PDPP Act 2025

Personal Data Protection and Privacy Act, 2025

Key Facts

Effective Date: November 7, 2025
Enacted: November 7, 2025
Enforcing Authority: Information Commission (designated as National Data Protection Commission)
Consent Model: Opt-in
Applies To: All automated and non-automated processing of personal data within structured sets; excludes purely personal/household activities and anonymous data

Overview

The Gambia enacted its first comprehensive data protection law in November 2025, establishing a modern framework with GDPR-level penalties. The Personal Data Protection and Privacy Act designates the Information Commission as the National Data Protection Commission. Unlike most African data protection laws, the PDPP Act does not require prior registration before processing, instead focusing on accountability-based compliance with 72-hour breach notification requirements.

What This Means for Your Website

Websites collecting personal data from individuals in The Gambia must obtain freely given, specific, informed, and unambiguous consent. Unlike many African jurisdictions, you do not need to register with the Commission before processing. However, you must notify the Commission within 72 hours of discovering a data breach and notify affected individuals without undue delay for high-risk breaches. Data Protection Impact Assessments are required for high-risk processing activities.

Key Requirements

Consent must meet the GDPR-standard threshold of being freely given, specific, informed, and unambiguous. The penalty framework is among Africa's most severe: administrative fines of GMD 1 million or 5% of gross income, escalating to 4% of global turnover for serious violations. Criminal penalties include up to 10 years imprisonment for selling personal data, 7 years for obstruction of investigations, and 2 years for concealing data breaches. Breach notification must reach the Commission within 72 hours.

How ConsentStack Handles This

ConsentStack identifies visitors from The Gambia and presents an opt-in consent banner meeting the law's standard of freely given, specific, informed, and unambiguous consent. All non-essential scripts are blocked until consent is obtained. Consent records are stored with full audit trails including timestamps and preference details, supporting accountability requirements and breach notification compliance.

Penalties

Administrative: GMD 1,000,000 or 5% of gross income. Serious/aggravated: 4% of global turnover. Criminal: up to 5 years imprisonment; aggravated: up to 10 years plus GMD 10,000,000 for corporations. Concealing breach: 2 years. Obstruction: 7 years.

Maximum Fine: GMD 10,000,000 aggregate
Revenue-based: 4% of annual revenue

Key Requirements

  • Consent must be freely given, specific, informed, and unambiguous
  • No prior registration required before processing (departure from African trend)
  • 72-hour breach notification to Commission
  • Data subjects must be notified without undue delay for high-risk breaches
  • Data Protection Impact Assessments required for high-risk processing
  • Data subjects have comprehensive rights including access, rectification, and erasure

Notable Provisions

  • 4% global turnover penalty mirrors GDPR
  • Criminal penalties for selling personal data (up to 10 years)
  • Criminalization of concealing data breaches (2 years) and obstruction (7 years)
  • No prior registration requirement, unusual for Africa

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does The Gambia require cookie consent?

The PDPP Act 2025 does not have specific cookie provisions, but personal data collected through cookies requires freely given, specific, informed, and unambiguous consent under the general processing rules.

What are the penalties under The Gambia's data protection law?

Administrative fines reach GMD 1 million or 5% of gross income. Serious violations face 4% of global turnover. Criminal penalties include up to 10 years imprisonment for selling personal data and 7 years for obstruction.

Do I need to register before processing data in The Gambia?

No. Unlike most African data protection laws, The Gambia's PDPP Act does not require prior registration before processing personal data, instead relying on an accountability-based compliance model.

How quickly must data breaches be reported in The Gambia?

Data breaches must be reported to the Information Commission within 72 hours of discovery. Affected individuals must be notified without undue delay for high-risk breaches. Concealing a breach is a criminal offence carrying up to 2 years imprisonment.
