Senegal was one of the first West African countries to adopt a comprehensive personal-data framework: Law No. 2008-12 of 25 January 2008 and the Commission de protection des Données Personnelles (CDP), the independent authority enforcing it. Any organization collecting or processing data of Senegalese residents — banks, insurers, telecom operators, e-merchants, employers — falls within its scope.
Key obligations
- Prior formalities with the CDP: filing of processing operations, authorization for sensitive data (health, biometrics, judicial data).
- Lawful basis and defined purpose: collect only what is necessary, retain it only as long as justified.
- Information and individual rights: access, rectification, objection — with processes able to answer within reasonable timeframes.
- Security and confidentiality: technical and organizational measures proportionate to risk.
- Strict framing of cross-border transfers to countries lacking adequate protection.
GDPR and Senegalese law: dual compliance
Many Senegalese organizations also process data of European residents — diaspora customers, partners, subsidiaries. They then face both GDPR and Senegalese obligations. Rather than two parallel frameworks, we recommend one common foundation aligned with the strictest standard: a single processing register, impact assessments for high-risk processing, clear processor governance, and a data-breach process able to meet the shortest notification deadlines.
Data protection is not merely a legal topic: it is a matter of commercial trust. In banking as in insurance, proving that customer data is governed, traceable and protected is becoming a differentiator in tenders.
Optima Advisory builds end-to-end personal-data compliance programs: processing mapping, CDP formalities, policies and procedures, staff awareness and breach-response testing.
