The Seychelles Data Protection Act is designed to align with global best practices in privacy law. It marks a crucial step towards establishing a robust framework for the responsible handling of personal data within Seychelles, promoting the responsible flow of information by private and public entities, and enhancing transparency and accountability in data handling practices.
Key features of the Data Protection Act (DPA):
Scope and Applicability
The DPA applies to individuals as well as public and private entities that collect, process, or store personal data in Seychelles. The DPA specifically excludes from its purview the processing of personal data by relevant authorities in the course of a criminal investigation; matters that pertain to national security; and the processing of personal data by a natural person for a personal activity.
Data Protection Principles
Similar to the European Union’s General Data Protection Regulation (GDPR), the DPA requires the explicit consent of data subjects (i.e., individuals whose data is being collected, stored and processed) before collecting and processing their personal data. Controllers and/or processors have the duty to inform the data subject of the reasons for collecting their data, and to ensure data quality, security and confidentiality.
Data Subject Rights
The DPA gives individuals greater control over their personal information. Data subjects now have the right to be informed, and to access, rectify, and erase their data. Additionally, they have the right to restrict or object to the processing of their data and the right to demand compensation for any unlawful processing.
Obligations of Data Controllers/Processors
The DPA obliges data controllers/processors to make publicly available the type of information in their custody, and to adopt a privacy policy that provides a detailed and accurate representation of the entity’s data processing and data transfer activities. Entities engaging in high-risk data processing activities are required to conduct Data Protection Impact Assessments. The DPA also mandates prompt reporting of data breaches to the Information Commission and affected individuals. Certain organisations, based on their size and the nature of their data processing, are obligated to appoint a Data Protection Officer under the DPA.
Cross-Border Data Transfers
The DPA incorporates measures to regulate the transfer of personal data outside Seychelles. Entities engaged in cross-border data transfers must adhere to specific safeguards and mechanisms to ensure the continued protection of personal information, aligning with international data protection standards.
Enforcement and Penalties
The Information Commission of the Seychelles has been designated as the competent authority to enforce and implement the DPA, and is empowered to conduct audits and investigations and to impose penalties on entities that violate the DPA.
Transitional Provisions
All data controllers and data processors have been provided with a transitional period of 18 months (from 22 December 2023) to ensure that their activities conform to the DPA.
As organisations adapt to these new regulations, public awareness and education regarding data protection rights and best practices will be key to empowering individuals with the knowledge needed to safeguard their own privacy and to building a privacy-conscious society. The introduction of comprehensive data protection legislation in Seychelles reflects the government’s commitment to safeguarding the privacy of its citizens and the security of personal information, and positions Seychelles as a responsible participant in the global digital landscape.