Senegal

Summary

Law: Law No 2008-12 of 25 January 2008 Concerning Personal Data Protection (the Law) and Decree No 2008-721 of 30 June 2008 Concerning Law Enforcement, Relating to Application of the Data Protection Law (only available in French)

Regulator: Senegalese data protection authority (CDP)

Summary: The Law No 2008-12 of 25 January 2008 Concerning Personal Data Protection (the Law) provides an essential data protection framework applicable to both public and private organizations. The Law requires data processing notifications/authorizations, sets out fundamental data subject rights, and regulates data transfers. The Law does not, however, establish breach notification requirements or address matters such as data protection officer appointments.

The Senegalese data protection authority (CDP) enforces the Law and is relatively active in issuing guidance on the implementation of the Law and secondary regulation. In particular, the CDP publishes detailed quarterly activity reviews which cover all complaints, investigations, authorization applications for data processing, and key developments. The CDP has the power to impose administrative fines for infringement of the Law, which may range from XOF 1 million (approx. $1,634) to XOF 100 million (approx. $163,429).

Senegal is also a party to many international agreements. Specifically, it ratified the Convention on Cyber Security and Personal Data Protection (the Malabo Convention) in August 2016, and in the same year, it acceded to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). Senegal is also a signatory of the Economic Community of West African States (ECOWAS) Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS of 16 February 2010.