Act 001-2021

Act No. 001-2021/AN of March 30, 2021 on the Protection of Personal Data

Key Facts

Effective Date: April 21, 2021
Enacted: March 30, 2021
Enforcing Authority: Commission de l'Informatique et des Libertes (CIL)
Consent Model: Opt-in
Applies To: All organizations processing personal data within Burkina Faso

Overview

Burkina Faso enacted Act 001-2021 to replace the previous 2004 data protection framework. The law established the Commission de l'Informatique et des Libertes (CIL) as the national supervisory authority with regulatory and sanctioning powers. It sets out comprehensive rules for personal data processing, including mandatory declarations, cross-border transfer requirements, and strict data localization for health data.

What This Means for Your Website

If your website collects personal data from visitors in Burkina Faso, you must obtain opt-in consent before processing. All data processing activities must be declared to the CIL. Cross-border data transfers require formal contracts with recipients, and transferred data must be encrypted. Health-related data must be stored on servers located within Burkina Faso. The law does not specifically address cookies or tracking technologies, but personal data collected through such means still falls under general consent requirements.

Key Requirements

Organizations must declare all processing activities to the CIL before collecting data. Consent is required as the primary legal basis for processing. Cross-border transfers demand contractual safeguards and encryption. Penalties reach 1% of turnover for first offences and 5% for repeat violations within five years. Data subjects have rights of access, rectification, and opposition to processing.

How ConsentStack Handles This

ConsentStack detects visitors from Burkina Faso and presents an opt-in consent banner before activating any non-essential data collection. Consent records are stored with full audit trails. The platform helps you document processing activities for CIL declarations and manage cross-border transfer compliance through configurable consent categories.

Penalties

Up to 1% of company turnover; 5% for repeat offences. Additional criminal penalties under Penal Code provisions for ICT offences.

Revenue-based: 5% of annual revenue

Key Requirements

  • Mandatory declaration of personal data processing to CIL
  • Health data must be hosted in Burkina Faso (strict data localization)
  • Cross-border transfer contracts required with data recipients
  • Data encryption required for transferred data
  • Data subjects have rights of access, rectification, and opposition

Notable Provisions

  • Strict health data localization requirement
  • Law explicitly does not address cookies or location data
  • Turnover-based penalties with escalation for repeat offenders

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does Burkina Faso require cookie consent?

While the law does not explicitly mention cookies, any personal data collected through cookies requires opt-in consent under the general data processing rules of Act 001-2021.

What are the penalties under Burkina Faso's data protection law?

Penalties reach up to 1% of company turnover for first offences and 5% for repeat offences. Additional criminal penalties may apply under Penal Code provisions for ICT-related violations.

Who enforces data protection in Burkina Faso?

The Commission de l'Informatique et des Libertes (CIL) is the national supervisory authority responsible for oversight, compliance monitoring, and enforcement of data protection in Burkina Faso.

Does Burkina Faso have data localization requirements?

Yes. Health data must be hosted within Burkina Faso under strict data localization rules. Other personal data transferred internationally requires encryption and formal transfer contracts.
