Data protection & privacy laws in Mali (2026)

Law No. 2013-015 of 21 May 2013 on the Protection of Personal Data in the Republic of Mali is the omnibus data protection statute, covering collection, processing, storage, and transfer of personal data by both public and private actors.

The Autorité de Protection des Données à caractère Personnel (APDP) was created by the 2013 law and officially launched in March 2016. Its mandate includes registering processing activities, investigating complaints, issuing enforcement actions, advising government on data-related legislation, and promoting digital citizenship. In early 2026 it reviewed 500+ pending dossiers in its first ordinary session.

Data controllers must notify the APDP of the purposes of processing before collection (public-sector entities may substitute a formal agreement with the authority). Controllers must implement appropriate technical and organisational security measures and ensure data is not damaged, distorted, or unlawfully accessed by third parties.

Individuals hold rights to: be informed of collection and processing purposes; access their personal data; obtain rectification or erasure (false, inaccurate, or outdated data must be deleted within 30 days of request); and object to processing on legitimate grounds unless processing is based on a legal obligation.

Transfers of personal data to third countries are permitted only where the destination country provides an adequate level of legal protection for privacy, freedoms, and fundamental rights of individuals in relation to personal data processing — mirroring the adequacy-decision model.

Law No. 2017-070 of 18 December 2017 amended the 2013 law specifically regarding the functioning and organisation of the APDP. Law No. 2019-056 of 5 December 2019 on the Repression of Cybercrime contains additional provisions relevant to personal data protection in digital contexts.