Summary and Review of the Senegalese Data Protection Commission (CDP) Final 2020 Quarterly Report

INTRODUCTION

The Senegalese Personal Data Protection Commission (CDP) has released its fourth and final quarterly report for 2020. The report, dated 12th January, 2021, is, par for the course, detailed, and it concisely lists the activities of the Commission, which according to the report consist of plenary sessions, declarations, receipts and authorizations, as well as warnings, complaints and requests for opinion. The report itself may be viewed here.

SUMMARY OF ACTIVITIES

The CDP fielded and responded to eight (8) requests for advice on a wide range of issues making reference to Law No. 2008-12 of January 25, 2008, the Senegalese Data Protection Law. Some of the questions are as follows:

  • Can an employer demand to know the marital status as part of an application form?
  • What is the declaration procedure for video surveillance systems and badge access systems?

In addition, it called upon eleven (11) organisations to declare their files and databases and held two (2) plenary sessions, after which eighty-nine (89) declaration receipts and fourteen (14) authorizations were issued to private and public organisations and persons for several activities involving the processing of personal data, such as:

  • Video surveillance in private homes and public establishments to ensure the safety of goods and people.
  • Free WiFi connection for passengers of Senegalese buses and sending of advertising content to users of this free WiFi connection.
  • Phone call recordings and the collection of email addresses and phone numbers.

The Commission also handled four (4) complaints and four (4) reports related to breaches and potential breaches of privacy by individuals and organisations such as:

  • The opening of a fake account on Facebook for the First Lady of the Republic of Senegal.
  • Dissemination on a YouTube page of a video invading the complainant’s privacy.

In one of the cases, the Commission declined to take action on a data breach report by a company because its jurisdiction is restricted to natural persons. It did, however, refer the company in question to the Special Cybersecurity Division (DSC) of the Police.

It also issued a warning against Orange Finances Mobiles Senegal (OFMS) for breaches of the law on the protection of personal data, following receipt of a complaint from a complainant relating to the opening of an Orange Money account on her number without her consent.

In the technical compliance, technological support and advice section, the report states that as part of its consulting, control, innovation and technology missions, the Information and Communication Technology Department (DTIC) worked on the following subjects:

  1. The implementation of the State IT Agency’s (ADIE) video conference system/Collaborative Tool to hold plenary sessions remotely for the duration of the pandemic.
  2. Support and compliance training.
  3. Tutorial for the declaration of personal data processing.

The CDP, supported by the Communication and Public Relations Department, also intends to launch a video communication campaign early this year on the 2008 law relating to the processing of personal data, to simplify understanding of the law and facilitate compliance.

According to the report, the Directorate of Legal Affairs, Litigation and Compliance (DAJC) and the DTIC have contributed practical advice, which includes tips such as the following:

  • If you have a website, check whether the site contains forms that collect personal data (contact form, online study / questionnaire / survey, order form for e-commerce sites, etc.). If so, inform your users of the collection and processing of their personal data, the name and contact of the data controller, and the means and recourse to access, modify or delete their data (legal notices);
  • When the data collected is used for purposes other than those initially intended or is sent to third parties (e.g. for advertising), make sure to obtain the user’s consent (e.g. a checkbox at the bottom of the contact form: I agree that my contacts will be used to receive your news / events / new products | I agree to receive advertising messages by SMS from your partners);
  • To best secure your website and/or mobile application, make sure that minimum good security practices have been applied to guarantee the availability, integrity, confidentiality and traceability of your website/mobile application.
  1. General deliberation on the operation of geolocation systems, to ensure that data controllers in organisations using them to geolocate employee vehicles process personal data in a way that respects fundamental rights and freedoms. After this deliberation, the CDP issued general deliberation No. 2020-00491/CDP in order to regulate the use of geolocation systems that result in the processing of personal data, and to better inform employers and employees about their rights and obligations.
  2. “Online security” awareness project, in partnership with Facebook and BS Corp, and with the Ministry of National Education. This nationwide program aims to promote cybersecurity among young students of Senegal and to change their perception of cyber threats through education, awareness, and sharing of good practices.

Information about the program is available online on the dedicated social networks (Facebook/Instagram): MaVieEnLigne_sn.

  3. Technology watch procedure to stay informed of technological innovations and to follow the impact of personal data protection developments.

The report also mentioned several communication and awareness activities that the CDP held or participated in, including but not limited to:

  1. Webinars from the Ministry of the Digital Economy and Telecommunications on “Cybersecurity of infrastructure and essential services in a pandemic context” and “The protection of children online: Issues and challenges”.
  2. Digital Education Campaign.
  3. Celebration of the International Day of the Girl.

Finally, the report outlined several initiatives and meetings aimed at partnership and cooperation with continental and intercontinental bodies such as the African Union (AU) and the Council of Europe.