Doing Business In... 2025

MAURITIUS Law and Practice Contributed by: Sameer K Tegally, Sonia Xavier and Ashvan Luckraz, Venture Law

vie privée ” (ie, every person is entitled to the protection of their private life). • Article 300 of the Mauritian Criminal Code makes it a criminal offence for certain cat - egories of professionals, who have been entrusted with confidential information by their clients, to disclose information obtained in confidence. The Act imposes strict duties on data controllers to ensure that all personal data is processed in compliance with the Act. Data controllers must be able to demonstrate that they have: • explicit, specified and legitimate purposes for the processing of personal data; • adopted policies to implement appropriate data security and organisational measures to protect personal data; • only processed data that is adequate, rel - evant and limited to what is necessary; • designated an officer responsible for data protection; and • processed the personal data in line with the data subjects’ rights. A data controller is defined as “any person who or public body which, alone or jointly with oth - ers, determines the purposes and means of the processing of personal data and has decision- making power with respect to the processing”. On 20 February 2025, the Mauritius Data Protec - tion Office (DPO) issued a communique speci - fying that, among other things, all public and private organisations, sociétés , partnerships, professionals such as doctors, lawyers, engi - neers, architects, notaries and sole traders such as jewellers, bookmakers and any other entity processing and collecting personal data of living individuals, are required to register themselves as a controller with the DPO.

The Act provides that it is a criminal offence for a data controller to disclose the personal data of its data subject(s) without any lawful excuse or where it is incompatible with the purposes for which the data was collected. Lawful excuses can be, for example: • compliance under the law; • performance of a contract signed with the data subject; and • protection of the vital interests of the data subject or another person. At the heart of the Mauritius data protection legislation is the notion of consent. On the one hand, the Act imposes a duty on data controllers and data processors – ie, those who process personal data on behalf of data controllers, to seek and obtain the consent of persons whose data they wish to process; on the other hand, it empowers data subjects to give and/or withdraw their consent at any point in time. A data subject is defined as a person who may be identified or may become identifiable by ref - erence to features, including their name, identi - fication number, location data and physiologi - cal, genetic, mental, economic, cultural or social identity. The consent given by data subjects should be free, specific, informed and unambiguous, and can be in the form of a statement or a clear affirmative action to signify their consent to the data controllers. Under the Act, any local or foreign individual or organisation handling or processing the personal data of a Mauritian data subject is required to obtain the data subject’s consent and register with the data protection commissioner of the Data Protection Office (Commissioner) in order

523 CHAMBERS.COM

Powered by