On June 22, 2023, the Cabinet of Seychelles approved Data Protection Bill, 2023, which was introduced on March 16, 2023, by the Department of Information Communications Technology. In particular, the bill is set to replace the Data Protection Act 2003 and seeks to promote and facilitate a responsible and transparent flow of information by private and public entities while ensuring respect for individual privacy, in line with the relevant international standards.

Scope

The bill would apply to the processing of data within Seychelles by public or private bodies. However, certain activities will be exempt from the application of the bill, including the processing of personal data by authorities in the course of a criminal investigation, matters pertaining to national security, or processing by a natural person for a personal activity.

Features of the bill

More specifically, the bill defines key terms, including 'data subject,' 'consent,' 'controller,' 'processor,' and 'biometric data,' and provides for the rights of children, and data subjects rights, including, among others, the right to erasure and the right to rectification.

Additionally, the bill lays down, among other things, the obligations of data controllers and processors, including maintaining records of processing activities, breach notification requirements, rules on security, and processing of special categories of data. Moreover, the bill would establish requirements for conducting a Data Protection Impact Assessment (DPIA), in particular, the obligation to consult the Commission prior to processing, if the DPIA indicates a high risk to the rights and freedoms of individuals. The bill also lays down rules regarding cross-border data transfers, tasks of a data protection officer (DPO), and administrative fines and imprisonment in case of infringement.

You can read the press release here and the bill here.