law.

The CDP confirms receipt of all declarations. Within one month, it will issue a receipt which can be used to verify the validity of the application.rmits the applicant to carry out the processing, but does not relieve him of any of his responsibilities. This period may be extended once by reasoned decision of the CDP. Only receipt of the receipt will entitle you to processing.

Please note: For the most common categories of personal data processing whose implementation is not likely to infringe privacy or freedoms, the CDP draws up and publishes standards designed to simplify or waive the obligation to declare.

Prior authorization from the Commission for Personal Data

It is important to note that Senegalese law on the protection of personal data pays particular attention to so-called “sensitive” personal data.

When processing sensitive data, i.e. “all personal data relating to religious, philosophical, political or trade-union options or activities, sexual or racial life, health, social measures, prosecutions, criminal or administrative sanctions”, prior authorization must be obtained from the CDP.

The CDP has a period of two (2) months from receipt of the request for an opinion or authorization. However, this period may be extended once by reasoned decision of the CDP. If the CDP has not made a decision within this timeframe, the authorization is deemed favorable.

What are my obligations to consumers/customers and my company under Law 2008-12?

Law 2008-12 lays down the rules for processing personal data in Senegal. It stipulates that personal data may only be collected, processed or used with the consent of the person concerned.

Companies that collect, process or use personal data must comply with the legal obligations set out in Senegalese law on the protection of personal data, including in particular:

• Collection of personal data Personal data must be collected for specified, explicit and legitimate purposes, and may not be further processed in a way incompatible with those purposes. Furthermore, the personal data collected must be relevant, adequate and not excessive in relation to the purpose for which it is collected.
• Obtaining consent Consent: the data subject’s consent must be obtained before personal data is collected, processed or stored.
• Security and confidentiality Data protection: companies must ensure that appropriate technical and organizational measures are in place to protect personal data against loss, misuse, disclosure or unauthorized access. This may include the use of technical measures such as encryption and firewalls, as well as internal policies and procedures to ensure data security and confidentiality.
• Access to personal data Data protection: data subjects have the right to access, correct and, if necessary, delete their personal data. Companies must therefore put in place procedures to enable data subjects to exercise these rights.
• Violation of personal data Companies must notify regulatory authorities and data subjects in the event of a data breach. Companies must therefore put in place procedures to detect data breaches and promptly notify those concerned.
• Subcontractors Data processing: companies may use subcontractors to process personal data. Subcontractors must comply with the legal obligations set out in the Personal Data Protection Act listed above.

3. Which authority is responsible for protecting personal data in Senegal?

In Senegal, personal data protection is ensured by the Commission de Protection des Données Personnelles (CDP), created under the 2008 law on personal data protection.

The CDP is the independent regulatory authority responsible for ensuring compliance with the law on the protection of personal data.

Its role is to inform data subjects and data controllers of their rights and obligations, and to ensure that ICTs do not pose a threat to civil liberties and privacy.

What are my obligations to consumers/customers and my company under Law 2008-12?

The CDP has a number of powers and duties to carry out its mission, including :

1. ensure that the processing of personal data is carried out in accordance with the provisions of Law n°2008-12;
2. publish authorizations granted and opinions issued in the personal data processing directory.
3. inform data subjects and data controllers of their rights and obligations. To this end:

• it receives formalities prior to the creation of personal data processing;
• it receives claims, petitions and complaints relating to the processing of personal data and informs their authors of the action taken;
• it immediately informs the public prosecutor of any offences of which it is aware;
• it may, by special decision, entrust one or more of its members or staff with the task of carrying out checks on any processing operation and, where appropriate, obtaining copies of any document or data medium relevant to its mission;
• it may impose a penalty on a data controller;
• it responds to all requests for advice.

What measures can the CDP take in the event of non-compliance with Law 2008-12?

In the event of a violation of the law on the protection of personal data, the CDP can take various measures, including :

1. Warn or give notice to the controller ;
2. If the data controller fails to comply with the formal notice sent to him/her, the CDP may, after an adversarial procedure, impose the following sanctions: A provisional withdrawal of the authorization granted for a period of three (3) months, at the end of which the withdrawal becomes definitive A fine of between one (1) million and one hundred (100) million FCFA;
3. In urgent cases, when the implementation of a processing operation or the use of personal data leads to a violation of rights and freedoms, the CDP may decide : interruption of processing for a maximum period of three (3) months; blocking of certain processed personal data for a maximum period of three months; temporary or definitive prohibition of processing contrary to the provisions of the law.

The CDP therefore plays a crucial role in the protection of personal data in Senegal, ensuring that data controllers respect the rights of data subjects.

5. Who in the company is responsible for protecting personal data?

The data controller’s obligations

According to article 4 of Law no. 2008-12, any natural person or legal entity, public or private, or any other body or association which, alone or jointly with others, takes the decision to collect and process personal data and determines the purposes thereof, is a data controller.

The data controller must respect the rights of data subjects, in particular the right of access, rectification and opposition.

The Senegalese law on the protection of personal data establishes specific obligations for data processors, such as:

• the obligation to notify data breaches; and
• the obligation to maintain data processing registers.

Subcontractor’s obligations

According to article 4 of Law n°2008-12, any individual or legal entity, public or private, or any other organization or association that processes data on behalf of the data controller is a processor.

Processors must also respect these rights with regard to the data they process on behalf of the controller.

Any processing carried out on behalf of the controller by a processor must be governed by a contract or a legal act recorded in writing which binds the processor to the controller and which stipulates in particular that the processor is acting solely on the instructions of the controller and that the obligations referred to in this article are also incumbent on the controller.

What is a Data Protection Officer?

Companies can appoint a Data Protection Officer (DPO) to ensure compliance with the Data Protection Act.

The DPO can advise the company on personal data protection issues and ensure that the rights of data subjects are respected.

6. What sanctions are applicable in the event of a violation of the law on personal data in Senegal?

In the event of violation of the law on the protection of personal data in Senegal, sanctions may be applied. These sanctions are provided for in article 39 of law no. 2008-12 of January 25, 2008 on the protection of personal data.

In addition to the civil and administrative penalties listed above, breaches of Law no. 2008-12 of January 25, 2008 are provided for and punished by the penal code and the law on cybercrime.

It is therefore essential to comply with Law n°2008-12, especially as this will enable you to stand out from your competitors both nationally and internationally. This gives you an extremely positive competitive edge, in terms of your company’s reputation and brand image. This demonstrates exemplary management of personal data processed on behalf of your customers, as well as compliance with security and confidentiality measures.

🚨The items listed above do not constitute legal advice. For legal advice on your situation or project, we recommend that you contact a lawyer.

📚Forfurther information, please consult the following articles:

• Learn how to comply with Ivorian law on the protection of personal data ;
• Declaring personal data processing in Morocco ;
• Learn how to comply with the European RGPD regulation.