Explainer: What The Gambia’s Personal Data Protection Act Means for You
A guide to The Gambia’s Data Protection Act—what it means for your personal information, the rights you have over your data, how institutions must handle it, and the penalties for those who misuse it.
When the Personal Data Protection and Privacy Act, 2025 became law in The Gambia, it marked a major step in how the country manages personal information in an increasingly digital world.
From SIM card registration and biometric voter rolls to mobile money transactions and hospital records, vast amounts of personal data are routinely collected and stored.
The law sets clear rules for how institutions should collect, use, store, and share personal information. It also gives individuals defined rights over their data and establishes a regulatory authority tasked with monitoring compliance and enforcing the law.
Yet, months after its enactment, many Gambians remain unaware of what the Act requires or how it affects them.
People often share personal information without knowing the protections in place or the remedies available if their data is misused.
This explainer breaks down the Act, what it requires, and why it matters in everyday life.
What the Law Covers
At its core, the Act sets out the rules for how personal information should be collected, used, stored and shared. Personal data, such as names, phone numbers, identification details, financial records or medical information, is increasingly gathered by both public institutions and private companies as part of everyday services.
The law recognises that if such information is mishandled, it can expose individuals to risks ranging from identity theft and financial fraud to reputational harm. To address this, the Act establishes a framework intended to ensure that organisations treat personal data responsibly.
The law is built around three central objectives. First, it seeks to protect individuals’ privacy rights, recognising that personal information is closely connected to a person’s dignity, safety and autonomy.
By setting legal limits on how data can be used, the Act aims to give individuals greater control over information that relates to them.
Second, the Act promotes lawful and responsible data processing. In practical terms, this means organisations cannot collect or use personal information arbitrarily.
They must have a clear and legitimate reason for gathering data, explain why it is needed, and ensure that it is only used for the purpose for which it was collected.
The law also requires institutions to follow proper procedures when handling such information, including keeping it secure and avoiding unnecessary or excessive collection.
Third, the Act establishes an independent oversight authority responsible for monitoring compliance and enforcing the law. This body is tasked with ensuring that institutions follow the rules governing data protection.
It can investigate complaints, issue guidance on proper data practices, and take action where organisations fail to meet their legal obligations.
The Act applies broadly across both the public and private sectors. Government ministries and agencies, banks, telecommunications companies, hospitals, schools, non-governmental organisations and private businesses all fall within its scope. In effect, any institution that collects or processes personal data must comply with the law.
Under the Act, these organisations are required to clearly justify why they collect personal data, limit its use to specific and lawful purposes, and put safeguards in place to protect it from misuse, unauthorised access or disclosure.
The intention is to ensure that as data becomes more central to modern life, the rights and privacy of individuals remain protected.
What Counts as Personal Data?
Personal data refers to any information that can be used to identify a person, either on its own or when combined with other details.
Identification does not always require something as obvious as a full name or identification number. In many cases, smaller pieces of information, when put together, can reveal who someone is.
Common examples of personal data include basic identifying information such as a person’s name, national identification number, or passport details. Contact information like phone numbers, residential addresses, and email addresses also falls within this category because it can be used to trace or contact a specific individual.
The definition also extends to more sensitive forms of identification. Biometric data, such as fingerprints or facial recognition records, is considered personal data because it is unique to each individual and often used for identity verification.
In the digital environment, personal data can also include online identifiers like IP addresses, account IDs, or device identifiers that are linked to a specific user.
Location information is another important category. Location data, whether collected through mobile devices, applications, or tracking technologies, can reveal where a person lives, works, or travels. Over time, such information can build a detailed picture of someone’s daily movements and habits.
For this reason, the Act adopts a broad understanding of what qualifies as personal data. Even information that appears minor on its own may still fall under the law if it can help identify someone when combined with other data. The goal is to ensure that individuals remain protected in an era where different pieces of information can easily be linked together to reveal personal identities.
Sensitive personal data
Certain categories of personal data are considered especially sensitive because of the potential harm that could arise if they are misused or disclosed. For this reason, the law places stricter protections on what it describes as sensitive personal information. This type of data typically includes details about a person’s health and medical records, biometric identifiers such as fingerprints or facial recognition data, political opinions, religious or philosophical beliefs, ethnic or racial background, and criminal records.
Information in these categories is deeply connected to an individual’s identity and personal life. If it falls into the wrong hands or is used irresponsibly, it can expose people to discrimination, social stigma, reputational damage, or even threats to their safety.
For example, unauthorised access to medical records could reveal private health conditions, while disclosure of political or religious beliefs might expose individuals to prejudice or targeted harassment.
Because of these risks, the Act requires organisations to meet a higher legal threshold before collecting, processing, or sharing sensitive personal data.
Institutions must have a clear and lawful basis for handling such information and must ensure that stronger safeguards are in place to protect it. These safeguards can include stricter access controls, enhanced security measures, and clear limitations on who can view or use the information.
In essence, while all personal data must be handled responsibly, sensitive personal information receives an additional layer of protection under the law due to the serious consequences that could arise from its misuse.
Who Must Comply?
The Act applies broadly to any organisation or individual that handles personal data as part of professional or institutional activities. This includes government ministries and state agencies, public institutions and non-governmental organisations, private companies such as banks and telecommunications providers, as well as hospitals, schools, and other service providers.
In practice, if an institution collects, stores, analyses, or shares personal information about individuals, it is likely subject to the law.
Within this framework, the Act distinguishes between two key roles: data controllers and data processors. A data controller is the entity that decides why personal data is collected and how it will be used.
For example, a bank collecting customer information to open an account acts as a controller because it determines the purpose and method of processing the data. A data processor, on the other hand, handles personal data on behalf of the controller, such as a technology company storing the bank’s customer records on its servers.
Both roles carry legal responsibilities. Controllers must ensure that data is collected and used lawfully, while processors must handle the data securely and according to the controller’s instructions. Importantly, compliance with the Act is not optional, and it extends beyond government institutions to include private sector organisations that process personal information.
Core Principles of Data Protection
The Act outlines several guiding principles that institutions must follow when handling personal data. These principles are designed to ensure that information is treated responsibly and that individuals’ privacy rights are respected.
First, personal data must be collected lawfully and fairly. This means organisations must be transparent about what information they are gathering and why, and they must have a legitimate reason for doing so. Individuals should not be misled or kept in the dark about how their information is being used.
Second, the law emphasises purpose limitation. Information collected for one specific purpose should not later be used for unrelated purposes unless there is a clear legal basis for doing so. For instance, data collected to provide a service should not automatically be reused for marketing or other activities without proper justification.
The principle of data minimisation requires organisations to collect only the information that is truly necessary. Gathering excessive or irrelevant data increases the risk of misuse and undermines privacy protections.
Institutions must also ensure accuracy, meaning that personal information should be kept correct and updated where necessary. Incorrect data can lead to serious consequences, especially in areas such as banking, healthcare, or immigration records.
Security is another key requirement. Organisations must protect personal data from unauthorised access, leaks, or cyberattacks by implementing appropriate technical and organisational safeguards.
Finally, the Act establishes retention limits. Personal data should only be kept for as long as it is needed for the purpose for which it was originally collected. Once that purpose is fulfilled, the data should be securely deleted or anonymised.
Your Rights as a Citizen
One of the central aims of the Act is to give individuals greater control over their personal information. Rather than leaving data management entirely in the hands of institutions, the law grants citizens several rights that allow them to understand and influence how their data is used.
The right to be informed means individuals are entitled to know when their personal data is being collected and why. Organisations must clearly explain how the information will be used and who may have access to it.
Through the right of access, individuals can request to see what personal information an organisation holds about them. This allows people to verify the accuracy of records and understand how their data is being processed.
If the information is incorrect or incomplete, individuals have the right to correction, allowing them to request that the data be updated. In some cases, individuals may also exercise the right to erasure, asking for their data to be deleted if it is no longer necessary or if it was collected unlawfully.
The Act also provides a right to object to certain forms of data processing, particularly where individuals believe the use of their information is unjustified or intrusive. Where institutions fail to comply with these rights, individuals can exercise the right to complain to the regulatory authority responsible for enforcing the law.
Together, these rights shift some control over personal data back to citizens, providing legal tools to challenge misuse and demand accountability.
The Data Protection Authority
The Act provides for the establishment of an independent Data Protection Authority responsible for overseeing how institutions collect, use, and safeguard personal information.
The authority is expected to play a central role in implementing the law by monitoring compliance, investigating complaints, issuing regulations, and enforcing penalties where violations occur.
In practice, however, the institutional framework for the authority is still being developed. While the law creates the legal basis for the regulator, the full operational structure, including staffing, systems, and enforcement mechanisms, is being rolled out as part of the law’s implementation.
Once fully operational, the authority is expected to act as the country’s primary watchdog on data protection, ensuring that both public institutions and private companies comply with the rules governing personal information.
Its effectiveness will depend largely on its independence, resources, and ability to investigate violations and enforce the law consistently.
Data Security Obligations and Penalties
The Act places clear obligations on organisations to protect personal data from misuse or unauthorised access. This requires institutions to implement practical safeguards across both digital and physical systems.
For example, organisations must secure electronic databases and paper records, restrict access to sensitive information to authorised personnel, and ensure that employees are trained in proper data protection practices. They must also be able to detect and respond to data breaches and ensure that information shared with third parties remains adequately protected.
Failure to comply with these obligations can constitute an offence under the law. Violations may include the unlawful processing of personal data, the unauthorised disclosure of confidential information, refusal to comply with lawful instructions from regulators, or obstructing official investigations.
The law allows for sanctions against institutions or individuals who violate these rules. These penalties may include financial fines or other legal consequences, reinforcing that data protection is a mandatory obligation rather than a voluntary standard.
Why the Law Matters Now
The need for data protection has become increasingly urgent as The Gambia’s digital infrastructure expands. Many government services and private sector systems now rely on the collection and storage of large volumes of personal data.
Examples include biometric voter registration, SIM card registration systems, digital banking and mobile money platforms, electronic medical records, immigration and passport databases, and CCTV surveillance networks.
At the same time, the rapid growth of social media and online platforms has increased the amount of personal information circulating in digital spaces.
While these technologies can improve efficiency and access to services, they also create new risks. Without strong safeguards, personal information can be misused for identity theft, discrimination, political profiling, reputational harm, or financial fraud.
The Act therefore establishes a legal framework designed to ensure that the growing use of data is managed responsibly and that individuals’ rights remain protected.
What It Means for Journalism
The law also has direct implications for journalists, newsrooms, and media organisations. Reporting frequently involves collecting and handling personal information, whether through interviews, documents, public records, or digital research.
Journalists must ensure that personal data is collected lawfully and transparently, and that it serves a legitimate journalistic purpose.
When reporting involves sensitive information, such as health conditions, political views, religion, or ethnic identity, additional care is required to avoid legal or ethical violations.
At the same time, journalists must balance compliance with the law against the need to protect confidential sources. Source protection remains a cornerstone of investigative reporting, but news organisations must also ensure that sensitive information is stored securely and that access to research materials is carefully controlled.
Requests from individuals to access, correct, or delete information may also arise under the Act.
Media organisations must handle such requests thoughtfully, ensuring that privacy rights are respected without undermining editorial independence or the public interest.
In many ways, the law formalises practices already considered part of responsible journalism: handling information ethically, safeguarding sources, and respecting individuals’ privacy while reporting accurately.
Key Issues to Watch
Like any legislation, the real impact of the Act will depend on how effectively it is implemented. Several questions remain central to assessing its success.
Observers will be watching whether the regulatory authority becomes fully operational and maintains genuine independence.
Another critical factor is whether public institutions and private companies receive adequate training and guidance to comply with the law.
Public awareness is also crucial. Citizens need to understand their rights and how to exercise them if their personal data is mishandled. Transparency around data breaches and consistent enforcement across sectors will also determine whether the law achieves its intended goals.
Ultimately, the Act recognises that personal data is not merely administrative information. It is closely linked to individual dignity, autonomy, and security. The extent to which these principles are realised will depend on sustained enforcement, institutional accountability, and public engagement with the rights the law provides.
