Professional Documents
Culture Documents
DATA PROTECTION
ACT 2017
Presented By:
Mrs. J. Haulkhory and Mrs W. Khadun
5
DPA (Section) GDPR (Article)
6 - Investigation of complaints 40 - Codes of conduct (2)(k)
Amicable settlement of disputes and
conduct of hearings has been included.
48 - Certification 42 - Certification
8
The Data Protection Office
9
The Data Protection Office
(DPO)
▷ Public office which acts with complete
independence and impartiality.
• INVESTIGATION OF COMPLAINTS
III
IV • SENSITISATION/ TRAINING
12
Basic Concepts
• an identified or identifiable individual (any data which can
identify an individual),
• in particular by reference to an identifier such as a name,
an identification number, location data, an online identifier
Data or to one or more factors specific to the physical,
Subject physiological, genetic, mental, economic, cultural or social
identity of that individual.
13
Basic Concepts
14
Basic Concepts
• a person who or public body which, alone or
jointly with others, determines the purposes and
means of the processing of personal data and
Controller has decision making power with respect to the
processing.
15
Basic Concepts of Data
Protection
Case scenario – Processor –
who is he?
17
Application of the Act (1)
18
Application of the Act (2)
19
Non - Application of the Act
20
Registration of Controllers
and Processors
Sections 14 to 20
21
Registration
Should controllers and processors register with
the Data Protection Office? YES
Fill in
Application
Issuance of
Form and Effect Payment
Certificate
submit
documents
23
Registration
Can a management company (MC) register on
behalf of global business entity? YES, provided
that:
The MC clearly indicate that
it accepts “total legal
All personal data of the
responsibility” under the
global business entity are
DPA 2017 as controller of
centralised at the
the global business entities
management company.
and provide a list at
Registration and Renewal.
Sections 21 to 33
25
Obligations on controllers and
processors are related to:-
Principles relating to
processing of personal Designation of a data Collection of personal
data under the DPA protection officer data
Notification of Communication
Conditions for personal data breach personal data breach
consent to this office to data subject
26
Principles relating to
Processing of personal data (1)
• Employer can disclose salary details
Lawfulness, fairness
of employees to tax authorities,
and transparency
without consent.
Purpose limitation
Explicit, specified and • A General Practitioner cannot
legitimate purposes and disclose patients details to his wife
not processed in a way who owns a travel agency.
incompatible with the
purposes
Data minimisation
Adequate, relevant and • Office workers will not be queried
limited to what is about their health conditions
necessary, in relation to compared to a field worker.
the purposes
27
Principles relating to Processing
of personal data (2)
Storage limitation:
Storage of personal data • Deletion of details for staff who have
permitting Identification of left the organisation.
data subjects for no longer
than necessary
28
TO-DO List
29
Duties of Controllers – Section 22
30
Duties of Controllers – Section 22
Measures includes:
o implementing appropriate data security and
Measures include:
organisational measures;
o keeping of documentation as per section 33;
o Performing data protection impact assessment
as per section 34; Complying
Performing
o Comply with requirements with
of prior authorization
Implementing
data requirements Designating an
Keeping of as per section 35;
appropriate and consultation
protection of prior officer
data security documentation
o Designate an officerimpact
responsible for data responsible
authorization
and as per section
protection. assessments and for data
organisational 33
as per section consultation protection
measures
34 as per section
35
31
Who can be a Data Protection Officer(DPO)?
Mandatory appointment of an officer responsible for data
protection compliance issues.
As long as there is no conflict of interest with
his/her professional duties.
Existing Employee
External Officer
As long as there is a rigorous contract for
ensuring appropriate safeguards of
confidentiality 32
Roles of Data Protection Officer (DPO)
Inform and advise the controller/processor and the employees about the
obligations to comply with the DPA 2017
Train staff
Be the point of contact for the Data Protection Office and for individuals whose
data are processed
33
Responsibility of Controllers and
Processors and the DPO:
Controller or processor:
It is done for a
lawful purpose The collection
connected with of the data is
a function or necessary for
activity of the that purpose.
controller; and
35
Collection of personal data – Section
23 Details to be provided to the data subjects:
The organisation’s contact details and where applicable its representative
and any data protection officer;
3. Purpose/s of processing
7. What are the implications if you choose not to give your personal information?
9. Use of Cookies
15. Where the transfer of personal data abroad is being effected wherever applicable 37
Conditions for Consent - Section 24
▷ Consent must be freely given, specific, informed and
unambiguous.
○ either by a statement or a clear affirmative action to signify
agreement to personal data being processed
38
Lawful processing – Section 28
▷ No person shall process personal data unless the
data subject consents to the processing for one or
more specified purposes.
39
Notification & Communication of personal
data breach- Sections 25 & 26
42
Personal Data of child– Section
30
Children have the same rights as adults over their personal data.
43
Security of processing – Section
31
▷ Appropriate technical and organisational measures must
be implemented to prevent unauthorised access to,
alteration, disclosure, accidental loss and destruction of
personal data.
▷ Such measures include:
Ensure ongoing
Pseudonymisation and confidentiality, integrity,
encryption of personal availability, and
data resilience of processing
systems
Ability to restore
availability and access Process for regularly
to personal data in a testing, assessing, and
timely manner in the evaluating the
event of a physical or effectiveness of TOMs
technical incident
44
Security of processing – Section
31(Cntd)
If the controller is acts only on instructions received from the
using the controller and
services of a
processor, the
controller is still
responsible
under the DPA
for data implements appropriate security measures for
protecting any personal data processed
protection and so
must ensure
through a written
contract that the
processor
45
Prior security check – Section 32
▷ Provides for the power of the Data Protection
Commissioner to perform security checks and inspection
of the security measures imposed on the controller or
processor.
46
Record of processing operations –
Section 33
The new Act requires the controller and processor to keep records of
processing activities under its responsibility.
Such records Name and contact details of controller or processor or any representative
must include:
Purpose of processing
Retention schedules
Good practice to do a DPIA for any other major project which requires the
processing of personal data.
7) Data on vulnerable persons to whom the data relates (e.g. people with mental
illness, asylum seekers or elderly people, patients, children, etc.)
9) When the processing “prevents data subjects from exercising a right or using a
service or a contract”
49
Prior authorisation and consultation –
Section 35
According to Section ensure compliance of the intended
35, the controller or processing with the DPA and
processor must
seek authorisation
and consult the Data
Protection Office in particular to mitigate the risks
prior to processing involved for data subjects (individuals)
personal data in where the controller or processor
cannot provide for the appropriate
order to safeguards required for the transfer of
personal data to another country.
50
Transfer of personal data outside
Mauritius – Section 36
A controller or a processor may transfer personal data to another
country where the below conditions have been met –
There are proof of appropriate safeguards
Or Legal claims
52
Rights of Data Subjects
Right of access – S37
• A data subject has the right to obtain confirmation
that his/her personal data is processed and a copy
of the data free of charge within one month
following a written request.
Rectification –S39
• A data subject has the right to obtain from
controller rectification of inaccurate or incomplete
personal data concerning him/her without undue
delay.
53
Rights of Data Subjects
Erasure – S39
• Data subject may request that his/her personal
data are erased without undue delay if the
continued processing of those data is not
justified.
Object – S40
• A data subject has the right to object in writing
at any time the processing of personal data
relating to him/her free of charge.
54
Exercise of rights – Section 41
▷ Where a person is a minor or physically or
mentally unfit, a person duly authorised
(parents, guardian, legal administrator) can
exercise their rights on their behalf under
this part.
55
OTHER OFFENCES AND
PENALTIES
Sections 42 and 43
56
Unlawful disclosure of personal
data – Section 42
Any controller who, without lawful excuse,
discloses personal data in any manner that is
Controller incompatible with the purpose for which such
data has been collected shall commit an
offence.
57
Offences and Penalties –
Section 43
58
EXCEPTIONS AND
RESTRICTIONS
Sections 44
59
Exceptions and Restrictions – S44
Purely personal or household activity.
Section 48
61
Certification – Section 48
▷ To enhance transparency and compliance with the
Data Protection Act 2017, certification
• helps controllers or processors to
demonstrate accountability and compliance
with the Act
63
Thank you
Any questions?
Contact us:
Website : http://dataprotection.govmu.org
Email: dpo@govmu.org
Tel: 4600251
64