CDP (law 2008-12) and RGPD compliance in Senegal: SME guide in 2026

Mohamed Bah · Founder, Kolonell
May 20, 2026

Law 2008-12 on personal data protection in Senegal was strengthened in 2024 by decree. The Personal Data Protection Commission (CDP) is the supervisory authority. Sanctions can reach 100 million FCFA, plus a ban on processing.

Yet in 2026, only ~15% of Senegalese SMEs actually comply. The compliance market represents ~3-5 billion FCFA / year and is growing sharply as CDP audits become more frequent.

For companies processing European citizens' data (export, e-commerce, provision of services in the EU), the European RGPD (the French acronym for the GDPR) also applies, with sanctions of up to 4% of global revenue.

Scope of application in 2026

Who must comply with CDP in Senegal?

Any entity (public or private) processing personal data. In practice, that means almost every company, since employee, client and supplier records are personal data.

Who must also comply with European RGPD?

Senegalese companies that export to the EU, sell online to EU clients, provide services to EU clients, have EU subsidiaries, or process EU employee data. ~15-20% of Senegalese SMEs are concerned.

When is a DPO (Data Protection Officer) mandatory?

In Senegal: if the company has more than 250 employees or processes sensitive data (health, biometric, criminal data, minors). In Europe: similar conditions, plus large-scale processing.

The 8 main obligations

Obligation 1: Processing register. An internal document listing all data processing: nature, purpose, legal basis, retention duration, recipients, security measures. Mandatory for any company.

Obligation 2: Informing individuals. A privacy policy notice visible on the site, forms and contracts, detailing user rights.

Obligation 3: User rights. An internal procedure to handle requests (access, rectification, deletion, portability, opposition). Legal response delay: 30 days.

Obligation 4: Data security. Technical measures (encryption, access control, backups) and organizational measures (policies, training), at a level proportional to the risk.

Obligation 5: Incident notification. Any incident impacting personal data must be notified to the CDP within 72h, and to the persons concerned if the risk is high.

Obligation 6: Impact assessment (DPIA). Required for high-risk processing (massive video surveillance, biometric, profiling, sensitive data). A document evaluating the risks and the measures taken.

Obligation 7: Sub-processors. Written contracts with specific clauses for any sub-processor processing data for the company (cloud providers, outsourced payroll, etc.).

Obligation 8: ECOWAS-area transfers. A specific framework for transfers to non-protecting countries (standard contractual clauses, additional guarantees).

The compliance process

Phase 1: Diagnosis (2-6 weeks). Mapping existing processing, identifying gaps, evaluating maturity. Deliverable: diagnostic report.

Phase 2: Action plan (1-2 weeks). Defining priority actions, calendar, budget, responsibilities. Deliverable: roadmap.

Phase 3: Implementation (3-12 months). Register creation, policy writing, training, procedure setup, technical security measures, contract updates, etc.

Phase 4: Maintenance (continuous). Register updates, continuous training, annual audits, user request management, incident management.

Typical pricing and investments

SME < 50 employees. Diagnosis + compliance: 4-12 M FCFA. Annual maintenance: 2-5 M FCFA.

SME 50-250 employees. Diagnosis + compliance: 12-35 M FCFA. External or shared DPO: 8-18 M FCFA/year. Maintenance: 5-15 M FCFA/year.

SME > 250 employees. Diagnosis + compliance: 25-80 M FCFA. Dedicated DPO: 22-45 M FCFA/year (internal) or 18-32 M FCFA/year (external). Maintenance: 12-35 M FCFA/year.

Large companies (banks, telecoms). Complete programs: 80-380 M FCFA initial + 65-180 M FCFA/year maintenance.

Compliance firm business model

For a firm wanting to position itself on CDP/RGPD compliance:

| Item | Upfront | Annual recurring |
|---|---|---|
| Institutional site + audit tools | 5,500,000 to 9,000,000 FCFA | 1,200,000 FCFA |
| Brand book + legal collateral | 2,200,000 FCFA | |
| 4 compliance consultants (CIPP/E, CIPM, lawyers) | 800,000 FCFA recruitment | 140,000,000 FCFA salaries |
| 2 external DPOs | 400,000 FCFA recruitment | 80,000,000 FCFA |
| Tools (register management software, audit) | 8,000,000 FCFA | 12,000,000 FCFA |
| LinkedIn + editorial production | | 12,000,000 FCFA |

Upfront investment: 16-19 million FCFA. Annual recurring: 245 million FCFA. For 25-45 diagnostic missions + 15-30 external DPO contracts = 380-580 million FCFA / year. Net margin 28-38% = 105-220 M FCFA / year.

FAQ

What is the difference between the Senegalese CDP law and the European RGPD?

The principles are similar (consent, user rights, security). Differences: the RGPD is stricter on proof of consent, makes DPIAs mandatory more broadly, and carries heavier sanctions (4% of global revenue). The RGPD applies to Senegalese companies processing EU citizens' data.

What does compliance cost for a 100-employee SME in 2026?

Initial compliance: 12-25 M FCFA (diagnosis + 6-9 month implementation). Annual maintenance: 5-12 M FCFA. External DPO (1 day/week): 8-15 M FCFA/year.

Should you have an internal or external DPO?

For SMEs with < 500 employees: an external DPO (firm) is often sufficient and more economical (8-25 M FCFA/year vs 25-45 M FCFA internal). For > 500 employees or high risk: a dedicated internal DPO is recommended.

How to prepare for a CDP audit?

1) Up-to-date processing register, 2) Visible privacy policy, 3) Documented user rights procedure, 4) Recent staff training, 5) Basic technical security (encryption, backups, access control), 6) Incident logs.

What real sanctions does the Senegalese CDP impose in 2026?

Strong growth. In 2025: ~12 public sanctions, with amounts of 5-65 M FCFA. In 2026: a forecast of ~25-40 sanctions, with potentially higher amounts (up to 100 M FCFA for serious cases). Compliance pressure is increasing.

Let's talk about your case

If you are an SME in Senegal seeking CDP/RGPD compliance, or want to launch a compliance firm, we can design the diagnosis and implementation. WhatsApp +221 77 596 93 33.

Mohamed Bah

Founder, Kolonell

Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.