You often hear: "GDPR is for European companies. We're in Casablanca / Dakar / Abidjan, doesn't concern us." That's a major legal mistake. GDPR has explicit extraterritorial reach. A Moroccan SME that sells an online product to a French customer faces the same rules as a Parisian company. And fines can reach 4% of global revenue.
In 2024 the CNIL sanctioned 21 non-European companies for a cumulative €14.3M. The trend is accelerating in 2025-2026. If you target Europe and are not compliant, it's no longer a question of if you'll be sanctioned but when.
The 3 cases where GDPR applies to an African business
GDPR applies to your company as soon as any one of the following three criteria is met.
- You offer goods or services to people located in the EU. This is the "targeting" criterion: if your site is in French, shows prices in euros, accepts European payment methods, or lists Europe as a delivery zone, you fall under GDPR.
- You monitor the behaviour of people located in the EU. Analytics, tracking cookies, retargeting ads aimed at Europeans — GDPR applies.
- You process data on behalf of a controller established in the EU. If you're a Dakar agency developing a site for a French SME, you're a processor under GDPR and must sign a DPA.
EU GDPR vs local African laws
Good news: most francophone African countries have adopted GDPR-inspired laws. Bad news: they don't replace one another, they stack. If you operate in both Africa and Europe, you must comply with both.
| Country / framework | Reference law | Authority |
|---|---|---|
| European Union | GDPR (Regulation 2016/679) | CNIL (France), CPVP (Belgium), PFPDT (Switzerland)... |
| Morocco | Law 09-08 + CNDP | CNDP — National Personal Data Protection Commission |
| Senegal | Law 2008-12 + CDP | CDP — Personal Data Commission |
| Ivory Coast | Law 2013-450 + ARTCI | ARTCI — Telecommunications Regulatory Authority |
| Tunisia | Law 2004-63 + INPDP | INPDP — National Instance for Personal Data Protection |
Common principles: legitimate purpose, explicit consent, right of access and erasure, processing register, breach notification. Differences: scope, fine amounts, international transfers. In practice, if you're GDPR-compliant, you're also compliant with nearly all local African laws.
The 8 concrete obligations to put in place
Here's the practical checklist. If all of these points are up to date on your site and in your processes, you're 90% compliant.
- Legal notice: company name, registration number, ICE (Morocco) / RCS (France), headquarters, publication director, hosting provider.
- Privacy policy: types of data collected, purposes, legal basis, recipients, retention period, user rights.
- Cookie consent banner: CNIL-compliant, with granular choice (analytics / marketing / functional), refusing as easy as accepting, and no cookies dropped before the visitor has made a choice.
- Processing register: internal document listing all data processing operations (customers, leads, employees, candidates…). Free CNIL template available.
- DPO or GDPR contact: mandatory for large-scale processing or sensitive data. Recommended in all cases.
- DPA contracts with your subprocessors: hosting, CRM, email marketing, analytics. All must sign.
- User request handling procedure: access, rectification, erasure, portability. Legal deadline: 30 days.
- Breach notification procedure: 72 hours to notify the supervisory authority in case of a data breach. Incident plan prepared in advance.
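Taking the cookie banner item from the checklist above, here is an added example (not CodingArt's code, and not Tarteaucitron or Axeptio) of how a consent gate enforces those rules in the browser: every third-party tag is tied to a consent category, nothing non-essential loads before a decision is recorded, and refusing is a single call just like accepting. The tag ids, URLs and storage key are constructed placeholders.

```javascript
// Added example of a consent-gated tag loader (not CodingArt's code, nor Tarteaucitron/Axeptio).
// Tag ids and URLs below are constructed placeholders.
const CATEGORIES = ['functional', 'analytics', 'marketing'];
// Every third-party tag is tied to exactly one consent category.
const TAGS = [
  { id: 'analytics-example', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { id: 'ads-example', category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// `loader(tag)` is called once per allowed tag (in a browser: create a <script> element);
// `store` stands in for localStorage so the logic can run and be tested without a DOM.
function createConsentManager(loader, store = new Map()) {
  const KEY = 'consent_v1';
  const loaded = new Set();
  // null means the visitor has not decided yet: nothing non-essential may load.
  function current() {
    const raw = store.get(KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // Start each tag whose category is allowed, at most once; returns the ids started now.
  function apply() {
    const choice = current();
    if (!choice) return [];
    const started = [];
    for (const tag of TAGS) {
      if (choice[tag.category] === true && !loaded.has(tag.id)) {
        loader(tag);
        loaded.add(tag.id);
        started.push(tag.id);
      }
    }
    return started;
  }

  // Record an explicit per-category decision; categories not mentioned default to refused.
  function save(choice) {
    const decision = { decidedAt: new Date().toISOString() };
    for (const c of CATEGORIES) decision[c] = choice[c] === true;
    store.set(KEY, JSON.stringify(decision));
    return apply();
  }

  return {
    current, apply, save,
    // One call each way, so refusing costs the visitor no more than accepting.
    acceptAll: () => save(Object.fromEntries(CATEGORIES.map(c => [c, true]))),
    refuseAll: () => save({}),
  };
}
```

In a browser, pass a loader that creates a script element from `tag.src` and appends it to `document.head`, and a store backed by `localStorage`.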
Hosting and international transfers
This is one of the most misunderstood points. In theory GDPR requires that European personal data stays in the EU or in an "adequate" country. In practice, several options coexist in 2026.
- Direct EU hosting: OVH, Hetzner, Scaleway, Vercel EU. Simplest and most legally defendable option.
- Hosting in an adequate country (UK, Switzerland, Canada, Japan, South Korea…): allowed without additional formalities.
- US hosting with EU-US Data Privacy Framework (re-authorised in 2023): requires a certified provider and Standard Contractual Clauses (SCCs).
- Morocco/Africa hosting: allowed if you set up Standard Contractual Clauses (SCCs) between you and the host, plus a Transfer Impact Assessment (TIA).
Our recommendation at CodingArt for European clients: OVH or Vercel EU hosting by default. No additional formalities, maximum defendability, excellent latency.
Compliance tools and costs
| Tool / service | Annual cost | For whom |
|---|---|---|
| Tarteaucitron cookie banner (free) | €0 | SMEs up to 10K visitors/month |
| Axeptio cookie banner | €0 – 360/year | Sites up to 200K visitors/month |
| OneTrust cookie banner | €1,200 – 5,000/year | Enterprises, multi-site |
| CNIL privacy policy template | €0 | Everyone — starting point |
| Outsourced DPO (mutualised) | €1,500 – 6,000/year | SMEs 20-100 staff |
| Full GDPR audit by firm | €3,000 – 15,000 one-off | Before opening EU market |
| GDPR-compliant OVH/Vercel EU hosting | €120 – 1,800/year | Everyone |
The 3 real risks if you're not compliant
- Financial fines: administrative fine up to €20M or 4% of global revenue, whichever is higher. The CNIL issued €290M in fines in 2024.
- User or competitor complaint: a single user can report your site to the CNIL. A competitor can also report you to disrupt your operations.
- Loss of B2B contracts: since 2020, large accounts (Total, BNP, Carrefour…) require a GDPR audit of their subprocessors. Non-compliant = no contract.
How CodingArt handles compliance for clients
All our sites shipped for European clients include by default: personalised legal notice and privacy policy, CNIL-compliant cookie banner (Tarteaucitron or Axeptio depending on traffic), pre-filled processing register, DPA template for your subprocessors, OVH/Vercel EU hosting, 1-hour team training on user request handling. It's included in the quote, not an extra.
Already have a site and doubts about your compliance? Ask us for a free mini GDPR audit (30 minutes) — we'll tell you where you stand and what to fix first.