MAURITIUS
DATA PROTECTION FACTSHEET
-
Population: 1,265,740
Capital: Port Louis
President: Prithvirajsing Roopun
2021 Freedom House Score: 87/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes, Mauritius protects the right to privacy of home and other property in Article 9 of the Constitution.
DPA legislation: Mauritius was among the first movers in the data privacy space in Africa, and as such, its regulations are robust, and in line with international standards. When the country enacted the Data Protection Act 2004 (DPA 2004), it became the first African country to establish the Office of the Data Protection Commissioner and make it operational.
As of January 2018, Mauritius regulates data protection under the Data Protection Act 2017 (DPA 2017), which repealed and replaced the former act, so as to align with the European Union General Data Protection Regulation 2016/679 (GDPR). The updates to the law include the implementation of data protection impact assessments, notification of personal data breaches, stricter security requirements attached to data processing, and clearer standards around the details of lawful processing.
Among other things, data subjects have the right to:
- have their personal data corrected;
- access their personal data;
- object in writing to the processing of their personal data, at any time;
- prevent processing of personal data for purposes of direct marketing; and
- object to a decision based solely on automatic processing that would significantly affect them or have adverse legal repercussions.
-
ICCPR: Ratified
Council of Europe Convention 108: Ratified
Council of Europe Convention 185: Ratified
Malabo Convention: Ratified
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): Ratified
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: Yes
Cabinet or Executive Council exclusion: Partial
Judicial functions exclusion: Yes
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): Yes
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
-
Personal data is any information relating to a data subject. Special categories of personal data consist of the following:
- racial or ethnic origin;
- political opinion or adherence;
- religious or philosophical beliefs;
- membership of a trade union;
- physical or mental health or condition;
- sexual orientation, practices or preferences;
- uniquely identifying genetic data or biometric data;
- the commission or alleged commission of an offence;
- any proceedings for an offence committed or alleged to have been committed by a person, the disposal of such proceedings or the sentence of any Court in the proceedings; or
- such other personal data as the Commissioner may determine to be sensitive personal data.
Special categories of personal data shall not be processed without affirmative consent from the data subject or unless an exception applies.
-
Collection must be for a lawful purpose allied to a function or activity of the data controller, and necessary for that purpose. If personal data is collected directly from the data subject, the data controller shall ensure that the data subject is informed of:
- the identity and contact details of the controller and, where applicable, its representative and any data protection officer;
- the purpose for which the data are being collected;
- the intended recipients of the data;
- whether the provision of the data by that data subject is voluntary or mandatory;
- the right to withdraw consent, at any time;
- the right to request access to and rectification, restriction or erasure of personal data concerning the data subject or to object to the processing;
- any automated decision making, including profiling, and information about the logic involved, as well as the significance and the perceived consequences of such processing for the data subject;
- the period for which the personal data shall be stored;
- the right to file a complaint with the Commissioner;
- whether the controller intends to transfer personal data to another country, and the level of protection afforded by that country; and
- any further information necessary to guarantee fair processing of the data subject’s personal data under the circumstances.
If personal data is not collected directly from the data subject, the data controller or processor is responsible for ensuring that the data subject is informed of the matters above, and that the data is:
- processed lawfully, fairly, and transparently;
- collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
- accurate and kept current, ensuring that inaccurate personal data is erased or rectified, without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary; and
- processed in accordance with the rights of data subjects.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Partial
Timeframe for notification is specified: Partial
Exceptions exist to breach notifications: Yes
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: No
-
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: No
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Unclear
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: Unclear
Number of members in DPA: Unclear
Maximum term length for members of the DPA (years): Unclear
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: No
-
A controller or processor may transfer personal data to another country where any of the following apply:
- it has provided to the Commissioner proof of appropriate safeguards with respect to the protection of the personal data;
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of the transfer;
- the transfer is necessary:
  - to enter or perform a contract between the data subject and the controller, or a contract in the interest of the data subject;
  - for the public interest;
  - to advance a legal claim;
  - to protect the vital interests of the data subject or other persons, where the data subject cannot consent; or
  - for compelling legitimate interests pursued by the controller or the processor which do not override the interests, rights, and freedoms of the data subjects involved and where:
    - the transfer is not repetitive and concerns a limited number of data subjects; and
    - the controller or processor has assessed all the circumstances surrounding the transfer and has provided the Commissioner with proof of appropriate data protection safeguards; or
- the transfer is made from a register which, according to law, is intended to provide information to the public and which is open for consultation by the public or by any person who can demonstrate a legitimate interest.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 23 May 2022