A private Dakar clinic storing patient records on personal Google Drive faces XOF 100 million in CDP fines plus criminal prosecution since Law 2008-12 was reinforced by Decision 2020-058. In 2026, the CDP (Data Protection Commission) of Senegal has already sanctioned 8 healthcare facilities for hosting and consent violations. Senegalese clinics must get compliant.
TL;DR
- Law 2008-12 + Decision 2020-058: Senegal health data legal framework
- CDP Senegal: independent oversight authority, fines up to XOF 100M
- Hosting: Senegal, WAEMU, or equivalent-protection country (EU, Canada)
- HDS (Health Data Hosting certification) recommended for full EHR and imaging
- Anonymization mandatory once data is shared beyond the care team
The Senegalese legal framework in 2026
Personal data protection in Senegal rests on Law 2008-12 of 25 January 2008, supplemented by several CDP decisions including 2020-058 specific to health data. Senegal was the first West African country to set up a protection authority (CDP created 2008, operational since 2010).
The 6 fundamental principles
- Lawfulness: every processing rests on explicit consent, legal obligation, or healthcare mission.
- Purpose: data collected for a specific aim, no reuse without new consent.
- Proportionality: collect only what is strictly necessary for care.
- Accuracy: keep data current, rectify on patient request.
- Retention: no indefinite storage, statutory durations (10 years for medical records).
- Security: technical and organizational measures proportionate to risk.
European GDPR: why it also concerns Senegal
GDPR (EU Regulation 2016/679) applies extraterritorially in 3 cases critical for Senegalese clinics: (1) a European patient treated in Senegal (tourist, expat), (2) data hosted in the EU (DigitalOcean Paris, OVH France), (3) European providers (Brevo, Stripe, etc.). In practice, aiming for GDPR compliance means reinforced CDP compliance.
CDP Senegal vs EU GDPR compared
| Criterion | CDP Senegal (2008-12) | EU GDPR (2016/679) |
|---|---|---|
| Max fine | XOF 100M or 1% revenue | EUR 20M or 4% global revenue |
| Breach notice | 72h to CDP | 72h to national CNIL |
| DPO mandatory | No (recommended) | Yes if risky processing |
| Right to erasure | Partial | Reinforced |
| Patient consent | Explicit | Explicit + granular |
| Hosting | Senegal/WAEMU/equivalent | EU or adequacy decision |
HDS hosting: the standard to aim for
The French HDS (Health Data Hosting) certification has become the de facto standard for serious clinics in Senegal. Relevant accessible HDS hosters: OVH (Roubaix, Strasbourg), Scaleway (Paris), Cloud Temple, Microsoft Azure France. Cost: generally +30 to +50% vs non-HDS cloud.
In Senegal: WAEMU zone alternatives
Senegal has no certified local HDS hoster yet in 2026, but 3 data centers in development (Diamniadio, Dakar Plateau, Rufisque) target certification by 2027. ADIE, Sonatel and Free Senegal operators offer CDP-compliant sovereign hosting without formal HDS certification.
Anonymization: key for research and sharing
As soon as a clinic shares patient data externally (research team, teleradiology second opinion, public statistics), anonymization becomes a technical obligation. Three levels of practice are distinguished:
- Pseudonymization: replace direct identifiers with a code, link kept. Reversible.
- Simple anonymization: remove names, addresses, precise dates. Residual reidentification risk.
- Strong anonymization: aggregation, generalization (age → bracket), quasi-identifier removal. Irreversible.
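The three levels above, as an added Python example that is not part of the article: a keyed pseudonym with a link table (reversible), removal of direct identifiers and precise dates (residual risk), and generalization plus aggregation with small-group suppression (irreversible). The patient records, the secret key and the k threshold are constructed for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records: fictitious patients, not real data.
RECORDS = [
    {"patient_id": "P-001", "name": "Awa Ndiaye", "address": "Rue 10, Medina, Dakar",
     "birth_date": "1984-03-12", "visit_date": "2026-01-15", "district": "Medina", "diagnosis": "J45"},
    {"patient_id": "P-002", "name": "Moussa Sow", "address": "Av. Pompidou, Plateau, Dakar",
     "birth_date": "1987-07-02", "visit_date": "2026-01-16", "district": "Plateau", "diagnosis": "J45"},
    {"patient_id": "P-003", "name": "Fatou Diop", "address": "Rue 22, Medina, Dakar",
     "birth_date": "1981-11-30", "visit_date": "2026-01-18", "district": "Medina", "diagnosis": "J45"},
    {"patient_id": "P-004", "name": "Ibrahima Fall", "address": "Cite Sonatel, Rufisque",
     "birth_date": "1990-05-21", "visit_date": "2026-01-20", "district": "Rufisque", "diagnosis": "E11"},
]
DIRECT_IDENTIFIERS = ("patient_id", "name", "address")

def pseudonymize(records, secret: bytes):
    """Level 1: replace direct identifiers with a keyed code (HMAC-SHA256).
    The care team keeps the secret and the link table, so the link is reversible."""
    link_table, out = {}, []
    for r in records:
        code = hmac.new(secret, r["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
        link_table[code] = r["patient_id"]
        out.append({"code": code, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out, link_table

def simple_anonymize(records):
    """Level 2: drop names, addresses and precise dates, keeping only years.
    Quasi-identifiers (district + birth year) remain, so re-identification risk is residual."""
    return [{"birth_year": int(r["birth_date"][:4]), "visit_year": int(r["visit_date"][:4]),
             "district": r["district"], "diagnosis": r["diagnosis"]} for r in records]

def age_bracket(birth_year: int, ref_year: int = 2026) -> str:
    """Generalize an exact age into a 10-year bracket, e.g. 42 -> '40-49'."""
    low = ((ref_year - birth_year) // 10) * 10
    return f"{low}-{low + 9}"

def strong_anonymize(records, k: int = 2, ref_year: int = 2026):
    """Level 3: generalize age, remove quasi-identifiers (district, dates) and
    aggregate to counts; groups smaller than k are suppressed. Irreversible."""
    counts = Counter((age_bracket(int(r["birth_date"][:4]), ref_year), r["diagnosis"])
                     for r in records)
    return {key: n for key, n in counts.items() if n >= k}

if __name__ == "__main__":
    pseudo, link = pseudonymize(RECORDS, b"constructed-demo-secret")
    print(pseudo[0]["code"], "->", link[pseudo[0]["code"]])
    print(simple_anonymize(RECORDS)[0])
    print(strong_anonymize(RECORDS))
```

Only the third output is safe to hand to a research team or publish as statistics; the first two stay inside the care team with the link table under access control.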
Steps for compliance in a clinic
- Step 1: name a data officer (doctor, administrator, or externalized DPO).
- Step 2: map all processing (Excel, EHR, CCTV, HR, marketing).
- Step 3: declare the main processing to the CDP (online form, 2-month processing period).
- Step 4: draft consent forms and a displayed privacy policy.
- Step 5: technically secure (TLS, encrypted backups, logged access, MFA).
- Step 6: train all staff yearly (training proofs to archive).
COSEC's role in compliance
The COSEC (Senegalese Council of Clinics) has since 2023 published a best-practice framework inspired by the French HAS and the WHO. While not legally binding, its adoption is a strong quality-assurance signal and a condition of some insurance agreements (CSS, NSIA, AXA).
FAQ
Q: Must a 3-doctor clinic mandatorily name a DPO?
A: Law 2008-12 does not formally require it. GDPR mandates it once sensitive data processing is large-scale (typically >5,000 patients). In practice, an internal officer or externalized DPO (XOF 50K to 150K monthly) is recommended from 1,000 active patients.
Q: Can patient records be stored on Google Drive or Dropbox?
A: No; this is a direct violation of Law 2008-12. These services do not provide the contractual location and security guarantees required. Use Microsoft 365 Business (with a signed sub-processor contract) or a sovereign cloud instead.
Q: What to do in case of a patient data breach?
A: Notify CDP within 72h via the incident form. Inform affected patients if risk is high. Document the incident, remediation, timeline. Keep records for at least 5 years.
Q: How much for full compliance setup for a 5-practitioner clinic?
A: Plan XOF 2.5 to 6 million one-off (audit + outsourced DPO for 3 months + technical hardening + initial training) plus XOF 50,000 to 150,000 monthly recurring (DPO follow-up, updates).
Conclusion
Health data compliance in Senegal is no longer optional: a major legal risk (XOF 100M fine), an ethical imperative (patient trust), and a commercial argument (insurers, international partners). Kolonell accompanies Senegalese clinics in their CDP and GDPR compliance end-to-end. Request a free audit or message WhatsApp +221 77 596 93 33.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.
