Your Guide to Data Protection Obligations Under the Data Protection Act (DPA) 2017
Protecting personal data is more important than ever. This guide explains what your organisation needs to know about the Mauritius Data Protection Act 2017 (DPA 2017): your legal duties, the breach-notification and record-keeping requirements, and when and how to appoint a Data Protection Officer, in clear terms so you can protect privacy and stay on the right side of the law.
5/12/2025 · 2 min read
Protecting personal data is crucial. The Data Protection Act 2017 replaced the earlier Data Protection Act 2004 and brings Mauritian privacy law into line with international standards such as the EU General Data Protection Regulation (GDPR). Alignment with those standards also makes it easier to share personal data securely with foreign jurisdictions, supporting growth in the digital economy.
Key Legal Obligations for Organisations
Every data controller and data processor must ensure that personal data is:
Collected fairly and lawfully
Accurate, relevant and limited to what is necessary
Kept secure and confidential
Retained only as long as necessary
Processed on a lawful basis, which means the data subject's clear consent where no other lawful basis applies
Controllers must also:
Maintain records of processing activities
Conduct data protection impact assessments for high-risk processing
Notify the Data Protection Office of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it
Communicate a breach to the affected data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms
Appoint a Data Protection Officer (DPO)
Failure to comply is an offence and can result in a fine of up to MUR 200,000 and imprisonment for up to five years.
Why is a Data Protection Officer required?
Appointing a Data Protection Officer (DPO) is mandatory. The DPO's role is to:
Advise and educate staff on data protection laws
Monitor internal compliance and conduct audits
Assist with Data Protection Impact Assessments (DPIAs) and other risk assessments
Be the main point of contact for both the Data Protection Office and individuals whose data is being processed
It is important to note that while the DPO plays a central role in ensuring compliance, legal responsibility lies with the organisation as controller or processor, not with the officer personally.
Who Can be a Data Protection Officer?
An organisation may appoint:
An existing employee, provided the role creates no conflict of interest (for example, the employee should not also be the person who decides the purposes and means of processing)
An external consultant or service provider under contract
A single DPO shared across multiple branches or subsidiaries, provided the DPO is easily accessible from each of them
DPOs must have:
A solid understanding of data protection law, including the DPA 2017 and, where the organisation handles data of people in the EU, the GDPR
Familiarity with the organisation’s business operations
Knowledge of data security practices and IT systems
Strong ethics and a commitment to data protection
Do Not Risk Non-Compliance. We Are Here to Help.
If your organisation is unsure whether it has met all its data protection obligations, including registration with the Data Protection Office, renewal of that registration, or the appointment of a qualified DPO, VPR can help, including by taking on the DPO role itself.
We offer:
Outsourced DPO services
Compliance reviews and advice
Help with registration and renewals
Training for your internal teams
Reach out to us and let us help ensure your organisation stays compliant, protected and up to date with its data protection requirements.