Senegal Law 2008-12

Law No. 2008-12 of January 25, 2008 Relating to the Protection of Personal Data

Flag of SN
SenegalOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
January 25, 2008
Enacted
January 25, 2008
Enforcing Authority
Commission de Protection des Données Personnelles (CDP)
Consent Model
Opt-in
Applies To
All data controllers and processors operating within Senegal

Overview

Senegal's data protection law has among the harshest criminal penalties in West Africa — up to 7 years imprisonment. The CDP can provisionally withdraw processing authorization for 3 months, making it permanent if non-compliance persists. Prior declaration is required before any processing begins.

What This Means for Your Website

  • Prior declaration to the CDP is required before processing personal data
  • Consent is the primary legal basis for data collection
  • Criminal penalties reach up to 7 years imprisonment — among West Africa's harshest
  • The CDP can provisionally or permanently withdraw processing authorization
  • Cross-border transfers require CDP authorization

Key Requirements

The CDP enforces the law with administrative fines of XOF 1M-100M and criminal penalties of 1-7 years plus fines. The graduated enforcement approach includes provisional authorization withdrawal (3 months) becoming permanent if non-compliance continues.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Senegalese visitors meeting the CDP's declaration and consent requirements.

Penalties

Administrative fines XOF 1M-100M. Criminal: 1-7 years imprisonment plus XOF 500,000-10M. Provisional/permanent withdrawal of authorization.

Maximum Fine
XOF100,000,000 per violation

Key Requirements

  • Prior declaration to CDP required before processing
  • Consent of data subjects required for lawful processing
  • Data subject rights: access, rectification, objection
  • Cross-border transfers subject to CDP authorization
  • Sensitive data requires enhanced protections
  • Security measures mandatory

Notable Provisions

  • Among harshest criminal penalties in West Africa — up to 7 years
  • CDP can withdraw authorization provisionally then permanently
  • Early West African data protection law
  • French data protection tradition influence

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.

Frequently Asked Questions

How severe are Senegal's privacy penalties?

Among the harshest in West Africa: up to 7 years imprisonment plus XOF 500K-10M fines. The CDP can also withdraw processing authorization.

Must processing be declared in Senegal?

Yes. Prior declaration to the CDP is required before any personal data processing begins.

Who enforces data protection in Senegal?

The CDP (Commission de Protection des Données Personnelles) handles complaints, enforces compliance, and can withdraw processing authorization.

Stay compliant with Senegal Law 2008-12

ConsentStack helps you implement Opt-in consent for Senegal automatically.

Get started free