The Mauritius Data Protection Act 2017 (DPA 2017) is Mauritius's principal data protection legislation, replacing the earlier Data Protection Act 2004. As an international financial centre and a hub for offshore business services, Mauritius has positioned itself as a jurisdiction with strong data protection credentials — essential for maintaining its competitiveness in global financial services. The DPA 2017 is administered by the Data Protection Office, headed by the Data Protection Commissioner. For financial services firms regulated by the Financial Services Commission (FSC), the DPA 2017 imposes obligations that intersect with FSC licensing requirements, anti-money laundering rules, and cross-border data flows. Penalties for non-compliance can reach up to MUR 200,000 (approximately USD 4,500) and imprisonment of up to 5 years. This guide provides a structured compliance framework with a particular focus on financial services organisations.
What Is the DPA 2017?
The Data Protection Act 2017 (Act No. 20 of 2017) came into force on 15 January 2018, replacing the Data Protection Act 2004. It modernises Mauritius's data protection framework to align with international standards, incorporating principles from the GDPR and the Council of Europe's Convention 108+.
The Act is administered by the Data Protection Office, headed by the Data Protection Commissioner. The Commissioner is appointed by the President on the advice of the Prime Minister and exercises independent supervisory functions including registration of data controllers, investigation of complaints, conducting audits, issuing enforcement notices, and imposing penalties.
Key definitions under the DPA 2017:
- Personal data: Any information relating to a data subject from which the data subject can be identified, including by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject (Section 2)
- Sensitive personal data: Personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, genetic data, biometric data, and criminal records (Section 2)
- Data controller: A person who, alone or jointly with others, determines the purposes and means of processing personal data (Section 2)
- Data processor: A person who processes personal data on behalf of a data controller (Section 2)
- Data subject: An identified or identifiable individual to whom personal data relates
Mauritius as a Data Protection Leader in Africa
Mauritius was one of the first African countries to enact comprehensive data protection legislation (DPA 2004) and has consistently updated its framework. The DPA 2017 positions Mauritius alongside the EU in terms of data protection standards, which is strategically important for the country's role as an international financial centre and a gateway for investment into Africa. Mauritius is also a signatory to the African Union's Malabo Convention on Cyber Security and Personal Data Protection.
Who Must Comply?
The DPA 2017 applies to the processing of personal data by a data controller or data processor established in Mauritius, or by a data controller not established in Mauritius that uses equipment in Mauritius for processing personal data (other than for transit purposes) (Section 3).
The Act applies to:
- Financial services firms — banks, insurance companies, investment funds, management companies, corporate and trust service providers, and other FSC-licensed entities
- Global business companies (GBCs) — entities licensed under the Financial Services Act operating in or through Mauritius
- Other private sector organisations — including technology companies, retailers, and service providers
- Public sector bodies — government ministries, departments, and statutory bodies
- Non-profit organisations — NGOs, religious organisations, and community groups
- Foreign organisations that use equipment in Mauritius for data processing
Exemptions are limited. Processing for purely domestic purposes, processing for journalistic, literary, or artistic purposes (subject to conditions), and certain processing for national security are exempt from some provisions but remain subject to core data protection principles.
Key Provisions
The DPA 2017 establishes a comprehensive framework of obligations for data controllers and processors.
Data Protection Principles (Section 22)
All processing of personal data must comply with the following principles:
- Lawfulness, fairness, and transparency — Data must be processed lawfully, fairly, and in a transparent manner
- Purpose limitation — Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes
- Data minimisation — Data collected must be adequate, relevant, and limited to what is necessary
- Accuracy — Data must be accurate and, where necessary, kept up to date
- Storage limitation — Data must not be kept for longer than is necessary for the purposes of processing
- Integrity and confidentiality — Data must be processed in a manner that ensures appropriate security
- Accountability — The data controller is responsible for and must demonstrate compliance with these principles
Registration of Data Controllers (Section 30)
Every data controller must register with the Data Protection Commissioner before processing personal data. The registration must include the identity of the controller, the purposes of processing, the categories of data, the categories of data subjects, the recipients of data, details of cross-border transfers, a description of security measures, and the proposed retention period. The Commissioner maintains a public register of data controllers.
Lawful Basis for Processing (Section 23)
Processing is lawful only if at least one of the following applies:
- Consent — The data subject has given unambiguous consent for one or more specific purposes
- Contract — Processing is necessary for the performance of a contract with the data subject
- Legal obligation — Processing is necessary for compliance with a legal obligation
- Vital interests — Processing is necessary to protect the vital interests of the data subject or another person
- Public interest — Processing is necessary for the performance of a task in the public interest
- Legitimate interest — Processing is necessary for the legitimate interests of the controller or a third party, except where overridden by the data subject's rights
Data Subject Rights (Part V)
The DPA 2017 grants data subjects the following rights:
- Right of access — The right to obtain confirmation of processing and access to personal data (Section 41)
- Right to rectification — The right to have inaccurate data corrected (Section 42)
- Right to erasure — The right to have personal data erased in specified circumstances (Section 43)
- Right to restrict processing — The right to restrict processing in certain circumstances (Section 44)
- Right to data portability — The right to receive personal data in a structured, machine-readable format (Section 45)
- Right to object — The right to object to processing, including for direct marketing (Section 46)
- Rights relating to automated decision-making — The right not to be subject to decisions based solely on automated processing (Section 47)
Breach Notification (Section 37)
Data controllers must notify the Data Protection Commissioner of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to data subjects, the controller must also notify the affected data subjects. The notification must include the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken to address the breach.
Cross-Border Transfers (Section 36)
Personal data may be transferred to a country outside Mauritius only if the country ensures an adequate level of protection. The Commissioner publishes a list of countries that provide adequate protection. Where adequacy is not established, transfers may proceed with the data subject's consent, where necessary for a contract, or subject to approved safeguards such as standard contractual clauses. This is particularly important for financial services firms that routinely transfer data between Mauritius and other jurisdictions.
Financial Services Compliance
For organisations regulated by the Financial Services Commission (FSC), data protection compliance intersects with financial services regulation in several critical areas:
FSC Licensing and Data Protection
FSC-licensed entities — including management companies, corporate and trust service providers, investment funds, and insurance companies — process large volumes of personal data as part of their regulated activities. The DPA 2017 applies to all such processing, creating a dual compliance obligation: FSC regulatory requirements and DPA data protection requirements must be satisfied simultaneously.
AML/CFT and Data Protection
Financial institutions in Mauritius are subject to the Financial Intelligence and Anti-Money Laundering Act (FIAMLA) 2002 and its amendments. Customer due diligence (CDD), Know Your Customer (KYC), and suspicious transaction reporting all involve processing personal data. The DPA 2017's lawful basis of "legal obligation" covers processing required under FIAMLA, but organisations must ensure that data collected for AML purposes is not used for incompatible purposes and is retained only as long as required by law.
Global Business Companies
Mauritius-based Global Business Companies (GBCs) — licensed under the Financial Services Act — often manage investments, hold assets, and administer structures for international clients. These entities routinely engage in cross-border data transfers and must ensure compliance with the DPA 2017's transfer provisions. The adequacy of data protection in the receiving jurisdiction must be assessed, and appropriate safeguards must be in place.
Data Sharing within Corporate Groups
Financial services groups often share personal data between entities in different jurisdictions — for example, between a Mauritius-based management company and its parent or affiliates in other countries. Such intra-group transfers are subject to the same cross-border transfer rules as third-party transfers. Organisations should implement binding corporate rules or standard contractual clauses to facilitate compliant data sharing within their group.
FSC and Data Protection Commissioner May Both Investigate
A data protection failure at an FSC-licensed entity could trigger investigations by both the Data Protection Commissioner (under the DPA 2017) and the FSC (under the Financial Services Act and licensing conditions). This dual exposure means the consequences of non-compliance are amplified for financial services firms. A data breach or failure to implement adequate security measures could result in DPA penalties, FSC sanctions, and reputational damage. Integrated compliance management is essential.
Compliance Checklist
Use this structured checklist to assess and track your organisation's compliance with the Mauritius DPA 2017.
Registration & Governance
- Register as a data controller with the Data Protection Commissioner (Section 30)
- Include all required details in the registration — purposes, data categories, recipients, transfers, security measures, retention
- Renew registration annually or as required
- Designate a data protection officer or responsible person within the organisation
- Develop and publish a data protection policy aligned with the DPA 2017
- Establish a data governance structure with clear roles, responsibilities, and reporting lines
Lawful Processing & Consent
- Identify and document the lawful basis for every processing activity (Section 23)
- Where consent is relied upon, ensure it is freely given, specific, informed, and unambiguous
- Implement a mechanism for data subjects to withdraw consent
- Maintain consent records with timestamps and details
- Ensure sensitive personal data is processed only on permitted grounds (Section 24)
Transparency & Notification
- Draft and publish a privacy notice that complies with the Act's requirements
- Provide the privacy notice at or before the point of data collection
- Include purpose, categories, retention, rights, and transfer details
- Review all data collection points for compliance
Security Safeguards (Section 35)
- Implement appropriate technical and organisational measures to protect personal data
- Conduct risk assessments to identify threats to data security
- Deploy encryption, access controls, pseudonymisation, and intrusion detection
- Regularly test and verify the effectiveness of security measures
- Ensure data processors have adequate security through binding agreements (Section 34)
Data Subject Rights
- Establish processes to receive and respond to access requests (Section 41)
- Establish processes for rectification, erasure, restriction, portability, and objection requests
- Define response timelines — the DPA 2017 generally requires responses within 30 days
- Train staff on identifying and handling data subject requests
Breach Response
- Develop a documented data breach response procedure
- Notify the Data Protection Commissioner within 72 hours (Section 37)
- Notify affected data subjects where the breach poses a high risk
- Maintain a breach register recording all incidents
- Conduct regular breach response exercises
Cross-Border Transfers
- Identify all cross-border transfers of personal data (Section 36)
- Verify the receiving country is on the Commissioner's adequacy list
- Where adequacy is not established, implement SCCs, BCRs, or obtain consent
- Document the lawful basis for each transfer
- Include transfer provisions in data processing agreements
Financial Services Specific (if applicable)
- Map DPA obligations alongside FSC licensing conditions
- Ensure AML/KYC data is processed in compliance with both FIAMLA and DPA 2017
- Implement appropriate safeguards for intra-group cross-border data transfers
- Document the lawful basis for processing under both financial services regulation and data protection law
- Report data protection incidents to both the Commissioner and the FSC where applicable
Data Protection Office
The Data Protection Office, headed by the Data Protection Commissioner, is the independent supervisory authority under the DPA 2017. Its functions include:
- Registration — Maintaining the register of data controllers and processing registration applications
- Complaint handling — Receiving and investigating complaints from data subjects
- Auditing — Conducting compliance audits and inspections of data controllers
- Enforcement — Issuing enforcement notices, imposing administrative penalties, and ordering remedial actions
- Adequacy assessments — Determining which countries provide adequate data protection for cross-border transfers
- Guidance — Issuing codes of practice, guidelines, and advisory opinions
- International cooperation — Cooperating with foreign data protection authorities
The Commissioner has the power to enter premises, inspect records, and require data controllers to provide information. Obstruction of the Commissioner is an offence under the Act.
Penalties
The DPA 2017 provides for both administrative and criminal penalties:
| Offence | Penalty |
|---|---|
| Processing without registration | Fine up to MUR 200,000 and/or imprisonment up to 5 years |
| Non-compliance with data protection principles | Fine up to MUR 200,000 and/or imprisonment up to 5 years |
| Failure to notify a data breach | Fine up to MUR 200,000 and/or imprisonment up to 5 years |
| Unlawful cross-border transfer | Fine up to MUR 200,000 and/or imprisonment up to 5 years |
| Obstruction of the Commissioner | Fine up to MUR 100,000 and/or imprisonment up to 2 years |
| Failure to comply with an enforcement notice | Fine up to MUR 200,000 and/or imprisonment up to 5 years |
The Commissioner can also:
- Issue enforcement notices requiring specific remedial actions
- Order the suspension of processing activities
- Order the rectification, blocking, or erasure of data
- Refer matters for criminal prosecution
- Publish findings of investigations
Penalties May Seem Modest, but Reputational Risk Is High
While the maximum fine of MUR 200,000 (approximately USD 4,500) is modest compared to GDPR fines, the reputational consequences of a data protection failure in Mauritius can be severe — particularly for financial services firms. Loss of FSC licensing, client attrition, and damage to Mauritius's reputation as a compliant international financial centre can far exceed the statutory penalty. Financial services firms should treat data protection compliance as a strategic business imperative, not merely a regulatory obligation.
Mauritius DPA vs GDPR
Mauritius-based organisations that serve EU clients or have European affiliates often need to comply with both the DPA 2017 and GDPR. The DPA 2017 draws heavily from GDPR principles, but differences exist.
| Area | Mauritius DPA 2017 | GDPR |
|---|---|---|
| Scope | Data controllers established in Mauritius or using equipment in Mauritius | Controllers/processors established in EU or processing data of EU residents |
| Regulator | Data Protection Commissioner | National Data Protection Authorities |
| Registration | Mandatory registration of data controllers with the Commissioner | No registration requirement (record-keeping obligation instead) |
| Lawful grounds | 6 grounds under Section 23 | 6 grounds under Article 6 |
| Breach notification | 72 hours to the Commissioner (Section 37) | 72 hours to the supervisory authority (Article 33) |
| Data portability | Explicitly provided under Section 45 | Explicitly provided under Article 20 |
| Automated decision-making | Rights under Section 47 | Rights under Article 22 |
| Maximum fine | MUR 200,000 (~USD 4,500) and/or 5 years imprisonment | EUR 20 million or 4% of global annual turnover |
| Criminal penalties | Yes — imprisonment up to 5 years | Generally no (left to member states) |
| Cross-border transfer mechanism | Adequacy list, consent, contractual necessity, approved safeguards | Adequacy decisions, SCCs, BCRs (Chapter V) |
| DPO requirement | Not explicitly required, but recommended | Required in certain circumstances (Article 37) |
Organisations subject to both laws should map their controls to both frameworks. Using Dimeri, a single security control can be mapped to both Mauritius DPA and GDPR requirements — tested once and credited to both, eliminating duplicate compliance effort. This is particularly valuable for Mauritius-based financial services firms that serve European clients.
Ongoing Compliance
DPA 2017 compliance is an ongoing obligation. Here is how to maintain sustainable compliance:
1. Renew Registration Annually
Registration with the Data Protection Commissioner must be renewed. Monitor renewal deadlines and ensure registration remains current. Lapsed registration is an offence carrying significant penalties.
2. Integrate DPA Obligations into Your Risk Register
Treat every DPA obligation as a compliance risk with a named owner, deadline, mapped controls, and attached evidence. For FSC-licensed entities, map DPA obligations alongside FSC requirements in a unified register.
3. Monitor Cross-Border Transfer Adequacy
The Commissioner's adequacy list may change. Monitor updates to ensure your cross-border transfers remain compliant. Changes in adequacy status may require implementing new safeguards or revising data processing agreements.
4. Train Staff Continuously
Regular data protection training — at onboarding and annually thereafter — is essential. For financial services firms, training should cover both DPA requirements and the data protection aspects of AML/KYC procedures.
5. Use Technology to Automate Compliance
A compliance management platform like Dimeri links every DPA obligation to its controls, evidence, and owner — providing a live compliance dashboard and audit-ready reports on demand. For Mauritius-based financial services firms, Dimeri can map overlapping obligations from the DPA 2017, FSC requirements, and GDPR in a single register, eliminating duplicate effort and providing a unified compliance view.
Key Takeaways
- The Mauritius DPA 2017 modernises the country's data protection framework, aligning it with GDPR standards and positioning Mauritius as a compliant international financial centre
- Registration with the Data Protection Commissioner is mandatory for all data controllers — processing without registration carries penalties of up to MUR 200,000 and 5 years imprisonment
- Financial services firms face dual compliance obligations — DPA 2017 requirements must be met alongside FSC licensing conditions and AML/CFT rules
- Breach notification must be made within 72 hours to the Commissioner, with data subjects notified where the breach poses a high risk
- Cross-border transfers are restricted to countries on the Commissioner's adequacy list, or subject to approved safeguards — critical for GBCs and financial services groups
- While monetary penalties are modest (MUR 200,000), criminal penalties (up to 5 years imprisonment) and reputational risk — especially for FSC-licensed entities — make compliance a business imperative
- Organisations subject to both DPA 2017 and GDPR can map shared controls to both frameworks, eliminating duplicate effort
- Continuous compliance — supported by registration renewal, risk registers, staff training, and automated tracking — is essential for sustainable adherence
Frequently Asked Questions
Does the Mauritius DPA 2017 apply to Global Business Companies?
Yes. The DPA 2017 applies to every data controller established in Mauritius, which includes Global Business Companies (GBCs) licensed under the Financial Services Act. GBCs that process personal data — whether of clients, beneficial owners, or counterparties — must register with the Data Protection Commissioner and comply with all provisions of the Act. This is particularly important for GBCs that engage in cross-border data transfers, as the adequacy requirements under Section 36 apply to all transfers regardless of the entity's licensing status.
How do AML/KYC requirements interact with data protection in Mauritius?
Processing personal data for AML/KYC purposes is lawful under the DPA 2017's "legal obligation" ground, as FIAMLA imposes mandatory customer due diligence requirements. However, the data protection principles still apply: data collected for AML purposes must not be used for incompatible purposes, must be accurate, and must be retained only for as long as required by law (typically 7 years under FIAMLA). Organisations must also ensure that their privacy notices disclose AML-related processing and that security safeguards are proportionate to the sensitivity of the data involved.
Which countries are on the Commissioner's adequacy list?
The Data Protection Commissioner publishes and periodically updates the list of countries that provide an adequate level of data protection for the purposes of cross-border transfers under Section 36. The list generally includes EU/EEA member states and countries that have received adequacy recognition under similar frameworks. Organisations should check the Commissioner's current published list before initiating transfers and should have contingency safeguards — such as standard contractual clauses — in place in case a country's adequacy status changes.
Is a Data Protection Officer required under the Mauritius DPA?
The DPA 2017 does not explicitly mandate the appointment of a Data Protection Officer (DPO) for all data controllers, unlike the GDPR. However, appointing a DPO is strongly recommended — particularly for financial services firms and organisations that process large volumes of personal or sensitive data. A DPO can coordinate compliance efforts, manage data subject requests, liaise with the Commissioner, and ensure the organisation's data protection practices are continuously maintained. For FSC-licensed entities, demonstrating a proactive data protection governance structure can support regulatory relationships.
Can a data subject claim compensation under the Mauritius DPA?
Yes. The DPA 2017 provides data subjects with the right to seek compensation for damage suffered as a result of a violation of the Act. Data subjects may lodge a complaint with the Data Protection Commissioner, who has the power to investigate and order remedial measures. Additionally, data subjects may pursue civil remedies through the courts. For financial services firms, this creates a dual exposure: regulatory penalties from the Commissioner and potential civil litigation from affected data subjects. Having a robust compliance programme, documented processes, and adequate insurance coverage is essential.