SEYCHELLES
DATA PROTECTION FACTSHEET

-
Population: 98,462
Capital: Victoria
President: Wavel Ramkalawan
2021 Freedom House Score: 77/100
Data protection law? Yes, but data protection authority not yet appointed
-
Privacy enshrined in Constitution: Yes, Article 20 of the Constitution protects the right to privacy.
DPA legislation:
The Seychellois Data Protection Act 2003 (DPA) is based on the 1984 UK Data Protection Act, but is not yet in force as of the time of writing.
The DPA creates a Data Protection Commissioner with responsibility for regulating data protection, but gives the office relatively little authority. The Commissioner cannot administer penalties, leaving much of the actual enforcement of the DPA to the courts, and the Commissioner’s independence is not stipulated within the legislation. The language of the DPA (which refers to data users and computer bureaus, rather than data controllers and data processors) has been criticised for being dated and contributing to confusion. Despite the existence of this law, there is virtually no enforced legal protection for personal data in Seychelles today.
Under the DPA, an individual has the right to:
- be informed by any data user if he holds personal data about that individual;
- access any such data; and
- have such data corrected or erased, where appropriate.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: Yes
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: No
Excludes foreign entities that only transit personal data through the country: No
-
Under the DPA, personal data is information relating to a living individual who can be identified from that information, or from that and other information in the possession of the data user.
While sensitive personal data is not defined under the DPA, it recognises that additional safeguards may be necessary to protect personal data consisting of information concerning:
- racial origin;
- political opinions or religious or other beliefs;
- physical or mental health or sexual life; or
- criminal convictions.
-
Personal data processing must abide by the following principles:
- personal data shall be processed fairly and lawfully;
- personal data shall be held only for one or more specified and lawful purposes;
- personal data held for any purposes shall not be used or disclosed in any manner incompatible with those purposes;
- personal data held for any purposes shall be adequate, relevant, and not excessive in relation to those purposes;
- personal data shall be accurate and, where necessary, kept up to date;
- personal data shall not be kept for longer than is necessary for the specified purposes; and
- appropriate security measures shall be taken against unauthorised access to, alteration, disclosure or destruction of personal data, and against accidental loss of personal data.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: No
Notification to data subject in event of data breach: No
Timeframe for notification is specified: NA
Exceptions exist to breach notifications: NA
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
-
Explicit provision for civil liability: Yes
Establishes/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: No
DPA is independently structured (does not exist within or receive instructions from another public body): Unclear
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: No
Number of members in DPA: 1
Maximum term length for members of the DPA (years): Repeatedly renewable
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: No
DPA is mandated to participate in policy formulation: No
-
While the DPA does not restrict the transfer of personal data to locations outside of the Seychelles, the Data Protection Commissioner may issue a transfer prohibition notice prohibiting a data user from conducting a transfer if the Commissioner feels that it would likely result in the violation of the data protection principles. Such a notice can either be absolute, or temporary until the data user has taken the specified measures to protect the interests of the relevant data subjects.
-
Provides a right not to be subject to automated decision-making: No
Page last updated: 24 May 2022