Mauritius: Overview of Vendor Privacy Contracts
1. Governing Texts
- The Data Protection Act 2017 ('the Act')
1.2. Regulatory authority guidance
1.3. Regulatory authority templates
Data controller: A person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing (Section 2 of the Act).
Data processor: A person who, or public body which, processes personal data on behalf of a data controller (Section 2 of the Act).
3.1. Are there requirements for a contract to be in place between a controller and processor?
Where the data controller is using the services of a data processor, the data controller and the data processor are required to enter into a written contract (Section 31(4)(b) of the Act).
3.2. What content should be included?
The written contract shall provide that (Section 31(4)(b) of the Act):
- the data processor shall act only on instructions received from the data controller; and
- the data processor shall be bound by obligations devolving on the data controller under Section 31(1) of the Act with respect to implementing security measures.
4.1. Are processors required to assist controllers with handling of data subject requests?
The Act does not expressly require data processors to assist data controllers with handling data subject requests, but it provides that where a data controller determines that the purpose of keeping the personal data has elapsed, they are required to notify the data processor, and the data processor is required to destroy the data specified as soon as reasonably practicable (Section 27(2) of the Act).
In addition, every data controller or data processor is obligated to ensure that the personal data they hold is accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay (Section 21(d) of the Act).
5.1. Are processors required to keep records of their processing activities?
Every data controller or data processor is required to maintain a record of all processing operations under their responsibility (Section 33(1) of the Act).
The record shall set out (Section 33(2) of the Act):
- the name and contact details of the data controller or data processor, and, where applicable, their representative and any data protection officer ('DPO');
- the purpose of the processing;
- a description of the categories of data subjects and of personal data;
- a description of the categories of recipients to whom personal data have been or will be disclosed, including recipients in other countries;
- any transfers of data to another country, and, in the case of a transfer referred to under Section 36 of the Act, the suitable safeguards;
- where possible, the envisaged time limits for the erasure of the different categories of data; and
- the description of the mechanisms referred to under Section 22(3) of the Act.
The data controller or data processor is also required, on request, to make the record available to the Office (Section 33(3) of the Act).
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
Where a data controller is using the services of a data processor, they are obligated to choose a data processor who provides sufficient guarantees in respect of security and organisational measures so as to comply with Section 31(1) of the Act (Section 31(4)(a) of the Act).
In addition, a data controller or data processor shall, at the time of the determination of the means for processing and at the time of the processing (Section 31(1)(a) and (b) of the Act):
- implement appropriate security and organisational measures for:
  - the prevention of unauthorised access to;
  - the alteration of;
  - the disclosure of;
  - the accidental loss of; and
  - the destruction of, the data in their control; and
- ensure that the measures provide a level of security appropriate for:
  - the harm that might result from:
    - the unauthorised access to;
    - the alteration of;
    - the disclosure of;
    - the destruction of the data; and
    - its accidental loss; and
  - the nature of the data concerned.
The measures referred to under Section 31(1)(a) of the Act include (Section 31(2)(a) of the Act):
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Moreover, the Office may lay down technical standards for the requirements highlighted under Section 31(1)(a) of the Act (Section 31(2)(b) of the Act).
Furthermore, every data controller or data processor shall take all reasonable steps to ensure that any person employed by them is aware of, and complies with, the relevant security measures (Section 31(6) of the Act).
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?
Where a data processor becomes aware of a personal data breach, he shall notify the data controller without any undue delay (Section 25(2) of the Act).
For further information see Mauritius – Data Breach.
8.1. Are subprocessors regulated? If so, what obligations are imposed?
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
A data controller or data processor may transfer personal data to another country where (Section 36(1) of the Act):
- they have provided to the Commissioner proof of appropriate safeguards with respect to the protection of the personal data;
- the data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of the transfer owing to the absence of appropriate safeguards;
- the transfer is necessary:
  - for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the data subject's request;
  - for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another person;
  - for reasons of public interest as provided by law;
  - for the establishment, exercise, or defence of a legal claim; or
  - in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
- the transfer is for the purpose of compelling legitimate interests pursued by the data controller or the data processor which are not overridden by the interests, rights, and freedoms of the data subjects involved, where:
  - the transfer is not repetitive and concerns a limited number of data subjects; and
  - the data controller and the data processor have assessed all the circumstances surrounding the data transfer operation and have, based on such assessment, provided to the Commissioner proof of appropriate safeguards with respect to the protection of the personal data; or
- the transfer is made from a register which, according to law, is intended to provide information to the public and which is open for consultation by the public or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down by law for consultation are fulfilled in the particular case.
In addition, where a data controller or data processor cannot provide the appropriate safeguards referred to under Section 36 of the Act in relation to the transfer of personal data to another country, they shall obtain authorisation from the Office prior to processing the personal data, in order to ensure compliance of the intended processing with the Act and in particular to mitigate the risks involved for the data subjects (Section 35(1) of the Act).
Lastly, the Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the safeguards or the existence of compelling legitimate interests and may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend, or subject the transfer to such conditions as he may determine (Section 36(4) of the Act).
10.1. Are processors required to assist controllers with regulatory investigations?
11.1. Are processors required to appoint a DPO / representative?
The Act does not expressly provide for the appointment of a DPO, but it stipulates that every data controller or data processor shall maintain a record of all processing operations under their responsibility and set out the name and contact details of the controller or processor, and, where applicable, their representative and any DPO (Section 33(3) of the Act).
For further information see Mauritius – Data Protection Officer Appointment.
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
Where a data controller is using the services of a data processor, they are required to choose a data processor who provides sufficient guarantees in respect of the security and organisational measures for the purpose of complying with Section 31(1) of the Act (Section 31(4)(a) of the Act).
Authored by OneTrust DataGuidance
DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.