Senegal: Data Security And Cybercrime In Senegal

Last Updated: 11 May 2018
Article by Leon Patrice Sarr

Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead or behind of the international curve?

Senegalese national data protection legislation is behind the international curve. The law is silent on many issues, such as:

  • data protection for people under 18 years old;
  • the notification of breaches to the Senegalese Data Protection Authority;
  • cookie requirements; and
  • data transfer agreements.

These failings explain why the European Union does not consider Senegal to be a safe jurisdiction in terms of data protection. However, it has never been blacklisted.

Are any changes to existing data protection legislation proposed or expected in the near future?


Legal framework


What legislation governs the collection, storage and use of personal data?

The Senegalese laws on data protection are:

  • the Data Protection Act (Law 2008-12, January 25 2008);
  • the Decree on the Application of the Data Protection Act (2008-721, June 30 2008); and
  • the Cybercrime Law (Law 2008-10, January 25 2008).

The Data Protection Act and its decree set out:

  • the conditions for data processing;
  • the rights of individuals; and
  • the obligations of data owners.

The Data Protection Act also establishes the Senegalese Data Protection Authority (CDP).

The Cybercrime Law outlines the criminal offences relating to data processing and the applicable penalties.

Scope and jurisdiction

Who falls within the scope of the legislation?

The following parties fall within the scope of the legislation:

  • 'Data owner' – a data owner can be an individual, the Senegalese state, a local community or a public or private corporation.
  • 'Data processor' – a data processor is a subcontractor acting under the authority and instruction of the data owner.

What kind of data falls within the scope of the legislation?

All data relating to an identified or identifiable individual with reference to an identification number or one or many characteristics of his or her physical, physiological, genetic, psychical, cultural, social or economic identity falls within the scope of the legislation.

Are data owners required to register with the relevant authority before processing data?

Yes. The data owner must either notify the CDP or obtain authorisation from the CDP before processing data.

Is information regarding registered data owners publicly available?


Is there a requirement to appoint a data protection officer?

There is no obligation to appoint a data protection officer. However, Article 22 of the Data Protection Act states that the position of the person or the department which exercises the data access right must be communicated to the CDP.


Which body is responsible for enforcing data protection legislation and what are its powers?

The CDP is responsible for enforcing data protection legislation.

The CDP's enforcement powers are set out in Article 16 of the Data Protection Act. The CDP:

  • receives complaints relating to data processing;
  • informs the prosecutor of any breaches;
  • conducts on-site inspections to gather information for the prosecutor. If the landlord of the premises to be inspected objects, the inspection must be authorised by the president of the competent high court;
  • requests the communication of documents; and
  • imposes injunctions and fines for non-compliance with the Data Protection Act.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

  • Personal data can be collected, stored and processed provided that:
  • data is collected and processed fairly and lawfully;
  • data is collected for specified, explicit and legitimate purposes and subsequently processed in a manner that is compatible with such purposes;
  • data is adequate, relevant and not excessive in relation to the purposes for which it was collected;
  • collected data is accurate, complete and kept up to date; and
  • collected data is retained in a form that allows the identification of individuals for a period that is no longer than necessary for the purposes for which it was collected.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?


Do individuals have a right to access personal information about them that is held by an organisation?


Do individuals have a right to request deletion of their data?


Consent obligations

Is consent required before processing personal data?


If consent is not provided, are there other circumstances in which data processing is permitted?

Yes. Pursuant to Article 33 of the Data Protection Act, processing is permitted without consent:

  • in order to comply with any legal obligation to which the data owner is subject;
  • in order to perform a public service undertaking that has been entrusted to the data owner or the data recipient;
  • if the processing relates to the performance of a contract to which the individual is a party or of pre-contractual measures requested by him or her; or
  • if processing the data is subject to the interests and fundamental rights and liberties of the individual.

What information must be provided to individuals when personal data is collected?

The following information must be provided to individuals when personal data is collected:

  • the identity of the data owner and its representative (if any);
  • the purpose of the processing;
  • the category of data concerned;
  • whether replies to questions are mandatory or optional, as well as the possible consequences of failure to reply to a mandatory question;
  • the recipients or categories of recipient of the data;
  • the right to object, for a legitimate purpose, to the collection of such data;
  • the right to access the collected data and, if necessary, to have it rectified;
  • the duration of the processing; and
  • details of any intended transfer of the data.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Yes. The data owner must prevent the amendment of or damage to the data, as well as access by non-authorised third parties. In addition, the data owner must ensure that:

  • persons with access to the system can access only the data relevant to them;
  • the identity and interest of any third-party recipients of the data can be verified;
  • the identity of persons accessing to the system (to view the data or add data) can be verified;
  • non-authorised persons cannot access the place and equipment used for data processing;
  • non-authorised persons cannot read, copy, modify, destroy or move data;
  • all data introduced in the system is authorised;
  • the data will not be read, copied, modified or deleted without authorisation during the transport or communication of the data;
  • the data is backed up with security copies; and
  • the data is renewed and converted to preserve it.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

There is no general obligation to notify personal data security breaches to individuals.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no general obligation to notify personal data security breaches to the Senegalese Data Protection Authority (CDP).

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes. The recipient must have agreed to receive unsolicited electronic marketing. However, prior approval is not required if one of the following two exceptions applies:

The information was collected directly from the recipient in accordance with the CDP's rules.

The recipient is already a customer of the company, the marketing messages relate to products or services that are similar to those that have previously been sent and the recipient has the option to object to the messages that are sent.


Are there rules governing the use of cookies?

There is no provision governing the use of cookies.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

A data owner cannot transfer data to another country unless the receiving country provides sufficient protection in relation to an individual's private life, liberties and fundamental rights (Article 9 of the Data Protection Act). The Senegalese Data Protection Authority (CDP) must be informed before any transfer, and authorisation must be sought.

The CDP can allow a transfer to a country that does not provide sufficient protection if the transfer:

  • has the individual's consent;
  • is timely and does not involve large amounts of data; and
  • is necessary to:
  • protect the individual's life;
  • protect the public interest;
  • comply with any obligations to allow the acknowledgment, exercise or defence of a legal right in court; or
  • perform an agreement between the data owner and the individual or pre-contractual measures taken on its request.

In addition, the CDP can allow the transfer of data to a country that lacks sufficient protection if the data owner can provide sufficient protection to individuals and the exercise of relating rights.

Are there restrictions on the geographic transfer of data?


Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Yes. Under Article 39 of the Data Protection Act the data owner must offer adequate guarantees to ensure the implementation of security measures. The data owner must conclude a written contractual agreement with the third party, which must:

  • specify the third party's obligation regarding security protection;
  • provide that the third party can act only on the data owner's instructions; and
  • provide that the third party is bound by the security requirements set out in Article 71 of the Data Protection Act.

Penalties and compensation


What are the potential penalties for non-compliance with data protection provisions?

There are two kinds of penalty for non-compliance with data protection provisions: those set down by the Senegalese Data Protection Authority (CDP) and those ordered by the court.

CDP penalties

The CDP can order:

  • the provisional withdrawal of authorisation for three months – this withdrawal becomes permanent at the end of the three-month period if the data controller still does not comply with data protection laws; and
  • a fine of between CFAfr1 million and CFAfr100 million.

In urgent cases the CDP can also:

  • interrupt data processing for up to three months;
  • freeze certain kinds of data for up to three months; and
  • prohibit – temporarily or permanently – any processing that does not comply with CDP rules.

Court penalties

The court can impose one of more of the following penalties:

  • imprisonment of between six months and seven years; and
  • fines of between CFAfr200,000 and CFAfr10 million.


Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Yes, individuals can request compensation in court. The court has sole discretion as to the amount of compensation.


Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Senegal has not yet adopted a cybersecurity act, but in 2014 the government created the Cybersecurity National Centre and the ratification of the African Union Convention on Cybersecurity and Data Protection.

It also adopted the Cybercrime Law (2008-10), which completes the Penal Code and the Penal Procedures Code.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

There is no regulatory considerations regarding cybersecurity in Senegal.

Which cyber activities are criminalised in your jurisdiction?

Cyber activities that are criminalised in Senegal include:

  • the unauthorised interception of communications;
  • the unauthorised access to computer systems;
  • the wilful destruction of computer data;
  • the distribution or publication of an intimate image without consent; and
  • the distribution or publication of child pornography.

Which authorities are responsible for enforcing cybersecurity rules?

No authority is responsible for enforcing cybersecurity rules.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

So far, no insurer offers insurance for cybersecurity breaches.

Are companies required to keep records of cybercrime threats, attacks and breaches?


Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?


Are companies required to report cybercrime threats, attacks and breaches publicly?


Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

The penalties are:

  • imprisonment of between six months and 10 years;
  • a fine of between CFAfr100,000 and CFAfr15 million; or
  • both.

What penalties may be imposed for failure to comply with cybersecurity regulations?

There is no penalty for failure to comply with cybersecurity regulations.

First published on 24 May 2017

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions