Population: 1,265,577

Capital: Port Louis

President (Acting): Barlen Vyapoory

2019 Freedom House Score: 89/100

Mauritius was among the first movers in the data privacy space in Africa, and as such, its regulations are robust, and in line with international standards. When the country enacted the Data Protection Act 2004 (DPA 2004), it became the first African country to establish the Office of the Data Protection Commissioner and make it operational.

As of January 2018, Mauritius regulates data protection under the Data Protection Act 2017 (DPA 2017), which repealed and replaced the former act, so as to align with the European Union General Data Protection Regulation 2016/679 (GDPR). The updates to the law include the implementation of data protection impact assessments, notification of personal data breaches, stricter security requirements attached to data processing, and clearer standards around the details of lawful processing.

Among other things, data subjects have the right to:

• have their personal data corrected;
• access their personal data;
• object in writing to the processing of their personal data, at any time;
• prevent processing of personal data for purposes of direct marketing; and
• object to a decision based solely on automatic processing that would significantly affect them or adverse legal repercussions.

Personal data is any information relating to a data subject. Special categories of personal data consist of the following:

• racial or ethnic origin;
• political opinion or adherence;
• religious or philosophical beliefs;
• membership of a trade union;
• physical or mental health or condition;
• sexual orientation, practices or preferences;
• uniquely identifying genetic data or biometric data;
• the commission or alleged commission of an offence;
• any proceedings for an offence committed or alleged to have been committed by a person, the disposal of such proceedings or the sentence of any Court in the proceedings; or
• such other personal data as the Commissioner may determine to be sensitive personal data.

Special categories of personal data shall not be processed without affirmative consent from the data subject or unless an exception applies.

Collection must be for a lawful purpose allied to a function or activity of the data controller, and necessary for that purpose. If personal data is collected directly from the data subject, the data controller shall ensure that the data subject is informed of:

• the identity and contact details of the controller and, where applicable, its representative and any data protection officer;
• the purpose for which the data are being collected;
• the intended recipients of the data;
• whether the provision of the data by that data subject is voluntary or mandatory;
• the right to withdraw consent, at any time;
• the right to request access to and rectification, restriction or erasure of personal data concerning the data subject or to object to the processing;
• any automated decision making, including profiling, and information about the logic involved, as well as the significance and the perceived consequences of such processing for the data subject;
• the period for which the personal data shall be stored;
• the right to file a complaint with the Commissioner;
• if the controller intends to transfer personal data to another country, and the level of protection afforded by that country; and
• any further information necessary to guarantee fair processing of the data subject’s personal data under the circumstances.

If personal data is not collected directly from the data subject, the data controller or processor is responsible to make sure that the data subject knows of the matters above, and that the data is:

• processed lawfully, fairly, and transparently;
• collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes;
• adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
• accurate and kept current, ensuring that inaccurate personal data is erased or rectified, without delay;
• kept in a form which permits identification of data subjects for no longer than is necessary; and
• processed in accordance with the rights of data subjects.

All data controllers and processors must register with the Commissioner, and registration is valid for three years. Failure to register or renew registration constitutes an offence under the DPA 2017, punishable by a fine not exceeding Rs200,000 or imprisonment for a term not exceeding five years. 

Each data controller must also appoint a data protection officer who is responsible for compliance issues related to data collection and processing.  

The Commissioner has enforcement power and may investigate complaints about regulatory violations. If the Commissioner believes that a controller or a processor has violated the DPA 2017, he, she or they may serve an enforcement notice on the data controller or processor, requiring that the defect is remedied by a certain deadline. Failing to comply with an enforcement notice is an offence punishable by a fine of up to Rs50,000 and up to two years in prison.  

If the Commissioner has reasonable grounds to believe that data is vulnerable to loss or modification, he, she or they may ask a judge for an order for the expeditious preservation of such data. The Commissioner may also carry out periodic audits of the systems and security measures used by data controllers and processors. 

Transfer of personal data to another country is allowed only when that country provides a level of protection equivalent to that put in place by the provisions of Book V. Before any transfer of personal data to another country or an international organization, the controller must obtain prior authorization from the APDP.

The transfer of personal data to a country which does not ensure an adequate level of protection may be permitted if the data subject has given consent to the transfer or whether such transfer is:

• necessary for the commencement or performance of a contract between the data subject and the data controller, or at the data subject’s request
• necessary for the execution or conclusion of a contract awarded in the interest of the data subject, or between the data controller and a third party
• required for the protection of an important public interest, or for the declaration, exercise, or defence of a right in judicial proceedings
• necessary to protect vital interests of the data subject
• made from a public register open to consultation with the general public or anyone who proves a legitimate interest, provided that that the conditions laid down by law for the consultation are met in the particular case

In the case of a personal data breach, the controller shall notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of it. If a processor learns of a breach, he, she or they shall notify the controller without any undue delay. Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller will notify the data subject as soon as possible after notifying the Commissioner.

Notifying the data subject is not required if:

1. the controller has applied appropriate technical and organisational protection measures to the personal data affected by the breach;
2. the controller has mitigated the high risk to the rights and freedoms of the data subject; or
3. it would involve disproportionate effort and the controller has made a public communication or similar measure whereby the data subject is informed just as effectively.

Remember to include as much information as possible in your complaint, including:

• the name of the party that processed the data;
• their contact details, if known;
• a brief description of the violation; and
• the specific remedy that you are requesting.

E-mail your complaint to the Commissioner: [email protected]