Many Senegalese business owners are surprised to discover that collecting a simple email via a contact form places them within the scope of a law. Senegal in fact adopted a data protection framework very early: Law 2008-12 of 25 January 2008 on the protection of personal data, and the creation of a dedicated authority, the Personal Data Protection Commission (CDP). This framework is not a distant formality: it sets concrete obligations for any organization that processes data, including the SME running a website.
This article explains, without jargon, what the law requires and what a Senegalese business must put in place on its site to be compliant and, above all, to earn the trust of its visitors.
What Law 2008-12 Says
Law 2008-12 establishes that everyone has the right to the protection of their personal data. A personal data point is any information that identifies a person, directly or indirectly: name, email, phone number, address, but also less obvious data such as an IP address or a login identifier.
The processing of this data (collection, recording, storage, use) is governed by several principles: collection must serve a legitimate, specified purpose and be proportionate (only what is necessary is collected); the data must be accurate and kept for a limited duration; and its security must be ensured.
The Role of the CDP
The Personal Data Protection Commission is the Senegalese authority responsible for enforcing the law. Its main missions:
- Receive the declarations of data processing that organizations must submit.
- Inform and advise data controllers and the public.
- Audit and, where applicable, sanction breaches.
- Receive complaints from individuals whose rights are not respected.
Ignoring the CDP is therefore not a prudent option for a business that intends to last.
The Prior Declaration
The law provides that personal data processing be subject to a prior declaration to the CDP. Concretely, a business collecting and processing data via its site (forms, newsletter, customer accounts, payment) must complete this step. The CDP provides procedures to do so. It is an often-overlooked step but an integral part of compliance, and one that becomes a credibility argument with demanding clients or partners.
Consent: The Cornerstone
One of the central principles is that, in many cases, data collection must rest on the free, informed and specific consent of the person. This has direct consequences for site design:
- No pre-ticked boxes: the user must actively tick to accept, for example, receiving a newsletter.
- Clear information at the moment of collection: why this data, for what, how long stored.
- The ability to refuse without losing access to the essential service, when the processing is not necessary.
Cookies and Tracking
Cookies and other trackers (analytics, advertising, social networks) collect data about visitors. Best practice, aligned with international standards and the spirit of the law, is to:
- Inform visitors of cookies via a clear banner.
- Obtain consent before placing non-essential cookies (non-anonymized audience measurement, advertising).
- Allow choice: accept, refuse, or configure.
- Document this consent.
An "all or nothing" banner that leaves no option to refuse is not good practice. The visitor must be able to browse even if they refuse non-essential cookies.
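The consent logic behind such a banner, as an added JavaScript example that is not part of the original article: non-essential trackers are denied by default, and each decision yields a timestamped record to keep as proof of consent. The category names, `POLICY_VERSION` and the sample trackers are assumptions made for illustration.

```javascript
// Added example. Category names are assumed; "essential" never needs consent.
const NON_ESSENTIAL = ["analytics", "advertising", "social"];
const POLICY_VERSION = "2024-01"; // constructed placeholder for the policy in force

// Build the consent record: store it client-side and log it as documentation.
// choice is "accept", "refuse" or "configure" (with the categories selected).
function recordDecision(choice, selected = [], now = new Date()) {
  if (!["accept", "refuse", "configure"].includes(choice)) {
    throw new Error("unknown choice: " + choice);
  }
  const granted = {};
  for (const cat of NON_ESSENTIAL) {
    granted[cat] =
      choice === "accept" ||
      (choice === "configure" && selected.includes(cat));
  }
  return {
    policyVersion: POLICY_VERSION,
    decidedAt: now.toISOString(),
    choice,
    granted,
  };
}

// Default deny: no record, a record made under an older policy version,
// or an unknown category all mean the tracker stays off.
function mayLoad(record, category) {
  if (category === "essential") return true;
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  return record.granted[category] === true;
}

// Names of the trackers the page is allowed to inject for this visitor.
function scriptsToLoad(record, trackers) {
  return trackers.filter((t) => mayLoad(record, t.category)).map((t) => t.name);
}

// Constructed sample trackers.
const SAMPLE_TRACKERS = [
  { name: "session", category: "essential" },
  { name: "audience-stats", category: "analytics" },
  { name: "ad-pixel", category: "advertising" },
  { name: "share-widget", category: "social" },
];

console.log(scriptsToLoad(null, SAMPLE_TRACKERS)); // before any decision
```

Because a refusal produces a record too, the banner does not need to reappear on every page, and the site stays fully browsable with only the essential tracker loaded.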
The Rights of Individuals
The law grants people rights that your site must let them exercise concretely:
- Right of access: to know what data you hold about them.
- Right of rectification: to correct inaccurate data.
- Right to object: to refuse processing, notably for prospecting purposes.
- Right to erasure: to request deletion of their data.
In practice, this means providing a contact point (often a dedicated email, mentioned in the privacy policy) and an internal process to handle these requests within a reasonable time.
What an SME Must Concretely Put in Place
Here is the minimum list of actions for a Senegalese SME site:
- A clear, accessible privacy policy, explaining what data is collected, why, for how long, who has access and how to exercise rights.
- A cookie banner with a real choice to accept or refuse non-essential trackers.
- Compliant forms: purpose stated, no pre-ticked box, collection limited to the necessary.
- The declaration to the CDP of the processing(s).
- Securing the data: HTTPS, restricted access, backups, serious hosting.
- A defined retention period, applied, rather than keeping everything indefinitely.
- A register of processing, even a simple one, to know what you collect and why.
Mini Case Study: DakarTalents Recruitment Firm
DakarTalents, a recruitment firm, was collecting hundreds of CVs through a form with no stated purpose, no privacy policy, and no declaration. Beyond the legal risk, their candidates were starting to ask questions about what happened to their data. We put in place a clear privacy policy, a form with explicit consent and stated purpose, a twenty-four-month retention period for applications, a deletion-on-request process, and supported the declaration to the CDP. Unexpected result: transparency became a sales argument. Candidates entrusted their data more readily, and client companies, reassured by the firm's rigor, signed more easily.
Compliance as a Competitive Advantage
Too many businesses see data protection as a constraint. That is a mistake in perspective. In a market where digital trust is being built, displaying a real privacy policy, asking for honest consent and respecting individuals' rights is a differentiator. Customers, partners and large accounts increasingly scrutinize these aspects. Compliance done well protects against risk and attracts trust.
FAQ
Is my small brochure site with just a contact form concerned?
Yes. The moment you collect a name, email or number, you process personal data and Law 2008-12 applies. A privacy policy and a compliant form are required.
What does a non-compliant business risk?
The CDP can audit and sanction breaches. Beyond the sanction, the risk is reputational: a leak or a complaint durably damages customer trust.
Do I really have to declare my processing to the CDP?
The law provides for a prior declaration of data processing. It is a step to complete, part of compliance and a mark of seriousness.
How do I handle cookie consent?
Inform via a banner, obtain consent before placing non-essential cookies, and leave a real option to refuse. The visitor must be able to browse even if they refuse.
How long may I keep the data?
For as long as needed for the stated purpose, not indefinitely. Define a retention period per type of data and apply it, with deletion or anonymization at the end.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.