Financial Crime World

Personal Data Protection Act Unveiled

In a major move to safeguard the rights of individuals, the government has introduced the Personal Data Protection Act, aimed at protecting personal data from unauthorized access, disclosure, alteration, destruction or loss.

What is a Personal Data Breach?

According to experts, a personal data breach occurs when there is an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Act imposes strict obligations on controllers and processors to ensure that processing of personal data is done in a fair and lawful manner.

Principles Relating to Processing of Personal Data

The Principles Relating to Processing of Personal Data require controllers/processors to ensure that processing is:

  • Lawful
  • Fair
  • Transparent
  • Adequate
  • Relevant
  • Accurate
  • Kept for as long as required
  • Proportionate to the purposes for which it is being processed

Controllers must also implement appropriate data security measures and maintain documentation.

The Act provides for conditions for consent, where consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her. In case of a breach, controllers must notify the Data Protection Office without undue delay.

Notification of Personal Data Breach

Notification of a personal data breach is mandatory and must be made, where feasible, not later than 72 hours after the controller has become aware of it. Controllers must also communicate the personal data breach to the data subject without undue delay where that breach is likely to result in a high risk to the rights and freedoms of the individual.

Pseudonymisation

The Act introduces pseudonymisation, which involves processing personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual.
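The following Python script is an added illustration of the separation the Act describes; it is not part of the article or the Act. It replaces each direct identifier with a keyed HMAC token, keeps the token-to-identity table (the "additional information") as a separate object that would be stored and access-controlled apart from the working dataset, and shows that the tokens cannot be re-attributed without both the key and that table. The record layout, field names and key handling are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; not real people.
RECORDS = [
    {"national_id": "A1234567", "name": "Alice Example", "diagnosis": "flu"},
    {"national_id": "B7654321", "name": "Bob Example", "diagnosis": "asthma"},
]

DIRECT_IDENTIFIERS = ("national_id", "name")


def generate_key() -> bytes:
    """Secret key for the pseudonym function. In practice it lives in a KMS/HSM,
    separate from the pseudonymised dataset, under its own access controls."""
    return secrets.token_bytes(32)


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Stable pseudonym: the same identifier always maps to the same token, but the
    token cannot be reversed without the key. A plain (unkeyed) hash would not be
    adequate because small identifier spaces can simply be enumerated and re-hashed."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (working dataset, re-identification table).

    The working dataset carries only the token and the attributes needed for
    processing. The table is the 'additional information' the Act requires to be
    kept separately and protected by technical and organisational measures."""
    dataset = []
    reidentification_table = {}
    for rec in records:
        token = make_pseudonym(rec["national_id"], key)
        reidentification_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        dataset.append({"subject": token, "diagnosis": rec["diagnosis"]})
    return dataset, reidentification_table


def contains_direct_identifiers(dataset) -> bool:
    """Check used before releasing the working dataset to analysts: it must not
    carry any of the direct identifier fields."""
    return any(field in rec for rec in dataset for field in DIRECT_IDENTIFIERS)


def reidentify(token: str, reidentification_table):
    """Controlled re-identification, only for holders of the separate table."""
    return reidentification_table.get(token)


if __name__ == "__main__":
    key = generate_key()
    dataset, table = pseudonymise(RECORDS, key)
    print("working dataset:", dataset)
    print("contains direct identifiers:", contains_direct_identifiers(dataset))
    print("re-identified:", reidentify(dataset[0]["subject"], table))
    # A party without the key derives different tokens and cannot link records.
    print("linkable without key:",
          make_pseudonym("A1234567", generate_key()) == dataset[0]["subject"])
```

The design choice worth noting is that two separate secrets must be compromised before the dataset becomes personal data again: the HMAC key (to recompute tokens from known identifiers) and the re-identification table (to go from token back to identity). Keeping both away from the team that works on the pseudonymised dataset is what makes the "additional information" genuinely separate in the sense the Act uses.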

Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments (DPIAs) must be carried out by controllers/processors prior to any potentially high-risk processing. The Act also provides for transfer of personal data abroad, but only if the controller has adduced appropriate safeguards with respect to the protection of personal data to the Data Protection Office or has complied with the conditions laid down in the provisions of this Act relating to the transfer of personal data outside Mauritius.

Rights of Data Subjects

The Act also enhances rights of data subjects, including:

  • Right of access
  • Right of rectification
  • Right of erasure or restriction of processing
  • Right to object

Controllers are obliged to give data subjects access to their personal data free of charge, and to provide a copy of that data within one month of a written request.

Certification

In a move to ensure compliance, certification has been introduced to help controllers or processors demonstrate compliance with the Act and allow data subjects to quickly assess the level of data protection of relevant products and services.

For more information on the Personal Data Protection Act, contact the Data Protection Office at +230 4600251 or email dpo@govmu.org.