Population: 98,462

Capital: Victoria

President: Wavel Ramkalawan

2021 Freedom House Score: 77/100

Data protection law? Yes, but data protection authority not yet appointed

Privacy enshrined in Constitution: Yes, Article 20 of the Constitution protects the right to privacy.

DPA legislation:

The Seychellois Data Protection Act 2003 (DPA) is based on the 1984 UK Data Protection Act, but is not yet in force as of the time of writing.

The DPA creates a Data Protection Commissioner’s with responsibility for regulating data protection, but gives the office relatively little authority. The Commissioner cannot administer penalties, leaving much of the actual enforcement of the DPA to the courts, and the Commissioner’s independence is not stipulated within the legislation. The language of the DPA—which refers to data users and computer bureaus, rather than data controllers and data processors — has been criticised for being dated and contributing to confusion. Despite the existence of this law, there is virtually no enforced legal protection for personal data in Seychelles today.

Under the DPA, an individual has the right to:

• be informed by any data user if he holds personal data about that individual;
• access any such data; and
• to have such data corrected or erased, where appropriate.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: No

Excludes foreign entities that only transit personal data through the country: No

Under the DPA, personal data is information relating to a living individual who can be identified from that information, or from that and other information in the possession of the data user.

While sensitive personal data is not defined under the DPA, it recognises that additional safeguards may be necessary to protect personal data consisting of information concerning:

• racial origin;
• political opinions or religious or other beliefs;
• physical or mental health or sexual life; or
• criminal convictions.

Personal data processing must abide by the following principles:

• personal data shall be processed fairly and lawfully;
• personal data shall be held only for one or more specified and lawful purposes;
• personal data held for any purposes shall not be used or disclosed in any manner incompatible with those purposes;
• personal data held for any purposes shall be adequate, relevant, and not excessive in relation to those purposes;
• personal data shall be accurate and, where necessary, kept up to date;
• personal data shall not be kept for longer than is necessary for the specified purposes; and
• appropriate security measures shall be taken against unauthorised access to, alteration, disclosure or destruction of personal data, and against accidental loss of personal data.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: No

Notification to data subject in event of data breach: No

Timeframe for notification is specified: NA

Exceptions exist to breach notifications: NA

Requires a data processing register: Yes

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Unclear

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: No

DPA is independently structured (does not exist within or receive instructions from another public body): Unclear

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Unclear

Adequate protections against undue removal: No

Number of members in DPA: 1

Maximum term length for members of the DPA (years): Repeatedly renewable

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: No

DPA is mandated to participate in policy formulation: No

While the DPA does not restrict the transfer of personal data to locations outside of the Seychelles, the Data Protection Commissioner may issue a transfer prohibition notice prohibiting a data user from conducting a transfer if the Commissioner feels that it would likely result in the violation of the data protection principles. Such a notice can either be absolute, or temporary until the data user has taken the specified measures to protect the interests of the relevant data subjects.

Provides a right not to be subject to automated decision-making: No