Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Senegal: CDP releases guidance on processing of biometric data in the workplace
On April 13, 2023, the Senegalese data protection authority (CDP) published its deliberation relating to the use of biometric devices in the workplace. The deliberation outlines general requirements for the processing of biometric data in areas such as the purpose of processing, proportionality, data retention, data security, and vendor management.
Scope of biometric processing
The deliberation provides that the use of devices allowing the collection and processing of biometric data, in the workplace, is only permitted to control entries and exits from the workplace and for access to professional IT devices and applications. In addition, the deliberation confirms that the biometric data of employees, trainees, temporary workers, and service providers can be collected; whereas the biometric data of visitors, consultants, and advisers who visit the workplace on an occasional basis should not be collected.
Data retention and security
Furthermore, data collected must be kept for a period that does not exceed the period necessary for the specified purposes, and deleted as soon as the person concerned leaves the organization. On data security, controllers should, among other things, not transmit data outside of the system, strictly manage physical and logical access to devices and databases by authorized persons, and ensure that equipment and devices are certified in terms of use and security.
Vendor management
In regard to vendor management, controllers must select a subcontractor who provides sufficient guarantees and who has a written commitment that binds the subcontractor to the controller, stating that the subcontractor acts only on the instruction of the same.
You can read the press release and the deliberation here, both only available in French.