Regulation 2017 Data Governance
Source
The Data Protection Act, amended 2017

Mauritius

Tags: Consent, Data, Data Processing, Data Protection, Data security, Data Subject, Personal Data

Definition of Data

Data means 'information recorded and in a form in which (a) (1) is capable of being processed by means of equipment operating automatically in response to instructions given for that purpose, and (2) is recorded with the intent of it being processed by such equipment; or (b) is recorded as part of a filing system or intended to be part of a relevant filing system.'

Main Focus of Document

To ensure the protection of personal data by public and private bodies and for other incidental connected purposes.

Target Beneficiaries or Sector

General Public

Key Elements

The Act provides legislation to strengthen the control and personal autonomy of data subjects over their personal data. Data is defined in the Act as 'information recorded and in a form which (a) is capable of being processed by means of equipment operating automatically in response to instructions given for that purpose, and is recorded with the intent of it being processed by such equipment; or (b) is recorded as part of a filing system or intended to be part of a relevant filing system.' 

The Act applies to the processing of personal data by automated means or otherwise (where the personal data form part of a filing system or are intended to do so). It applies to any controller or processor of personal data who is established in Mauritius and processes data in the country in the context of that establishment, or who is not established in Mauritius but uses equipment in the country for processing personal data (other than for transit through Mauritius).

The Act provides for the establishment of an independent Data Protection Office. In addition, it assigns functions and powers to a Commissioner to ensure compliance with the Act and its regulations, issue or approve Codes of Practice or Guidelines and maintain a register of controllers and processors. It also specifies conditions for registration and allocates powers and responsibilities to controllers, authorised officers and processors.

The Act specifies a range of duties of controllers, including to implement appropriate data security and organisational measures, keep a record of all processing operations, perform data protection impact assessments, comply with requirements for prior authorisation from, or consultation with, the Commissioner, and designate an officer responsible for data protection compliance issues. Restrictions are also placed on the collection of personal data, specifying the purposes for which such data can be collected and requirements for informing data subjects of the collection of their personal data. Conditions for consent to the processing of personal data are also stipulated, as are requirements for notification in instances of personal data breaches. The Act also spells out the duty to destroy personal data when the purpose of keeping the data has lapsed and sets requirements for the lawful processing of personal data. In addition, the Act addresses security and organisational measures for processing data in accordance with the nature of the data concerned.

The Act specifies conditions under which data protection impact assessments must be conducted. These are required to be carried out prior to processing in instances where processing operations are likely to present risks. It also specifies conditions under which personal data may be transferred outside Mauritius. These include the need to provide proof of appropriate safeguards and receive explicit consent from the data subject for the proposed transfer.

A number of rights are also specified for data subjects. These include the rights of access, not to be subject to a decision based solely on automated processing, to rectification, erasure or restriction of processing, and to object in writing to the processing of personal data.

Policy/Regulation Mirrors

n/a