Doing Business In... 2025

MAURITIUS Law and Practice Contributed by: Sameer K Tegally, Sonia Xavier and Ashvan Luckraz, Venture Law

8.3 Role and Authority of the Data Protection Agency The Act has established the Data Protection Office (DPO) in Mauritius, which is empowered to act with complete independence and impar - tiality. The main roles and functions of the DPO are to ensure compliance with the Act, issue codes of practice and guidelines, maintain a register of controllers and processors, investigate com - plaints and co-operate with supervisory authori - ties of other countries. The DPO is headed by the Commissioner, who is given wide powers under the Act to: • carry out periodical audits of information systems and security measures used by data controllers or processors; • exercise control of all data processing opera - tions, either of his/her own motion or at the request of data subjects; • promote self-regulation among controllers and processors; • undertake research into, and monitor devel - opments in, data processing, and ensure that there is no significant risk or adverse effect of any developments on the privacy of individu - als; • examine any proposal for automated decision-making or data linkage that may involve interference with, or otherwise have an adverse effect on, the privacy of individu - als and ensure that any adverse effect of the proposal on the privacy of individuals is minimised; • investigate any complaint or information that gives rise to a suspicion that an offence may have been, is being or is about to be commit - ted under the Act;

to act as a data controller or processor in Mau - ritius. With regard to the transfer of personal data out - side Mauritius, a controller or a processor may transfer personal data to another country, sub - ject to any of the following: • There is proof of appropriate safeguards. • They have explicit consent from the data subject. • They have a contract with the data subject. • It is of public interest as provided by law. • There are legal claims. • It is of vital interest to the data subject. • There are compelling legitimate interests of The Act applies to any data controllers or pro - cessors established in Mauritius and any data controller or processor not established in Mau - ritius but using equipment in Mauritius for pro - cessing personal data of Mauritian residents. In other words, the Act not only applies to organisations located within Mauritius but also to organisations located outside Mauritius if they offer goods or services to, or monitor the behav - iour of, Mauritian data subjects. the controllers or processors. 8.2 Geographical Scope Within that framework, the Act imposes an obligation on such foreign controllers and pro - cessors to explain to Mauritian data subjects how their personal data will be processed, give details on the purposes of the processing and inform them of the right to withdraw their con - sent at any point in time.

524 CHAMBERS.COM

Powered by