Code du Numerique

Law No. 2017-20 of April 20, 2018 on the Digital Code in the Republic of Benin (Book V: Personal Data Protection), as amended by Law No. 2020-35 of January 6, 2021

Flag of BJ
Republic of BeninOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
April 20, 2018
Enacted
April 20, 2018
Enforcing Authority
Autorite de Protection des Donnees a caractere Personnel (APDP)
Consent Model
Opt-in
Applies To
All public and private bodies processing personal data through automated or non-automated means within Benin

Overview

Benin took a unique approach by embedding data protection provisions within its comprehensive Digital Code (Code du Numerique) rather than enacting standalone legislation. Book V of the Code, enacted in April 2018 and amended in January 2021, establishes the Autorite de Protection des Donnees a caractere Personnel (APDP) as the national supervisory authority. The framework covers both automated and non-automated processing of personal data across public and private sectors.

What This Means for Your Website

If your website collects personal data from individuals in Benin, you must declare your processing activities to the APDP before collection begins and obtain opt-in consent from visitors. Data breaches must be reported to the APDP Commissioner without delay. The law applies to both automated and non-automated processing, meaning any form of personal data collection on your website falls within scope. Security safeguards for stored data are mandatory.

Key Requirements

Prior declaration to the APDP is mandatory before any data processing begins. Consent is the primary legal basis. Data breach notification must be made to the APDP Commissioner without delay. First-offence penalties reach up to XOF 50 million, while repeat offences within 5 years can attract fines of XOF 100 million or 5% of pre-tax sales. Data subjects have rights of access, rectification, and opposition to the processing of their data.

How ConsentStack Handles This

ConsentStack identifies visitors from Benin using geo-detection and displays an opt-in consent banner before activating non-essential tracking or analytics. Consent records with timestamps and preferences are stored for audit compliance. The platform's consent management workflow supports the documentation needed for APDP declarations and helps you respond promptly to data subject rights requests.

Penalties

First offence: up to XOF 50,000,000. Repeat offence within 5 years: up to XOF 100,000,000 or 5% of pre-tax sales (capped at XOF 100M)

Maximum Fine
XOF100,000,000 aggregate
Revenue-based
5% of annual revenue

Key Requirements

  • Prior declaration to APDP required before processing
  • Data breach notification to APDP Commissioner without delay
  • Both automated and non-automated processing covered
  • Consent required for lawful processing
  • Data subjects have rights of access, rectification, and opposition
  • Security safeguards mandatory

Notable Provisions

  • Data protection embedded within broader Digital Code rather than standalone law
  • Escalating penalty structure with 5% revenue cap for repeat offenders
  • Amended in 2021 to strengthen provisions

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does Benin require cookie consent?

Benin's Code du Numerique does not specifically mention cookies, but any personal data collected through tracking technologies requires opt-in consent under the general data processing provisions of Book V.

What are the penalties under Benin's data protection law?

First offences face fines up to XOF 50 million. Repeat offences within 5 years can reach XOF 100 million or 5% of pre-tax sales, capped at XOF 100 million.

Who enforces data protection in Benin?

The Autorite de Protection des Donnees a caractere Personnel (APDP) is the national supervisory authority established under Book V of the Code du Numerique.

What makes Benin's data protection law unique?

Rather than enacting standalone legislation, Benin embedded data protection provisions within its broader Digital Code (Code du Numerique), covering data protection alongside e-commerce and cybersecurity regulations.

Stay compliant with Code du Numerique

ConsentStack helps you implement Opt-in consent for Republic of Benin automatically.

Get started free