Law 2013-015

Law No. 2013-015 of May 21, 2013 on the Protection of Personal Data

Flag of ML
Republic of MaliOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
May 21, 2013
Enacted
May 21, 2013
Enforcing Authority
Autorite de Protection des Donnees a caractere Personnel (APDP)
Consent Model
Opt-in
Applies To
All data controllers and processors operating within Mali

Overview

Mali enacted Law 2013-015 in May 2013 to establish a comprehensive framework for personal data protection. The law created the Autorite de Protection des Donnees a caractere Personnel (APDP) as the national supervisory authority, although the APDP did not formally begin operations until 2016. The framework requires consent for data processing and imposes graduated penalties for non-compliance.

What This Means for Your Website

Websites collecting personal data from individuals in Mali must obtain opt-in consent before processing. You must declare your data processing activities to the APDP before collection begins. All personal data must be kept confidential, and appropriate technical measures must be in place to prevent unauthorized access, damage, or distortion of data.

Key Requirements

Data controllers must obtain consent and declare processing to the APDP. Security measures must prevent unauthorized third-party access. Penalties range from XOF 2.5 million to XOF 20 million, with additional sanctions including withdrawal of processing approval and imprisonment. The APDP follows a graduated enforcement model, beginning with warnings before escalating to formal injunctions and fines.

How ConsentStack Handles This

ConsentStack identifies visitors from Mali and displays an opt-in consent banner before any non-essential data processing occurs. Consent preferences are recorded with timestamps for audit purposes. The platform's configurable consent categories help you document the scope of your processing activities for APDP declarations.

Penalties

Monetary fines XOF 2,500,000-20,000,000; withdrawal of approval; formal injunctions; various terms of imprisonment

Maximum Fine
F CFA 20,000,000 aggregate

Key Requirements

  • Consent required for personal data processing
  • Confidentiality and security of personal data must be upheld
  • Technical and security measures required to prevent unauthorized access
  • Prior declaration to APDP required
  • Data subjects have rights of access, rectification, and objection

Notable Provisions

  • APDP launched three years after the law's enactment
  • Graduated enforcement: warning, formal notice, injunction, withdrawal of approval, then fines
  • Monetary fines range from XOF 2.5M to 20M

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is cookie consent required in Mali?

Mali's Law 2013-015 does not have specific cookie provisions, but personal data collected through cookies falls under the general consent requirement. Opt-in consent is needed before processing.

What are the fines for data protection violations in Mali?

Monetary fines range from XOF 2,500,000 to XOF 20,000,000. The APDP can also withdraw processing approval, issue formal injunctions, and refer cases for criminal prosecution.

Who is the data protection authority in Mali?

The Autorite de Protection des Donnees a caractere Personnel (APDP) is Mali's supervisory authority. It was established by Law 2013-015 and became operational in 2016.

Stay compliant with Law 2013-015

ConsentStack helps you implement Opt-in consent for Republic of Mali automatically.

Get started free