DLA Piper Intelligence
Data Protection Laws of the World

Mauritius

Law

The Data Protection Act 2004 [Act 13 of 2004] (“Act”) was enacted on July 1, 2004, partially came into force on December 17, 2004 and fully came into operation on February 6, 2009. The Act is largely based on Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Personal data are data which relate to an individual who can be identified from those data, or data or other information, including an opinion forming part of a database, whether or not recorded in a material form, about an individual whose identity is apparent or can reasonably be ascertained from the data, information or opinion.

Definition of sensitive personal data

Sensitive personal data are personal data pertaining to a data subject’s racial or ethnic origin, political opinion or adherence, religious belief or other belief of a similar nature, membership of a trade union, physical or mental health, sexual preferences or practices, commission or alleged commission of an offence or any proceedings for an offence committed or alleged to have been committed, the disposal of such proceedings, or the sentence of any court in such proceedings.

Authority

Data Protection Office

5th Floor, Happy World House
Corner SSR and Sir William Newton Streets,
Port Louis, Mauritius

Tel: +230 212 22 18
Fax: +230 212 21 74

http://dataprotection.govmu.org/

Registration

A data controller (an individual or a group of persons who make a decision with regard to the purposes for which and the manner in which any personal data are, or are to be, processed) as well as a data processor (a person, other than an employee of the data controller, who processes the data on behalf of the data controller) must be registered with the Data Protection Office (“DPO”). Registration is for a period not exceeding one (1) year; on the expiry of that period, the relevant entry in the Data Protection Register, which is kept and maintained by the DPO, is cancelled unless the registration is renewed.

Application for registration:

  1. a written application for registration is made to the Data Protection Commissioner (“Commissioner”).

  2. specific particulars must be furnished at the time of the application, depending on whether the application is being made by a data controller or a data processor.

If the application is being made by a data controller:

  • name and address of the data controller;

  • if it has nominated a representative for the purposes of this Act, the name and address of the representative;

  • a description of the personal data being, or to be, processed by or on behalf of the data controller, and of the category of data subjects to which the personal data relate;

  • a statement as to whether or not he holds, or is likely to hold, sensitive personal data;

  • a description of the purpose for which the personal data are being or are to be processed;

  • a description of any recipient to whom the data controller intends or may wish to disclose the personal data;

  • the names, or a description of, any country to which the data controller directly or indirectly transfers, or intends or may wish, directly or indirectly, to transfer the data; and

  • the class of data subjects, or where practicable the names of data subjects, in respect of which the data controller holds personal data.

A data controller who knowingly supplies false information for the purposes of an application for registration commits an offence and, on conviction, is liable to a fine not exceeding 100,000 rupees and to imprisonment for a term not exceeding 2 years.

If the application is being made by a data processor:

  • name and address of the data processor;

  • a description of the personal data being, or to be, processed, and the category of data subjects to which the personal data relate;

  • the country to which the data controller transfers, or intends to transfer, the personal data; and

  • a statement as to whether or not the data processor processes, or intends to process, sensitive personal data; and such other particulars as the Commissioner may require.

A data processor who knowingly supplies false information for the purposes of an application for registration commits an offence and, on conviction, is liable to a fine not exceeding 100,000 rupees and to imprisonment for a term not exceeding 2 years. At the moment, there is no separate registration for data processors, as most of them are also data controllers and are therefore registered as such.

Should a data controller or data processor intend to keep or process personal data or sensitive personal data for 2 or more purposes, an application for separate registration must be made in respect of each of those purposes, and separate entries are made in the Data Protection Register.

Upon the payment of the prescribed fee, the Commissioner grants an application for registration unless she reasonably believes that (a) the particulars to be included in the Data Protection Register are insufficient, or any other information required by the Commissioner either has not been furnished or is insufficient, (b) appropriate safeguards for the protection of the privacy of the data subjects concerned are not being, or will not continue to be, provided by the data controller, or (c) the person applying for registration is not a fit and proper person.

Data Protection Officers

The Act does not explicitly require the appointment of a data protection officer. However, the data controller must, at the time of applying for registration, specify the name of a person who will supervise the application of the Act within the data controller’s organisation, or nominate a representative in relation to the personal data with which the application for registration is concerned.

Collection & Processing

Personal data

Unless an exemption applies, a data controller cannot collect personal data unless the collection (a) is for a lawful purpose connected with a function or activity of the data controller, and (b) is necessary for that purpose.

At the time of collection, the data controller, or any person acting on his behalf, must ensure that the individual is aware of certain information, for example (i) the fact that the data is being collected, (ii) the purpose or purposes for which the data is being collected, (iii) the intended recipients of the data, (iv) the name and address of the data controller, (v) whether or not the data collected shall be processed and whether or not the supply of the data by that data subject is voluntary or mandatory, and (vi) the consequences if all or part of the requested data is not provided.

It is the duty of the data controller to take all reasonable steps to ensure that personal data within his possession is accurate and up to date.

Furthermore, as a general rule, a data controller cannot process the personal data of an individual unless the express consent of the individual has been obtained. There are certain exceptional cases in which personal data can be processed without the express consent of an individual, namely where the processing of personal data is necessary (a) for the performance of a contract to which the individual is a party, (b) in order to take steps required by the individual prior to entering into a contract, (c) in order to protect the vital interests of the individual, (d) for compliance with any legal obligation to which the data controller is subject, (e) for the purpose of making use of a unique identification number to facilitate sharing information and avoid multiple registrations among public sector agencies, (f) for the administration of justice, or (g) in the public interest.

Sensitive personal data

As a general rule, sensitive personal data cannot be processed unless the individual has given his express consent to the processing or has made the data public.

However, there are certain exceptions to the general rule, for instance if such processing is:

  1. necessary (i) for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with his employment, (ii) in order to protect the vital interests of the data subject or another person in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject, (iii) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld, (iv) for the performance of a contract to which the data subject is a party, (v) in order to take steps required by the data subject prior to entering into a contract, or (vi) for compliance with a legal obligation to which the data controller is subject;

  2. carried out by any entity or any association which exists for political, philosophical, religious or trade union purposes in the course of its legitimate activities;

  3. in respect of the information contained in the personal data made public as a result of steps deliberately taken by the data subject; or

  4. required by law.

Transfer

A data controller may only transfer personal data to another country if he has obtained the written authorisation of the Commissioner. In addition, personal data shall not be transferred to another country unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data. The adequacy of the level of protection of a country is assessed in light of all the circumstances surrounding the data transfer, having regard to the following: (a) the nature of the data, (b) the purpose and duration of the proposed processing, (c) the country of origin and country of final destination, and (d) the rules of law, both general and sectoral, in force in the country in question, and any relevant codes of conduct or other rules and security measures which are complied with in that country.

It is to be noted that the transfer of personal data to another country not ensuring an adequate level of data protection may take place in the following circumstances:

  1. the data subject has given his consent to the transfer;

  2. the transfer is necessary (i) for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller, (ii) for the conclusion of a contract between the data controller and a person, other than the data subject, which is entered into at the request of the data subject or is in the interest of the data subject, or for the performance of such a contract, or (iii) in the public interest, to safeguard public security or national security; or

  3. the transfer is made on such terms as may be approved by the Commissioner as ensuring adequate safeguards for the protection of the rights of the data subject.

Security

A data controller has a statutory obligation to take appropriate security and organisational measures for the prevention of unauthorised access to, alteration of, disclosure of, accidental loss of, and destruction of the data in his control. Moreover, a data controller should also ensure that the measures provide a level of security appropriate to the harm that might result from the unauthorised access to, alteration of, disclosure of, destruction of or accidental loss of the data, and to the nature of the data concerned. In determining the appropriate security measures, in particular where the processing involves the transmission of data over an information and communication network, a data controller shall have regard to (a) the state of technological development available, (b) the cost of implementing any of the security measures, (c) the special risks that exist in the processing of the data, and (d) the nature of the data being processed.

The Act imposes an obligation on every data controller and data processor to take all reasonable steps to ensure that any person employed by him is aware of and complies with the relevant security measures. If the services of a data processor are retained, the data controller shall choose a data processor providing sufficient guarantees in respect of security and organisational measures.

If the purpose for keeping personal data has lapsed, the data controller must destroy such data as soon as reasonably practicable and notify any data processor holding such data, who in turn must destroy the data specified by the data controller.

Breach Notification

There is no specific provision in the Act which provides for the reporting of data security breaches or losses of data to either the Commissioner or to data subjects. However, in its ‘Guidelines for Handling Privacy Breaches’ (March 2010), the DPO encourages organisations to inform the Commissioner of material breaches so that the DPO is aware of such breaches.

Whilst there is no legal obligation to inform an individual of a data security breach concerning his or her personal data, the Guidelines provide that the organisation must notify the individual of the breach where this is necessary to avoid or mitigate harm to the individual.

Enforcement

The enforcement authority for the Act is, in the first place, the Commissioner. If the Commissioner is of the opinion that a data controller or a data processor has contravened, is contravening or is about to contravene the Act, the Commissioner may serve an enforcement notice on the data controller or the data processor, as the case may be, requiring him to take such steps within such time as may be specified in the notice.

The enforcement notice must:

  1. specify the provision of the Act which has been, is being or is likely to be contravened;

  2. specify the measures that shall be taken to remedy or, as the case may be, eliminate the matter which makes it likely that a contravention will arise;

  3. specify a time limit, which shall not be less than 21 days, within which those measures shall be implemented; and

  4. state that there is a right of appeal.

A person who, without reasonable excuse, fails or refuses to comply with an enforcement notice commits an offence and, on conviction, is liable to a fine not exceeding 50,000 rupees and to imprisonment for a term not exceeding 2 years.

If the Commissioner has reasonable grounds to believe that data is vulnerable to loss or modification, she may make an application to a Judge in Chambers for an order for the expeditious preservation of such data. If satisfied, the Judge in Chambers issues a preservation order specifying a period of not more than 90 days during which the order shall remain in force. However, the time period may be extended beyond 90 days upon application by the Commissioner.

The Commissioner may carry out periodical audits of the systems of data controllers or data processors to ensure compliance with the data protection principles laid down in the Act. Where the Commissioner is of the opinion that the processing or transfer of data by a data controller or data processor entails specific risks to the privacy rights of data subjects, she may inspect and assess the security measures taken prior to the beginning of the processing or transfer. Moreover, at any reasonable time during working hours, the Commissioner may carry out further inspection and assessment of the security measures imposed on a data controller or data processor.

For the purposes of gathering information or for the proper conduct of any investigation concerning compliance with the Act, the Commissioner may seek the assistance of such persons or authorities as she thinks fit, and that person or authority may do such things as are reasonably necessary to assist the Commissioner in the performance of the Commissioner’s functions. Upon the completion of an investigation which reveals that an offence has been committed under the Act or any regulations made under the Act, the Commissioner shall refer the matter to the police.

The Commissioner may delegate any of the investigating and enforcement powers conferred upon her by the Act to any officer of her office and to any police officer designated by her for that purpose.

Electronic Marketing

The use of personal data for the purposes of electronic marketing is not prohibited by the Act. However, at any time, an individual may by written notice request a data controller to stop, or not to begin, processing personal data in respect of which he is the data subject for the purposes of direct marketing (i.e. the communication of any advertising or marketing material which is directed to any particular individual).

Upon receiving such a request, the data controller must, as soon as reasonably practicable and in any event not more than 28 days after the request has been received, (a) where the data is kept only for purposes of direct marketing, erase the data, and (b) where the data is kept for direct marketing and other purposes, stop processing the data for direct marketing.

The data controller must notify the data subject in writing of any action taken and, where appropriate, inform him of the other purposes for which the personal data is being processed. Where a data controller fails to comply with such a notice, the data subject may appeal to the Information and Communication Technologies Appeal Tribunal.

Online Privacy

The Act does not contain specific provisions in relation to online privacy.
Contacts

Ammar Oozeer
Barrister & Partner
T (+230) 403 2400