Senegal’s Data Protection Act, a Comprehensive Data Privacy Law

Senegal’s Data Protection Act, a Comprehensive Data Privacy Law

Senegal’s Data Protection Act is a data privacy law that was passed in Senegal in 2008. The law governs the use of collection, storage, use, and disclosure of the personal data and information of Senegalese citizens. More specifically, the law sets forth the specific conditions for data processing, the rights of individuals under the law, and the obligations of data owners. Compared to many other privacy laws around the world such as the EU’s General Data Protection Regulation or GDPR or California’s Privacy Rights Act or CCPA, the Senegal Data Protection Act is less stringent and rigid. Nevertheless, the law does provide Senegalese residents a level of protection in regards to their personal data rights.

What is the scope and jurisdiction of Senegal’s Data Protection Act?

Under Senegal’s Data Protection Act, the following parties fall within the scope of the law:

To this end, Senegal’s Data Protection Act also outlines the forms of personal data or information that are covered by the law. These forms of personal information include all data related to an identified or identifiable individual, reference to an identification number related to an individual, and one or more characteristics related to an individual including physical, social or economic, genetic, physiological, and cultural characteristics. What’s more, their law also sets the circumstances in which data controllers and processors can collect, store, and process the personal information of Senegalese citizens. These circumstances include:

Furthermore, there are certain exceptions under Senegal’s Data Protection Act in which the personal information of data subjects can be collected, used, and processed without their consent. These exceptions include:

What information must be provided to data subjects when their personal information is collected?

Under Senegal’s Data Protection Act, business entities, organizations, and individuals who collect the personal data and information of Senegalese citizens are mandated to provide them with the following information at the point of collection:

Furthermore, there are also a variety of requirements that business entities and organizations must comply with and abide by in regard to data breaches. In the event that an entity that handles the personal information or data of Senegalese residents experiences a data breach, they are responsible for ensuring the following in regards to data subjects that may have been affected:

What are the penalties for violating Senegal’s Data Protection Act?

In addition to placing requirements on data controllers and providing rights to data subjects, Senegal’s Data Protection Act also established the Senegalese Data Protection Authority or CDP to oversee and enforce violations of the law. Under the law, there are a variety of both monetary fines and legal penalties that can be imposed as a result of non-compliance. These fines and penalties include:

While Senegal’s Data Protection Act may not be as robust as other comprehensive data privacy laws that have been passed in other countries in recent years, the law nevertheless provides Senegalese citizens with a variety of rights in regard to their personal data and information. Furthermore, as is the case with many other countries, Senegal continues to explore additional means to enhance the data privacy rights of its citizens, as evidenced by the country’s involvement in the Convention for the protection of individuals with regard to Automatic Processing of Personal Data in 2016. As such, Senegalese residents can rest assured that their government is doing everything possible to protect their data rights.

Related Reads