Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal data can be collected, stored and processed provided that:

  • data is collected and processed fairly and lawfully;
  • data is collected for specified, explicit and legitimate purposes and subsequently processed in a manner that is compatible with such purposes;
  • data is adequate, relevant and not excessive in relation to the purposes for which it was collected;
  • collected data is accurate, complete and kept up to date; and
  • collected data is retained in a form that allows the identification of individuals for a period that is no longer than necessary for the purposes for which it was collected.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

No.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes.

Do individuals have a right to request deletion of their data?

Yes.

Consent obligations
Is consent required before processing personal data?

Yes.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes. Pursuant to Article 33 of the Data Protection Act, processing is permitted without consent:

  • in order to comply with any legal obligation to which the data owner is subject;
  • in order to perform a public service undertaking that has been entrusted to the data owner or the data recipient;
  • if the processing relates to the performance of a contract to which the individual is a party or of pre-contractual measures requested by him or her; or
  • if processing the data is subject to the interests and fundamental rights and liberties of the individual.

What information must be provided to individuals when personal data is collected?

The following information must be provided to individuals when personal data is collected:

  • the identity of the data owner and its representative (if any);
  • the purpose of the processing;
  • the category of data concerned;
  • whether replies to questions are mandatory or optional, as well as the possible consequences of failure to reply to a mandatory question;
  • the recipients or categories of recipient of the data;
  • the right to object, for a legitimate purpose, to the collection of such data;
  • the right to access the collected data and, if necessary, to have it rectified;
  • the duration of the processing; and
  • details of any intended transfer of the data.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

A data owner cannot transfer data to another country unless the receiving country provides sufficient protection in relation to an individual's private life, liberties and fundamental rights (Article 9 of the Data Protection Act). The Senegalese Data Protection Authority (CDP) must be informed before any transfer, and authorisation must be sought.

The CDP can allow a transfer to a country that does not provide sufficient protection if the transfer:

  • has the individual's consent;
  • is timely and does not involve large amounts of data; and
  • is necessary to:
    • protect the individual's life;
    • protect the public interest;
    • comply with any obligations to allow the acknowledgment, exercise or defence of a legal right in court; or
    • perform an agreement between the data owner and the individual or pre-contractual measures taken on its request.

In addition, the CDP can allow the transfer of data to a country that lacks sufficient protection if the data owner can provide sufficient protection to individuals and the exercise of relating rights. 

Are there restrictions on the geographic transfer of data?

No.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Yes. Under Article 39 of the Data Protection Act the data owner must offer adequate guarantees to ensure the implementation of security measures. The data owner must conclude a written contractual agreement with the third party, which must:

  • specify the third party's obligation regarding security protection;
  • provide that the third party can act only on the data owner's instructions; and
  • provide that the third party is bound by the security requirements set out in Article 71 of the Data Protection Act.

Click here to view the full article.