# THE DATA PROTECTION ACT2017
Act 20/2017
Proclaimed by [Proclamation No. 3 of 2018]w.e.f. 15 January 2018
Government Gazette of Mauritius No. 120 of 23 December 2017
I assent
BIBI AMEENAH FIRDAUS GURIB-FAKIM
22 December 2017
President of the Republic
ARRANGEMENT OF SECTIONS
Section
PART I PRELIMINARY
Short title 2. Interpretation
3Application of Act
PART II DATA PROTECTION OFFICE Sub-Part A Establishment of Data Protection Office
- Establishment of Office
Sub-Part B - Functions and Powers of Commissioner
- Functions of Commissioner
- Investigation of complaints
- Power to require information
8.Preservation Order 9. Enforcement notice 10.Power to seek assistance
Sub-Part C - Powers of Authorised Officers
1Power of entry and search 1.Obstruction of Commissioner or authorised officer Sub-Part D Delegation of Power .Delegation of power by Commissioner PART III REGISTRATION OF CONTROLLERS AND PROCESSORS 14.Controller and Processor
1Application for registration 1Issue of registration certificate 1.Change in particulars 1Renewal of registration certificate Cancellation or variation of terms and conditions of registration certificate Register of controllers and processors
# PART IV OBLIGATIONS ON CONTROLLERS AND PROCESSORS
21.Principles relating to processing of personal data .Duties of controller Collection of personal data 4.Conditions for consent 25.Notification of personal data breach 26.Communication of personal data breach to data subject 27.Duty to destroy personal data 28. Lawful processing 9.Special categories of personal data 30.Personal data of child 3Security of processing Prior security check .Record of processing operations
# PART V PROCESSING OPERATIONS LIKELY TO
# PRESENT RISK
34.Data protection impact assessment .Prior authorisation and consultation
# PART VI TRANSFER OF PERSONAL DATA OUTSIDE MAURITIUS
36.Transfer of personal data outside Mauritius
# PART VII RIGHTS OF DATA SUBJECTS
37.Right of access 38 Automated individual decision making Rectification, erasure or restriction of processing 40.Right to object 41.Exercise of rights
# PART VIII OTHER OFFENCES AND PENALTIES
4Unlawful disclosure of personal data Offence for which no specific penalty provided
# PART IX MISCELLANEOUS
- Exceptions and restrictions
45.Annual report 4. Compliance audit 47. Codes and guidelines 48. Certification
9.Confidentiality and oath 50.Protection from liability 51.Right of appeal 52.Special jurisdiction of Tribunal 53.Prosecution and jurisdiction 54. Certificate issued by Commissioner 55. Requlations 56. Repeal 57. Transitional provisions 58. Commencement SCHEDULE
# An Act
To provide for new legislation to strengthen the control and personal autonomy of data subjects over their personal data, in line with current relevant international standards, and for matters related thereto
ENACTED by the Parliament of Mauritius, as follows
PART I PRELIMINARY
# 1. Short title
This Act may be cited as theData Protection Act2017.
# 2. Interpretation
In this Act
"authorised officer" means an officer to whom the Commissioner has delegated his powers under section 13;
"biometric data" means any personal data relating to the physical, physiological or behavioural characteristics of an individual which allow his unique identification, including facial images or dactyloscopic data;
“collect” does not include receive unsolicited information;
"Commissioner" means the Data Protection Commissioner referred to in section 4;