Mauritius’s Data Protection Act 2017

January 2018

View the original document

National Regulations

The Data Protection Act 2017 (DPA 2017) is Mauritius’s legislative framework designed to protect individuals’ personal data. The DPA 2017 applies to the processing of personal data by both automated and non-automated means, provided the data forms part of a structured filing system. It excludes processing by individuals for personal or household activities and certain intergovernmental data exchanges.

Key objectives of the DPA 2017

  • Enhance individual control: Empowers data subjects with greater autonomy over their personal information.​
  • Simplify regulatory environment: Streamlines data protection regulations to facilitate business operations in the digital economy.​
  • Facilitate safe data transfers: Promotes secure cross-border data flows, essential for global business engagements.​

Definitions

  • Personal data: Information relating to an identified or identifiable individual.​
  • Special categories of data: This includes data on racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual orientation, genetics, and biometrics.​
  • Data subject: An individual whose personal data is processed.​
  • Controller: Entity determining the purposes and means of processing personal data.​
  • Processor: Entity processing personal data on behalf of a controller.​

Data Protection Principles

Controllers and processors must adhere to principles ensuring that personal data is:​

  • Processed lawfully, fairly, and transparently: Ensuring clarity and honesty in data handling.​
  • Collected for specific, legitimate purposes: Avoiding use beyond the stated intent.​
  • Adequate, relevant, and limited: Collecting only necessary data.​
  • Accurate and up-to-date: Maintaining data correctness.​
  • Stored only as necessary: Retaining data only for as long as needed.​
  • Secured appropriately: Protecting data against unauthorised access and breaches.​

Rights of data subjects

Individuals are granted rights to:​

  • Access: Review their personal data held by controllers.​
  • Rectification: Correct inaccuracies in their data.​
  • Erasure: Request deletion of their data under certain conditions.​
  • Restriction of Processing: Limit how their data is used.​
  • Object: Oppose processing based on specific grounds.​
  • Not be subject to automated decisions: Avoid decisions made solely on automated processing that significantly affect them.

Obligations of controllers and processors

They are required to:​

  • Implement data protection measures: Ensure compliance with the DPA 2017.​
  • Maintain processing records: Document data processing activities.​
  • Conduct data protection impact assessments: Evaluate risks of high-risk processing activities.​
  • Notify breaches: Report data breaches to the Data Protection Office within 72 hours.​
  • Appoint Data Protection Officers: Designate personnel responsible for overseeing data protection compliance.​

Cross-border data transfers

Transfers of personal data outside Mauritius are permitted if:​

  • Adequate safeguards: Controllers provide appropriate protection measures.​
  • Specific conditions: Such as explicit consent from the data subject or necessity for contract performance.​

Enforcement and penalties

The Data Protection Office oversees compliance, with the Commissioner empowered to investigate complaints and enforce the Act. Non-compliance can result in fines of up to MUR 200,000 and imprisonment for up to five years.