Data Protection in Burkina Faso

Enforcement in Burkina Faso

The law empowers the CIL to impose various sanctions depending on the severity of the infringement. However, the level of enforcement remains quite low due to resource limitations and the fact that this field of law is still new to the administration and business and data subjects.

The CIL may, directly or through an expert authorized for this purpose, carry out checks and controls on any processing of personal data.

However, if the data controller initiates the inspection, he or she must pay the inspection fees, the amount of which is set by order of the Minister of Finance.

On completion of its checks and inspections, the CIL may impose the following administrative sanctions on offenders, without prejudice to criminal prosecution:

  • a warning;
  • formal notice;
  • injunction to cease data processing;
  • blocking of certain personal data;
  • lump-sum fines;
  • withdrawal of authorization.

The amount of the fine is proportionate to the seriousness of the breaches committed and to the benefits derived from the breach.

The sanctions provided for by law are imposed on the basis of a report drawn up by one of the members of the CIL, appointed by the Chairman. This report is sent to the data controller, who may submit observations and be represented or assisted at a hearing before the CIL.

The amount of the fixed fine provided for by law is proportionate to the seriousness of the breaches committed and the benefits derived from the breach. For the first offence, the fine is one percent of sales excluding tax for the last financial year for which the accounts have been closed. In the event of a repeat offence, the fine is five percent of sales excluding tax for the last financial year for which the accounts have been closed.  Fixed-rate fines are recovered as receivables from the State.

Financial penalties may also be imposed on any data controller, ranging from XOF five million (5,000,000) to XOF one hundred million (100,000,000).

Sanction by the data protection Authorities may be appealed before the competent administrative court.

Continue reading

  • no results

Previous topic
Back to top