1. Governing Texts

1.1. Legislation

• Articles 17 to 20, 22, 23, 29, and 30 of Law N 2008-12 of January 25 2008 Concerning Personal Data Protection ('the Law')
• Decree No 2008-721 of 30 June 2008 Concerning Law Enforcement, Relating to Application of the Data Protection Law (only available in French here) ('the Decree')

1.2. Regulatory authority guidance

The Senegalese data protection authority ('CDP') has issued:

• Expanded definitions of key terms within the Law, including on authorisation applications (only available in French here);
• Guidance on formal requirements prior to processing (only available in French here);
• Guidance on data controller requirements and a simplified procedure notification of processing of non-sensitive personal data (only available in French here); and
• Communiqué specifying that in cases where subcontractors are employed, the issuance of authorisations is subject to the compliance of subcontractors (only available in French here).

2. Definitions

Data controller: A party 'responsible for the processing' is the natural or legal person, public or private, or any other organism or association which, alone or jointly with others, decides to collect and to process personal data and determines the purposes (Article 4(15) of the Law).

Data processor: A 'subcontractor' is any natural or legal entity, public or private, or any other body or association which processes data for the person in charge of the treatment (Article 4(16) of the Law).

3. Notification

Any processing of personal data requires prior notification to the CDP (Article 18 of the Law). Applications for notification must include information regarding (Article 22 of the Law):

• the identity and the address of the person in charge of the processing or, if it is not established in Senegal, those of the duly authorised representative;
• the purpose(s) of the processing as well as the general description of its functions;
• the interconnections envisaged or any other form of linking with other processing;
• the personal data processed, their origin and the categories of persons involved in the processing;
• the data retention period;
• the department(s) responsible for implementing the processing and the categories of persons who, because of their duties or for the purposes of the service, have direct access to data;
• the recipients authorised to receive the data;
• the function of the person or service to which the right of access is exercised;
• the measures taken to assure safe processing and storage of data;
• the use of a subcontractor; and
• proposed transfers of personal data to a third country, subject to reciprocity.

The CDP has one month to acknowledge receiving the notification by issuing a receipt. This period can be extended once. The receipt allows the data controller to start the processing and confirms that it is legitimate (Article 18 of the Law and Article 24 of the Decree).

Where the CDP's issues its receipt electronically, the data controller may request a paper copy (Article 24 of the Decree).

Furthermore, in the event of an extension for the response period, the CDP will notify the data controller (Article 29 of the Decree).

4. Other Requirements

Prior authorisation

The processing of the following types of data require prior authorisation from the CDP (Article 20 of the Law):

• genetic data and data in the field of health research;
• personal data regarding offences, convictions, or security measures;
• processing of personal data for the purpose of interconnection files, as defined in Article 54 of the Law;
• national identification number or other general identification;
• biometric data; and
• personal data on public interest grounds especially for historical, statistical, or scientific purposes.

The applications for notification and requests for authorisation must include information regarding (Article 22 of the Law):

• the identity and the address of the person in charge of the processing or, if it is not established in Senegal, those of the duly authorised representative;
• the purpose(s) of the processing as well as the general description of its functions;
• the interconnections envisaged or any other form of linking with other processing;
• the personal data processed, their origin and the categories of persons involved in the processing;
• the data retention period;
• the department(s) responsible for implementing the processing and the categories of persons who, because of their duties or for the purposes of the service, have direct access to data;
• the recipients authorised to receive the data;
• the function of the person or service to which the right of access is exercised;
• the measures taken to assure safe processing and storage of data;
• the use of a subcontractor; and
• proposed transfers of personal data to a third country, subject to reciprocity.

The CDP is obliged to render a decision regarding authorisation within two months from the receipt of the request for authorisation. This period may be extended once. Nevertheless, if the CDP does not issue the receipt within the prescribed period, it is deemed that the authorisation is granted (Article 23 of the Law).

The applications for notification and requests for authorisation or opinion regarding the processing of genetic data or personal data for the medical research sector must include information regarding (Article 33 of the Decree):

• the identity and the address of the data controller and the person in charge of the research, their titles, experience, and role, as well as the categories of individuals responsible for carrying out the processing and those able to access the collected data;
• the research protocol or useful elements for indicating the aim of the research, the categories of stakeholders, the observation or investigatory methods, the origin and nature of the collected data, the bases for collecting them, the duration of the research, and data analysis methods;
• where applicable, opinions provided by scientific or ethical committees; and
• where applicable, the scientific or technical justification for any derogation from the obligation to encrypt data allowing the identification of individuals or the prohibition to store such data longer than the period necessary for the research.

5. Exemptions

Exceptions

The data controller and data processor are exempted from the authorisation requirement by the CDP in the following cases (Article 17 of the Law):

• the data processing is carried out by a natural person in the exclusive setting of personal or household activity, provided that the data are not intended for systematic communication to third parties or for broadcasting;
• in case of temporary copies made in the course of the technical transfer activities and providing access to a digital network for the automatic, intermediate, and transient data and the sole purpose of allowing other recipients of the service the best access possible to the transmitted information;
• the processing has the sole purpose of keeping a register that is intended exclusively for public information and is open to public consultation or any person with a legitimate interest; or
• the processing is implemented by an association or non-profit organisation and religious, philosophical, political union, when such data is consistent with the statutory duties of that association or organisation, and if they are regarding their members and must not be disclosed to third parties.

For the most common categories of the processing of personal data, implementation of which is not likely to infringe the privacy or freedoms of the data subject, the CDP publishes standards to simplify or exempt from the reporting obligation (Article 19 of the Law).

Simplified reporting procedure

The following data processing activities may utilise a simplified reporting procedure (Article 23 of the Decree):

• processing activities carried out by public and private bodies for the purposes of managing their employees;
• processing activities carried out in the workplace for the purposes of controlling access to the same, timetables, and catering; and
• processing activities carried out in the context of using fixed or mobile telephone services in the workplace.

6. Penalties

If a data controller or data processor does not comply with the obligations under the Law, the CDP may issue a warning or a formal notice to cease the alleged breach in the prescribed period of time (Article 29 of the Law). If the notice is not complied with, the CDP may impose the following sanctions (Article 30 of the Law):

• a temporary withdrawal of the authorisation for a period of three months after the expiry of which, the withdrawal becomes final; and
• a monetary penalty of CFA 1 million (approx. €1,524) to CFA 100 million (approx. €152,449).

Any decision of the CDP will be provided to the data controller as well as any data subjects and published in the Official Journal (Article 30 of the Decree).

7. How To

• Authorisation and notification forms (only available in French here)

Notifications or requests for authorisation must be sent to the CDP either electronically or by post (Article 28 of the Decree).

Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.