Template On Data Protection Policy - DPA 2017

Mauritius DPA 2017

Uploaded by

Ismael Dulloo

TEMPLATE FOR DATA PROTECTION POLICY

This is a model policy and is intended for guidance only. Any organisation
using this document should customise it to meet their specific
circumstances and/or requirements.

1. Introduction
This policy describes how personal information is collected and handled to
meet the organisation’s data protection standards and comply with the
law.

2. Controller
<<organisation>> is a controller under the Data Protection Act
2017 (DPA), which means that it determines the purposes and means of
the processing of personal data and has decision making power with
respect to the processing.

3. Data Collection
i. What data do you collect from data subjects (employees,
non-employees)?
Example: We collect the following personal data from you: your
name, postal address, telephone number, email address, stay
information, credit and debit card number.
ii. Why are we collecting your data?
Example: We process your data on the basis of your consent and
for the purposes of carrying out reservations, for concluding and
fulfilling the contracts related

Please refer to section 23 (2) of the Data Protection Act 2017
regarding information to be provided to data subjects upon
collection of their personal data.

4. How do we process your data?
Explain how data collected will be processed in your organisation. Do not
forget to mention the retention period.

5. Data Disclosure
In certain circumstances, the Data Protection Act 2017 allows personal
data to be shared among public sector agencies without the consent of
the data subject. State to which organisation and for what purposes data
will be disclosed.

6. Data Security
Describe how <<organisation>> is committed to ensuring the security
of personal data in order to prevent unauthorised access, accidental
deletion and malicious hacking attempts.
Example: The computers storing the information are kept in a secure
environment with restricted physical access. We use secure firewalls and
other measures to restrict electronic access. If the data must be
transferred to a third party, we require them to have in place similar
measures to protect your personal data.

7. What are your rights? (Data Subjects’ rights)
I. As per the Data Protection Act 2017, all individuals who are the
subject of personal data held by <<organisation>> are entitled to
• request access to their personal data.
• request rectification or erasure of their personal data.
• request restriction of processing of their personal data.
• object to the processing of their personal data.
• request withdrawal of consent.
II. Ensure that individuals are aware of their rights and that they
understand how to exercise such rights.
III. Indicate to the individuals how to make a request relating to any of
the rights listed above. No administration fee must be charged for
considering and/or complying with such a request unless the request
is deemed to be manifestly excessive in nature.
IV. As per section 37 (4) of the DPA, where the personal data are not or
have not been collected from the data subject, the controller shall not
be required to provide information where the processing is expressly
prescribed by law or this proves to be impossible or involves a
disproportionate effort.
You should include this subsection 37(4) as well if this is applicable in
your context.

Example of statement for this section: You have the right to access your
data, to obtain a copy of your data, to request their erasure or
rectification and the right not to be subject to a purely automated
decision without having your views taken into consideration. You also
have the right to object to the processing, withdraw your consent and
lodge a complaint with the Data Protection Office should you consider
that this data processing is in violation of the law.
You may contact us at Email address with your requests. We must
answer your request within one month, but if your request is too
complex or we receive too many other requests we will inform you that
this period may be extended by a further two months.

8. Links to another website
Inform the individuals that the website may contain links to other websites
of interest. However, once they have used these links to leave the site,
they should note that <<organisation>> does not have any control over
that other website. Therefore, <<organisation>> cannot be responsible
for the protection and privacy of any information which they provide
whilst visiting such sites and such sites are not governed by this privacy
statement.

9. Compliance with Data Protection Act 2017
All processing of personal data by <<organisation>> will be done in
compliance with the Data Protection Act 2017.

10. Conclusion
This policy will be updated as and when required to reflect best practice in
data management, security and control and to ensure compliance with
any changes or amendments made to the Data Protection Act 2017.

Glossary of Terms:
Data Protection Act 2017: In Mauritius, the law which governs the
protection of personal data is the Data Protection Act (DPA) 2017.

Controller means a person who or public body which, alone or jointly
with others, determines the purposes and means of the processing of
personal data and has decision making power with respect to the
processing.

Data Subject (Individual) means an identified or identifiable
individual, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that individual.

Personal Data means any information relating to a data subject.

Special categories of data in relation to a data subject means personal
data pertaining to:
a) his racial or ethnic origin;
b) his political opinion or adherence;
c) his religious or philosophical beliefs;
d) his membership of a trade union;
e) his physical or mental health or condition;
f) his sexual orientation, practices or preferences;
g) his genetic data or biometric data uniquely identifying him;
h) the commission or alleged commission of an offence by him;
i) any proceedings for an offence committed or alleged to have been
committed by him, the disposal of such proceedings or the
sentence of any Court in the proceedings; or
j) such other personal data as the Commissioner may determine to be
sensitive personal data.

Processing means an operation or set of operations performed on
personal data or sets of personal data, whether or not by automated
means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment
or combination, restriction, erasure or destruction.
