Mauritius

DATA PROTECTION FACTSHEET

DATA PROTECTION LAW IN PLACE

DATA PROTECTION AUTHORITY APPOINTED

Download the Act

Fast Facts
Domestic Law
Privacy enshrined in Constitution: Yes, Mauritius protects the right to privacy of home and other property in Article 9 of the Constitution.

DPA legislation: Mauritius was among the first movers in the data privacy space in Africa, and as such, its regulations are robust, and in line with international standards. When the country enacted the Data Protection Act 2004 (DPA 2004), it became the first African country to establish the Office of the Data Protection Commissioner and make it operational.

As of January 2018, Mauritius regulates data protection under the Data Protection Act 2017 (DPA 2017), which repealed and replaced the former act, so as to align with the European Union General Data Protection Regulation 2016/679 (GDPR). The updates to the law include the implementation of data protection impact assessments, notification of personal data breaches, stricter security requirements attached to data processing, and clearer standards around the details of lawful processing.

Among other things, data subjects have the right to:
- have their personal data corrected;
- access their personal data;
- object in writing to the processing of their personal data, at any time;
- prevent processing of personal data for purposes of direct marketing; and
- object to a decision based solely on automatic processing that would significantly affect them or adverse legal repercussions.
International Commitments
Scope of Application

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: Partial

Judicial functions exclusion: Yes

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): Yes

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes
Personal Data
Personal data is any information relating to a data subject. Special categories of personal data consist of the following:
- racial or ethnic origin;
- political opinion or adherence;
- religious or philosophical beliefs;
- membership of a trade union;
- physical or mental health or condition;
- sexual orientation, practices or preferences;
- uniquely identifying genetic data or biometric data;
- the commission or alleged commission of an offence;
- any proceedings for an offence committed or alleged to have been committed by a person, the disposal of such proceedings or the sentence of any Court in the proceedings; or
- such other personal data as the Commissioner may determine to be sensitive personal data.
Special categories of personal data shall not be processed without affirmative consent from the data subject or unless an exception applies.
Collection and Processing
Collection must be for a lawful purpose allied to a function or activity of the data controller, and necessary for that purpose. If personal data is collected directly from the data subject, the data controller shall ensure that the data subject is informed of:
- the identity and contact details of the controller and, where applicable, its representative and any data protection officer;
- the purpose for which the data are being collected;
- the intended recipients of the data;
- whether the provision of the data by that data subject is voluntary or mandatory;
- the right to withdraw consent, at any time;
- the right to request access to and rectification, restriction or erasure of personal data concerning the data subject or to object to the processing;
- any automated decision making, including profiling, and information about the logic involved, as well as the significance and the perceived consequences of such processing for the data subject;
- the period for which the personal data shall be stored;
- the right to file a complaint with the Commissioner;
- if the controller intends to transfer personal data to another country, and the level of protection afforded by that country; and
- any further information necessary to guarantee fair processing of the data subject’s personal data under the circumstances.
If personal data is not collected directly from the data subject, the data controller or processor is responsible to make sure that the data subject knows of the matters above, and that the data is:
- processed lawfully, fairly, and transparently;
- collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
- accurate and kept current, ensuring that inaccurate personal data is erased or rectified, without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary; and
- processed in accordance with the rights of data subjects.
Transparency

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Partial

Timeframe for notification is specified: Partial

Exceptions exist to breach notifications: Yes

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: No
Accountability

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: No

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Unclear

DPA may receive some forms of external funding/own revenue: Unclear

Adequate protections against undue removal: Unclear

Number of members in DPA: Unclear

Maximum term length for members of the DPA (years): Unclear
Participation
Cross-border Transfer
A controller or processor may transfer personal data to another country where any of the following apply:
- it has provided to the Commissioner proof of appropriate safeguards with respect to the protection of the personal data;
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of the transfer;
- the transfer is necessary:
  - to enter or perform a contract between the data subject and the controller, or a contract in the interest of the data subject;
  - for the public interest;
  - to advance a legal claim;
  - to protect the vital interests of the data subject or other persons, where the data subject cannot consent; or
  - for compelling legitimate interests pursued by the controller or the processor which do not override the interests, rights, and freedoms of the data subjects involved and where:
    
    the transfer is not repetitive and concerns a limited number of data subjects; and
    
    the controller or processor has assessed all the circumstances surrounding the transfer and has provided the Commissioner with proof of appropriate data protection safeguards; or
- the transfer is made from a register which, according to law, is intended to provide information to the public and which is open for consultation by the public or by any person who can demonstrate a legitimate interest.
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 23 May 2022