Feb 2025

Mauritius

Law Over Borders Comparative Guide:

Data Protection

Introduction

The Data Protection Act 2017 (DPA 2017) came into force on 15 January 2018 and supersedes the earlier Data Protection Act 2004. It is based on the General Data Protection Regulation (Regulation (EU) 2016/679).

The Mauritius Data Protection Office (DPO) is the supervisory authority responsible for enforcing and ensuring compliance with the DPA 2017.


1. What national laws regulate the collection, use and disclosure of personal data?

The main legislation in Mauritius is the DPA 2017. There are other specific sectoral data protection obligations that a controller must adhere to, for example:

  • The Banking Act 2004, which regulates the confidentiality of customer information.
  • The Information and Communication Technologies Act 2001, which imposes a duty of confidentiality on telecoms licensees relating to messages sent over their networks.

2. To whom do the laws apply?

The DPA 2017 applies to a controller or a processor established in Mauritius. It also applies to a controller or processor who is not established in Mauritius if such controller or processor uses equipment in Mauritius for processing data other than for the purpose of transit through Mauritius. If this is the case, the controller or processor must nominate a representative established in Mauritius.

A “controller” is defined as “a person who, or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing”. 

A “processor” is defined as “a person who, or public body which, processes personal data on behalf of a controller”.

The personal data processed by a controller or a processor relates to the personal data of data subjects. The DPA 2017 defines a “data subject” as an “identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual”. The “data subject” is a living individual.


3. What is the territorial scope of the law?

The DPA 2017 has extraterritorial effect only to the extent that a foreign controller or processor uses equipment in Mauritius for processing personal data, other than for the purpose of transit through Mauritius. The DPO has not issued guidance on when a controller or processor is to be regarded as making use of equipment for the purpose of processing personal data. Since this provision of the DPA 2017 is based on Article 4 of EC Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the DPO would be guided by EU law and by any explanation given by the Working Party under the Directive while it applied. The concept of “making use” presupposes two elements: some kind of activity undertaken by the controller or processor; and the intention of the controller or processor to process personal data. In other words, not every “use” of “equipment” within Mauritius triggers the application of the DPA 2017. Where the “use” of “equipment” does lead to the application of the DPA 2017, the controller or processor must nominate a representative in Mauritius, who will act on their behalf with regard to compliance with the DPA 2017.


4. What acts and operations relating to personal data are regulated?

The DPA 2017 applies to the processing of personal data, wholly or partly by automated means, and to any processing otherwise than by automated means where the personal data forms part of a filing system or is intended to form part of a filing system.

The term “processing” means “an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. The transfer of personal data outside Mauritius is regulated.


5. What personal data does the law regulate?

The DPA 2017 defines “personal data” as “any information relating to a data subject”, for example the name, address and email address of an individual, and any other information that can be attributed to a specific person. Examples of categories of personal data include:

  • Biometric data. Any personal data relating to the physical, physiological or behavioural characteristics of a data subject which allow their unique identification, including facial images or dactyloscopic data.
  • Genetic data. Personal data relating to the genetic characteristics of a data subject which are inherited or acquired and which provide unique information about the physiology or health of the data subject and which result, in particular, from an analysis of a biological sample from the data subject in question.
  • Physical or mental health data. Personal data including information on the provision of healthcare services to the data subject, which reveals their health status.
  • Special categories of personal data. Please refer to Question 6, below.

6. Are any types of personal data subject to a higher level of protection under the law?

The DPA 2017 provides strict protection to special categories of personal data which are sensitive in nature, for example personal data pertaining to the data subject’s:

  • racial or ethnic origin;
  • political opinion or adherence;
  • religious or philosophical beliefs;
  • membership of a trade union;
  • physical or mental health or condition;
  • sexual orientation, practices or preferences;
  • genetic data or biometric data uniquely identifying the data subject;
  • commission or alleged commission of an offence; or
  • proceedings for an offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in the proceedings.

The Data Protection Commissioner of Mauritius ("Commissioner") may determine that other types of personal data are sensitive personal data.


7. What requirements must be fulfilled in order to process personal data?

Personal data can be processed if any of the following is satisfied:

  • Consent. Consent must be specific, freely given, informed and unambiguous: the consent must be given either by a statement or a clear affirmative action (e.g., providing an unticked box which the data subject must actively select), by which the data subject signifies their consent to their personal data being processed. Consent requests must not be bundled with terms and conditions. Wherever appropriate, granular consent requests must be given for different types of processing. The controller has the burden to prove that a data subject has given their consent for the processing of the personal data. The data subject may withdraw their consent at any time. However, the right to withdraw consent at any time does not affect the lawfulness of processing based on consent before its withdrawal. For a child who is under 16 years of age, consent must be given by the child’s parent or guardian. 
  • Contractual. Contractual necessity can be relied upon if the controller must process the data subject’s personal data to fulfil a contract to which the data subject is a party or to take certain steps at the request of the data subject prior to entering into a contract. 
  • Compliance with a legal obligation. This is a legal basis for the processing of personal data and is different from a contractual obligation.
  • Protecting vital interests. Personal data may be processed without the data subject’s consent if such processing is necessary to protect their vital interests or those of another person.
  • Public interest. Personal data may be processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller must be able to demonstrate that they are carrying out a task in the public interest or are exercising official authority.
  • Other legal bases. Historical, statistical and scientific research are other legal bases for the processing of personal data, and these purposes may be exempted from the provisions of the DPA 2017 if security and organisational measures are implemented to protect the rights and freedoms of the data subjects involved.

In addition, personal data may be processed for:

  • the protection of national security, defence or public security;
  • the prevention, investigation, detection or prosecution of an offence, including the execution of a penalty;
  • an objective of general public interest, including in the economic or financial interests of the State of Mauritius;
  • the protection of judicial independence and judicial proceedings; or
  • the protection of a data subject or the rights and freedoms of others.

8. What obligations apply when processing personal data?

Requirement of registration 

While the processing of personal data by a data subject during a purely personal or household activity is exempted under the DPA 2017, both the controller and the processor must register with the Commissioner before processing personal data. The processing of personal data without being registered is a criminal offence.

The services of a processor may only be used by a controller if an agreement is entered into which requires that the processor must act only on instructions given by the controller and must implement security and organisational measures to protect the processing of personal data.

Data protection principles

Both the controller and processor must process personal data in accordance with the following data protection principles: 

  • Lawfulness, fairness and transparency. Data must be collected for legitimate purposes, and processed lawfully, fairly, and in a transparent manner.
  • Purpose limitation. Personal data collected for a specified purpose(s) must not be further processed in a manner incompatible with the purpose(s).
  • Data minimisation. Data that is processed must be limited to what is necessary and must not be held longer than is necessary for the purpose(s) for which the data has been collected.
  • Accuracy. Data must be accurate and, where necessary, kept up to date and steps must be taken to erase or rectify inaccurate data without delay.
  • Storage limitation. Data must not be kept longer than is necessary for the purpose(s) for which the data is processed. Where the purpose for keeping personal data has lapsed, the controller must destroy the data as soon as is reasonably practicable and shall notify any processor holding the data for them to destroy it.
  • Security. The controller must adopt policies and implement appropriate security measures to demonstrate that the processing of personal data is performed in accordance with the DPA 2017.
  • Accountability. The controller must take responsibility for what is done with the data and adopt policies and implement measures to demonstrate compliance. In the case of a personal data breach, the controller must — without undue delay and, where feasible, not later than 72 hours — notify the personal data breach to the Commissioner. Furthermore, where a processor becomes aware of a personal data breach, the processor must notify the controller without any undue delay describing the nature of the personal data breach including, if possible, the approximate number of data subjects and personal data records concerned.

9. What rights does the data subject have in relation to personal data?

A data subject has the following rights:

  • Right to be informed. The controller must inform the data subject of the specific categories of personal data being processed and the reason for the processing. The data subject has the right to know to whom their personal data has been and will be disclosed, and for how long the personal data will be stored. 
  • Right to access. Upon receiving a written request from a data subject, the controller must, free of charge, provide a confirmation as to whether the controller is processing personal data pertaining to them. The controller has one month to comply with the request. 
  • Right to rectification and right to erasure. The data subject has the right to request that the controller rectify any inaccurate personal data that the controller holds on the data subject. The data subject can also request the controller to erase personal data concerning the data subject if, for example, the purpose of their collection is no longer necessary, or the data subject withdraws the consent on which the processing is based and there are no other legal grounds for the processing. 
  • Right to object/opt-out. The data subject has the right to object in writing at any time to the processing of personal data concerning them unless the controller has compelling legitimate grounds for the processing which override the data subject’s interests, or the processing is required for the establishment, exercise or defence of a legal claim.
  • Right to data portability. The DPA 2017 does not provide for data portability.
  • Right not to be subject to automated decision-making. A data subject has the right not to be subject to a decision based solely on automated processing, including profiling which produces legal effects concerning them or significantly affects them. This prohibition does not apply where the decision is based on the data subject’s explicit consent, or any other circumstances specified in the DPA 2017. Automated processing of personal data intended to evaluate certain aspects relating to a data subject must not be based on special categories of personal data.
  • Other rights. A data subject has the right to lodge a complaint with the Commissioner if they have concerns with the manner in which their personal data is being processed.

10. What rules regulate the sending of commercial or direct marketing communications?

The DPA 2017 regulates direct marketing, which is defined as “the communication of any advertising or marketing material which is directed to any particular individual”. This definition also encompasses electronic marketing. There are no specific rules that depend on whether marketing communications are sent by email, SMS, telephone or post, or on whether they are sent business-to-consumer or business-to-business.

Under the DPA 2017, a data subject may object to the processing of their personal data for purposes of direct marketing, including profiling to the extent relevant. Where a data subject objects to the processing of personal data for the purpose of direct marketing, their personal data must no longer be processed for that purpose. 


11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

A controller or processor may transfer personal data outside Mauritius if the data subject has given their explicit consent to the transfer. The transfer of personal data outside Mauritius is also permissible if:

  • adequate proof of appropriate safeguards with respect to the protection of personal data has been given to the Commissioner;
  • it is necessary:
    • for the performance of a contract between the data subject and the controller, or for the conclusion of a contract between the controller and another party made in the data subject’s interest;
    • for reasons of public interest as provided by law;
    • for the establishment, exercise or defence of a legal claim;
    • to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
    • for the purpose of compelling legitimate interests pursued by the controller or the processor which are not overridden by the interests, rights and freedoms of the data subjects concerned, provided that the transfer is not repetitive and concerns a limited number of data subjects, and the circumstances surrounding the transfer have been assessed and proof of appropriate safeguards for the protection of the personal data has been given to the Commissioner. 

12. What are the investigatory and enforcement powers of the regulator?

Request of information 

Subject to the confidentiality obligations which a controller may have under specific legislation (see Question 1, above), the Commissioner can serve a notice on a person requesting any information that is necessary for the performance of their functions and exercise of their duties. A person who, without reasonable excuse, fails or refuses to comply with a notice, or who furnishes any information which the person knows to be false or misleading, commits a criminal offence.

Enforcement notice

If the Commissioner is of the opinion that a controller or a processor has contravened, is contravening, or is about to contravene the DPA 2017, an enforcement notice may be served on the controller or processor, requiring them to take the steps specified in the notice within the period it specifies. The Commissioner does not have power to impose penalties for non-compliance with the DPA 2017 or regulations made under it.

Investigation of complaints

The Commissioner may investigate a complaint under the DPA 2017 or any regulations made under it and, for that purpose, order any person to attend at a specified time and place for an oral examination, to produce relevant documents or records, or to provide a written statement under oath or affirmation. Any person who, without lawful or reasonable excuse, fails to attend a hearing before the Commissioner commits a criminal offence.

Preservation order

The Commissioner may seek a preservation order from a judge for the expeditious preservation of data (including traffic data) if there is a reasonable ground to believe that the data is at risk of loss or modification. The preservation order is granted for a period not exceeding 90 days and may be extended.

Other powers

The Commissioner may designate an authorised officer to enter and search any premises for the exercise of a power under the DPA 2017 only on the authority of a warrant issued by a magistrate.


13. What are the sanctions and remedies for non-compliance with data protection laws?

A breach of the DPA 2017 constitutes, in certain cases, a criminal offence and, on conviction, the offender may be sentenced to a fine or a term of imprisonment.

Examples of acts or omissions which constitute a criminal offence under the DPA 2017 include:

  • Processing personal data without being registered: a fine not exceeding MUR 200,000 and imprisonment for a term not exceeding five years.
  • Failure, without lawful or reasonable excuse, to attend a hearing, or to produce a document when required to do so by the Commissioner: a fine not exceeding MUR 50,000 and imprisonment for a term not exceeding two years.
  • Failure, without reasonable excuse, or refusal to comply with an enforcement notice issued by the Commissioner or providing information which the person knows to be false or misleading: a fine not exceeding MUR 50,000 and imprisonment for a term not exceeding two years.
  • Processing personal data (including special categories of personal data) in breach of the DPA 2017: a fine not exceeding MUR 100,000 and imprisonment for a term not exceeding five years.
