Senegal's Commission de Protection des Données (CDP) issued 14 sanctions in 2025, totalling over XOF 180 million (EUR 274,000). A single Dakar e-commerce shop was fined XOF 25 million for missing a processing register and collecting IBANs without legal basis. Law 2008-12 is no longer dormant — it has turned into a concrete operational risk for any Senegalese SME touching customer data.
TL;DR
- Legal framework: Law 2008-12 of 25 January 2008 plus implementing decree 2008-721
- Supervisory authority: CDP Senegal, chaired by Awa Ndiaye since 2024
- Maximum fine: XOF 100 million or 5% of annual turnover
- Key duties: processing register, data subject information, DPO above 10,000 records
- CDP grace period after notification: 3 to 6 months
Senegal's legal framework in 2026
Law 2008-12 predates the European GDPR by ten years. It rests on the same principles — purpose limitation, proportionality, retention, data subject rights — but the sanctions regime stayed quiet for years. Since 2023, CDP has built up enforcement capacity and publishes its rulings on cdp.sn.
Decree 2008-721 details how processing activities must be declared. Every controller either declares or requests prior authorisation from CDP depending on data sensitivity. An e-commerce SME collecting name, phone, address and IBAN triggers at least three distinct processing activities.
Senegal vs EU at a glance
| Criterion | Law 2008-12 Senegal | GDPR EU |
|---|---|---|
| Entry into force | 25 January 2008 | 25 May 2018 |
| Authority | CDP | CNIL, AEPD, etc. |
| Maximum fine | XOF 100M or 5% turnover | EUR 20M or 4% turnover |
| Mandatory DPO | Above 10,000 individuals | Above 5,000 records/year |
| Breach notification | 72 hours | 72 hours |
| Out-of-zone transfer | CDP authorisation | Adequacy decision |
The processing register — the cornerstone
The processing register is the first document CDP requests in any audit. It lists every processing activity: who, what, why, how long, possible transfers.
- Identify activities: CRM, newsletter, billing, HR, CCTV, analytics cookies
- Document each one: purpose, legal basis, data categories, recipients, retention
- List processors: Brevo, Stripe, Google Analytics, AWS, Hetzner, OVH
- Map flows: where is data stored — Senegal, France, USA?
- Keep current: review every 6 months at minimum
A spreadsheet or Notion page is enough to start. Budget two person-days for a standard SME of 5 to 15 employees.
DPO and mandatory designation
The Data Protection Officer role becomes mandatory in Senegal above 10,000 data subjects or for sensitive processing (health, biometrics, criminal records). For a mid-sized e-commerce SME, the DPO can be outsourced: budget XOF 600,000 to 1,200,000 per year (EUR 915 to 1,830) for a shared DPO.
Recommended DPO profile
A solid Senegalese DPO blends three skills: legal (Law 2008-12 plus GDPR), technical (application security, encryption), and organisational (awareness, audit). Profiles often come from ESMT, CESAG or UCAD with a CIPP/E or AFNOR DPO certification.
CDP sanctions: the 2025-2026 reality
Across 14 sanctions in 2025, the recurring grounds were: collection without prior notice (8 cases), missing register (7), excessive retention (5), absent security measures (4). Amounts range from XOF 5 to 50 million for SMEs, up to 100 million for telcos.
Investigations usually start with a customer complaint (unwanted newsletter, refused access request) or a competitor tip-off. CDP recruited 12 investigators in 2024 — practical capacity is 40 to 60 cases per year.
90-day compliance plan
| Week | Action | Deliverable |
|---|---|---|
| W1-W2 | Audit current state | Processing map |
| W3-W4 | Processing register | Signed document |
| W5-W6 | Legal notices and privacy policy | Updated site pages |
| W7-W8 | Technical hardening | HTTPS, MFA, encrypted backups |
| W9-W10 | Rights procedures | Access and deletion form |
| W11-W12 | Team training | 2h workshop plus quiz |
FAQ
Q: Is a 5-person SME really concerned?
A: Yes, as soon as it handles customer or prospect data, even 100 records. The law has no minimum threshold, only relaxed formalities.
Q: Must every processing activity be declared to CDP?
A: Prior declaration was streamlined in 2024. For ordinary processing (CRM, payroll, newsletter), an internal register is enough. Prior authorisation is still required for sensitive data (health, biometrics, criminal records).
Q: How much does a CDP audit cost in Senegal?
A: A full audit by a specialised firm runs between XOF 1,500,000 and 4,000,000 (EUR 2,300 to 6,100) for an SME of 10 to 30 employees. Guided self-assessment costs XOF 300,000 to 800,000.
Q: Can customer data be hosted on AWS Europe?
A: Yes, but the transfer outside ECOWAS must be documented in the register and disclosed in the privacy policy. AWS Paris and Hetzner Germany are common, accepted choices.
Conclusion
CDP will not wait for SMEs to mature on regulation — it is already enforcing. Compliance remains reachable: 90 days of structured work is enough to move from zero to a defensible posture.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.

