Population: 98,235

Capital: Victoria

President: Danny Faure

2020 Freedom House Score: 72/100

Data protection law? Exists, but not enforced

The Seychellois Data Protection Act 2003 (DPA), which has yet to come into force after more than 15 years, is based on the 1984 UK Data Protection Act which was repealed decades ago. 

The DPA makes the scope of the Data Protection Commissioner’s authority quite small. The Commissioner cannot administer penalties, leaving much of the actual enforcement of the DPA to courts. The Commissioner’s independence is also not stipulated within the legislation. The language of the DPA—which refers to data users and computer bureaus, rather than data controllers and data processors— is dated and contributes to confusion. Despite the existence of this law, there is virtually no enforced legal protection for personal data in Seychelles today. 

Under the DPA, an individual has the right to: 

• be informed by any data user if he holds personal data about that individual; 
• access any such data; and 
• to have such data corrected or erased, where appropriate. 

Personal data is information relating to a living individual who can be identified from that information, or from that and other information in the possession of the data user. 

While sensitive personal data is not defined under the DPA, it recognises that additional safeguards may be necessary to protect personal data consisting of information concerning: 

• racial origin; 
• political opinions or religious or other beliefs;
• physical or mental health or sexual life; or 
• criminal convictions. 

Personal data processing must abide by the following principles: 

• personal data shall be processed fairly and lawfully;
• personal data shall be held only for one or more specified and lawful purposes; 
• personal data held for any purposes shall not be used or disclosed in any manner incompatible with those purposes; 
• personal data held for any purposes shall be adequate, relevant, and not excessive in relation to those purposes; 
• personal data shall be accurate and, where necessary, kept up to date; 
• personal data shall not be kept for longer than is necessary for the specified purposes; and
• appropriate security measures shall be taken against unauthorised access to, alteration, disclosure or destruction of personal data, and against accidental loss of personal data. 

The Data Protection Commissioner is charged with maintaining a register of data users to catalogue all handlers of personal data. If the Commissioner observes a user in violation of the DPA, the Commissioner may issue: 

• an enforcement notice requiring the person in breach to take such steps as necessary to comply with the principle or principles in question; or in more severe cases 
• a de-registration notice proposing to remove all or any of the particulars constituting the entry or any of the entries contained in the register in respect of that person. 

Failure to comply with an enforcement notice is an offence; but it constitutes a defence if the person charged can prove that they exercised all due diligence to comply with the notice in question. 

While the DPA does not restrict transfer of personal data to locations outside of the Seychelles, the Data Protection Commissioner may issue a transfer prohibition notice prohibiting a data user from conducting a transfer if the Commissioner feels that it would likely result in the violation of the data protection principles. Such a notice can either be absolute, or temporary until the data user has taken the specified measures to protect the interests of the relevant data subjects. 

There are no breach notification requirements stipulated under Seychellois law.