If you sell to even one customer in France, Belgium, or Germany from your African site, EU GDPR applies to you. If you operate in Senegal, Law 2008-12 (Personal Data Protection Commission, CDP) also applies. Both = dual compliance.
TL;DR
- EU GDPR and Senegal Law 2008-12: ~80% overlap (consent, rights, security).
- Key differences: authority (CNIL vs CDP), sanctions, prior declarations.
- Concrete steps: processing register, consent, security, user rights.
GDPR scope for an African site
EU GDPR applies if:
- You offer goods/services to EU residents (EUR payment = strong signal)
- You track EU visitors' behavior (Google Analytics, Meta Pixel)
- You have an EU establishment
Practically, a kolonell.com site accessible from Paris with analytics enabled = GDPR applicable, even if the company is incorporated in Dakar.
Senegal Law 2008-12 scope
The Senegalese law applies:
- If the controller is established in Senegal
- If processing means are located in Senegal
- If processing concerns Senegalese residents
So a kolonell.com operated from Dakar = Law 2008-12 applies.
GDPR vs Law 2008-12 comparison
| Criterion | EU GDPR | Senegal Law 2008-12 |
|---|---|---|
| Authority | CNIL (FR), DPC (IE), etc. | CDP (Senegal) |
| Prior declaration | No (except DPIA) | Yes — declaration or CDP authorization before any processing |
| Breach notification | 72h | 72h as well |
| Sanctions | Up to 4% global revenue | Up to 100M XOF |
| Local representative | If no EU establishment | Not mandatory if established in Senegal |
| Cross-border transfers | Adequate country or SCC | Case-by-case CDP authorization |
| Access right | 1 month | 1 month |
| Analytics cookies | Consent mandatory | Consent recommended |
| Minors | 16 years (15 FR) | 18 years |
Step 1 — processing register
Mandatory internal docs (GDPR art. 30 + Law 2008-12 art. 21):
```
PROCESSING #1 — E-commerce order management
- Purpose: contract execution
- Legal basis: contract execution
- Data: first/last name, email, phone, address, payment
- Recipients: internal team, carrier, payment provider
- Retention: 10 years (accounting obligation)
- Security: TLS encryption, access control, admin MFA
PROCESSING #2 — Marketing newsletter
- Purpose: commercial campaigns
- Legal basis: explicit consent
- Data: email, first name, preferences
- Recipients: Brevo (processor)
- Retention: until unsubscribe + 3 years
- Security: double opt-in, unsubscribe link in all emails
[etc...]
```
Practical tool: Notion or a structured Google Sheet.
Step 2 — CDP declaration (Senegal only)
Procedure:
- Go to cdp.sn → "Controller area"
- Create account (NINEA + RCCM)
- Declare each processing (online form)
- Receive receipt number
- Display the "Declared CDP n°XXX" notice in the privacy policy
Categories requiring prior authorization (not just declaration):
- Sensitive data (health, biometrics, political/religious opinions, offenses)
- Interconnected processing
- Transfers outside UEMOA
CDP review time: 30-90 days.
Step 3 — consent and legal bases
For each processing, identify GDPR legal basis (art. 6):
| Processing | Recommended basis |
|---|---|
| Order management | Contract execution |
| Invoicing | Legal obligation (VAT, accounting) |
| Newsletter | Consent |
| Analytics cookies | Consent |
| Anti-fraud | Documented legitimate interest |
| Delivery tracking SMS/WhatsApp | Contract execution |
| Post-purchase review email | Legitimate interest (existing customer) or consent |
Step 4 — user rights
Implement /api/gdpr/request endpoint:
```ts
import { NextRequest, NextResponse } from 'next/server';
import { sendEmail } from '@/lib/email';
import { createMagicLink } from '@/lib/auth'; // assumed location of the magic-link helper

// type: access | rectification | erasure | portability | objection
const REQUEST_TYPES = ['access', 'rectification', 'erasure', 'portability', 'objection'];

export async function POST(req: NextRequest) {
  const { type, email, message } = await req.json();
  // Reject unknown request types before they reach an email subject or a template
  if (!REQUEST_TYPES.includes(type) || typeof email !== 'string') {
    return NextResponse.json({ ok: false, error: 'invalid request' }, { status: 400 });
  }
  // Identity check: the requester must click a magic link sent to the address
  const token = await createMagicLink(email);
  await sendEmail({
    to: email,
    subject: 'GDPR request confirmation',
    template: 'gdpr-confirm',
    data: { token, type },
  });
  // Notify the DPO; keep the requester IP for the request log
  await sendEmail({
    to: process.env.DPO_EMAIL,
    subject: `[GDPR] New ${type} request`,
    template: 'gdpr-notify',
    data: { email, type, message, ip: req.headers.get('x-forwarded-for') ?? 'unknown' },
  });
  return NextResponse.json({ ok: true, expectedDelay: '30 days' });
}
```
User page /my-data with buttons: "Download my data", "Edit", "Delete account", "Export (portability)".
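Once the magic link is confirmed, something has to actually execute the request. The following is an added example, not Kolonell's code: it applies each request type to an in-memory store, and its data model, the `Store` / `Customer` shapes and the 10-year accounting retention rule are assumptions taken from the processing register in Step 1.

```typescript
// Added example (not Kolonell's code): applies a confirmed GDPR / Law 2008-12
// request. Data model and retention rules are assumptions from the register above.
import { randomUUID } from 'node:crypto';

export type RequestType = 'access' | 'rectification' | 'erasure' | 'portability' | 'objection';
const REQUEST_TYPES = ['access', 'rectification', 'erasure', 'portability', 'objection'] as const;

// Validate the untrusted `type` field before it reaches an email subject or a switch
export function isRequestType(v: unknown): v is RequestType {
  return typeof v === 'string' && (REQUEST_TYPES as readonly string[]).includes(v);
}

export interface Order { id: string; total: number; date: string }
export interface Customer {
  email: string; firstName: string; lastName: string; phone: string; address: string;
  newsletter: { subscribed: boolean; preferences: string[] };
  orders: Order[];
}
// Customer accounts (Processing #1 + #2) and a pseudonymous accounting ledger
export interface Store { customers: Map<string, Customer>; ledger: Map<string, Order[]> }
export interface Outcome { status: 'ok' | 'not_found' | 'manual'; payload?: Customer; kept?: string[] }

const ACCOUNTING_RETENTION_YEARS = 10; // Processing #1 retention (accounting obligation)

export function applyRequest(type: RequestType, store: Store, email: string, now = new Date()): Outcome {
  const c = store.customers.get(email);
  if (!c) return { status: 'not_found' };
  switch (type) {
    case 'access':
    case 'portability':
      // Everything held on the person, as a machine-readable copy
      return { status: 'ok', payload: structuredClone(c) };
    case 'objection':
      // Objection to marketing: stop the newsletter, keep the customer account
      store.customers.set(email, { ...c, newsletter: { subscribed: false, preferences: [] } });
      return { status: 'ok' };
    case 'rectification':
      // Field-level edits go through the /my-data page; flag for manual follow-up
      return { status: 'manual' };
    case 'erasure': {
      // Orders inside the 10-year accounting window cannot be deleted: keep them under
      // a random key with no identifying fields, drop the account and newsletter data
      const cutoff = new Date(now);
      cutoff.setFullYear(cutoff.getFullYear() - ACCOUNTING_RETENTION_YEARS);
      const retained = c.orders.filter((o) => new Date(o.date) >= cutoff);
      store.customers.delete(email);
      if (retained.length > 0) store.ledger.set(randomUUID(), retained);
      return { status: 'ok', kept: retained.map((o) => o.id) };
    }
  }
}
```

The `kept` list in the erasure outcome is what goes into the reply to the customer, so they are told which invoices remain and why.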
Step 5 — minimum technical security
| Measure | Mandatory |
|---|---|
| TLS / HTTPS everywhere | ✓ |
| Hashed passwords (bcrypt/argon2) | ✓ |
| Admin MFA | ✓ |
| Sensitive data access logs | ✓ |
| Encrypted DB at-rest | Recommended |
| Daily encrypted backup | ✓ |
| Password policy (12+ chars) | ✓ |
| Regular pentests | Recommended |
Step 6 — breach handling
72-hour procedure when a leak is detected:
```
H+0 Breach detection
H+1 Crisis cell activation (DPO, IT, legal)
H+6 Scope + impact assessment
H+24 CDP/CNIL notification decision
H+48 Notification preparation
H+72 CDP notification (Senegal) + CNIL if EU concerned
D+7 Impacted customer communication
D+30 Post-incident report
```
Real case — Dakar fashion e-commerce leak (2025)
A Dakar e-commerce site suffered a leak of 12,000 customer emails via a misconfigured SSO. Consequences:
- CDP notification in 48h → symbolic 500K XOF fine (proactivity rewarded)
- No EU notification (no EU customers) → no CNIL fine
- Total incident cost: 8M XOF forensic audit + 2M XOF crisis comms + 6 months of trust setback
Compared with a possible 50-100M XOF fine if a cover-up had been detected.
FAQ
Q: Does GDPR apply to my site with no current EU customers?
A: No, unless you actively target EU (EN/DE/IT language, EUR currency, EU marketing). Otherwise, SN Law 2008-12 is enough.
Q: Need a DPO?
A: GDPR: yes if large-scale sensitive data or systematic monitoring. SN Law 2008-12: not mandatory but strongly recommended.
Q: Can data be hosted outside Senegal?
A: Yes, but CDP authorization required for transfers. For EU: check adequacy decision or SCCs.
Conclusion
Dual GDPR + Law 2008-12 compliance looks heavy at the start but is a well-paved road: 2-3 weeks of initial setup, then light quarterly maintenance. A good investment compared with potential fines 100× larger.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.
