Population: 16,743,930
Capital: Dakar

President: Macky Sall

2021 Freedom House Score: 71/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, the right to privacy is enshrined in Article 13 of the Senegalese constitution

DPA legislation: 2008 legal reforms saw the enactment of Law No. 2008-12 on the protection of personal data, as well as other ICT-related laws. The law entered into force in 2014, and the data protection commission known as the Commission des Données Personnelles (CDP) was established, with the CDP’s website being highly accessible and informative with regular reports about the activities of the CDP and resources for citizens looking to exercise their rights under the law. In early 2020, a new Personal Data Protection Bill of 2019 was published for comment as part of the government’s goal of upgrading the legal and institutional framework of the technology and telecommunications sector by 2025 as part of “Digital Senegal 2016-2025 Strategic Plan”. However, since then, the Bill does not appear to have progressed further.

Under Law No. 2008-12, an individual has the right to:

• be informed by any data controller if they hold personal data about that individual;
• access and know how personal data concerning them is being processed;
• object, for legitimate reasons, to the processing of personal data concerning them;
• have a data controller correct, supplement, update, lock, or delete personal data concerning him, if the data is inaccurate, incomplete, equivocal, or out of date, or if its collection, use, communication, or conservation is prohibited; and
• not be subject to a decision made on the sole basis of an automated processing that would produce adverse legal repercussions for them.

ICCPR: Ratified

Council of Europe Convention 108:Ratified

Council of Europe Convention 185: Ratified

Malabo Convention: Ratified

ECOWAS Supplementary Act on Personal Data Protection: Signed

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): Ratified

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: Yes

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes

Personal data is any information relating to a natural person identified, or directly or indirectly identifiable, by reference to an identification number or to one or more elements, specific to their physical, physiological, genetic, psychic, cultural identity, social or economic.

Sensitive data includes all personal data relating to religious, philosophical, or political opinions or activities, trade union membership, racial identity, sexual life, health, social measures, prosecutions, criminal or administrative sanctions.

Personal data processing is considered legitimate if there is consent from the data subject. This requirement may be waived where processing is necessary for:

• compliance with a legal obligation to which the controller is subject;
• the performance of a public interest mission or the exercise of public authority;
• the commencement or performance of a contract in the data subject’s interests or to which they are a party; or
• safeguarding the interests or fundamental rights and freedoms of the data subject.

Personal data processing must abide by the following principles:

• personal data must be collected, recorded, processed, stored, and transmitted fairly, lawfully, and not fraudulently;
• personal data must be collected for specific, explicit, and legitimate purposes and cannot be further processed in any manner incompatible with those purposes;
• personal data must be adequate, relevant, and not excessive in relation to those purposes;
• personal data must be accurate and updated, if necessary;
• personal data must be kept for a period not exceeding the period necessary for the purposes for which they were collected or processed; and
• personal data must be treated confidentially and be adequately protected, in particular where the processing includes data transmissions in a network.

Additionally, the law includes provisions concerning interconnection:

• Interconnection of files is allowed when it involves data controllers running services for the public interest, or when implemented by the state to support the administration of remote services within a framework of e-government.
• Interconnection of databases may only be implemented to achieve statutory objective or legitimate interests of data controllers.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: No

Notification to data subject in event of data breach: No

Timeframe for notification is specified: NA

Exceptions exist to breach notifications: NA

Requires a data processing register: Yes

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Unclear

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Yes

Number of members in DPA: 11

Maximum term length for members of the DPA (years): 8

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes

Transfer of personal data to another country is allowed only when that country provides sufficient legal protection for privacy, freedoms and fundamental rights of individuals to the processing of personal data.

Transfer of personal data to a country where these protections are not provided for is possible when the data subject has expressly consented to the transfer, or to protect the data subject’s life, to safeguard the public interest, in exercise or defence of a legal claim, and in execution of a contract in data subject’s interest.

Provides a right not to be subject to automated decision-making: No