Under Senegalese law it is possible to transfer personal  data to a third country. When transferring data to a foreign country, the controller is required to submit a duly motivated request to the Personal Data Protection Commission if the transfer lacks an adequate level of protection. This request is possible only when the controller provides a sufficient guarantee of protection of the rights of the data subject regarding compliance with the privacy of the fundamental rights and freedoms of individuals concerned and the exercise of the corresponding rights.

The level of protection in question is assessed in the light of, inter alia, the security measures, the specific processing characteristics such as its purpose, duration, nature, origin and the destination of the processed data.¹

There are a number of obligations that affect the controller. The data transfer can only be made in a country that offers the same guarantees of protection as Senegal unless the request is accepted.

In derogation of the obligation of the recipient country of the data subject of the transfer, the law provides for the possibility of transferring data to a third country which does not offer the same level of protection, subject to certain conditions.

Indeed, this transfer must be punctual, non-massive and the person to whom the data relates must express his / her consent to a transfer of these data. It must also be expressed if the transfer is necessary to one of the following conditions:

• to safeguard the life of this person;
• the safeguarding of the public interest;
• compliance with obligations to ensure the recognition, exercise or defense of a right to justice;
• to the execution of a contract between the controller and the person concerned, or
• pre-contractual measures taken at the request of the latter.