Mauritius - Data Protection Overview
1. Governing Texts
There is a growing awareness of the importance of data protection in Mauritius. This takes the form of training sessions, interviews, and publications in the media by the Data Protection Office ('the Office'). Training is also conducted by the private sector, and compliance teams ensure that their organizations comply with the data protection legislation. The current Data Protection Act 2017 ('the Act') is aligned with international standards, namely the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'). However, in certain instances the provisions of the Act are not exactly the same as those contained in the GDPR.
On December 8, 2017, the National Assembly of Mauritius passed the Act, repealing the Data Protection Act 2004 ('the 2004 Act'). The Act obtained the President's assent on December 22, 2017, and was published in the Government Gazette on December 23, 2017. The Act came into force on January 15, 2018.
The Act has the objective to strengthen the control and personal autonomy of data subjects over their personal data in line with current relevant international standards and for matters related thereto.
Lastly, please note that Mauritius signed, on September 4, 2020, the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108+').
The Office has published the following Guidelines:
- Introductory Guide to the Data Protection Act 2017 ('the Introductory Guide'): this Guide assists controllers and processors to implement the provisions of the Act;
- Factsheet on Legitimate Interests; and
- Guide on Data Protection for Health Data and Artificial Intelligence Solutions in the context of the COVID-19 Pandemic: this Guide helps controllers and processors to determine the basis for processing health data.
Further guidance from the Office can be accessed through its website.
1.3. Case law
Since the implementation of the 2004 Act there have been several cases concerning the constitutionality of the provisions of the National Identity Card Act, Act 60 of 1985, which impose an obligation to provide fingerprints and other biometric information and provide for the storage of that biometric information on the card:
- Madhewoo M. v. The State of Mauritius & anor  UKPC 30;
- Jugnauth Pravin Kumar (Hon) v. The State of Mauritius & anor 2015 SCJ 178;
- Madhewoo M. v. The State of Mauritius & anor 2015 SCJ 177; and
- Madhewoo M. v. The State of Mauritius & anor 2013 SCJ 401.
At the level of the Office, the complaints received relate to the use of CCTV cameras and to the unlawful disclosure of, and access to, personal data.
2. Scope of Application
The Act applies to a controller or a processor who is established in Mauritius and processes data in the context of that establishment. A person who is ordinarily resident in Mauritius, or who carries out data processing operations through an office, branch, or agency in Mauritius, is treated as being established in Mauritius. The Act also applies to a controller or processor who is not established in Mauritius if they use equipment in Mauritius for processing data, other than for the purpose of transit through Mauritius. In the latter case, the controller or processor must nominate a representative which is established in Mauritius. The Act also applies to each Ministry or Government department, each of which is treated separately from the others.
The Act does not have extra-territorial effect.
The Act applies to the processing of personal data wholly or partly by automated means, and to any processing otherwise than by automated means where the personal data forms part of a filing system or is intended to form part of a filing system. The filing system must be a structured set of personal data which is accessible according to specific criteria. No exception to the Act is allowed unless it constitutes a necessary and proportionate measure in a democratic society for one of the following limited purposes specified in the Act:
- for the protection of national security, defence, or public security;
- for the prevention, investigation, detection, or prosecution of an offence, including the execution of a penalty;
- for an objective of general public interest, including an economic or financial interest of the State of Mauritius;
- for the protection of judicial independence and judicial proceedings; or
- for the protection of a data subject or the rights and freedoms of others.
Furthermore, the processing of personal data for the purpose of historical, statistical, or scientific research may be exempted from the provisions of the Act provided that security and organizational measures are implemented to protect the rights and freedoms of the data subjects.
3.1. Main regulator for data protection
The data protection authority is the Office, which is under the administrative control of the Data Protection Commissioner ('DPC'). To encourage compliance of data processing operations with the Act, the Office may lay down technical standards for data protection certification mechanisms and for data protection seals and marks. The Office also issues Guidelines (see the section on Guidelines above).
3.2. Main powers, duties and responsibilities
The DPC may exercise a general power to request any personal information that is necessary or expedient for the performance of the DPC's functions and the exercise of the DPC's duties under the Act. The DPC's power to obtain information is, however, subject to the confidentiality obligations which a controller may have under the following laws:
- Section 26 of the Bank of Mauritius Act, Act No. 34 of 2004;
- Section 64 of the Banking Act 2004;
- Section 83 of the Financial Services Act 2007 (as amended);
- Section 30 of the Financial Intelligence and Anti Money Laundering Act 2002; and
- Section 81 of the Prevention of Corruption Act 2002.
The DPC may investigate a complaint that the Act or any regulations have been, are being, or are about to be contravened, unless the DPC is of the opinion that the complaint is frivolous or vexatious. Any person who, without lawful or reasonable excuse, fails to attend a hearing before the DPC commits a criminal offence. A person may refuse to answer any question or to give any evidence if doing so would amount to self-incrimination.
If the DPC is of the opinion that a controller or a processor has contravened, is contravening, or is about to contravene the Act, the DPC may serve an enforcement notice on the controller or processor requiring them to take the steps specified in the notice within the period it specifies. The DPC also has the power to investigate an offence which may have been committed under the Act and may, for that purpose, seek the assistance of a person or an authority.
The DPC may inspect and assess the security and organizational measures which a controller is required to have in place prior to starting the processing or transfer of personal data. The DPC is also empowered to carry out periodic audits of the systems of controllers to ensure compliance with the provisions of the Act. The DPC may designate an authorized officer to enter and search any premises, but only on the authority of a warrant issued by a magistrate. Where any information requested by an authorized officer is stored in a computer, disc, cassette, or microfilm, or preserved by any mechanical or electronic device, the person to whom the request is made must make the information available in a form which is visible, legible, and transferable.
4. Key Definitions
Data controller: The Act defines a 'controller' as any person who, or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision-making power with respect to the processing.
Sensitive data: 'Special categories of personal data' refer to personal data which is sensitive in nature, for example, the racial or ethnic origin of the data subject or the genetic data or biometric data uniquely identifying the data subject.
Biometric data: Any personal data relating to the physical, physiological, or behavioural characteristics of an individual which allow their unique identification, including facial images or dactyloscopic data.
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information and the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
5. Legal Bases
Consent is one lawful basis for processing. Consent must be freely given, informed, and an unambiguous indication of the data subject's wishes, either by a statement or by a clear affirmative action, by which they signify their agreement to the processing of personal data pertaining to them. The controller bears the burden of proof for establishing the data subject's consent to the processing of personal data for a specified purpose.
Contractual necessity can be relied upon if the controller requires the processing of the data subject's personal data to perform a contract to which the data subject is a party, or to take certain steps at the request of the data subject prior to entering into a contract. The processing of the personal data must be necessary for that purpose.
Compliance with a legal obligation is a legal basis for the processing of personal data. This does not extend to a contractual obligation, which is addressed in the section above.
The personal data of a data subject may be processed where this is necessary for the protection of the vital interests of the data subject or of another person.
The Act also allows for the processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller must be able to demonstrate that they are carrying out a task in the public interest, or exercising official authority.
Personal data may be processed for the legitimate interests of the controller, except where the processing is not warranted having regard to the harm and prejudice to the rights or interests of the data subject. Hence, the controller must balance their own interests against those of the data subject.
Historical, statistical, or scientific research is another legal basis for the processing of personal data.
Both the controller and processor must process personal data in accordance with the following data protection principles:
- Lawfulness, fairness and transparency: Data must be collected for legitimate purposes, and processed lawfully, fairly and in a transparent manner;
- Purpose limitation: Personal data collected for a specified purpose(s) must not be further processed in a manner incompatible with the purpose(s);
- Data minimisation: Data that are processed must be limited to what is necessary – data must not be held beyond what is needed for the purpose(s) for which the data have been collected;
- Accuracy: Data must be accurate and, where necessary, kept up to date and steps must be taken to erase or rectify inaccurate data without delay;
- Storage limitation: Data must not be kept longer than is necessary for the purpose(s) for which the data are processed;
- Security: Appropriate security measures must be implemented to protect the personal data that are held. For example, measures must be implemented to prevent unauthorized access to, and the disclosure of personal data. These measures may include encrypting personal data and regularly testing and evaluating the effectiveness of the measures implemented; and
- Accountability: The controller must take responsibility for what is done with the data and adopt policies and implement measures to demonstrate compliance. If the processor becomes aware of a personal data breach, the processor must notify the controller without undue delay describing the nature of the personal data breach including, if possible, the approximate number of data subjects and personal data records concerned.
7. Controller and Processor Obligations
Section 15 of the Act requires that both the controller and the processor register with the DPC. The registration is valid for three years, but the DPC may, at any time during those three years, cancel or vary the registration certificate if the applicant has, in any way, been false or misleading in the application. The DPC keeps a Data Protection Register which is available for inspection free of charge.
The particulars which a controller or a processor must submit when applying for registration are:
- name and address;
- if a representative has been nominated for the purpose of the Act, the name and address of the representative;
- a description of the personal data being or to be processed by or on behalf of the controller or processor, and the category of data subjects to which the personal data relates;
- a statement as to whether they hold, or are likely to hold, special categories of personal data;
- a description of the purpose for which the personal data is to be processed;
- a description of any recipient to whom the controller intends or may wish to disclose the personal data;
- the name, or a description of, any jurisdiction to which the proposed controller intends or may wish, directly or indirectly, to transfer the data; and
- a general description of the risks, safeguards, security measures, and mechanisms to ensure the protection of personal data.
Additionally, where, following the grant of an application by the DPC, there is a change to any of the particulars listed above, the controller or processor must, within 14 days of the date of the change, notify the DPC in writing of the nature and date of the change.
Registration and fees
If the DPC determines that an applicant has met the criteria for registration, the DPC will register the applicant as a controller or processor and issue a registration certificate following the payment of a fee. The holder of a registration certificate may apply for the renewal of the certificate not later than three months before the date of its expiry.
The Data Protection (Fees) Regulations 2020 ('the Regulations') have established new fees for the registration of controllers and processors which came into force on August 1, 2020. Such fees are set out in the Schedule of the Regulations and range from MUR 1,000 (approx. $22) to MUR 2,500 (approx. $55).
Accordingly, all controllers and processors were required to make a fresh registration as of August 1, 2020, in accordance with the Regulations and the Communiqué on the Regulations.
Applications for registration may be submitted online, by post, or in person at the Office, using the Registration/renewal of registration Controller Application Form or the Registration/renewal of registration Processor Application Form, or, alternatively, via the Office's online portals for controllers and for processors.
Any controller or processor who knowingly supplies any information in the registration application which is false or misleading in a material particular commits an offence and will, on conviction, be liable to a fine not exceeding MUR 100,000 (approx. $2,205) and to imprisonment for a period not exceeding five years (Section 15(3) of the Act).
Any controller or processor who fails to inform the DPC of any change of the particulars within 14 days of the date of the change commits an offence and will, on conviction, be liable to a fine not exceeding MUR 50,000 (approx. $1,100) (Section 17(3) of the Act).
For further information on penalties, please see the section on penalties below.
A controller or processor may transfer personal data outside Mauritius if the DPC is provided with proof confirming that appropriate safeguards are in place for the protection of the personal data. Personal data may also be transferred outside Mauritius if, prior to such transfer, the data subject has been informed of any possible risks of the transfer and has given their explicit consent to it. If the controller or processor cannot provide appropriate safeguards for the transfer of personal data to another country, the controller or processor, as applicable, must obtain the prior authorization of the DPC.
The transfer may also take place if it is necessary for the performance of a contract between the data subject and the controller, or for the taking of steps at the request of the data subject with a view to them entering into a contract with the controller.
The transfer of personal data to another jurisdiction can also be allowed on such terms as the DPC may approve for the protection of the rights of the data subjects. The DPC has the power to suspend or prohibit the transfer of data to another jurisdiction if the processor or controller is not able to demonstrate either the effectiveness of safeguards, or the existence of compelling legitimate interest.
In addition, under the Guidelines on Outsourcing by Financial Institutions (revised in March 2018) ('the BOM Outsourcing Guidelines') issued by the Bank of Mauritius ('BOM'), a financial institution must strictly adhere to the Act and ensure compliance with it when storing customers' information in the cloud. The BOM Outsourcing Guidelines impose a series of conditions for the implementation of cloud-based services by financial institutions. As such, financial institutions should ensure that they are in possession of a certificate of conformity from a law practitioner certifying that the systems in place comply with data protection and other applicable laws.
A controller must keep a record of all processing operations, including the names and contact details of the controller and of the processor (if there is one), the purpose of the processing, and the policies and mechanisms which demonstrate that the processing of personal data is in accordance with the Act. The controller must only collect personal data for a lawful purpose connected with an activity or function of the controller, where the collection of that data is necessary for the lawful purpose. When collecting personal data, the controller must ensure that the data subject is informed of the controller's contact details together with the information necessary to guarantee fair processing.
The processor must also keep records of all processing operations which the processor carries out on behalf of the controller, including the name and contact details of the controller and the purpose of the processing.
The controller bears the burden of proof for establishing the data subject's consent to the processing of personal data for a specified purpose.
If the data processing operations are likely to result in a high risk to the rights and freedoms of the data subject by virtue of their nature, scope, context, and purposes, the controller must, before conducting the processing, carry out an assessment of the impact of the intended processing operations. A Data Protection Impact Assessment ('DPIA')/Privacy Impact Assessment ('PIA') must be reviewed if there is a significant change in the data processing operations. The Introductory Guide recommends that a DPIA/PIA be carried out continuously on existing processing activities; depending on the nature of the processing and other circumstances, such as the frequency of change in the data processing operations, this review may be done every three years. According to the Introductory Guide, a DPIA/PIA should not be viewed as a one-off exercise.
Under the Act, the appointment of a data protection officer ('DPO') is compulsory.
Every controller and processor is required to keep records that contain the name and contact details of the DPO. At the time of collecting personal data, the data subject must be informed of the identity and contact details of the DPO. The DPO must act with complete independence and impartiality. On March 19, 2019, the Office published guidance on the roles and responsibilities of the DPO ('the DPO Guidance').
More specifically, the DPO Guidance highlights that the DPO must (Section 3 of the DPO Guidance):
- inform and advise the controller, the processor, and their employees about their obligations to comply with the Act and other data protection laws;
- monitor compliance with the Act and other data protection laws;
- manage internal data protection activities;
- advise on DPIAs;
- train staff and conduct internal audits; and
- be the first point of contact for the Office and for individuals whose data are processed (employees and customers, amongst others).
It is to be noted that the Office allows an existing employee to act as a DPO as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to any situations of conflict of interest. In this regard, the DPO Guidance notes that a conflict of interest occurs when the DPO (Section 1(4) of the DPO Guidance):
- holds a position leading them to determine the purposes and the means of the processing of personal data;
- manages competing objectives which could result in data protection taking a secondary role to business interests; and
- when external (appointed in accordance with Section 1(5) of the DPO Guidance), is asked by the controller/processor to represent them before a court in a case involving data protection issues.
In addition, the role of the DPO may be outsourced. The DPO is not personally responsible for non-compliance with the provisions of the Act by the controller or processor.
A group of undertakings may appoint a single DPO, taking into account their organizational structure and size, provided that they are easily accessible from every establishment. The concept of accessibility has to take into account the tasks assigned to the DPO as a contact point for data subjects and the Office, as well as internally, for the controller/processor and the employees, who have to be informed and advised in their activities of processing personal data (Section 1(3) of the DPO Guidance).
Where a single DPO has been appointed for a group of undertakings, the controller/processor must ensure that the DPO is able to perform each assigned task, despite being responsible for different establishments or branches (Section 1(3) of the DPO Guidance).
The Act imposes a legal obligation on the controller to notify a personal data breach to the DPC without undue delay and, where feasible, no later than 72 hours after the controller has become aware of the breach. The processor must, once aware of a personal data breach, notify the controller without undue delay.
If the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the controller, after having notified the DPC, must inform the data subject of the breach in clear language and without undue delay. There are circumstances in which the controller is not required to notify the data subject of the personal data breach, for instance where such notification would involve a disproportionate effort and the controller has made a public communication of the breach by which the data subject is informed.
The BOM Outsourcing Guidelines provide that a financial institution must report any unauthorized access or breach of confidentiality and security by an outsourcing service provider to the BOM, stating the action(s) it proposes should be taken to deal with the consequences. A mobile banking or mobile payment service provider which provides services to a customer who does not hold a bank account must submit monthly reports which must, among other things, cover any loss of confidential data, to the BOM.
There is no general data retention law in Mauritius. There are, however, sector-specific record-keeping requirements. For example, under Section 153 of the Income Tax Act 1995, records of employee emoluments must be kept for a period of at least five years. Under the Banking Act, a financial institution is required to keep a record for a period of at least seven years after the completion of the transactions to which it relates.
The processing of the personal data of a child below the age of 16 years is subject to the prior consent of the child's parent or guardian. A controller must make every reasonable effort to verify that consent has been given or authorized, taking into account available technology.
Special categories of personal data must not be processed unless the data subject has given their consent to the processing or one of the statutory exceptions applies, for instance where the processing is necessary for the establishment, exercise, or defence of a legal claim, or where the processing relates to personal data which the data subject has manifestly made public. The processing of special categories of personal data is also permissible if:
- the processing is necessary for the purpose of preventive or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care systems and services, or pursuant to a contract with a health professional;
- the processing is necessary for carrying out the obligations and exercising the specific rights of the controller and/or of the data subject; or
- the processing is necessary for protecting the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent.
Where the controller uses the services of a processor, the controller must choose a processor which provides sufficient security and organizational measures to ensure the protection of personal data. In this respect, the controller and processor must enter into a written agreement under which the processor must act only on instructions given by the controller. The processor has the same obligations as the controller relating to the implementation of security and organizational measures to protect personal data from, among other things, unauthorized access or accidental loss of the data in the processor's control.
8. Data Subject Rights
The controller must inform the data subject of the specific categories of personal data that are being processed and the reason for the processing. The data subject has the right to know to whom their personal data has been and will be disclosed, and for how long the personal data will be stored. If it is not possible to determine how long the data will be stored, the data subject has the right to learn the criteria used to determine the retention period.
A data subject may ask the controller, free of charge, for confirmation as to whether the controller is processing personal data pertaining to them. If they do, the data subject is entitled to receive from the controller a copy of such data. The controller has one month to comply with the request. A data subject may also, at any time, object in writing to the processing of their personal data unless the controller can demonstrate that there are compelling grounds for the processing which will override the data subject's right.
In addition, the data subject has the right to request that the controller rectify any inaccurate personal data which the controller holds on the data subject. The data subject can also request the controller to erase personal data concerning them if, for example, the purpose for which the data were collected no longer exists, or the data subject withdraws the consent on which the processing is based and there are no other legal grounds for the processing. Unless the controller has compelling legitimate grounds for the processing, the data subject has the right to object to the processing in writing at any time.
Please see the section on the right to rectification above.
The data subject has the right to object at any time to the processing of personal data concerning them unless the controller has compelling legitimate grounds for the processing which override the data subject's interests, or the processing is required for the establishment, exercise, or defence of a legal claim.
The Act does not provide for data portability.
Under the Act, a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them. This prohibition does not apply where the decision is based on the data subject's explicit consent or in any other circumstances specified in the Act.
Automated processing of personal data intended to evaluate certain aspects relating to a data subject must not be based on special categories of personal data.
A data subject has the right to lodge a complaint with the DPC if they have concerns about the manner in which their personal data are being processed.
A breach of the Act constitutes, in certain cases, a criminal offence and, on conviction, the offender may be sentenced to a fine or a term of imprisonment.
Examples of acts or omissions which constitute a criminal offence under the Act include the following:
- failure, without lawful or reasonable excuse, to attend a hearing at the Office, or to produce a document when required to do so by the DPC. This will result in a fine not exceeding MUR 50,000 (approx. $1,100) and imprisonment for a term not exceeding two years;
- failure, without reasonable excuse, or refusal to comply with an enforcement notice issued by the DPC. This will result in a fine not exceeding MUR 50,000 (approx. $1,100) and imprisonment for a term not exceeding two years;
- knowingly providing information which is false or misleading at the time of registration. This will result in a fine not exceeding MUR 100,000 (approx. $2,205) and imprisonment for a term not exceeding five years; or
- processing personal data (including special categories of personal data) in breach of the Act. This will result in a fine not exceeding MUR 100,000 (approx. $2,205) and imprisonment for a term not exceeding five years.
Decision No. 15 (June 12, 2013): The DPC rejected the argument of the controller that the legal basis for the issuance of fidelity cards to customers was a contractual necessity, holding that a controller using contractual necessity as a legal basis cannot extend the application of that legal basis to justify the processing of personal data beyond what is necessary. The DPC held that the consent of the data subjects was required.
Decision No. 19 (May 16, 2014): Where an employee was dismissed from their employment because they refused to give their fingerprints for the recording of attendance, the DPC, referring to the decision in S. and Marper v. The United Kingdom  ECHR 1581, held that there was a breach of the 2004 Act because the employee did not consent to the employer collecting and processing their fingerprints and there was no legal basis for the employer to insist on the provision of fingerprints for attendance purposes.