Senegal’s Data Protection Act, a Comprehensive Data Privacy Law

Senegal’s Data Protection Act is a data privacy law that was passed in Senegal in 2008. The law governs the use of collection, storage, use, and disclosure of the personal data and information of Senegalese citizens. More specifically, the law sets forth the specific conditions for data processing, the rights of individuals under the law, and the obligations of data owners. Compared to many other privacy laws around the world such as the EU’s General Data Protection Regulation or GDPR or California’s Privacy Rights Act or CCPA, the Senegal Data Protection Act is less stringent and rigid. Nevertheless, the law does provide Senegalese residents a level of protection in regards to their personal data rights.

What is the scope and jurisdiction of Senegal’s Data Protection Act?

Under Senegal’s Data Protection Act, the following parties fall within the scope of the law:

• Data owners– under the law, data owners are defined as “an individual, the Senegalese state, a local community or a public or private corporation”.
• Data processors– under the law, data processors are defined as “a data processor is a subcontractor acting under the authority and instruction of the data owner”.

To this end, Senegal’s Data Protection Act also outlines the forms of personal data or information that are covered by the law. These forms of personal information include all data related to an identified or identifiable individual, reference to an identification number related to an individual, and one or more characteristics related to an individual including physical, social or economic, genetic, physiological, and cultural characteristics. What’s more, their law also sets the circumstances in which data controllers and processors can collect, store, and process the personal information of Senegalese citizens. These circumstances include:

• Personal information that was processed both lawfully, fairly, and with the consent of an individual.
• Personal information that is collected for explicit, legitimate, and specific purposes, and is subsequently processed in a manner that is both consistent and compatible with these purposes.
• Personal information that is relevant, adequate, non-excessive in relation to purposes for which said information was initially collected.
• Personal information that is complete, accurate, and kept up to date at all times.
• Personal information that is collected in a retained form that allows for it to be used to identify an individual for any period longer than is necessary for the specific purposes for which said information was collected.

Furthermore, there are certain exceptions under Senegal’s Data Protection Act in which the personal information of data subjects can be collected, used, and processed without their consent. These exceptions include:

• In order to comply with a legal obligation or requirement to which a data subject or individual may be subject to.
• In order to perform a public service action or undertaking that has been assigned or entrusted to a given data subject.
• If the processing of a data subject’s personal information is related to the honoring of a contract or pre-contractual measures that have been requested by the said data subject.
• If the processing of the personal information of a data subject is related to fundamental rights, liberties, or personal interests of the said data subject.

What information must be provided to data subjects when their personal information is collected?

Under Senegal’s Data Protection Act, business entities, organizations, and individuals who collect the personal data and information of Senegalese citizens are mandated to provide them with the following information at the point of collection:

• The identity of the data owner and any representatives or third parties.
• The purposes for which their personal data or information will be processed.
• The category of data that will be processed.
• Whether replies to a particular data owner’s questions are mandatory or optional, and the potential consequences that can result from refusing to answer any mandatory questions.
• The categories, receipts, or recipients of personal information that is to be collected.
• The right to object, given a legitimate reason or purpose, the collection of a data subject’s personal information.
• The right of a data subject to access their personal information and rectify said information if it is necessary.
• The duration for which the data subject’s personal information will be processed.
• Any details regarding the intended transfer of a data subject’s personal information.

Furthermore, there are also a variety of requirements that business entities and organizations must comply with and abide by in regard to data breaches. In the event that an entity that handles the personal information or data of Senegalese residents experiences a data breach, they are responsible for ensuring the following in regards to data subjects that may have been affected:

• That any individuals who may access a particular data system and only access data or information that is relevant to them.
• That the identity and interest of any third parties recipients of a data subject’s data can be verified.
• That the identity of any individuals who may have access and can in turn make changes to a data subject’s information can be verified.
• That no unauthorized persons will be able to the locations or equipment that is used for data processing.
• That no unauthorized persons are permitted to read, modify, move, copy, or destroy the data of a data subject.
• That all data introduced into a particular data system has been authorized.
• That a data subject’s data will not be read, modified, copied, or deleted without authorization during the communication or transport of said data.
• That all data obtained from a data subject is backed up with security copies.
• That all data obtained from a data subject is renewed and converted to an appropriate form to save said data.

What are the penalties for violating Senegal’s Data Protection Act?

In addition to placing requirements on data controllers and providing rights to data subjects, Senegal’s Data Protection Act also established the Senegalese Data Protection Authority or CDP to oversee and enforce violations of the law. Under the law, there are a variety of both monetary fines and legal penalties that can be imposed as a result of non-compliance. These fines and penalties include:

• The provisional withdrawal of a business entity or organization’s authority for a period of three months. This withdrawal of authority can also be made permanent if the business entity or organization in question continues to operate in non-compliance.
• The interrupting of a business entity or organization’s data processing functions for 3 months.
• The freezing of certain forms of personal information a data controller may possess for 3 months.
• The prohibiting, either temporarily or permanently, any form of data processing that does not comply with the rules and requirements outlined by Senegal’s Data Protection Act.
• CPD fines ranging from CFAfr1 million to CFAfr100 million.
• A prison term ranging from 6 months to 7 years.
• Criminal court fines ranging from CFAfr200,000 to CFAfr10 million.

While Senegal’s Data Protection Act may not be as robust as other comprehensive data privacy laws that have been passed in other countries in recent years, the law nevertheless provides Senegalese citizens with a variety of rights in regard to their personal data and information. Furthermore, as is the case with many other countries, Senegal continues to explore additional means to enhance the data privacy rights of its citizens, as evidenced by the country’s involvement in the Convention for the protection of individuals with regard to Automatic Processing of Personal Data in 2016. As such, Senegalese residents can rest assured that their government is doing everything possible to protect their data rights.