Biometric pointing devices are not new in Senegal, being already widely used in many structures. In 2022, the town hall of Ziguinchor adopted this technology on the initiative of Ousmane SONKO, mayor of the town, and currently Prime Minister of the Republic of Senegal.
Today, rumors suggest that the new regime in place plans to extend their use to all public establishments. But what do we really know about these tools? And above all, what does Senegalese legislation say on this subject?
The biometric pointing device?
In our case, the biometric time clock is an electronic device allowing employees of a structure to identify themselves using their biometric characteristics. Its objective is to ensure better monitoring of worker attendance times.
More reliable than the attendance sheet or even the magnetic badge, the biometric time clock is almost impossible to circumvent, because it requires biometric characteristics specific to each individual, such as fingerprints, face, voice or iris. Consequently, the law regulates its use, particularly when it is implemented in workplaces.
Supervision of biometric devices in the workplace
Since 2008, Senegal has had a law on the protection of personal data, in this case Law No. 2008-12 of January 25, 2008 on the protection of personal data.
The Personal Data Protection Commission (CDP), as an independent administrative authority, ensures compliance with this law. Thus, depending on the nature of the data collected, it determines the applicable protection regime, as well as the formalities to follow.
Formalities prior to processing biometric data
The law on personal data provides for four (4) protection regimes: the exemption regime, the declaration regime, the authorization regime, as well as the opinion request regime. In accordance with article 20-5 of the aforementioned law, the processing of personal data including biometric data requires authorization from the Commission for the Protection of Personal Data (CDP).
Consequently, any organization, whether public or private, wishing to set up a device for collecting and processing biometric data, such as a biometric time clock, must send an authorization request to the CDP. This request is deemed favorable if the authority does not make a decision within two (2) months from receipt of said request.
Biometric data authorized for collection
In Senegal, the Commission for the Protection of Personal Data (CDP) recommends the use of biometric time clocks with fingerprints. In accordance with its general deliberation of April 13, 2023, only the collection of a maximum of two (02) fingerprints per employee or the palm print is authorized. However, upon presentation of legitimate reasons by the data controller, the CDP may authorize the collection of a maximum of three (03) fingerprints.
The person responsible for processing this data is therefore bound, among other things, by an obligation of security and confidentiality. In addition, it must guarantee that data subjects can exercise their rights, in particular the right of access, the right of opposition, as well as the right to rectification and deletion of their data subject to processing.
Also, before the implementation of a system for collecting and processing biometric data in workplaces, the CDP requires that the persons concerned be informed by memo, information note or any other duly notified document.
As for the collection of biometric data from the face, voice or even the iris, the CDP may exceptionally authorize their collection, provided that the device is installed in strategic or sensitive public establishments.
The retention period of biometric data
Under Article 35 of Law No. 2008-12 of January 25, 2008, personal data cannot be stored unlimitedly. They must in fact be kept for a period not exceeding the period necessary for the purposes for which they were collected or processed. Ex: personal data collected from a vehicle geolocation system must not be kept for more than 2 years. This duration is 3 months when the personal data comes from a video surveillance system.
With regard to biometric data, the law does not expressly set a retention period. However, this does not mean that data must be retained indefinitely. Indeed, in accordance with general deliberation No. 2021-558/CDP of December 30, 2021 of the CDP relating to the retention period of personal data, biometric data is retained during the presence of the persons concerned. In other words, they must be deleted as soon as the people concerned leave.
By Mamadou Lamine N. DIA, lawyer in Digital law.
