
New data protection regulations

The new Data Protection (Fees) Regulations 2020 (GN No. 152 of 2020) (the New Regulations), made under section 55 of the Data Protection Act 2017 (the DPA 2017), have been in force since 1 August 2020. The New Regulations provide for the fees payable to the Data Protection Office (the DPO) for registration as a controller or processor, for renewal of registration and for obtaining certified copies of entries in the register. Alongside the New Regulations, the DPO came up with new registration forms. These were much awaited, as registration of controllers was still being done by filling in registration forms made under the repealed Data Protection Act 2004, which was a very awkward situation, to say the least. The new registration forms cater not only for registration of controllers but also for registration of processors, which never existed before, although processors are required under the law to register with the Data Protection Commissioner (the Commissioner) just as controllers are.

It is understood from the communique issued by the DPO dated 20 July 2020 that all controllers and processors need to register themselves by submitting fresh applications. Controllers and processors have a moratorium of three months from 1 August 2020 to do so. This would mean that not only must controllers and processors who were never registered register themselves, but controllers who were already duly registered, or who have renewed their registration and whose renewal has not yet lapsed, will also need to register themselves anew within this moratorium of three months. It is further understood from the DPO that no waiver (in part or in full) of the registration fees will be given to those whose registration has not yet expired or whose renewal has not yet lapsed. This unfortunately may create a situation where diligent controllers will be paying twice for a few overlapping months, and we verily hope that this unfair situation is cured by the DPO. For those controllers who never registered themselves, we have been made to understand by the DPO that no additional fees and/or penalties will need to be paid for all the years the controller should have registered itself but did not do so.

The New Regulations provide for revised registration and renewal fees, which vary depending on the number of employees employed by the controller/processor. The fee structure, both for registration and for renewal as controller and processor, is Rs1,000 where the number of employees is five or less; Rs1,500 where the number of employees is between six and 25; and Rs2,500 for those employing more than 25 employees.

The registration is valid for a period of three years, in line with section 16(2) of the DPA 2017, and renewal needs to be applied for not later than three months before its expiry. It is to be noted that henceforth only a single application needs to be submitted, whether it be for employees or non-employees. Previously, a distinction was made between employee data and non-employee data and, as such, up to two distinct applications for registration were required to be submitted.

On the new registration form, the controller/processor needs to provide all safeguards, security measures and mechanisms which have been implemented to protect the personal data of its data subjects. These safeguards may, for example, be physical access control, a visitor’s logbook, firewall, antivirus, encryption of data, employee awareness programs and adherence to a Privacy Policy and Information Security Policy, to name but a few. Furthermore, whenever personal data is being transferred outside Mauritius (to be stored in cloud-based storage, for example), it is important to disclose in the registration form the country where the data will sit.

The new application forms as well as the guides to assist in filling up the registration forms for controllers and processors are available on the homepage of the DPO website.

Failure to register after the moratorium period may amount to an offence under the DPA 2017, and consequently a fine not exceeding 200,000 rupees and imprisonment for a term not exceeding five years may be imposed on conviction.