
Seychelles - Data Protection Overview

July 2024

1. Governing Texts

The key piece of legislation is the Data Protection Act, 2023 (the Act) which was enacted in 2023 to provide individuals with privacy rights regarding the processing of personal data.

The Act has been in force since December 22, 2023.

1.1. Key acts, regulations, directives, bills

As per Article 20(1)(b) of the Constitution of the Republic of Seychelles, every person has a right not to be subjected without their consent or an order of the Supreme Court of Seychelles (the Supreme Court), to the interception of the correspondence or other means of communication of that person either written, oral, or through any medium.

1.2. Guidelines

There are no guidelines pertaining to the data protection laws of Seychelles.

1.3. Case law

There is no case law in relation to the data protection laws of Seychelles.

2. Scope of Application

2.1. Personal scope

The Act applies to the processing of data by automatic or semi-automatic means, and to the processing of data by non-automatic means within Seychelles where the data forms part of a filing system, whether the filing system is managed by a private or a public data controller.

The Act does not apply to the processing of personal data by relevant authorities in the course of a criminal investigation, matters that pertain to national security, and the processing of personal data by a natural person for personal activity.

In circumstances where a person, who is not resident in Seychelles, controls or processes data through a servant or agent acting on their own account in Seychelles, the Act will apply.

2.2. Territorial scope

The Act does not apply to a data user with respect to data held in respect of services provided outside of Seychelles. The Act also does not apply to data processed wholly outside Seychelles unless the data is used or intended to be used in Seychelles.

2.3. Material scope

Under the Act, 'processing' means any operation involving collection, recording, structuring, storage, adaptation, alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure, or destruction. The Act defines 'personal data' as any information relating to an identified or identifiable natural person.

Processing of personal data relating to criminal convictions and offenses or related security measures based on the principles for lawful processing under the Act must be carried out only under the control of official authority or when the processing is authorized by law providing for appropriate safeguards for the rights and freedoms of a data subject.

Every data controller and data processor must adhere to the principles under the Act for processing data quality, purpose limitation, use, and further disclosure limitation, transparency, data subject participation, proportionality, and accountability.

Personal data processed must be kept to the minimum necessary to meet the purposes specified by the data controller. Every data controller must disclose the specific purpose or purposes of the processing, and any disclosure to third parties must be compatible with those purposes unless an additional legal basis for the disclosure is established.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The main national data protection regulator for Seychelles is the Information Commission of Seychelles (the Commission) established under the Act as the competent authority to enforce and implement the Act.

3.2. Main powers, duties and responsibilities

The Commission is responsible for enforcing and implementing the Act and appoints its own officers and staff. To facilitate the implementation of the Act, the Commission must issue guidelines after consulting relevant public and private sector stakeholders. The Commission has the power to investigate and audit complaints received from any person in relation to offenses under the Act.

The powers and duties of the Commission under the Act include, among others:

  • enforcing the Act and any related regulations;
  • promoting public awareness;
  • handling complaints from data subjects;
  • conducting investigations;
  • imposing fines; and
  • performing such other functions as may be conferred upon it under any other written law.

More specifically, the Commission must:

  • issue and adopt rules and procedures, to allow it to exercise its functions under the Act, and amend such rules of procedures as appropriate;
  • determine the nature, process, and undertakings necessary to enable the Commission to discharge its mandate under the Act, including all work necessary for the promotion, monitoring, and protection of personal data and the rights conferred under the Act;
  • promote awareness of data controllers and data processors of their obligations under the Act;
  • promote self-regulation among data controllers and data processors including encouraging the establishment of data protection certification mechanisms and of data protection seals and marks, approve the criteria of certification, and where applicable, carry out a periodic review of certifications issued;
  • exercise control over all data processing operations, either on its own initiative or at the request of a data subject, and verify whether the processing of data is done in accordance with the Act;
  • promote public awareness, including to minors and the youth, on the risks, rules, safeguards and rights in relation to processing personal data, and in general to familiarize the general public with the provisions of the Act;
  • provide information to data subjects on the exercise of their rights and remedies under the Act;
  • advise other public institutions on measures and tools to protect personal data;
  • issue, on the Commission's own initiative or on request, opinions to the National Assembly or the Government, on any issue related to the protection of personal data;
  • undertake research and monitor relevant developments that can impact the protection of personal data, in particular, the development of information and communication technologies and commercial practices;
  • examine any proposal for automated decision-making or data linkage that may involve an interference with, or may otherwise have an adverse effect on the privacy of individuals, and ensure that any adverse effect of the proposal on the privacy of individuals is minimized; and
  • cooperate with supervisory authorities of other countries, to the extent necessary for the performance of its duties under the Act, in particular by exchanging relevant information in accordance with the laws and regulations of Seychelles.

In addition to the above, the Commission has the power to:

  • issue reprimands to a data controller or data processor where processing operations have infringed provisions of the Act;
  • order the data controller or data processor to comply with the data subject's requests to exercise their rights under the Act;
  • order the data controller to communicate a personal data breach to the data subject;
  • impose a temporary or definitive limitation including a ban on processing;
  • order the rectification or erasure of personal data or restriction of processing and the notification of such actions to recipients to whom the personal data have been disclosed;
  • impose an administrative fine in addition to, or instead of measures referred to in this section, depending on the circumstances of each individual case; and
  • order the suspension of data flows to a recipient in another country or to an international organization.

Enforcement notices

The power of the Commission includes the power to investigate complaints or information that an offense may have been, is being, or is about to be, committed under the Act. The designated officers shall have the right to obtain the information needed to carry out their duties and notify the data controller or data processor of the alleged infringement. If the Commission has information or receives a complaint that a data processor or data controller is contravening the Act, the Commission may, following an investigation or audit, serve that person with a written enforcement notice requiring them to take, within such time as is specified in the notice, such steps as are specified for securing compliance with the Act.

An enforcement notice must:

  • state the provision of the Act that has been, is being, or is likely to be or to have been contravened;
  • specify the measures that must be taken to remedy or eliminate the situation that may cause the contravention to arise;
  • specify a period, which must not be less than 21 days, within which those measures must be implemented; and
  • state that a right of appeal against the enforcement notice is available and that, if such an appeal is brought, the measures need not be taken pending the determination or withdrawal of the appeal.

Deregistration notices

The Commission may cancel an enforcement notice by written notification to the person on whom it was served, providing the reasons for the cancellation of the enforcement notice.

Transfer prohibition notices

Not applicable.

4. Key Definitions

Data controller: An individual or legal entity which alone, or jointly with others, determines the purposes and means of processing personal data and has decision making power with respect to the processing.

Data processor: Any natural or legal person who processes personal data for or on behalf of a data controller.

Personal data: Any information relating to an identified or identifiable natural person.

Sensitive data: Personal data related to the most private areas of the data subject's life, or whose misuse might lead to discrimination or involve a serious risk for the data subject.

Health data: There is no definition of 'health data' in the Act.

Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person.

Pseudonymization: There is no definition of 'pseudonymization' in the Act.

Data subject: Any natural person whose personal data is being collected, processed, stored, or further distributed.

Traffic data: Any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication's origin, destination, route, time, date, size, duration, or type of underlying service.

5. Legal Bases

Section 15(2) of the Act provides the legal bases for processing personal data.

5.1. Consent

Personal data must only be processed with the explicit consent of the data subject, obtained in an informed and freely given manner. When consolidating data from multiple sources, data controllers must adopt a layered consent approach, allowing data subjects to select which categories of data and which specific purposes they consent to. This approach does not apply where restricting data items would hinder the intended processing purposes or where different categories of information complement each other to enhance data quality.

Data subjects retain the right to withdraw their consent at any time, as prescribed. Data controllers are obligated to maintain evidence of consent for the processing of personal data. Where consent is not the legal basis for processing, data controllers must still provide sufficient information to data subjects about the processing activities. Where data is not obtained directly from the data subject, the data controller must inform the data subject about the processing of the data by a third party, and such data must remain confidential in compliance with the law.

In certain circumstances, personal information may be collected, used, or disclosed without the knowledge and consent of the individual in order to protect the vital interests of the data subject or of another individual.

Processing the personal data of children under 18 years of age requires consent from their parent or legal guardian, or verification of such consent if obtained from third parties, using appropriate technological means as available.

5.2. Contract with the data subject

Personal data may be processed when necessary to perform contractual obligations between the data controller and the data subject.

5.3. Legal obligations

Personal data may be processed if a specific law requires the processing of personal data by the data controller in order to comply with its provisions.

5.4. Interests of the data subject

Personal data may be processed if it is necessary to protect the vital interests of the data subject or of another natural person. Further, personal data may be processed when such processing is necessary for the administration of justice, or for a public function in a state of emergency, when the processing is conducted for the benefit of the data subject.

5.5. Public interest

Personal data may be processed if the processing is conducted in the context of the public interest and within a legal framework in support of such public interest.

Retention of personal data is lawful where it is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, or for the establishment, exercise, or defense of legal claims. Processing of personal data relating to race, ethnic origin, biometrics, genetics, political opinions, religious or philosophical beliefs, or concerning a person's health or sex life is not prohibited where it is necessary for:

• reasons of substantial public interest, on the basis of Seychelles law;
• reasons of public interest in the area of public health, to protect against cross-border threats to health or to ensure high standards of quality and safety of health care and of medicinal products or medical devices; and
• archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

5.6. Legitimate interests of the data controller

Personal data may be processed for the legitimate interests of the data controller or of a third party.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Every data controller and data processor must adhere to the principles under the Act for processing: data quality, purpose limitation, use and further disclosure limitation, transparency, data subject participation, proportionality, and accountability (Section 15(1) of the Act).

7. Controller and Processor Obligations

The Act obliges data controllers and data processors to make publicly available the types of information in their custody, and to adopt a privacy policy that provides a detailed and accurate representation of the entity's data processing and data transfer activities. Entities engaging in high-risk data processing activities are required to conduct data protection impact assessments (DPIAs). The Act also mandates prompt reporting of data breaches to the Commission and to affected individuals. Certain organizations, depending on their size and the nature of their data processing, are obligated to appoint a data protection officer (DPO) under the Act.

7.1. Data processing notification

The powers and duties of the Commission include exercising control over all data processing operations, either on its own initiative or at the request of a data subject, and verifying whether the processing of data is done in accordance with the Act.

Data controllers and data processors bear responsibility for the processing of personal data and must ensure accountability for their activities. They are required to implement measures that ensure data protection, including privacy by design principles and security measures. Data controllers are obligated to maintain comprehensive documentation and records of all data processing activities, and to formalize contractual agreements with data processors and third-party service providers involved in outsourcing that involves access to or processing of personal data.

7.2. Data transfers

Part VII of the Act governs the transfer of personal data to third parties, in particular cross-border data flows. It mandates that personal data cannot be transferred outside Seychelles unless the recipient country or territory guarantees a level of protection for the rights and freedoms of data subjects comparable to that ensured within Seychelles. The Commission determines this comparability based on factors such as the nature of the data, its intended purposes and the duration of processing, the legal framework in the destination country, any applicable cross-border privacy rules, and relevant international data protection agreements. Special categories of personal data concerning Seychellois citizens require specific conditions for processing, including accountability by a designated data controller in Seychelles for cross-border transfers, for intra-group transfers where the headquarters is outside Seychelles, and for providing data subjects with comprehensive information about data processing locations as per statutory requirements. Additionally, the Commission is empowered to regulate transfers through specified circumstances and restrictions, authorizing transfers only under a certified cross-border privacy rules system that enforces legal standards on data controllers and processors and ensures proportional security measures, and it may prohibit transfers where necessary in the public interest.

7.3. Data processing records

Each data controller must maintain a detailed record of all processing activities under its responsibility. If a DPO has been appointed by either the controller or the processor, the officer must be promptly notified of any updates, additions, or removals to this record. The controller's record must include the controller's name and contact details and, where applicable, those of any joint controllers or DPO, together with the purposes of the processing, categories of recipients, descriptions of data subjects and their data, details on profiling, data transfers, legal bases for processing, expected data retention periods, and an outline of the technical and organizational security measures. Similarly, each data processor must maintain a record of the processing activities performed on behalf of a data controller, including the processor's own contact details and those of any sub-processors, the controller's details, the processing activities conducted, data transfers as instructed by the controller, and the security measures adopted. Both the data controller and the data processor are obligated to provide these records to the Commission upon request.

7.4. Data protection impact assessment

Where processing is likely to pose a high risk to individuals' rights and freedoms, the data controller must conduct a DPIA before commencing such processing. A single assessment can cover a series of similar processing activities presenting comparable high risks. Situations requiring an assessment include automated decision-making with legal or similarly significant effects, extensive processing of sensitive data types, large-scale monitoring of public areas, or any other circumstances specified by the Commission. The assessment involves outlining the processing operations, their purposes, and the legitimate interests pursued; evaluating the risks to data subjects' rights; proposing mitigating measures; and detailing the safeguards and security measures that ensure compliance with data protection law, taking into account the rights and interests of those affected. The data controller determines whether processing is high-risk based on factors such as the nature, scope, context, and purposes of the processing.

7.5. Data protection officer appointment

The data controller must appoint a DPO under two main conditions: first, when its core activities involve large-scale and systematic monitoring of data subjects, or second, when its core activities involve large-scale processing of the special categories of data specified under the Act. For activities not falling under these categories, the data controller may still appoint a DPO, subject to the same regulatory requirements as those specified for officers designated under the aforementioned conditions. When appointing a DPO, the data controller must consider the professional qualifications of the candidate, in particular their expertise in data protection law and practice, and their capability to perform the required tasks. The same individual may serve as DPO for multiple data controllers, taking into account the organizational structure and size of each entity.

The DPO is responsible for overseeing adherence to the data controller's policies concerning the protection of personal data and for ensuring compliance with the provisions of the Act. The DPO also serves as the primary liaison with the Commission on processing issues, including consultations, investigations, audits, and other matters deemed relevant by the Commission under data protection law. Furthermore, the DPO functions as the central point of contact for data subjects' complaints and is tasked with establishing effective mechanisms for managing and resolving disputes.

7.6. Data breach notification

In the event of a personal data breach, the data controller must notify the Commission within 72 hours of becoming aware of the breach; if the notification is made later than that, it must explain the reasons for the delay. The notification must describe the nature of the breach, including the categories and approximate number of affected data subjects and records, provide contact information for further inquiries, outline the likely consequences of the breach, and describe the measures taken or planned to address it and to mitigate potential harm. The data controller is required to document breach information systematically to facilitate investigation, covering the details of the breach, its impact, and the remedial actions taken. Both the data controller and the data processor are obligated to cooperate with the Commission and other relevant authorities in investigating any data breach.

7.7. Data retention

Personal data must be retained only for the duration necessary to fulfill the purpose of its processing, after which it must be anonymized, archived, or, if necessary, deleted from the database. Data controllers are required to implement procedures and mechanisms that ensure anonymization after the retention period, employing techniques such as data masking, pseudonymization, encryption, or removal of identifiable information. Extended retention of personal data is permissible under certain conditions: to uphold freedom of expression and information, to comply with legal obligations, to execute tasks in the public interest, to manage public health issues, to support archival, scientific, historical research, or statistical purposes, or for legal claims. The Minister may prescribe specific data retention periods for various purposes, in line with the legislation of Seychelles.
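The retention paragraph names the techniques (masking, pseudonymization, removal of identifiers) but not how a controller would apply them once a record passes its retention period. The following is an added example written for this overview, not code from the Act, the Commission, or any Seychelles controller. It assumes a hypothetical record layout (id, purpose, created_at, subject_id, email, notes), a constructed retention table, and a constructed pseudonymization key. It shows a retention sweep that leaves unexpired records untouched and, for expired ones, replaces the direct identifier with a keyed hash, masks the email address, and drops free text. The practitioner's caveat is built in: a keyed hash is pseudonymization, not anonymization, because whoever holds the key can re-identify the subject, so the record is only anonymized once the key is destroyed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Assumption: the pseudonymization key is fetched from a KMS/HSM in practice.
# This constructed key is for illustration only. While the key exists, the
# output is pseudonymized (re-identifiable by the key holder), not anonymized.
PSEUDONYM_KEY = b"constructed-example-key-do-not-use"

# Constructed retention table keyed by processing purpose (hypothetical values).
RETENTION = {
    "support_ticket": timedelta(days=365),
    "marketing_lead": timedelta(days=180),
}

# Constructed sample records; timestamps are ISO 8601, naive local time.
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "support_ticket", "created_at": "2023-01-15T10:00:00",
     "subject_id": "subj-001", "email": "alice@example.com",
     "notes": "Called about invoice, mentioned her home address."},
    {"id": 2, "purpose": "marketing_lead", "created_at": "2024-05-01T09:30:00",
     "subject_id": "subj-002", "email": "bob@example.org", "notes": "Webinar signup."},
    {"id": 3, "purpose": "marketing_lead", "created_at": "2023-12-01T08:00:00",
     "subject_id": "subj-001", "email": "alice@example.com", "notes": "Trade show scan."},
]


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    Deterministic, so the same subject maps to the same reference across
    records (statistics stay possible), but not reversible without the key.
    A plain unkeyed hash would be guessable for low-entropy identifiers.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain: a***@example.com."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "***"
    return f"{local[0]}***@{domain}"


def is_expired(record: dict, now: datetime) -> bool:
    """True when the record is older than the retention period for its purpose."""
    created = datetime.fromisoformat(record["created_at"])
    return now - created > RETENTION[record["purpose"]]


def apply_retention(records: list, now: datetime) -> list:
    """Return a copy of the records with expired ones de-identified in place.

    Unexpired records are returned unchanged. Expired records keep only the
    fields needed for aggregate reporting; the direct identifier is replaced
    by a keyed pseudonym, the email is masked, and free text is removed
    because it cannot be reliably de-identified by masking.
    """
    result = []
    for rec in records:
        if not is_expired(rec, now):
            result.append(dict(rec))
            continue
        result.append({
            "id": rec["id"],
            "purpose": rec["purpose"],
            "created_at": rec["created_at"],
            "subject_ref": pseudonymize(rec["subject_id"]),
            "email": mask_email(rec["email"]),
            "notes": None,
            "retention_state": "pseudonymized",
        })
    return result


if __name__ == "__main__":
    for row in apply_retention(SAMPLE_RECORDS, datetime(2024, 7, 1)):
        print(row)
```

Usage note: run the sweep as a scheduled job and log which record ids were de-identified and when, since the Act expects controllers to document retention handling. To move from pseudonymized to anonymized data at the end of the retention lifecycle, destroy the key (or rotate to a key that is never stored); until then, treat the output as personal data.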

    7.8. Children's data

    Personal data of a child under 18 years of age must not be processed without the consent of their parent or legal guardian. The data controller must seek consent directly from parents or legal guardians, or verify such consent if data is acquired from third parties, using appropriate technological means as available.

    7.9. Special categories of personal data

    The Act includes specific provision for special categories of personal data and allows amendments or enhance data protection principles to provide additional safeguards in relation to personal data comprising information regarding a data subject's:

    • race;
    • political opinions or religious or other beliefs;
    • physical or mental health or sexual life; and
    • criminal convictions.

    However, these do not apply in the following circumstances:

    • the data subject has given explicit consent to the processing of that personal data for one or more specified purposes, unless the law otherwise provides that the prohibition under that subsection may not be lifted by the data subject;
    • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment and social security and social protection law;
    • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
    • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside that body without the consent of the data subject;
    • processing relates to personal data which is manifestly made public by the data subject;
    • processing is necessary for the establishment, exercise or defense of legal claims or whenever courts request it, acting in their judicial capacity;
    • processing is necessary for reasons of substantial public interest, on the basis of Seychelles law;
    • processing is necessary for the purposes of medical diagnosis, preventive or occupational medicine, for the assessment of the working capacity of the employee, the provision of health or social care or treatment, or the management of health or social care systems and services;
    • processing is necessary for reasons of public interest in the area of public health, to protect against cross-border threats to health, or to ensure high standards of quality and safety of health care and of medicinal products or medical devices;
    • processing is necessary for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes; or
    • processing is necessary to cover data relating to misconduct or inadequate behavior.

    7.10. Controller and processor contracts

    The processing activities of a data processor must be governed by a written contract with the data controller, specifying the subject matter and duration of the processing, the nature, and purpose of processing, types of personal data, and categories of data subjects involved, as well as the obligations and rights of both parties. The contract must ensure that the data processor, acts solely on instructions from the data controller, maintains confidentiality obligations for personnel handling personal data, assists the data controller in fulfilling data subject rights, upon conclusion of services, either deletes or returns the relevant personal data to the data controller and deletes any copies, unless legally required to retain them, provides necessary information to demonstrate compliance; and adheres to the contract terms when engaging other data processors. Additionally, the contract should stipulate that the data processor may transfer personal data to a third country or international organization only upon instruction from the data controller. If a data processor improperly determines the purposes and methods of processing, they are treated as a data controller. A data processor is considered a data controller if they interact with data subjects in their own capacity without disclosing, that they are acting on behalf of a data controller, even if a contract designates them as a data processor. Furthermore, any person with access to personal data under the authority of a data controller or processor may only process data as instructed or to meet legal obligations, and a data processor may retain blocked personal data as per specified regulations during their ongoing liability after their relationship with the data controller ends.

    8. Data Subject Rights

    Individuals can exercise rights such as access, rectification, deletion, blocking, opposition, and data portability either personally or through a legal representative, ensuring control over their personal information. Data controllers are mandated to provide information in clear, plain language and accessible formats, including electronically. They must facilitate data portability through application programming interfaces (APIs) for third-party access and verify the identity of requesters when necessary. Provision of information is generally free, though fees may apply to unfounded or excessive requests. Data subjects have the right to lodge complaints with the Commission for perceived breaches, with the Commission obligated to inform complainants about case progress and potential judicial remedies. Regulatory oversight under Ministerial regulations further safeguards data subjects' rights, setting limits on fees and outlining compliance timelines to enhance data protection practices rests of the data subject. 

    8.1. Right to be informed

    The Act requires data controllers and processors to make all the information in their custody publicly available and develop a privacy policy that provides a detailed and accurate representation of the entity's data processing and data transfer activities.

    The data controller must, for the purpose of enabling the exercise of a data subject's rights under the Act, give the data subject the following :

    • information about the legal basis for the processing;
    • information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;
    • where applicable, information about the categories of recipients of the personal data, including recipients in other countries or international organizations; and
    • such further information as may be necessary to enable the exercise of the data subject's rights.

    8.2. Right to access

    Under the Act, data subjects possess comprehensive rights regarding their personal data. They have the right to obtain confirmation from a data controller about whether their personal data is being processed, as well as access to the specific personal data being processed, including its origin and recipients, both domestically and internationally. Additionally, data subjects can request a list of recent data recipients and details on the purposes and legal basis for data processing, categories of personal data involved, and storage duration criteria. They also have rights to rectify or erase personal data, restrict processing, object to processing under legitimate circumstances, and request data portability mechanisms. The data controller may restrict information provision under specified conditions to safeguard official inquiries, public security, or the rights of others, informing the data subject promptly and providing avenues for recourse to the Commission or through judicial channels as outlined in the Act.

    8.3. Right to rectification

    The data subject has the right to request correction of their personal data if it is inaccurate, incomplete, or not current. Upon receiving such a request, the data controller must assess it and provide justification if they disagree with the correction. If the data subject remains dissatisfied with the explanation, they have the option to lodge a complaint with the Commission. Once the data is corrected, the data controller is obligated to inform the data subject of the correction and notify all other parties who accessed the data in the six months preceding the correction request receipt by the data controller.

    8.4. Right to erasure

    The data controller must promptly delete personal data under several circumstances: firstly, if processing the data would violate the data subject's right to be informed, right to access data, or right of rectification or correction; secondly, if there is a legal obligation requiring the data's deletion. In cases where the data would otherwise need to be erased but must be retained for evidentiary purposes, the data controller is required to restrict its processing. Similarly, if a data subject disputes the accuracy of their personal data and its accuracy cannot be verified, the data controller must also restrict its processing. These actions, whether initiated by a data subject's request or not, align with the provisions of the Act aimed at safeguarding personal data.

    8.5. Right to object/opt-out

    The data subject has the right to restrict or halt the processing of their personal data by a data controller under specific conditions. Firstly, when the processing has fulfilled its purpose and further processing is unnecessary. Secondly, when the processing is based on a legal ground that is no longer valid. Thirdly, when the processing violates legal provisions. Additionally, the Minister, in consultation with the Commission, may establish regulations to implement measures ensuring the protection of data subjects' rights, freedoms, and legitimate interests in cases involving significant decisions made solely through automated processing.

    8.6. Right to data portability

    The data subject is entitled to:

    • request from the data controller access to personal data in a structured, machine-readable, and interoperable format; or
    • transfer personal data from one data controller to another.

    Data controllers must design systems for processing personal data that facilitate the exercise of data portability rights by the data subject. The Commission is tasked with providing guidance on the types of personal data that can be requested, the necessary security measures for infrastructure enabling data portability, and the compatibility of data formats.

    Additionally, the Commission will approve consent mechanisms and features applicable to data portability scenarios.

    8.7. Right not to be subject to automated decision-making

    Not applicable.

    8.8. Other rights

    Compensation for loss or unauthorized disclosure

    Any individual who suffers material or non-material harm due to a violation of the Act has the right to seek compensation from the data controller or data processor responsible for the damage incurred. A data controller involved in processing is liable for any harm resulting from processing activities that breach the Act. Meanwhile, a data processor bears liability if it fails to adhere to obligations specifically designated for processors or acts contrary to lawful instructions from the data controller. Exemption from liability is possible if the data controller or processor proves they are not responsible for the incident causing the damage. In cases where multiple controllers or processors are involved in the same processing and are jointly responsible for the harm, each party is liable for the entire compensation owed to the data subject. Should a controller or processor pay compensation under these circumstances, they are entitled to seek reimbursement from other parties involved based on their respective shares of responsibility. Legal actions to claim compensation must be pursued in the appropriate courts in Seychelles.

    9. Penalties

    The Act prohibits the unlawful disclosure of personal data in various contexts. Firstly, it specifies that a data controller commits an offense if they disclose personal data without lawful justification and in a manner incompatible with the original collection purpose. Similarly, a data processor violates the law if they disclose personal data processed without the prior authorization of the data controller. Additionally, any person who accesses or discloses personal data without authorization from the respective data controller or processor also commits an offense, unless acting within the scope of their employment or agency with the data handler. Furthermore, offering to sell personal data obtained through unlawful means constitutes an offense.

    The Act also addresses obstruction of the Commission or its authorized representatives in carrying out their duties, imposing penalties for such actions. It establishes penalties for offenses not specifically addressed elsewhere in the Act, including fines not exceeding SCR 200,000 (approx. $14,491) and potential imprisonment. The imposition of administrative fines for violations is outlined to ensure they are effective, proportionate, and dissuasive, considering factors such as the nature and severity of the infringement, measures taken to mitigate harm, and previous compliance history. The Act empowers the Commission to enforce penalties, ensuring procedural safeguards and judicial remedies are in place for due process.

    Infringements of the obligations of the data controller and the data processor under the Act shall be subject to administrative fines up to SCR 200,000 (approx. $14,491).

    Infringements of the following provisions of the Act shall be subject to administrative fines up to SCR 200,000 (approx. $14,491):

    • the basic principles for processing, including conditions for consent;
    • the data subjects' rights;
    • the transfers of personal data to a recipient in a third country or an international organization;
    • non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows; or
    • failure to provide access to the Commission during its investigations and audits.

    In addition to any penalty of conviction to imprisonment not exceeding two years and fines as may be provided under the Act, the Court may:

    • order the forfeiture of any equipment or any article used or connected in any way with the commission of the offense; or
    • order or prohibit the doing of any act to stop a continuing contravention.

    9.1. Enforcement decisions

    Not applicable.