There is a growing awareness of the importance of data protection in Mauritius. This takes the form of training, interviews, and publications in the media by the Data Protection Office (the Office). Training is also conducted by the private sector. Compliance teams ensure that their organizations comply with the data protection legislation. The current Data Protection Act 2017 (the Act) is aligned with international standards, namely the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). However, there are certain instances in the Act where the provisions are not exactly the same as contained in the GDPR.
On December 8, 2017, the National Assembly of Mauritius passed the Act, repealing the Data Protection Act 2004 (the 2004 Act). The Act obtained the President's assent on December 22, 2017, and was published in the Government Gazette on December 23, 2017. The Act came into force on January 15, 2018.
The Act has the objective to strengthen the control and personal autonomy of data subjects over their personal data in line with current relevant international standards and for matters related thereto.
The Office has published the following Guidelines:
Further guidance from the Office can be accessed through its website here.
Since the implementation of the 2004 Act there have been several cases concerning the constitutionality of the provisions of the National Identity Card Act, Act 60 of 1985, which impose an obligation to provide fingerprints and other biometric information and provide for the storage of that biometric information on the card:
The Act has also been used to compel a medical institution to disclose to a former patient her complete medical file and records.
In M. Currimjee-Jhuboo v. C-Care (Mauritius) Ltd. [2022 SCJ 284], an application was made for the disclosure of a patient's medical file and records. The defendant's claim that the defendant was not a controller under the Act was rejected by the judge who held that the medical institution determines the purposes and means of the processing of information pertaining to the medical diagnosis and the provision of health care and is therefore a controller.
At the level of the Office, complaints received relate to the use of CCTV cameras, and unlawful disclosure of, and access to, personal data.
The Act applies to a controller or a processor who is established in Mauritius and processes data in the context of that establishment. A person who is ordinarily resident in Mauritius, or who carries out data processing operations through an office, branch, or agency in Mauritius, is treated as being established in Mauritius. The Act also applies to a controller or processor who is not established in Mauritius if they use equipment in Mauritius for processing data, other than for the purpose of transit through Mauritius. In the latter case, the controller or processor must nominate a representative which is established in Mauritius. The Act also applies to each Ministry or Government department, each of which is treated separately.
The Act does not have an extra-territorial effect.
The Act applies to the processing of personal data, wholly or partly by automated means and to any processing otherwise than by automated means where the personal data forms part of a filing system or is intended to form part of a filing system. The filing system must be a structured set of personal data that is accessible according to specific data. No exception to the Act is allowed except if it constitutes a necessary and proportionate measure in a democratic society for the following limited purposes specified in the Act:
Furthermore, the processing of personal data for the purpose of historical, statistical, or scientific research may be exempted from the provisions of the Act provided that security and organizational measures are implemented to protect the rights and freedoms of the data subjects.
The data protection authority is the Office, which is under the administrative control of the Data Protection Commissioner (DPC). To encourage data processing operations to comply with the Act, the Office may lay down technical standards for data protection certification mechanisms and for data protection seals and marks. The Office also issues Guidelines (see the section on guidelines above).
The DPC has a general power to request any personal information that is necessary or expedient for the performance of the DPC's functions and the exercise of the DPC's duties under the Act. The DPC's power to obtain information is, however, subject to the confidentiality obligations which a controller may have under the following laws:
The DPC may investigate a complaint that the Act or any regulations have been, are being, or are about to be contravened, unless the DPC is of the opinion that the complaint is frivolous or vexatious. Any person who, without lawful or reasonable excuse, fails to attend a hearing before the DPC commits a criminal offense. A person may refuse to answer any question or to give any evidence if doing so could amount to self-incrimination.
If the DPC is of the opinion that a controller or a processor has contravened, is contravening, or is about to contravene the Act, the DPC may serve an enforcement notice on the controller or processor requiring them to take such steps within such period specified in the notice. The DPC also has the power to investigate an offense that may have been committed under the Act and may, for that purpose, seek the assistance of a person or an authority.
The DPC may inspect and assess the security and organizational measures which a controller is required to have in place prior to starting the processing or transfer of personal data. The DPC is also empowered to carry out periodic audits of the systems of controllers to ensure compliance with the provisions of the Act. The DPC may designate an authorized officer to enter and search any premises, but only on the authority of a warrant issued by a magistrate. Where any information requested by an authorized officer is stored in a computer, disc, cassette, or microfilm, or is preserved by any mechanical or electronic device, the person to whom the request is made must make the information available in a form that is visible, legible, and transferable.
Data controller: The Act defines as 'controller' any person who, or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision-making power with respect to the processing.
Data processor: The Act defines as 'processor' any person who, or public body which, processes personal data on behalf of a controller.
Personal data: Any information relating to a data subject.
Sensitive data: 'Special categories of personal data' refer to personal data that is sensitive in nature, for example, the racial or ethnic origin of the data subject or the genetic data or biometric data uniquely identifying the data subject.
Health data: Includes information on the provision of health care services to the individual, which reveals their health status.
Biometric data: Any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allow their unique identification, including facial images or dactyloscopic data.
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information and the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
Consent is one lawful basis for processing. Consent must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes, given either by a statement or by a clear affirmative action, by which they signify their agreement to the processing of personal data pertaining to them. The controller bears the burden of proof for establishing the data subject's consent to the processing of personal data for a specified purpose.
Contractual necessity can be relied upon if the controller requires the processing of the data subject's personal data to perform a contract to which the data subject is a party, or to take certain steps at the request of the data subject prior to entering into a contract. In either case, the processing of the personal data must be necessary.
Compliance with a legal obligation is a legal basis for the processing of personal data. This does not apply to a contractual obligation addressed in the subsection on contract with the data subject above.
The personal data of a data subject may be processed where this is necessary for the protection of the vital interests of the data subject or of another person.
The Act also allows for the processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller must be able to demonstrate that they are carrying out a task in the public interest or exercising official authority.
Personal data may be processed for the legitimate interests of the controller, except where the processing is unwarranted having regard to the harm and prejudice to the rights or interests of the data subject. Hence, the controller must balance their own interests against those of the data subject.
Historical, statistical, or scientific research is another legal basis for the processing of personal data.
Both the controller and processor must process personal data in accordance with the following data protection principles:
Section 15 of the Act requires both the controller and the processor to register with the DPC. The registration is valid for three years, but the DPC may, at any time during those three years, cancel or vary the registration certificate if the applicant has, in any way, been false or misleading in the application. The DPC keeps a Data Protection Register which is available for inspection free of charge.
The particulars which a controller or a processor must submit when applying for registration are:
Additionally, where, following the grant of an application by the DPC, there is a change to any of the particulars listed above, the controller or processor must, within 14 days of the date of the change, notify the DPC in writing of the nature and date of the change.
Registration and fees
Thereafter, if the DPC determines that an applicant has met the criteria for registration, the DPC will register the applicant as a controller or processor and issue a registration certificate, following the payment of a fee. The holder of a registration certificate may apply for the renewal of the certificate not later than three months before the date of its expiry.
The Data Protection (Fees) Regulations 2020 ('the Regulations') have established new fees for the registration of controllers and processors which came into force on August 1, 2020. Such fees are set out in the Schedule of the Regulations and range from MUR 1,000 (approx. $22) to MUR 2,500 (approx. $55).
Accordingly, all controllers and processors were required to make a fresh registration as of August 1, 2020, in accordance with the Regulations and the Communique on the Regulations.
Method
Applications for registration may be submitted online, by post, or in person at the Office, using the Registration/Renewal of Registration Controller Application Form or the Registration/Renewal of Registration Processor Application Form; alternatively, a controller may register via the controller online portal here and a processor via the processor online portal here.
Specific penalties
Any controller or processor who knowingly supplies any information in the registration application that is false or misleading in a material particular commits an offense and will, on conviction, be liable to a fine not exceeding MUR 100,000 (approx. $2,205) and to imprisonment for a period not exceeding five years (Article 15(3) of the Act).
Any controller or processor who fails to inform the DPC of any change of the particulars within 14 days of the date of change commits an offense and will, on conviction, be liable to a fine not exceeding MUR 50,000 (approx. $1,100) (Article 17(3) of the Act).
For further information on penalties please see the section on penalties below.
A controller or processor may transfer personal data outside Mauritius if the DPC is provided with proof confirming that appropriate safeguards are in place for the protection of the personal data. Personal data may also be transferred outside Mauritius if, prior to the transfer, the data subject has been informed of any possible risks of the transfer and has given explicit consent to it. If the controller or processor cannot provide appropriate safeguards for the transfer of personal data to another country, the controller or processor, as applicable, must obtain the prior authorization of the DPC.
The transfer may also take place if it is necessary for the performance of a contract between the data subject and the controller, or for the taking of steps at the request of the data subject with a view to them entering into a contract with the controller.
The transfer of personal data to another jurisdiction can also be allowed on such terms as the DPC may approve for the protection of the rights of the data subjects. The DPC has the power to suspend or prohibit the transfer of data to another jurisdiction if the processor or controller is not able to demonstrate either the effectiveness of safeguards or the existence of compelling legitimate interest.
In addition, under the Guidelines on Outsourcing by Financial Institutions (revised in March 2018) (the BOM Outsourcing Guidelines) issued by the Bank of Mauritius (BOM), a financial institution must strictly adhere to the Act, including when storing customers' information in the cloud. The BOM Outsourcing Guidelines impose a series of conditions on the implementation of cloud-based services by financial institutions. In particular, financial institutions should ensure that they are in possession of a certificate of conformity from a law practitioner certifying that the systems in place comply with data protection and other applicable laws.
A controller must keep a record of all processing operations, including, e.g., the names and contact details of the controller and of the processor (if there is one), the purpose of the processing, and the policies and mechanisms which demonstrate that the processing of personal data is in accordance with the Act. The controller must only collect personal data for a lawful purpose connected with an activity or function of the controller, and only where the collection of that data is necessary for that lawful purpose. When collecting personal data, the controller must ensure that the data subject is informed of the controller's contact details, together with the information necessary to guarantee fair processing.
The processor must also keep records of all processing operations that the processor carries out on behalf of the controller, e.g., the name and contact details of the controller and the purpose of the processing.
The controller has the burden of proof for establishing the data subject's consent to the processing of personal data for a specified purpose.
If data processing operations are likely to result in a high risk to the rights and freedoms of the data subject by virtue of their nature, scope, context, and purposes, the controller must, before conducting the processing, carry out an assessment of the impact of the intended processing operations. A Data Protection Impact Assessment (DPIA)/Privacy Impact Assessment (PIA) must be reviewed if there is a significant change in the data processing operations. According to the Introductory Guide to the Data Protection Act 2017 (the Introductory Guide), a DPIA/PIA should not be viewed as a one-off exercise. The Introductory Guide recommends the continuous execution of a DPIA/PIA on existing processing activities; depending on the nature of the processing and other circumstances, such as the frequency of change in the data processing operations, this review may be done every three years.
In accordance with the Act, there is a compulsory requirement for the appointment of a data protection officer (DPO).
Every controller and processor is required to keep records that contain the name and contact details of the DPO. At the time of collecting personal data, the data subject must be informed of the identity and contact details of the DPO. The DPO must act with complete independence and impartiality. On March 19, 2019, the Office published guidance on the roles and responsibilities of the DPO (the DPO Guidance).
More specifically, the DPO Guidance highlights that the DPO must (Section 3 of the DPO Guidance):
It is to be noted that the Office allows an existing employee to act as DPO as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to any conflict of interest. In this regard, the DPO Guidance notes that a conflict of interest occurs when the DPO (Section 1(4) of the DPO Guidance):
In addition, the role of the DPO may be outsourced. The DPO is not personally responsible for non-compliance with the provisions of the Act by the controller or processor.
Location
A group of undertakings may appoint a single DPO, taking into account their organizational structure and size, provided that the DPO is easily accessible from every establishment. The concept of accessibility has to take into account the tasks assigned to the DPO as a contact point for data subjects and the Office, as well as internally, for the controller/processor and the employees, who have to be informed and advised in their processing of personal data (Section 1(3) of the DPO Guidance).
Where a single DPO has been appointed for a group of undertakings, the controller/processor must ensure that the DPO is able to perform each assigned task, despite being responsible for different establishments or branches (Section 1(3) of the DPO Guidance).
The Act imposes a legal obligation on the controller to notify a personal data breach to the DPC without undue delay and, where feasible, no later than 72 hours after the controller has become aware of the breach. The processor must, once aware of a personal data breach, notify the controller without undue delay.
If the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the controller, after having notified the DPC, must inform the data subject of the breach in clear language and without undue delay. There are circumstances in which the controller is not required to notify the data subject of the personal data breach, for instance, if such notification would involve a disproportionate effort and the controller has instead made a public communication of the breach by which the data subject is informed.
Sectoral obligations
The BOM Outsourcing Guidelines provide that a financial institution must report to the BOM any unauthorized access or breach of confidentiality and security by an outsourcing service provider, stating the action(s) it proposes should be taken to deal with the consequences. A mobile banking or mobile payment service provider which provides services to a customer who does not hold a bank account must submit monthly reports to the BOM which must, among other things, cover any loss of confidential data.
There is no general data retention law in Mauritius. There are, however, sector-specific record-keeping requirements. For example, under Section 153 of the Income Tax Act 1995, records of employee emoluments must be kept for a period of at least five years. Under the Banking Act, a financial institution is required to keep a record for a period of at least seven years after the completion of the transactions to which it relates.
The processing of the personal data of a child below the age of 16 years is subject to the prior consent of the child's parent or guardian. A controller must make every reasonable effort to verify that consent has been given or authorized, taking into account available technology.
Special categories of personal data must not be processed unless the data subjects have given their consent for the processing, or any of the statutory exceptions applies, for instance, the processing is necessary for the establishment, exercise, or defense of a legal claim, or the processing relates to personal data which are manifestly made public by the data subject. The processing of special categories of personal data is also permissible if:
Where the controller uses the services of a processor, the controller must choose a processor that provides sufficient security and organizational measures to ensure the protection of personal data. In this respect, the controller and processor must enter into a written agreement under which the processor must act only on instructions given by the controller. The processor has the same obligations as the controller regarding the implementation of security and organizational measures to protect personal data from, among other things, unauthorized access or accidental loss of the data in the processor's control.
The controller must inform the data subject of the specific categories of personal data that are being processed and the reason for the processing. The data subject has the right to know to whom their personal data has been and will be disclosed, and for how long the personal data will be stored. If it is not possible to determine how long the data will be stored, the data subject has the right to learn the criteria used to determine the retention period.
A data subject may ask the controller, free of charge, for confirmation as to whether the controller is processing personal data pertaining to them. If the controller is, the data subject is entitled to receive from the controller a copy of such data. The controller has one month to comply with the request. A data subject may also, at any time, object in writing to the processing of their personal data unless the controller can demonstrate compelling grounds for the processing that override the data subject's right.
In addition, the data subject has the right to request that the controller rectify any inaccurate personal data that the controller holds on the data subject. The data subject can also request the controller to erase personal data concerning the data subject if, for example, the purpose for which it was collected no longer exists, or the data subject withdraws the consent on which the processing is based and there are no other legal grounds for the processing. Unless the controller has compelling legitimate grounds for the processing, the data subject has the right to object to the processing in writing at any time.
Please see the section on the right to rectification above.
The data subject has the right to object at any time to the processing of personal data concerning them unless the controller has compelling legitimate grounds for the processing which override the data subject's interests, or the processing is required for the establishment, exercise, or defense of a legal claim.
The Act does not provide for data portability.
Under the Act, a data subject has the right not to be subject to a decision based solely on automated processing, including profiling which produces legal effects concerning them or significantly affects them. This prohibition does not apply where the decision is based on the data subject's explicit consent or any other circumstances specified in the Act.
Automated processing of personal data intended to evaluate certain aspects relating to a data subject must not be based on special categories of personal data.
A data subject has the right to lodge a complaint with the DPC if they have concerns about the manner in which their personal data is being processed.
A breach of the Act constitutes, in certain cases, a criminal offense and, on conviction, the offender may be sentenced to a fine or a term of imprisonment.
Examples of acts or omissions which constitute a criminal offense under the Act include the following:
Decision No. 15 (June 12, 2013): The DPC rejected the controller's argument that the legal basis for the issuance of fidelity cards to customers was contractual necessity, holding that a controller relying on contractual necessity as a legal basis cannot extend that legal basis to justify the processing of personal data beyond what is necessary. The DPC held that the consent of the data subjects was required.
Decision No. 19 (May 16, 2014): Where an employee was dismissed from their employment because they refused to give their fingerprints for the recording of attendance, the DPC, referring to the decision in S. and Marper v. The United Kingdom [2008] ECHR 1581, held that there was a breach of the 2004 Act because the employee did not consent to the employer collecting and processing their fingerprints and there was no legal basis for the employer to insist on the provision of fingerprints for attendance.