Understanding personal data protection in Senegal
🔎 Everything you need to know about the CDP (Personal Data Protection Commission), Law No. 2008-12, the obligations for startups, and the penalties for non-compliance in Senegal.
Introduction: Law No. 2008-12 in Senegal
Declaring your personal data processing activities to the Personal Data Protection Commission ("CDP") is mandatory if your startup processes personal data.
In addition, Law No. 2008-12 of January 25, 2008 on the protection of personal data (the "Law No. 2008-12") sets out further obligations when you process personal data or sensitive data.
What is personal data processing? Which form should you complete? What are your other obligations as a startup under this law? If you cannot answer these questions, this article will significantly broaden your knowledge on the subject.
In this article, we cover the regulatory framework applicable to launching an activity in Senegal, addressing:
- The scope of application of Law No. 2008-12 on personal data;
- The obligations to comply with under Law No. 2008-12 when carrying out personal data processing;
- The authority responsible for protecting personal data in Senegal;
- The applicable sanctions in the event of a violation of the personal data law in Senegal.
👉 If your startup operates across several African countries, also consult our articles on data protection in Morocco (CNDP) and Burkina Faso (CIL).
Who does Law No. 2008-12 apply to?
The Law No. 2008-12 on personal data protection applies to:
- entities that carry out personal data processing on Senegalese territory or in any place where Senegalese law applies;
- all companies whether or not located on Senegalese territory that process personal data of individuals located in Senegal.
What is personal data under Senegalese law?
Under Article 4 of Law No. 2008-12 on personal data protection, personal data means:
"Any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychological, cultural, social or economic identity."
This may include information such as:
- name,
- address,
- phone number,
- email address,
- date of birth,
- place of work,
- purchasing habits,
- location data, and much more.
How do I determine whether my startup carries out personal data processing?
Under Article 4 of Law No. 2008-12, the processing of personal data means:
"Any operation or set of operations […] whether or not carried out using automated or non-automated processes, applied to data, such as collection, use, recording, organization, storage, adaptation, modification, extraction, backup, copying, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, as well as the locking, encryption, erasure or destruction of personal data."
Accordingly, if you carry out an operation or set of operations consisting, for example, of collecting personal data, you may (subject to the exceptions set out in Law No. 2008-12) be considered as carrying out personal data processing.
Startups are often required to process personal data in the course of their day-to-day activities, in particular when:
- managing employee payroll;
- developing an e-commerce website;
- running marketing campaigns.
These activities require processing personal data such as: first and last name, date of birth, connection logs, email, photo, phone number, bank details, IP address.
Consequently, these data — which make it possible to identify or render identifiable the persons concerned (employees, customers or suppliers) — must be protected through the implementation of security and confidentiality measures.
What prior formalities must be complied with?
Prior declaration for personal data processing
Article 18 of Law No. 2008-12 provides that all personal data processing must be declared in advance before implementation to the Personal Data Protection Commission (the "CDP").
Accordingly, when starting your activity and wishing to carry out one or more personal data processing operations, you should in principle file a prior declaration of such processing with the CDP.
The startup makes this declaration by following the procedure established by the CDP. It must include, in particular, a commitment that the processing meets the requirements of the law.
📌 Procedure: the CDP acknowledges any declaration filing by a receipt. It then issues, within a period of one month, a receipt that allows the applicant to implement the processing without, however, exempting them from any of their responsibilities. This period may be extended once by a reasoned decision of the CDP. Only receipt of the acknowledgment gives the right to implement processing.
⚠️ Please note: for the most common categories of personal data processing whose implementation is not likely to infringe on privacy or freedoms, the CDP establishes and publishes standards designed to simplify or exempt the obligation to declare.
Prior authorization required from the CDP
It is important to note that the Senegalese personal data protection law pays particular attention to so-called "sensitive" personal data.
When it comes to the processing of sensitive data, meaning:
"All personal data relating to religious, philosophical, political or trade union opinions or activities, sexual or racial life, health, social welfare measures, prosecutions, criminal or administrative sanctions."
Prior authorization from the CDP must be obtained.
The CDP has a period of two (2) months from receipt of the request for an opinion or authorization. However, this period may be extended once by a reasoned decision of the CDP. Where the CDP has not ruled within these time limits, the authorization is deemed favorable.
What are the obligations towards consumers and customers?
Law 2008-12 establishes the rules for the processing of personal data in Senegal. It stipulates that personal data may only be collected, processed or used with the consent of the person concerned.
Companies that collect, process or use personal data must comply with the following legal obligations:
1. Personal data collection
Personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes. They must be relevant, adequate and not excessive.
2. Obtaining consent
The consent of the person concerned must be obtained before collecting, processing or storing their personal data.
3. Security and confidentiality
Companies must implement appropriate technical and organizational measures to protect data against risks of loss, misuse, disclosure or unauthorized access (encryption, firewalls, internal policies).
4. Access to personal data
Data subjects have the right to access their personal data, correct it and delete it if necessary. Companies must put in place procedures to enable the exercise of these rights.
5. Personal data breach
Companies must notify regulatory authorities and the persons concerned in the event of a data breach. Rapid detection and notification procedures must be in place.
6. Subprocessors
Companies may use subprocessors to process personal data. Subprocessors must comply with all the legal obligations set out above.
Need help declaring your data processing activities to the CDP in Senegal?
If you would like support with your CDP formalities, fill in this questionnaire and we will get back to you promptly.
What is the CDP?
In Senegal, the protection of personal data is ensured by the Personal Data Protection Commission (CDP), established under the 2008 law on the protection of personal data.
The CDP is the independent regulatory authority responsible for ensuring compliance with personal data protection law.
Its mission is to inform data subjects and data controllers of their rights and obligations, and to ensure that information and communication technologies do not pose a threat to public freedoms and privacy.
CDP powers and attributions
Main missions of the CDP
The CDP has several powers and attributions to carry out its mission, including:
- Ensuring that personal data processing is implemented in accordance with the provisions of Law No. 2008-12;
- Publishing granted authorizations and issued opinions in the personal data processing register;
- Informing data subjects and data controllers of their rights and obligations. To this end, it:
- receives prior formalities for the creation of personal data processing;
- receives complaints, petitions and claims relating to the implementation of processing and informs their authors of the follow-up given;
- immediately informs the Public Prosecutor of any offenses of which it becomes aware;
- may, by specific decision, instruct one or more of its members or service agents to carry out verifications relating to any processing and obtain copies of any document useful to its mission;
- may impose a sanction on a data controller;
- responds to any request for an opinion.
Measures in the event of non-compliance with Law 2008-12
In the event of a violation of the personal data protection law, the CDP may take various measures:
- Warn or serve notice on the data controller;
- If the data controller fails to comply with the notice, the CDP may, following adversarial proceedings, impose the following sanctions:
- A provisional withdrawal of the authorization granted for a period of three (3) months, at the expiry of which the withdrawal becomes permanent;
- A financial penalty of between one (1) million and one hundred (100) million CFA francs.
- In urgent cases, where the implementation of processing or the use of personal data causes a violation of rights and freedoms, the CDP may decide:
- the suspension of the processing for a maximum period of three (3) months;
- the locking of certain personal data being processed for a maximum period of three months;
- the temporary or permanent prohibition of processing that is contrary to the provisions of the law.
The CDP therefore plays a crucial role in protecting personal data in Senegal and ensures that data controllers respect the rights of data subjects.
Who are the responsible parties within the company?
Obligations of the data controller
Under Article 4 of Law No. 2008-12, any natural or legal person, public or private, any other body or association that, alone or jointly with others, decides to collect and process personal data and determines the purposes thereof is a data controller.
The data controller must respect the rights of data subjects, including the right of access, rectification, and objection.
The Senegalese personal data protection law establishes specific obligations for data controllers, such as:
- the obligation to notify data breaches;
- the obligation to maintain processing records.
Obligations of the subprocessor
Under Article 4 of Law No. 2008-12, any natural or legal person, public or private, any other body or association that processes data on behalf of the data controller is a subprocessor.
Subprocessors must also respect these rights with regard to the data they process on behalf of the data controller.
Any processing carried out on behalf of the data controller by a subprocessor must be governed by a contract or legal act recorded in writing that binds the subprocessor to the data controller and provides in particular that the subprocessor acts only on the sole instructions of the data controller and that the obligations referred to in this article are equally incumbent on the subprocessor.
What is a Data Protection Officer (DPO)?
Companies may appoint a Data Protection Officer (DPO) to ensure compliance with personal data protection law.
The DPO may advise the company on matters relating to personal data protection and ensure that the rights of data subjects are respected.
What sanctions apply in the event of a violation?
In the event of a violation of personal data protection law in Senegal, sanctions may be applied. These sanctions are provided for by Article 39 of Law No. 2008-12 of January 25, 2008 on the protection of personal data.
⚠️ Criminal sanctions: in addition to the civil and administrative sanctions listed above, violations of Law No. 2008-12 of January 25, 2008 are provided for and punishable under the Penal Code as well as the Cybercrime Act.
✅ Competitive advantage: it is therefore essential to comply with Law No. 2008-12 — all the more so as doing so allows you to stand out from your competitors at both national and international level. In doing so, you gain an extremely positive competitive advantage in terms of reputation and brand image for your company. This demonstrates, in particular, exemplary management of the personal data processed on behalf of your clients, as well as adherence to security and confidentiality measures.
🚨 The information listed above does not constitute legal advice. To obtain a legal opinion on your specific situation or project, we recommend consulting a lawyer.
📚 Further reading
To go further, you may consult the following articles:
Looking for legal assistance in Senegal?
If you would like support on your personal data matters in Senegal (CDP declarations, authorizations, processing registers), fill in this questionnaire and we will get back to you promptly.
