Privacy Legislation and personal data law in Mauritius

The Data Protection Act 2017 is a data protection and privacy law that was passed in Mauritius in 2017. As has been the case with many privacy laws passed in recent years, the Data Protection Act 2017 was drafted to align with the European Union’s General Data Protection Regulation, or GDPR. Moreover, the Data Protection Act 2017 also aligns with the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data, or the modernized Convention 108 for short. However, there are certain provisions within the Data Protection Act 2017 that differ from European data privacy standards. As such, the Data Protection Act 2017 establishes the requirements for the collection and processing of personal data in Mauritius.

How are data controllers and processors defined under the law?

Under the Data Protection Act 2017, a data controller is defined as a “person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision-making power with respect to the processing”. By contrast, a data processor is defined as “Any information relating to a data subject”. Furthermore, the Data Protection Act 2017 defines personal data rather broadly to mean any “information relating to a data subject”. Additionally, the law defines sensitive personal data to mean “personal data which are sensitive in nature, for example, the racial or ethnic origin of the data subject or the genetic data or biometric data uniquely identifying the data subject”.

In terms of the scope and applicability of the Data Protection Act 2017, the personal scope of the law covers all data controllers and processors who are established within Mauritius and process data within the country. While the law does not have any territorial jurisdiction as it relates to foreign countries and nations, individuals or entities who are not physically located within Mauritius but still make use of equipment in the country must also comply with the law, unless this equipment is used strictly for the purposes of transit. As it relates to the material scope of the law, all processing of personal data, whether done through automated or non-automated means, must be conducted in accordance with the provisions and regulations set forth by the Data Protection Act 2017.

What are the obligations of data controllers and processors under the Data Protection Act 2017?

As the Data Protection Act 2017 was drafted to align with the provisions of the EU’s GDPR law, the Act establishes various principles in relation to the safeguarding of personal data. These principles include:

What are the rights of data subjects under the Data Protection Act 2017?

Under the Data Protection Act 2017, data subjects within Mauritius are entitled to the following data protection and privacy rights:

In terms of enforcement, the Data Protection Act 2017 is enforced by the Mauritian Data Protection Commissioner, or DPC for short. As such, the DPC has the authority to impose the following fines and penalties as it relates to non-compliance with the law:

Though Mauritius is a small island nation with a population of fewer than two million people, the country has passed data protection legislation that puts it on par with many larger countries around the world. As such, the Data Protection Act 2017 is the primary means by which the collection, processing, and dissemination of personal data are governed within the country. In passing such legislation, Mauritius is one of the many countries in the world that have drawn great influence from the EU’s GDPR law. More importantly, Mauritian citizens can rest assured that their personal data will be protected when they disclose it to data controllers and processors.