What is a control mission?

Like many African and European countries, Senegal has set up a commission to protect the personal data of its citizens. The CDP (Commission for the Protection of Personal Data) has been in charge of this mission since 2008 and carries out controls on the data controllers of various organisations.

What is a control mission?

A control mission is an operation carried out by the Commission for the Protection of Personal Data in places and establishments used for the processing of personal data, and on websites that process personal data. It can therefore be exercised both on the spot and at a distance (online). During a CDP inspection mission carried out on the premises of the entity concerned, the members and agents of the CDP have access to any professional space concerned by the inspection mission, excluding parts of the private home.

What is the purpose of a monitoring mission?

The inspection mission is carried out by the CDP for the sole purpose of checking the compliance of the processing operation with the legislation. These missions are carried out subject to prior notification of the Public Prosecutor with territorial jurisdiction. Please note that in the event of breaches found during the inspection, certain sanctions may be imposed by the Commission.

CDP powers

During an inspection mission, the CDP has the right to access and copy any document, regardless of its medium. It can collect, on the spot or by summons, any useful information and justification. It may access computer programmes and data, and request the transcription of any processing into appropriate documents that can be used directly for audit purposes.

To guide entities in their compliance process, and to inform them about how the controls proceed, the CDP makes a plethora of compliance resources available to data controllers on cdp.sn.

What happens at the end of the control mission?

At the end of the control mission, a contradictory report is drawn up on the verifications and visits carried out. The Personal Data Commission may pronounce the following measures:

1) a warning to the controller who does not comply with the obligations.

2) a formal notice to cease the infringements concerned within the time limit it sets.

3) a sanction against a controller.

Finally, it is important to remember that personal data must be processed in compliance with the legislation in force and the rights of the persons concerned. This compliance must be maintained before and even after being subject to a control mission, i.e. throughout the life cycle of the processing.
