Seychelles - Data Protection Overview
1. Governing Texts
The key piece of legislation is the Data Protection Act 2002 (Act 9 of 2003) ('the Act') which was enacted in 2003 to provide individuals with privacy rights regarding the processing of personal data; however, at the time of writing, the Act is not yet in force.
The Act will enter into force on such date as notified by the Minister in the Official Gazette.
As per Article 20(1)(b) of the Constitution of the Republic of Seychelles, every person has a right not to be subjected, without their consent or an order of the Supreme Court, to the interception of the correspondence or other means of communication of that person, whether written, oral, or through any medium.
There are no guidelines pertaining to the data protection laws of Seychelles.
1.3. Case law
There is no case law in relation to the data protection laws of Seychelles.
2. Scope of Application
When the Act comes into force, it will primarily apply to data subjects, data users, and 'persons carrying on a computer bureau'.
The Act does not apply to a data user in respect of data held, or to a person carrying on a computer bureau in respect of services provided outside Seychelles, nor does it apply to data processed wholly outside Seychelles unless the data is used or intended to be used in Seychelles. In circumstances where a person, who is not resident in Seychelles, controls or processes data through a servant or agent acting on his own account in Seychelles, the Act will apply.
The Act does not apply to a data user in respect to data held or to a person carrying on a computer bureau in respect of services provided outside of Seychelles. The Act also does not apply to data processed wholly outside Seychelles unless the data is used or intended to be used in Seychelles.
Under the Act, data processing means amending, augmenting, deleting or re-arranging data, or extracting information constituting data. In cases of personal data, processing also means performing any of those operations by reference to the data subject; however, this will not apply to any operation performed only for the purpose of preparing the text of documents.
Note that personal data will be exempted from the Act's provisions regarding the regulation of data users and computer bureaus, where necessary to safeguard national security.
Additionally, personal data will be exempted from the Act's access provisions if:
- the information is held for:
  - the prevention or detection of crime;
  - the apprehension or prosecution of offenders; or
  - the assessment or collection of any tax or duty;
- the information is necessary for the physical or mental health of a data subject;
- the information is modified (by order from the Minister) where the information is held by government departments, voluntary organisations, or other bodies as specified and deemed to be maintained for or acquired while undertaking social work. The exemption or modification is granted only if the application of the provisions to the data is likely to prejudice the undertaking of social work activities;
- the information is held for the purpose of discharging statutory functions and the application of those provisions to the data is likely to prejudice the fulfilment of these functions. These functions encompass the protection of members of the public against financial loss due to dishonesty, incompetence, or malpractice by persons providing services in the banking, insurance, investment, or other financial services sector (the same also applies in the management of companies, or to the conduct of discharged and undischarged bankruptcies);
- the data consists of information maintained by a government department for the purposes of making appointments and has been received from a third party;
- the data consists of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings; or
- the personal data is held by a data user for payrolls and accounts purposes only, or for domestic or other limited purposes.
3.1. Main regulator for data protection
Seychelles does not currently have a national data protection regulator; however, the Act provides for the establishment of the Data Protection Commissioner ('the Commissioner').
3.2. Main powers, duties and responsibilities
The Commissioner will be responsible for the maintenance of a registry comprising data users who hold personal data and persons carrying on a computer bureau providing services in respect of personal data, and the primary duty of the Commissioner will be to ensure that data protection principles are being properly observed by data users and persons carrying on a computer bureau.
When the Act comes into force, the Commissioner will be empowered to:
- serve enforcement notices on registered persons who have breached data protection principles;
- require that persons take measures within a certain time as specified in the notice, to comply with breached requirements;
- cancel any enforcement notice by written notification to the person on whom it was served; and
- serve a deregistration notice to persons who have breached or are in breach of any data protection principle or propose to remove the person from the register at the expiration of a period as mentioned in the notice, all or any of the particulars constituting the entry or any of the entries contained in the register with respect to that person.
The Commissioner must consider the damage or distress endured or likely to be endured by any person due to that breach while deciding whether to serve an enforcement notice.
An enforcement notice in relation to a breach of the data protection principle 'data accuracy' may direct a data user to rectify or erase the data and any other data held containing an expression of opinion which appears to be based on inaccurate data, or to take any steps necessary to comply with provisions of the Act or as directed in the notice.
The Commissioner must consider the damage or distress suffered, or likely to be suffered, by any person due to a breach of any of the data protection principles before serving a deregistration notice. Furthermore, the Commissioner must consider whether compliance with the principle(s) in question cannot be adequately secured by the service of an enforcement notice.
Transfer prohibition notices
The Commissioner is empowered to serve a transfer prohibition notice if a data user intends to transfer personal data to a place outside Seychelles, and the Commissioner is satisfied that the transfer is likely to contravene or lead to a contravention of any data protection principle. The transfer prohibition notice may either prohibit the data user from transferring the data absolutely, or until he has taken steps (as specified in the notice) to protect the interests of the data subject(s) in question.
In deciding whether to serve a transfer prohibition notice, the Commissioner shall consider whether the notice is required for preventing damage or distress to any person and shall have regard to the general desirability of facilitating the free transfer of data between Seychelles and other countries.
When the Act comes into force, it will provide the following sanctions for non-compliance:
- a person guilty of an offence under any provision of the Act will be liable on conviction to a fine not exceeding SCR 20,000 (approx. €1,000); or
- a Court order providing that any material appearing to be connected with the commission of the offence, be forfeited, destroyed, or erased.
Where the offence has been committed by a corporate body and is proved to have been committed with the consent, involvement of, or attributable to any negligence on the part of, any director, manager, secretary, or similar officer of the body corporate or any person who was purporting to act in any such capacity, both the individual and the body corporate, shall be liable and the above sanctions imposed.
4. Key Definitions
Personal data: Data consisting of information which relates to a living individual who can be identified from that information or from other information in the possession of the data user, including any expression of opinion about the individual, excluding any indication of the intentions of the data user in respect of that individual.
Sensitive data: This is not defined in the Act; however, the Minister may, by order published in the Official Gazette, modify or supplement the data protection principles, as provided by Section 3 of the Act, for the purpose of providing additional safeguards in relation to personal data consisting of information relating to a data subject's racial origin, political opinions, religious or other beliefs, physical and mental health or sexual life, or criminal convictions.
Data subject: An individual who is the subject of personal data.
The Act defines a 'data user' as a person who holds data where:
- the data forms part of a collection of data processed, or intended to be processed, by or on behalf of that person;
- that person (either alone, jointly, or in conjunction with other persons) controls the contents and use of the data comprised in the collection; and
- the collection of data processed is in a form that will be further processed on a subsequent occasion.
Computer Bureau: A person carries on a computer bureau if he/she provides other persons with services in respect of data, either as an agent by processing data held by others, or by allowing other persons to use the equipment in his possession, for the processing of data held by them.
5. Legal Bases
Under the Act, data processing means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data. Data processing in respect of personal data means performing any of the above operations by reference to a specific data subject. The Act excludes any operation performed for the purpose of preparing the text of documents from the ambit of data processing.
A data user shall not be obliged to disclose information relating to another individual who can be identified from that information, unless he is satisfied that the other individual has consented to the disclosure of the information to the person making the request.
The main obligations of data users are enshrined in the eight data protection principles set out in the Act's schedule, detailed below:
- information contained in personal data and the data itself shall be obtained and processed fairly and lawfully;
- personal data shall be held only for one or more specified and lawful purposes;
- personal data held for any purpose(s) shall not be used or disclosed in any manner incompatible with the defined purpose(s);
- personal data held for any purpose(s) shall be adequate, relevant, and not excessive;
- personal data shall be accurate and, where necessary, kept up to date;
- personal data held for any purpose(s) shall not be kept for longer than is necessary for the defined purpose(s);
- an individual shall be entitled, at reasonable intervals and without undue delay or expense:
  - to be informed by any data user as to whether he holds personal data relating to that individual;
  - to access any such data held by a data user; and
  - to have such data corrected or erased, where appropriate; and
- in respect of personal data held by data users or in respect of which services are provided by persons carrying on a computer bureau, appropriate security measures shall be taken against unauthorised access, alteration, disclosure, or destruction of personal data, as well as accidental loss or destruction of the same.
7. Controller and Processor Obligations
Neither a 'data controller' nor a 'data processor' is specifically defined and their obligations would be the same as those imposed upon a data user under the Act.
The Act provides for the appointment of the Commissioner who will maintain a register of:
- data users who hold personal data; and
- persons running computer bureaus who provide services respecting personal data.
A data user or a data user who also carries on a computer bureau must be registered with the Office of the Commissioner. The Commissioner, on review of the application and receipt of all the requisite information, will make an entry in the register for each accepted application for registration.
The following details must be entered in the register:
- the name and address of the data user;
- a description of the personal data to be held by him and of the purpose or purposes for which the data is to be held or used;
- a description of every source from which he intends or may wish to obtain the data or the information to be contained in the data;
- a description of every person to whom he intends or may wish to disclose the data (otherwise than in cases exempted from non-disclosure as provided by the Act);
- the name of every country outside Seychelles to which he intends or may wish directly or indirectly to transfer the data; and
- one or more addresses for the receipt of requests from data subjects for access to the data.
A registered person may at any time apply to the Commissioner for the alteration of any entries relating to that person. Where the alteration would consist of the addition of a purpose for which personal data are to be held, the person may make a fresh application for registration in respect of the additional purpose.
The Commissioner must as soon as practicable and in any case within the period of six months after receiving an application for registration or for the alteration of registered particulars, notify the applicant in writing whether his application has been accepted or refused. If the Commissioner notifies an applicant that his application has been accepted, the notification must state the particulars which are to be entered in the register, or the alteration which is to be made, as well as the date on which the particulars were entered or the alteration was made.
No entry will be retained in the register after the initial period of registration has expired except in accordance with a renewal application made to the Commissioner.
The person making an application for registration or a renewal application may in his application specify as the initial period of registration or, as the case may be, as the renewal period, a period shorter than five years, being a period consisting of one or more complete years.
Personal data may be transferred internationally provided that the data user has named the jurisdiction it will be transferring the data to in the data register, which will also contain descriptions of the data being held.
The Commissioner may issue a transfer prohibition notice where it is believed that the data transfer outside of Seychelles is likely to contravene or lead to a contravention of any data protection principle. Such a notice would prohibit the transfer absolutely or until the data user has taken steps, as specified in the notice, for protecting the data subject's interests in question.
The laws of Seychelles do not extend further than what has been provided under Section 6.
The Act does not contain a requirement to conduct a data protection impact assessment ('DPIA').
The Act does not contain a requirement for the appointment of a data protection officer.
The Act does not include a mandatory requirement to report data security breaches or losses to the Commissioner.
Please see the principles outlined in the section on principles above.
The Act does not include any specific provision for special categories of personal data. However, once the Act is in force, it will allow the Minister to amend or enhance data protection principles to provide additional safeguards in relation to personal data comprising information regarding a data subject's:
- political opinions or religious or other beliefs;
- physical or mental health or sexual life; and
- criminal convictions.
The Act is silent on the ways in which data controller and data processor relationships are managed through contractual agreements and the liabilities attached to them. However, any agreement pertaining to the control or processing of data would, in the author's view, be applicable as long as the provisions under the data transfer agreement do not contravene the principles of the Act and are in line with the local laws and requirements.
8. Data Subject Rights
A data user shall not be obliged to comply with a request:
- unless he is given the information he may reasonably require to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks; and
- if he cannot comply with the request without disclosing information relating to another individual who can be identified from that information, unless he is satisfied that the other individual has consented to the disclosure of the information to the person making the request.
An individual has the right to be informed by a data user as to whether the latter holds their personal data and can request a copy of this information. The request shall be made in writing, accompanied by the payment of a fee, not exceeding the prescribed maximum, and the data user shall comply with the request within 40 days of receipt of the same.
An individual shall be entitled:
- to be informed by a data user whether the data held by the data user include personal data of which that individual is the data subject;
- to be supplied by a data user with a copy of the information constituting any such data held by the data user; and
- where any information referred to in paragraph (b) is expressed in terms which are not intelligible without explanation, to have the information accompanied by an explanation of those terms.
Data subjects will have the right to be provided with a copy of the data being held by the data user pertaining to the data subject, in a form that is interpretable by the data subject, or accompanied by the relevant explanatory notes where the information is not comprehensible.
A data user shall be obliged to supply any information only in response to a request in writing and on the payment of such fee (not exceeding the prescribed maximum) as he may require.
Where personal data held by a data user is inaccurate, a data subject may apply to the Supreme Court for an order for the rectification or erasure of the data. The Supreme Court may order the erasure of personal data if it is satisfied that the data subject has suffered damages because of the disclosure of personal data or that there is a substantial risk of further disclosure of or access to the data.
Furthermore, an individual whose personal data is held by a data user and who suffers damage by reason of the inaccuracy of the data, shall be entitled to compensation from the data user for that damage and/or any distress which the individual has suffered by reason of the inaccuracy.
Please see the section on the right to rectification above.
Compensation for loss or unauthorised disclosure
A data subject must be compensated by a data user or a person carrying on a computer bureau holding data of which he is the subject, if he suffers any damage caused by:
- loss of the data;
- destruction of the data without the authorisation of the data user or of the person carrying on the bureau; or
- disclosure of the data or access granted to the data without prior requisite authority.
The Act also provides for compensation for an individual:
- whose personal data is held by a data user or person carrying out a computer bureau service, in respect of which the data subject suffers damage by reason of the loss of his/her data; or
- where the destruction of his/her data is not authorised by the data user or person carrying out a computer bureau service; or
- who suffered distress by reason of disclosure, access, loss, or destruction of his/her personal data.