DATA PRIVACY AND PROTECTION IN MAURITIUS
Globalization and the accelerating pace of technological development have brought about new challenges for the safeguard of personal data. Through the Data Protection Act 2017 (DPA 2017), Mauritius has aligned its domestic laws with some of the most stringent international standards in relation to the processing of personal data and the protection of the rights of data subjects. The DPA 2017, itself inspired from the EU’s General Data protection Regulation, applies to entities established in Mauritius that process personal data, and to entities that use equipment located in Mauritius for the processing of personal data.
The Data Protection Office
The Data Protection Office is a statutory body which is entrusted with a wide range of enforcement powers to ensure that the principles of data protection are observed. It promotes awareness of data protection laws, ensures compliance with those laws, investigates complaints and cooperates with supervisory authorities of other countries. It is headed by the Data Protection Commissioner, who is a barrister of not less than 5 years’ standing.
Mandatory registration of data controllers and processors. The Data Protection Office maintains a Data Protection Register, which is a list of approved data controllers and processors, and which is available for inspection free of charge. No person is allowed to operate as data controller or processor in Mauritius unless duly approved by and registered with the Data Protection Office. As part of the registration process, data controllers and processors have an obligation to disclose to the Data Protection Office a description of the personal data to be processed as well as the purpose for which those data are to be processed.
Lawful processing of personal data
Broadly, an organization in Mauritius can only process personal data 1) when those data are required to allow the organization to perform a contractual obligation, or 2) when explicit consent has been obtained from the data subject for the purpose specified, or 3) to satisfy a legal obligation.
Rights of data subjects
The DPA 2017 strengthens the control of individuals over their personal data and provides enhanced rights to data subjects:
- Right to receive free of charge a copy of their personal data being held, and to information about the way those data are utilized;
- Right to correction and rectification of personal data;
- Right to erasure of personal data when the data is no longer relevant to the original purpose for processing the data, or when consent has been
withdrawn, in the absence of other legal grounds for maintaining the data; - Right to lodge a complaint with the Data Protection Commissioner.
Obligations of data controllers and processors
The DPA 2017 extends the scope of responsibilities for data controllers and processors:
- Appropriate data security arrangements: Data processors and controllers need to ensure that appropriate technical and organizational measures are
in place in order to maintain data security. - Lawful collection and processing of personal data: Personal data should only be collected for a legitimate purpose and in a transparent manner, in
accordance with the rights of data subjects. - International data transfer compliance: International data transfers are only allowed in restricted cases, such as where proof of appropriate safeguards protecting the personal data have been provided to the Data Protection Commissioner, or the data subject has given explicit consent to
the transfer and the Commissioner has given written authorization to the transfer for the stated purpose, or where the personal data is necessary in
the performance of a contractual obligation. - Mandatory data breach notification: Any personal data breach needs to be reported to Data Protection Commissioner within 72 hours of first noticing the breach, and to the individuals affected without undue delay if there is a likelihood that the personal data breach is likely to result in a high risk.
- Demonstrate compliance with the law: Controllers and processors have an obligation to document their compliance measures, the data processing
operations, the risk assessments made, the courses of action taken to address those risks, and to make the records available to the Data Protection Office on request.
Audit of systems
The Data Protection Office carries out periodical audits on the systems of data controllers and processors to ensure compliance with data protection
principles.
Complaints and sanctions
The Data Protection Commissioner is empowered to investigate complaints, to establish whether a breach under the Data Protection Act has been committed, and to refer matters to the Police for prosecution. Non-compliance with the DPA 2017 amounts to a criminal offence punishable by a fine of up to MUR 200,000 and a term of imprisonment of up to 5 years.
Convention 108
In 2016, Mauritius acceded to the Council of Europe’s Convention for Protection of Individuals with regard to Automatic Processing of Personal Data
(Convention 108), a binding international instrument protecting the rights of individuals in the collection and processing of their personal data.
Strong regulatory framework
Mauritius’s strong data protection framework backed by robust enforcement assists in building trust in the online business environment. Persons and
entities making use of the Mauritius jurisdiction have the added confidence and reassurance that their personal data and those of their clients will likely be safeguarded and protected according to the most stringent international norms.
DTOS provides valuable insights and value-added services to businesses with regard to their evolving present and future needs. Should you have any query in relation to the topic covered and require any assistance, please do not hesitate to contact us. We shall be pleased to assist you