Compliance with Data Protection Regulations and Principles
The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, is a European Union Directive which regulates the processing of personal data within the European Union and the free movement of such data to ensure the protection of fundamental rights and freedom of individuals.
The General Data Protection Regulation (“GDPR”), adopted in April 2016, has superseded the Data Protection Directive and became enforceable on 25 May 2018. On 25 January 2012, the European Commission (“EC”) announced that it would unify data protection law across the European Union through legislation called the GDPR. The EC's objectives with this legislation included:
• the harmonisation of 27 national data protection regulations into one unified regulation;
• the improvement of corporate data transfer rules outside the European Union; and
• the improvement of user control over personal identifying data.
The GDPR has set the scene for local Data Protection legislation and Regulations and Mauritius has accordingly followed suit as from early 2018.
By Anshinee Narsimooloo
Legal & Compliance Executive
HLB Risk & Compliance Consultancy Ltd
Overview of Data Protection in Mauritius
The right to privacy is expressly provided in Sections 3 and 9 of the Constitution of Mauritius and Article 22 of the Mauritian Civil Code. In 2004, Mauritius enacted the Data Protection Act 2004, which provided for the protection of the privacy rights of individuals in view of the developments in the techniques used to capture, transmit, manipulate, record or store data relating to individuals.
The Data Protection Act 2004, which was supposed to be adopted in 2009, no longer fitted Mauritius’ evolving digital context and was therefore repealed and replaced by the Data Protection Act 2017 (the “Act”), which came into force on the 15th of January 2018.
The new Act seeks to align the data protection framework in Mauritius with international standards, namely the GDPR. The GDPR intends to strengthen and unify data protection for all individuals within the European Union (EU) and addresses the export of personal data outside of the EU. It provides for a harmonisation of the data protection regulations throughout the EU, and therefore makes it easier for non-European companies to comply with these regulations.
Data Protection Principles applicable to our local context
It is thus essential that all organisations embark on this journey by giving effect to the abovementioned legislation and incorporating data protection principles into their internal policies and procedures. These principles are the backbone of how sensitive personal information is managed, exchanged and treated. So, what are they specifically?
Section 21 of the Act sets out six data protection principles, listed as follows:
Principle 1: Lawful, Fair and Transparent Processing
Principle 2: Purpose Limitation
Principle 3: Data Minimisation
Principle 4: Accuracy
Principle 5: Storage limitation
Principle 6: Rights of data subjects
Organisations can now claim to better understand their responsibilities and continuously endeavour to improve their mode of operations by putting privacy and the protection of individuals’ information at the forefront of their business activities. They have had the opportunity to assess and review their processes, to scrutinise more closely what information they collect, what they use it for and whom they share it with, and to ask themselves whether they actually need all the data that they collect and process.
In putting a Data Protection Framework into practice, three main office bearers are identified in the Act, which are explained below in turn:
- Data Controller - a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision-making power with respect to the processing.
- Data Processor - a person who, or public body which, processes personal data on behalf of a controller.
- Data Protection Officer - a person who is appointed by the company to inform and advise it, as well as its employees, on their obligations to comply with the relevant laws and other data protection standards.
What about you?
Have you implemented proactive measures to comply with the provisions of the Act such as the designation of specific office bearers or adopted adequate security and organisational measures to address personal data breaches? HLB Risk & Compliance Consultancy Ltd has a dedicated team of Data Protection consultants ready to assist you to comply with the above.
Please contact us on firstname.lastname@example.org or on +(230) 203 3900.