The History of Data Protection and Privacy in Seychelles
December 15, 2021 | 5 minutes read
Seychelles Data Protection Act 9 of 2003 is a data protection law that was passed in 2003. As is the case with many constitutions and similar legislation, the Constitution of the Republic of Seychelles states that citizens of the country have the right to personal privacy. As such, the Data Protection Act 9 of 2003 stands as the foremost legal means by which the personal data of data subjects within Seychelles is protected, and outlines the obligations and responsibilities that data controllers and processors within the country are required to adhere to. Moreover, the law always provide data subjects with a means to receive compensation should their rights be violated under the law.
What is the scope and application of the Data Protection Act 9 of 2003?
In terms of the personal scope of the law, the Data Protection Act 9 of 2003 applies to “data users, and ‘persons carrying on a computer bureau’.” Alternatively, the personal scope of the law does not “apply to a data user in respect of data held, or to a person carrying on a computer bureau in respect of services provided outside Seychelles, nor does it apply to data processed wholly outside Seychelles unless the data is used or intended to be used in Seychelles.” Furthermore, the territorial scope of the law is applicable in “circumstances where a person, who is not resident in Seychelles, controls or processes data through a servant or agent acting on his own account in Seychelles, the Act will apply.”
What are the requirements of data controllers and processors under the Data Protection Act 9 of 2003?
The Seychelles Data Protection Act 9 of 2003 does not provide definitions for the term data controller or data processor. Instead, the law uses the term data user, defined as “a person who holds data where he data forms part of a collection of data processed, or intended to be processed, by or on behalf of that person; that person (either alone, jointly, or in conjunction with other persons) controls the contents and use of the data comprised in the collection; and the collection of data processed is in a form that will be further processed on a subsequent occasion.”
As such, In a manner similar to that as the EU’s General Data Protection Regulation or GDPR, Seychelles Data Protection Act 9 of 2003 establishes various data protection principles that data users within the country are responsible for upholding when collecting and processing personal data. These principles include the following:
- All personal data must be collected and processed in a manner that is fair and lawful.
- Personal data may only be held for one or more specific and lawful purposes.
- Personal data that is held for any purpose may not be used or disclosed in a manner that is not consistent with said purpose.
- Personal data that is held for any purpose must be relevant, adequate, and non-excescive in relation to this purpose.
- All personal data that is held must be accurate and kept up to date where necessary.
- Personal data that is held for a purpose may not be kept for any period of time longer than is necessary to fulfill the purpose.
- “An individual shall be entitled, at reasonable intervals and without undue delay or expense: to be informed by any data user, as to whether he holds personal data relating to that individual; access to any such data held by a data user; and to have such data corrected or erased, where appropriate.”
- Data users must implement and maintain appropriate security measures to to ensure that personal data is protected against “unauthorised access, alteration, disclosure, or destruction of personal data, as well as accidental loss or destruction of the same.”
In addition to upholding the data protection principles listed above, data users operating within Seychelles are also responsible for maintaining a register for the purposes of providing data subjects with data processing notifications. Such notifications must provide various details to applicable data subjects, including the name and address of the data controller or processor, as description of the personal data that is being held and the proposed purpose for said data, a description of every source from which data has been collected or processed, and the name of every country outside of Seychelles in which personal data may be transferred to, among other pertinent details.
What are the rights of data subjects under Seychelles Data Protection Act 9 of 2003?
Under Seychelles Data Protection Act 9 of 2003, data subjects within the country are entitled to the following rights as it relates to the protection of their personal data:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to seek compensation.
In terms of penalties relating to non-compliance with the law, Seychelles does not currently have a national authority that regulates data protection. However, Seychelles Data Protection Act 9 of 2003 does allow for the establishment of a Data Protection Commisioner, who has the authority to impose a variety of sanctions and punishments against data users within the country who violate the provsions of the law. Most notably, data subjects have the right to seek compensation, instance where they suffer “distress by reason of disclosure, access, loss, or destruction of his/her personal data”, or where the “destruction of his/her data is not authorised by the data user or person carrying out a computer bureau service.”
Despite the fact that Seychelles is a small nation of less than 100,000 residents, the country has nevertheless taken to legislative measures to ensure that their personal data of their citizens is protected, both domestically and internationally. What’s more, as their data protection legislation was passed more than fifteen years ago, the nation was very much ahead of the curve as it pertains to data protection and personal privacy. As such, the country of Seychelles is certain to consider passing new data protection laws in the upcoming years, as the world of personal privacy as it pertains to internet communications continues to evolve and grow.