Last modified 16 March 2026

Data Protection in Seychelles

Definitions in Seychelles

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Seychelles

The Data Protection Act, 2023 (Act 24 of 2023) came into force on 22 December 2023.

The principal object of the Act is to protect personal data, regulate the processing of such data, confer rights on individuals in respect of their personal information, and establish a regulatory framework for oversight and enforcement through the Information Commission.

Related resources

Definitions

Definitions in Seychelles

Definition of personal data

The Act defines personal data as: “any information relating to an identified or identifiable individual.”

An identifiable individual is one who can be identified, directly or indirectly, particularly by reference to:

a name
an identification number
location data
an online identifier
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

Definition of sensitive personal data

The Act further recognises special categories of personal data, which are afforded enhanced protection due to the sensitive nature of the information and the potential impact of misuse on the rights and freedoms of individuals.

These categories include personal data revealing:

racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data used for identification
health data
data concerning a person’s sex life or sexual orientation.

Responsibility of organisations

While the Information Commission exercises regulatory oversight, the primary responsibility for ensuring the protection of personal data rests with organisations that process personal data, namely:

Data Controllers – entities that determine the purposes and means of processing personal data.
Data Processors – entities that process personal data on behalf of a controller.

Such entities are required to comply with the data protection principles and other obligations established under the Act.

Appointment of controllers, processors and other roles

The Act recognises functional roles within the data protection framework rather than requiring formal appointment or designation of such roles, except where the appointment of a Data Protection Officer (DPO) is required.

Under the Act, organisations are not required to formally appoint a data controller or data processor. These roles arise automatically depending on the function performed by the entity in relation to the processing of personal data.

Data Controller: A data controller is defined as the person or entity that determines the purposes and means of processing personal data.
Data Processor: A data processor is a person or organisation that processes personal data on behalf of the controller.

Related resources

Authority

National data protection authority in Seychelles

The Information Commission Seychelles is the independent supervisory authority responsible for overseeing the implementation and enforcement of the Data Protection Act.

The Commission is headed by the Information Commissioner, assisted by two Commissioners.

The principal functions of the Commission include:

Monitoring compliance: Ensuring that data controllers and data processors comply with the provisions of the Act.
Investigation of complaints: Receiving and investigating complaints from individuals whose rights under the Act may have been infringed.
Enforcement: The Commission is empowered to:
- issue enforcement notices
- require corrective measures
- conduct investigations and audits.
Promotion of public awareness: Promoting awareness and understanding of data protection rights and obligations among:
- the public
- government institutions
- private sector entities.
Advisory role: Providing guidance to the Government on policies, legislative initiatives, and best practices relating to data protection and privacy.

Related resources

Registration

Registration in Seychelles

The Act does not impose a general requirement for data controllers or data processors to register with the Information Commission. However, controllers and processors are required to maintain records of processing activities and remain subject to regulatory oversight by the Commission.

Related resources

Data protection officers

Data protection officers in Seychelles

Pursuant to Section 45 of the Act, a data controller or processor must designate a DPO where:

the core activities involve regular and systematic monitoring of data subjects on a large scale, or
the core activities involve large-scale processing of special categories of personal data.

The DPO functions as:

an internal compliance officer responsible for overseeing adherence to the Act; and
a point of contact and liaison with the Information Commission

Related resources

Collection and processing

Collection and processing in Seychelles

Personal data must be collected and processed in accordance with the data protection principles established under the Act, namely:

lawfulness, fairness and transparency
purpose limitation
data minimisation
accuracy
storage limitation
integrity and confidentiality (security)
accountability.

These principles govern the manner in which personal data may be collected, used, stored and disclosed.

Related resources

Transfer of personal data

Transfer of personal data in Seychelles

The Act permits the transfer of personal data outside Seychelles, provided that the transfer ensures an adequate level of protection for the rights and freedoms of data subjects.

Such transfers may occur where appropriate safeguards or legal mechanisms exist to ensure that personal data continues to receive an adequate level of protection once transferred outside the jurisdiction.

Related resources

Security

Security in Seychelles

The Act imposes obligations on data controllers and processors to implement appropriate technical and organisational measures to ensure the security of personal data.

These measures must protect personal data against:

unauthorised or unlawful processing
accidental loss
destruction or damage
unauthorised access or disclosure.

Related resources

Breach notification

Breach notification in Seychelles

The Act establishes breach notification obligations.

Where a personal data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, the data controller must notify the Information Commission.

In circumstances where the breach is likely to result in a high risk to affected individuals, the controller may also be required to notify the affected data subjects.

Related resources

Enforcement

Enforcement in Seychelles

The Act establishes a regulatory enforcement regime administered by the Information Commission.

The Commission is vested with powers to:

conduct investigations
issue enforcement notices
require remedial measures
impose sanctions for contraventions of the Act

Related resources

Electronic marketing

Electronic marketing in Seychelles

The Act contains provisions relevant to direct electronic marketing, particularly where personal data is used for marketing communications.

While the Act primarily regulates the lawful processing of personal data, it also applies to electronic marketing activities to the extent that such activities involve the processing of personal data belonging to individuals.

Related resources

Online privacy

Online privacy in Seychelles

Although the Act does not contain a separate chapter specifically addressing online privacy, it protects online privacy through the general rules governing the collection, processing and security of personal data.

These provisions apply equally to personal data collected through:

websites
mobile applications
online platforms
other digital services

Related resources

Key contacts

Data protection lawyers in Seychelles

Jean-Marc B Lablache

Attorney

Victoria

Definition of personal data

The Act defines personal data as: “any information relating to an identified or identifiable individual.”

An identifiable individual is one who can be identified, directly or indirectly, particularly by reference to:

a name
an identification number
location data
an online identifier
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

Definition of sensitive personal data

These categories include personal data revealing:

racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data used for identification
health data
data concerning a person’s sex life or sexual orientation.

Responsibility of organisations

While the Information Commission exercises regulatory oversight, the primary responsibility for ensuring the protection of personal data rests with organisations that process personal data, namely:

Data Controllers – entities that determine the purposes and means of processing personal data.
Data Processors – entities that process personal data on behalf of a controller.

Such entities are required to comply with the data protection principles and other obligations established under the Act.

Appointment of controllers, processors and other roles

Data Controller: A data controller is defined as the person or entity that determines the purposes and means of processing personal data.
Data Processor: A data processor is a person or organisation that processes personal data on behalf of the controller.

Quick links

Data Protection in Seychelles

Definitions in Seychelles

Definition of personal data

Definition of sensitive personal data

Responsibility of organisations

Appointment of controllers, processors and other roles

Continue reading