Data & Privacy · Gambia
Data protection & privacy laws in Gambia (2026)
Gambia shaded by its data & privacy status
The Gambia enacted its first comprehensive data-protection statute — the Personal Data Protection and Privacy Act, 2025 — passed unanimously by the National Assembly on 29 September 2025 and signed into law by President Adama Barrow on 7 November 2025. The Act establishes GDPR-aligned data subject rights, controller and processor obligations (including 72-hour breach notification), and cross-border transfer rules, designating the existing Information Commission as the independent supervisory authority. The law entered into force immediately with no transitional grace period.
Key points
The PDPP was passed unanimously on 29 September 2025 and assented to on 7 November 2025, making it Gambia's first comprehensive data-protection law. It covers automated processing and structured non-automated processing of personal data; purely personal or household activities are excluded.
The Information Commission — originally created under the Access to Information Act, 2021 — is designated as the data-protection authority, responsible for oversight, investigations, audits, public education, complaint handling, and imposing administrative fines. The dual mandate (access to information plus data protection) presents a resourcing challenge flagged by analysts.
Data subjects hold rights to be informed, to access their data, to rectification, erasure ('right to be forgotten'), restriction of processing, data portability, and objection to automated decision-making. Controllers must respond within one month, extendable under defined conditions.
Controllers must process on a lawful basis, conduct Data Protection Impact Assessments for high-risk activities, appoint a Data Protection Officer where required, and notify the Information Commission of data breaches within 72 hours. A stricter regime applies to sensitive categories including genetic, biometric, health, racial-origin, and political-opinion data.
The PDPP applies to controllers outside The Gambia whenever their processing relates to individuals within the country's jurisdiction — a broader extraterritorial reach than GDPR, which conditions applicability on the offering of goods/services or monitoring of behaviour.
Transfers abroad require the recipient country or organisation to offer an adequate level of protection; in its absence, Commission-approved safeguards (standard instruments or ad hoc agreements) are required. Administrative fines can reach the greater of GMD 1,000,000 (approx. EUR 11,500) or 5% of the prior year's gross income. Unlike many African peers, no prior registration with the Commission is required before commencing processing.
Gambia - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →