Seychelles - Data Protection Overview
1. Data Protection Status
1.1 Proposed Data Protection Law
The key piece of legislation is the Data Protection Act 2002 (Act 9 of 2003) ('the Act'), which was enacted in 2003 to provide individuals with privacy rights regarding the processing of personal data. However, at the time of writing, the Act is not yet in force.
1.2 Current status and what needs to be done for it to come into force
The Act will come into operation on such date as notified by the Minister in the Official Gazette.
1.3 Implementation period (if known)
1.4 Constitutional provisions
As per Article 20(1)(b) of the Constitution of the Republic of Seychelles, every person has a right not to be subjected without their consent or an order of the Supreme Court, to the interception of the correspondence or other means of communication of that person either written, oral, or through any medium.
2. Key Definitions | Basic Concepts
2.1 Personal Data, Sensitive Data, Data Controller, Data Processor or equivalent terms
Personal Data: Data consisting of information which relates to a living individual who can be identified from that information or from other information in the possession of the data user, including any expression of opinion about the individual, excluding any indication of the intentions of the data user in respect of that individual.
Sensitive Data: This is not defined in the Act; however, the Minister may, by order published in the Official Gazette, modify or supplement the data protection principles, as provided by Section 3 of the Act, for the purpose of providing additional safeguards in relation to personal data consisting of information relating to a data subject's racial origin, political opinions, religious or other beliefs, physical or mental health or sexual life, or criminal convictions.
Data Controller: There is no definition of 'data controller' in the Act.
Data Processor: There is no definition of 'data processor' in the Act.
Data User: A person who holds data where:
- the data forms part of a collection of data processed, or intended to be processed, by or on behalf of that person;
- that person (either alone, jointly, or in conjunction with other persons) controls the contents and use of the data comprised in the collection; and
- the collection of data processed is in a form that will be further processed on a subsequent occasion.
Computer Bureau: A person carries on a computer bureau if he/she provides other persons with services in respect of data, either as an agent by processing data held by others, or by allowing other persons to use the equipment in his/her possession for the processing of data held by them.
3. Scope of Application
3.1 Who will the law/reg apply to?
When the Act comes into force, it will primarily apply to data subjects, data users, and 'persons carrying on a computer bureau'.
The Act does not apply to a data user in respect of data held, or to a person carrying on a computer bureau in respect of services provided outside Seychelles, nor does it apply to data processed wholly outside Seychelles unless the data is used or intended to be used in Seychelles. In circumstances where a person, who is not resident in Seychelles, controls or processes data through a servant or agent acting on his own account in Seychelles, the Act will apply.
3.2 What types of processing will be covered/exempted?
Under the Act, data processing means amending, augmenting, deleting, or re-arranging data, or extracting information constituting data. In the case of personal data, processing also means performing any of those operations by reference to the data subject; however, this does not apply to any operation performed only for the purpose of preparing the text of documents.
Note that personal data will be exempted from the Act's provisions regarding the regulation of data users and computer bureaux, where necessary to safeguard national security.
Additionally, personal data will be exempted from the Act's access provisions where:
- the information is held for:
- the prevention or detection of crime;
- the apprehension or prosecution of offenders; or
- the assessment or collection of any tax or duty;
- the information relates to the physical or mental health of the data subject;
- the information is held by government departments, voluntary organisations, or other bodies specified by order of the Minister, and is maintained for, or acquired in the course of, carrying out social work, and the Minister has by order exempted it from, or modified, the access provisions; such an exemption or modification is granted only where applying the access provisions to the data is likely to prejudice the carrying out of social work;
- the information is held for the purpose of discharging statutory functions, and applying the access provisions to the data is likely to prejudice the proper discharge of those functions. The functions concerned are those for protecting members of the public against financial loss due to dishonesty, incompetence, or malpractice by persons providing banking, insurance, investment, or other financial services, or engaged in the management of companies, or against the conduct of discharged and undischarged bankrupts;
- the data consists of information maintained by a government department for the purposes of making appointments and has been received from a third party;
- the data consists of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings; or
- the personal data is held by a data user for payrolls and accounts purposes only, or for domestic or other limited purposes.
4. Data Protection Authority | Regulatory Authority
4.1 Main regulator for data protection
Seychelles does not currently have a national data protection regulator; however, the Act provides for the establishment of the Data Protection Commissioner ('the Commissioner').
4.2 Main powers, duties and responsibilities
The Commissioner will be responsible for the maintenance of a registry comprising data users who hold personal data and persons carrying on a computer bureau providing services in respect of personal data, and the primary duty of the Commissioner will be to ensure that data protection principles are being properly observed by data users and persons carrying on a computer bureau.
When the Act comes into force, the Commissioner will be empowered to:
- serve enforcement notices on registered persons who have breached data protection principles;
- require that persons take measures within a certain time as specified in the notice, to comply with breached requirements;
- cancel any enforcement notice by written notification to the person on whom it was served; and
- serve a deregistration notice on a person who has breached or is in breach of any data protection principle, stating that the Commissioner proposes to remove from the register, at the expiry of the period specified in the notice, all or any of the particulars constituting the entry, or any of the entries, contained in the register with respect to that person.
4.3 Sanctioning powers
The Commissioner must consider the damage or distress endured or likely to be endured by any person due to that breach while deciding whether to serve an enforcement notice.
An enforcement notice in relation to a breach of the data protection principle 'data accuracy,' may direct a data user to rectify or erase the data and any other data held containing an expression of opinion which appears to be based on inaccurate data, or to take any steps necessary to comply with provisions of the Act or as directed in the notice.
The Commissioner must consider the damage or distress suffered, or likely to be suffered, by any person due to a breach of any of the data protection principles before serving a deregistration notice. Furthermore, the Commissioner must consider that compliance with the principle (or principles) in question cannot be adequately secured by the service of an enforcement notice.
Transfer prohibition notices
The Commissioner is empowered to serve a transfer prohibition notice if a data user intends to transfer personal data to a place outside Seychelles, and the Commissioner is satisfied that the transfer is likely to contravene or lead to a contravention of any data protection principle. The transfer prohibition notice may either prohibit the data user from transferring the data absolutely, or until he has taken steps (as specified in the notice), to protect the interests of the data subject(s) in question.
In deciding whether to serve a transfer prohibition notice, the Commissioner shall consider whether the notice is required for preventing damage or distress to any person and shall have regard to the general desirability of facilitating the free transfer of data between Seychelles and other countries.
When the Act comes into force, it will provide the following sanctions for non-compliance:
- a person guilty of an offence under any provision of the Act will be liable on conviction to a fine not exceeding SCR 20,000 (approx. €1,000); or
- a Court order providing that any material appearing to be connected with the commission of the offence, be forfeited, destroyed, or erased.
Where the offence has been committed by a body corporate and is proved to have been committed with the consent or involvement of, or to be attributable to any negligence on the part of, any director, manager, secretary, or similar officer of the body corporate, or any person purporting to act in any such capacity, both the individual and the body corporate shall be liable and the above sanctions may be imposed on each.
4.4 Issues which the regulator is to provide guidance/additional legislation
5. Controller and Processor Rights and Responsibilities
5.1 General incoming obligations (notification/registration with regulatory authorities, documentation, etc.)
Data controllers / data processors
Neither a 'data controller' nor a 'data processor' is specifically defined and their obligations would be the same as those imposed upon a data user under the Act. The main obligations of data users are enshrined in the eight data protection principles set out in the Act's schedule, detailed below:
- information contained in personal data and the data itself shall be obtained and processed fairly and lawfully;
- personal data shall be held only for one or more specified and lawful purposes;
- personal data held for any purpose(s) shall not be used or disclosed in any manner incompatible with the defined purpose(s);
- personal data held for any purposes(s) shall be adequate, relevant, and not excessive;
- personal data shall be accurate and, where necessary, kept up to date;
- personal data held for any purpose(s) shall not be kept for longer than is necessary for the defined purpose(s);
- an individual shall be entitled, at reasonable intervals and without undue delay or expense:
- to be informed by any data user whether he/she holds personal data relating to that individual;
- to have access to any such data held by a data user; and
- to have such data corrected or erased, where appropriate; and
- appropriate security measures shall be taken against unauthorised access to, alteration, disclosure, or destruction of personal data held by data users, or in respect of which services are provided by persons carrying on a computer bureau, and against accidental loss or destruction of such data.
The Act is silent on how the relationship between data controllers and data processors is to be governed by contract, and on the liabilities attached to such contracts. However, any agreement pertaining to the control or processing of data would, in the author's view, be enforceable as long as the provisions of the data transfer agreement do not contravene the principles of the Act and are in line with local laws and requirements.
Personal data may be transferred internationally provided that the data user has named the jurisdiction it will be transferring the data to in the data register, which will also contain descriptions of the data being held.
The Commissioner may issue a transfer prohibition notice where it is believed that the data transfer outside of Seychelles is likely to contravene or lead to a contravention of any data protection principle. Such a notice would prohibit the transfer absolutely or until the data user has taken steps, as specified in the notice, for protecting the data subject's interests in question.
6. Data Subject Rights
An individual has the right to be informed by a data user whether the latter holds their personal data and can request a copy of that data. The request shall be made in writing and accompanied by payment of a fee (not exceeding the prescribed maximum), and the data user shall comply with the request within 40 days of receiving it.
Furthermore, an individual whose personal data is held by a data user and who suffers damage by reason of the inaccuracy of the data, shall be entitled to compensation from the data user for that damage and/or any distress which the individual has suffered by reason of the inaccuracy.
The Act also provides for compensation for an individual whose personal data is held by a data user, or in respect of which services are provided by a person carrying on a computer bureau:
- who suffers damage by reason of the loss of the data;
- who suffers damage by reason of the destruction of the data without the authority of the data user or the person carrying on the computer bureau; or
- who suffers distress by reason of such disclosure, access, loss, or destruction of his/her personal data.
7. Data Protection Officer Appointment
8. Data Breach Notification
8.1 General obligation (yes/no)
No, the Act does not include a mandatory requirement to report data security breaches or losses to the Commissioner.
9. Sectoral Legislation
9.1 Financial Sector
9.1.1 Scope of application/key provisions
Central Bank of Seychelles Act, 2004
Under the Central Bank of Seychelles Act, 2004 (as amended) ('CBSA'), a member of the board of directors or an employee of the Central Bank of Seychelles ('CBS') shall not disclose to any person any confidential information relating to the affairs of the CBS acquired during the performance of his/her duties under the CBSA or any other law. Note that disclosure is authorised if required for the performance of his/her duties, or by law or court order.
Any person who fails to comply with the above shall be committing an offence and is liable, upon conviction, to pay a fine in the amount of SCR 20,000 (approx. €1,000) and to imprisonment for one year.
Anti-Money Laundering Act, 2006
The Anti-Money Laundering Act, 2006 ('AMLA') offers protection of identity and information. The AMLA does not allow the disclosure of any information that will identify or is likely to identify:
- any person who has handled a transaction in respect of which a suspicious transaction report has been made;
- any person who has prepared and made a suspicious transaction report; or
- any information contained therein.
However, exceptions apply where there is an investigation or prosecution of a person under the AMLA or any other legislation.
Financial Services Authority Act, 2013
The Financial Services Authority ('FSA'), under the Financial Services Authority Act, 2013 ('FSAA'), has a general power under Section 15 of the FSAA to request information in performing its duties and discharging its functions. In particular, the FSA may request from any person who carries on, or is connected with, a business providing financial services any information that the FSA may require, unless the requested information is subject to legal professional privilege.
The FSAA provides under Section 20(4) that protected information shall not be disclosed by the recipient of that information without the consent of the person from whom he/she obtained the information and, if different, the person to whom it relates.
Section 20 of the FSAA provides that protected information means the information which relates to the affairs of the FSA, or to the business or other affairs of any person and is acquired by:
- the FSA;
- a member of the board (including the Chief Executive Officer ('CEO'));
- an employee of the FSA;
- a person appointed as an examiner under Section 25 of the FSAA; and
- any other person acting under the authority of the FSA,
for the purposes of, or in the performance of his/her duties or functions under the FSAA, or any other financial services legislation, including any information obtained from a foreign regulatory authority or law enforcement authority.
Further, the FSA has the authority, under Section 22 of the FSAA, to issue guidelines concerning the disclosure of information under the FSAA.
Under Section 43(2) of the FSAA, any person who fails to comply with the above commits an offence punishable by a fine or by imprisonment for a term not exceeding two years. Furthermore, Section 43(6) of the FSAA provides that where the offence is committed by a body corporate, its directors, or any officers who knowingly authorised, permitted, or acquiesced in the commission of the offence, shall also be guilty of the offence.
International Business Companies Act 2016
Section 378 of the International Business Companies Act, 2016 ('IBCA') provides that the CEO of the FSA and each officer, employee, and agent of the FSA shall not disclose to a third party any information or documents obtained while performing their functions under the IBCA.
However, disclosure shall be allowed where it is required under the IBCA, any other legislation in Seychelles, order of the Court, where prior written consent was obtained, or where the information disclosed is in statistical form which does not identify any company or person.
Any person who knowingly or recklessly makes a false, misleading or deceptive statement, or withholds any information, the omission of which makes the information misleading or deceptive, commits an offence and shall be liable to pay a fine in the amount not exceeding SCR 10,000 (approx. €500) under Section 259 of the IBCA.
Insurance Act, 2008
Section 121(1) of the Insurance Act, 2008 ('the Insurance Act') provides that the CBS, or any of its employees or agents, shall not disclose any information or document obtained during the performance of its functions, unless required by the Insurance Act or any other legislation in Seychelles.
Furthermore, under Section 121(2) of the Insurance Act, no disclosure shall be made in respect of any licensed insurer or insurance professional or policyholder, unless written consent is obtained. In the event that information disclosed is in statistical form, or any other form that does not enable the identity of any licensed insurer or other insurance professional or any policy holder to which the information relates to be ascertained, disclosure under the Insurance Act shall not be prohibited.
9.1.2 Case Law
9.1.3 Presence of a regulator, its role/powers
9.1.4 Key definitions
9.1.5 Data retention
9.1.6 Breach notification
9.1.7 Data transfer restrictions
9.2 Health and Pharma Sector
9.2.1 Scope of application/key provisions
There are no specific laws, regulations, or case law precedents which deal with data protection in relation to the health and pharma sector in Seychelles.
9.2.2 Case Law
9.2.3 Presence of a regulator, its role/powers
9.2.4 Key definitions
9.2.5 Data retention
9.2.6 Breach notification
9.2.7 Data transfer restrictions
9.3 Telecommunications Sector
There are no specific laws, regulations, or case law precedents which deal with data protection in relation to the telecommunications sector in Seychelles. The Department of Information Communications Technology ('DICT') released, on 14 January 2020, the draft Communications Bill 2020 ('the Draft Bill') for public consultation which may replace the Broadcasting and Telecommunications Act 2000. The Draft Bill seeks to revise the law regulating the broadcasting and electronic communications in Seychelles and establish a Communications Regulatory Authority. The Draft Bill also provides for rules in relation to protection of data and privacy of end users.
9.3.1 Scope of application/key provisions
9.3.2 Case Law
9.3.3 Presence of a regulator, its role/powers
9.3.4 Key definitions
9.3.5 Data retention
9.3.6 Breach notification
9.3.7 Data transfer restrictions
10. Other Jurisdictional Issues
Section 68 of the Seychelles Employment Act 1995 requires every employer to keep a register of workers.
The register shall contain in respect of each worker the following information:
- the name, date of birth, national identity number and address;
- the occupation or previous occupation (if applicable);
- the date of engagement;
- the wages payable and any additional benefits or advantages;
- any disciplinary offences committed, the date thereof and the disciplinary measure taken, if any;
- any qualification attained by the worker during the employment of the worker under that employer; and
- such other particulars as may be prescribed.
Although the Act does not expressly address the register of workers, it is likely to apply to the gathering of information about workers for that purpose, since keeping the register involves the processing and use of personal data.
No data entry shall be retained in the data register after the expiration of the initial registration period except where a renewal application is made to the Commissioner.
A person applying for registration or renewal may specify an initial registration period or renewal period of less than five years, provided it consists of one or more complete years. Otherwise, the initial registration period, and the period for which an entry is retained following a renewal application, is five years beginning on the date the entry was made or, in the case of a renewal, on the date the entry would have been removed had the application not been made.