The extra-territorial reach of GDPR means that in practice, many businesses operating internationally will need to adopt European data privacy standards, which are likely to become the default global standards.

In particular, the GDPR introduces new privacy rights, new obligations such as consent requirements, data breach notification and the appointment of data processors, and new processes. The GDPR is intended to provide much greater harmonisation and protection within the EU in respect of data privacy and security issues, while allowing the States discretion to implement the basic protection and safeguards of the GDPR into their national legislation.

GDPR incorporated into national legislation – The Data Protection Act 2017

In view of the major changes brought by the GDPR, with an extra-territorial reach, the data protection laws in Mauritius were amended to be in line with the GDPR, by virtue of the Data Protection Act 2017 (DPA), effective on the 15th January 2018.

The objective of the DPA was guided by the founding principle enshrined in the GDPR, being the protection and safeguard of privacy rights of individuals insofar as the processing and storage of personal data is concerned. The novel provisions of the DPA ensure lawfulness, fairness and transparency such that individuals are well informed and afforded protection for the confidentiality of their personal data in order to reduce the growing risks of data leaks in an age of ‘e-society’. The threshold requirements for obtaining free and unambiguous consent of individuals, who can withdraw the said consent at any time, reinforce an individual’s privacy rights to prevent any uninformed use of personal data, be it by mere inadvertence.

The major overhaul brought by the DPA is in the form of:

(i) Simplified and structured registration and renewal process of data controllers and processors;

(ii) Implementing a complaints’ mechanism;

(iii) Lawful processing of personal data;

(iv) Consent requirements of data subjects in order to process data;

(v) Extensive rights afforded to data subjects in terms of consent, rights of access, automated individual decision making, right to object to processing of personal data, rectification of incomplete or inaccurate data;

(vi) Safeguards imposed for the transfer of personal data outside the jurisdiction of Mauritius in terms of notification requirements to the Commissioner, limited and selective data transfer in view of specified purpose;

(vii) Improved digital legal landscape to respond to GDPR requirements for adequacy;

(viii) Minimised risk of data breaches and notification requirements of any data breach;

(ix) Wider interpretation of ‘data’ to include biometric and genetic data;

(x) Security of data processing by way of encryption and pseudonymisation of personal data;

(xi) Data Protection Impact Assessment in order to identify and mitigate the data protection risks;

(xii) Offences and penalties imposed for non-compliance with the DPA.

Conclusion

As a major financial hub and attractive offshore jurisdiction for investors, Mauritius was bound to incorporate the GDPR into its domestic laws, the more so to reaffirm its continued commitment in extending the fundamental right of freedom to privacy rights, already enshrined in its Constitution.
