Mauritius DPA 2017

Data Protection Act 2017 (Act No. 20 of 2017)

Key Facts

Effective Date: January 15, 2018
Enacted: January 1, 2017
Enforcing Authority: Data Protection Office (DPO); courts impose penalties (DPO cannot impose fines directly)
Consent Model: Opt-in
Applies To: All data controllers and processors operating within Mauritius

Overview

Mauritius's Data Protection Act 2017 (Act No. 20 of 2017) modernized the country's privacy framework by replacing the earlier 2004 Act with GDPR-aligned provisions. Effective January 15, 2018, it is enforced through a unique model where the Data Protection Office investigates but courts impose penalties. Mandatory registration with the DPO is required before any data processing begins. As a Council of Europe Convention 108 member, Mauritius demonstrates strong alignment with European data protection standards.

What This Means for Your Website

If your website processes personal data of Mauritius residents, you must register with the Data Protection Office before any processing, obtain consent as a legal basis for collection, and implement appropriate security measures. Data subjects have rights to information, access, rectification, and erasure. Cross-border data transfers require adequacy determinations.

Key Requirements

Registration with the Data Protection Office is mandatory before processing personal data. Consent is required for lawful processing. Data subjects have comprehensive rights including information, access, rectification, and erasure. Data security measures must be implemented. Cross-border transfers are subject to adequacy requirements. Certain processing activities require the appointment of a data protection officer.

How ConsentStack Handles This

ConsentStack helps organizations comply with Mauritius's DPA 2017 by providing a consent management banner that captures lawful consent. It maintains detailed records of all consent decisions with timestamps for DPO registration compliance, supports data subject rights workflows, and provides audit trails that satisfy the court-enforced penalty framework.

Penalties

MUR 50,000 and/or 2 years imprisonment (general violations); MUR 100,000 and/or 5 years imprisonment (serious violations); MUR 200,000 and/or 5 years (failure to register)

Maximum Fine: MUR 200,000 per violation

Key Requirements

  • Mandatory registration with Data Protection Office before processing
  • Consent required for lawful processing
  • Data subjects have rights to information, access, rectification, and erasure
  • Data security measures mandatory
  • Cross-border transfers subject to adequacy requirements
  • Appointment of a data protection officer required for certain processing activities

Notable Provisions

  • Courts impose penalties rather than the DPO — unusual enforcement model
  • Council of Europe Convention 108 member, aligning with European standards
  • Replaced the DPA 2004 with a GDPR-aligned framework

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Do I need to register before processing data in Mauritius?

Yes, mandatory registration with the Data Protection Office is required before any personal data processing begins.

What are the penalties under Mauritius's DPA 2017?

Penalties range from MUR 50,000 and/or 2 years imprisonment for general violations to MUR 200,000 and/or 5 years for failure to register. Courts impose penalties, not the DPO.

Is Mauritius aligned with European data protection standards?

Yes, Mauritius is a member of the Council of Europe Convention 108, signaling strong alignment with European data protection principles.

Does Mauritius's DPA apply to foreign companies?

The DPA applies to all data controllers and processors operating within Mauritius, which can include foreign entities processing data in the country.
