Data Protection Act 2017 Mauritius

Overview

Mauritius' Data Protection Act 2017 (Act No. 20 of 2017), enacted on December 8, 2017, and effective from January 15, 2018, regulates the collection, processing, storage, and transfer of personal data. The law aligns with international standards and strengthens individual control over personal data. The Data Protection Office (DPO), led by the Data Protection Commissioner, is responsible for enforcement. 


Regulation Summary

Timeline
  • December 8, 2017: Law enacted.
  • December 23, 2017: Published in the Government Gazette.
  • January 15, 2018: Law came into effect.
What Businesses Are Affected
  • All organizations processing personal data in Mauritius, including both public and private entities.
  • Foreign businesses processing data of Mauritian residents, if they operate within Mauritius or use local infrastructure.
  • Entities handling sensitive data such as biometric, health, financial, or government-related information.
Exemptions
  • Personal or household use of personal data.
  • Government agencies processing data for national security, taxation, or law enforcement purposes.
  • Data processing for journalistic, artistic, or academic research purposes, provided it adheres to legal safeguards.
Responsibilities for Businesses
  • Lawful Processing: Businesses must obtain consent or rely on a valid legal basis for processing personal data.
  • Purpose Limitation: Data may only be collected and processed for a specific, legitimate purpose.
  • Data Security: Organizations must implement safeguards to prevent unauthorized access, leaks, or breaches.
  • Accountability: Businesses must document data processing activities, designate responsible personnel when required, and report data breaches to the Data Protection Office within 72 hours of becoming aware of the incident, as required by law.
Specific Responsibilities for Website Owners
  • Cookie Consent: Websites must obtain user consent for non-essential cookies and tracking technologies.
  • Privacy Notice: Websites must provide a transparent and accessible privacy policy.
  • User Rights Portal: Individuals should be able to submit and manage data access, correction, and deletion requests.
  • Secure Data Transmission: Websites must ensure encryption and protective measures for handling personal data online.
Additional Requirements
  • Cross-Border Data Transfers: Personal data transfers outside Mauritius are permitted only if the recipient country ensures an equivalent level of data protection. Additionally, the Data Protection Commissioner may impose specific conditions for such transfers to ensure compliance with legal safeguards.
  • Data Protection Officer (DPO): Required for businesses engaging in large-scale or sensitive data processing.
  • Impact Assessments: Mandatory for businesses conducting high-risk data processing, including profiling and automated decision-making.
  • Sensitive Data Handling: Processing of special categories of personal data—including racial origin, political opinions, religious beliefs, union membership, genetic and biometric data, health, and sexual life—is strictly prohibited unless exceptions apply, such as explicit consent, public interest, medical necessity, or legal obligations.
Data Subject Rights
  • Access: Individuals can request copies of their personal data.
  • Rectification: Right to correct inaccurate or incomplete data.
  • Erasure: Right to request deletion of personal data under certain conditions.
  • Portability: Right to obtain and transfer personal data.
  • Objection: Right to refuse processing for marketing or automated decision-making.
  • Restriction: Right to request limitations on data processing in specific cases.
Enforcement
  • Regulatory Body: The Data Protection Office (DPO) oversees compliance and enforcement.
  • Fines: Violations can result in fines based on a percentage of company revenue or a fixed amount, with penalties ranging from 50,000 to 200,000 Mauritian Rupees (~$1,100 to $4,500 USD).
  • Sanctions: Businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment for severe breaches.