DATA PROTECTION FACTSHEET
President: Macky Sall
2021 Freedom House Score: 71/100
Data protection law? Yes, with data protection authority appointed
Privacy enshrined in Constitution: Yes, the right to privacy is enshrined in Article 13 of the Senegalese constitution
DPA legislation: Legal reforms in 2008 saw the enactment of Law No. 2008-12 on the protection of personal data, as well as other ICT-related laws. The law entered into force in 2014, and the data protection commission, known as the Commission des Données Personnelles (CDP), was established. The CDP’s website is highly accessible and informative, with regular reports about the activities of the CDP and resources for citizens looking to exercise their rights under the law. In early 2020, a new Personal Data Protection Bill of 2019 was published for comment as part of the government’s goal of upgrading the legal and institutional framework of the technology and telecommunications sector by 2025 under the “Digital Senegal 2016-2025 Strategic Plan”. However, the Bill does not appear to have progressed further since then.
Under Law No. 2008-12, an individual has the right to:
- be informed by any data controller if they hold personal data about that individual;
- access and know how personal data concerning them is being processed;
- object, for legitimate reasons, to the processing of personal data concerning them;
- have a data controller correct, supplement, update, lock, or delete personal data concerning them, if the data is inaccurate, incomplete, equivocal, or out of date, or if its collection, use, communication, or conservation is prohibited; and
- not be subject to a decision made solely on the basis of automated processing that would produce adverse legal repercussions for them.
Council of Europe Convention 108: Ratified
Council of Europe Convention 185: Ratified
Malabo Convention: Ratified
ECOWAS Supplementary Act on Personal Data Protection: Signed
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): Ratified
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: Yes
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
Personal data is any information relating to a natural person who is identified, or directly or indirectly identifiable, by reference to an identification number or to one or more elements specific to their physical, physiological, genetic, psychic, cultural, social or economic identity.
Sensitive data includes all personal data relating to religious, philosophical, or political opinions or activities, trade union membership, racial identity, sexual life, health, social measures, prosecutions, criminal or administrative sanctions.
Personal data processing is considered legitimate if there is consent from the data subject. This requirement may be waived where processing is necessary for:
- compliance with a legal obligation to which the controller is subject;
- the performance of a public interest mission or the exercise of public authority;
- the commencement or performance of a contract in the data subject’s interests or to which they are a party; or
- safeguarding the interests or fundamental rights and freedoms of the data subject.
Personal data processing must abide by the following principles:
- personal data must be collected, recorded, processed, stored, and transmitted fairly, lawfully, and not fraudulently;
- personal data must be collected for specific, explicit, and legitimate purposes and cannot be further processed in any manner incompatible with those purposes;
- personal data must be adequate, relevant, and not excessive in relation to those purposes;
- personal data must be accurate and updated, if necessary;
- personal data must be kept for a period not exceeding the period necessary for the purposes for which they were collected or processed; and
- personal data must be treated confidentially and be adequately protected, in particular where the processing includes data transmissions in a network.
Additionally, the law includes provisions concerning interconnection:
- Interconnection of files is allowed when it involves data controllers running services for the public interest, or when implemented by the state to support the administration of remote services within a framework of e-government.
- Interconnection of databases may only be implemented to achieve the statutory objectives or legitimate interests of data controllers.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: NA
Exceptions exist to breach notifications: NA
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Yes
Number of members in DPA: 11
Maximum term length for members of the DPA (years): 8
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
Transfer of personal data to another country is allowed only when that country provides sufficient legal protection for the privacy, freedoms and fundamental rights of individuals with regard to the processing of personal data.
Transfer of personal data to a country where these protections are not provided for is possible when the data subject has expressly consented to the transfer, or when the transfer is needed to protect the data subject’s life, to safeguard the public interest, for the exercise or defence of a legal claim, or for the execution of a contract in the data subject’s interest.
Provides a right not to be subject to automated decision-making: No