
A Legal Overview of the Data Protection Act 2017
By: Mrs D. Madhub, Data Protection Commissioner
06.02.2018

Overview
The Data Protection Act 2017
Aim of the Act
Major changes brought in by the new Act
Key Definitions
New Definitions
The Data Protection Office
Registration of controllers and processors
Obligations on controllers and processors
Rights of Data Subjects
Offences and penalties
Exceptions and restrictions
Certification
Benefits of the new Act

The Data Protection Act 2017
Replaces the Data Protection Act 2004. Passed by the National Assembly on 8 December 2017 and given presidential assent on 23 December 2017. Came into force on 15 January 2018.

Aim of the Act
To strengthen the control and personal autonomy of data subjects (individuals) over their personal data.
To be in line with current relevant international standards, in particular the European Union's General Data Protection Regulation (GDPR) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Aim of the Act (Continued)
To simplify the regulatory environment for business in our digital economy.
To promote the safe transfer of personal data to and from foreign jurisdictions, given the diversification, intensification and globalisation of data processing and personal data flows.

Major changes brought in by the new Act
Existing data protection principles and key definitions, such as consent and personal data, have been modernised.
Introduction of new concepts such as:
Data Protection Impact Assessments (DPIA);
notification by controllers of personal data breaches to the Data Protection Office and to data subjects;
voluntary certification mechanisms and data protection seals and marks for controllers; and
the right to object to automated individual decision-making, including profiling.

Major changes brought in by the new Act (Continued)
Simplifying:
the registration and renewal process for controllers and processors;
the complaints mechanism and the procedures related to hearings conducted by the Data Protection Office; and
the conduct of business, in particular the free flow of data from the EU or other parts of the world to Mauritius.

Key Definitions
Controller: a person who, or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision-making power with respect to the processing.
Processor: a person who, or public body which, processes personal data on behalf of a controller.
Data Subject: an identified or identifiable individual, in particular one who can be identified by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

New Definitions
The following terms have been defined under the Interpretation section of the Data Protection Act 2017:
Biometric data
Encryption
Genetic data
Physical or mental health
Personal data breach
Profiling
Pseudonymisation

The Data Protection Office
A public office which acts with complete independence and impartiality. It is not subject to the control or direction of any other person or authority in the discharge of its functions. The head of the Office is the Data Protection Commissioner.

The Data Protection Office (Continued)
Powers of the Data Protection Commissioner
Part II of the Act deals with the powers of the Commissioner to enable her to carry out her functions under the Act. For instance, the Commissioner now has enhanced powers with regard to the handling of complaints, namely the amicable resolution of disputes whenever possible.

Registration of controllers and processors
Should controllers and processors register with the Data Protection Office? YES.
Part III of the Act deals with the registration of controllers and processors. Section 14 provides: "No person shall act as controller or processor unless he or it is registered with the Commissioner."
Registration is for a period not exceeding 3 years; on the expiry of that period the relevant entry is cancelled unless the registration is renewed.

Obligations on controllers and processors
Principles relating to processing of personal data (Section 21)
Controllers and processors must ensure that the processing of personal data is lawful, fair and transparent; that the data are adequate, relevant and accurate; that they are kept no longer than required; and that the processing is proportionate to the purposes for which the data are processed.
Duties of controller (Section 22)
The controller must ensure that all personal data are processed in compliance with the Act, and must be able to demonstrate compliance through a series of measures, including implementing appropriate security and organisational measures, keeping documentation and designating a data protection officer, amongst others.

Obligations on controllers and processors (Continued)
Collection of personal data (Section 23)
The principles of fair and transparent processing require the controller to provide information about itself and about the purposes of the processing, and to explain to data subjects how their personal data will be processed (e.g. the existence of automated decision-making, including profiling), the consequences of that processing, and their individual rights (e.g. the existence of the right to withdraw consent).
Conditions for consent (Section 24)
Consent must be freely given, specific, informed and unambiguous. The controller must be able to supply evidence that consent has been obtained (consent must be verifiable). Consent can be withdrawn at any time.

Obligations on controllers and processors (Continued)
Notification of a personal data breach to the Commissioner (Section 25)
As soon as the controller becomes aware that a breach has occurred, it must notify the breach to the Data Protection Office without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Communication of a personal data breach to the data subject (Section 26)
The controller must communicate a personal data breach to the data subject without undue delay where the breach is likely to result in a high risk to the rights and freedoms of the individual, so that he or she can take the necessary precautions (e.g. replacing credit cards if the data subject's card details have been leaked).

Obligations on controllers and processors (Continued)
Duty to destroy personal data (Section 27)
Where the purpose for keeping personal data has lapsed, every controller shall destroy the data as soon as is reasonably practicable, and notify any processor holding the data.
Lawful processing (Section 28)
The Act lays down the conditions that provide a legal basis for processing, such as obtaining the consent of the data subject before any processing.

Obligations on controllers and processors (Continued)
Special categories of personal data (Section 29)
Previously known as sensitive personal data under the DPA 2004. The category now includes genetic data, and biometric data where processed to uniquely identify a person. Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, as the context of their processing could create significant risks to those rights and freedoms.

Obligations on controllers and processors (Continued)
Personal data of a child (Section 30)
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and of their rights in relation to the processing of personal data. Parental consent must be obtained for children under the age of 16. The controller is also required to make reasonable efforts, in light of available technology, to verify that consent has been given by the holder of parental responsibility.

Obligations on controllers and processors (Continued)
Security of processing (Section 31)
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational security measures. These measures include:
pseudonymisation and encryption of the personal data;
ongoing review of security measures;
redundancy and backup facilities; and
regular security testing.
The Act contains special provisions where a processor is involved, such as choosing a processor that provides sufficient guarantees about its security measures, and written contracts to be signed.
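Pseudonymisation is the first measure Section 31 names, and the Act defines it (in the Interpretation section listed earlier) as processing after which the data can no longer be attributed to a specific data subject without additional information kept separately. The following Python is an added example, not code from the Data Protection Office or from the presentation; it shows what "kept separately" means in practice, and the caveat a practitioner should know: a plain hash of a guessable identifier (national ID number, phone number, e-mail address) is not adequate pseudonymisation, because it can be reversed by enumeration, whereas a keyed hash (HMAC) cannot be reversed without the key. The records, names and ID numbers are constructed for illustration.

```python
"""Pseudonymisation with a keyed hash (HMAC-SHA256) versus a plain hash.

Added example; not code from the Data Protection Office or the presentation.
The secret key is the "additional information" that must be stored apart
from the pseudonymised data set. All records below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records: fictitious national ID numbers and names.
RECORDS = [
    {"nid": "A1234567890123", "name": "Alice", "diagnosis": "asthma"},
    {"nid": "B9876543210987", "name": "Bob", "diagnosis": "diabetes"},
    {"nid": "A1234567890123", "name": "Alice", "diagnosis": "migraine"},
]


def new_key() -> bytes:
    """Generate a 256-bit secret key. Store it separately from the data
    (e.g. in a key management service), never alongside the records."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for a direct identifier.

    The same identifier under the same key always gives the same token, so
    records about one person can still be linked (e.g. for research), but
    the token cannot be mapped back to the identifier without the key.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier with a token and drop the name field."""
    return [
        {"subject": pseudonym(r["nid"], key), "diagnosis": r["diagnosis"]}
        for r in records
    ]


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Looks anonymous, but is not
    adequate pseudonymisation when the identifier space is guessable."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates: list) -> Optional[str]:
    """Try to re-identify a token by hashing candidate identifiers.

    Succeeds against unkeyed_hash() output; fails against pseudonym()
    output because the attacker does not hold the key.
    """
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_hash(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = new_key()
    for row in pseudonymise(RECORDS, key):
        print(row)
    ids = [r["nid"] for r in RECORDS]
    print("unkeyed token re-identified as:",
          dictionary_attack(unkeyed_hash(RECORDS[0]["nid"]), ids))
    print("keyed token re-identified as:",
          dictionary_attack(pseudonym(RECORDS[0]["nid"], key), ids))
```

Rotating or losing the key changes every token, so the key is part of the record-keeping the Act expects under Section 33; and because the tokens are still linkable, a pseudonymised data set remains personal data under the Act and still needs the other Section 31 measures (backups, testing, review).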

Obligations on controllers and processors (Continued)
Prior security check (Section 32)
Provides for the power of the Data Protection Commissioner to perform security checks and inspections of the security measures implemented by the controller or processor.
Record of processing operations (Section 33)
In order to demonstrate compliance with the Act, controllers and processors must maintain records of the processing activities under their responsibility. These records must be made available, on request, to the Data Protection Office.

Obligations on controllers and processors (Continued)
Data Protection Impact Assessment (Section 34)
In order to enhance compliance with the Act, where processing operations are likely to result in a high risk to the rights and freedoms of individuals, the controller is responsible for carrying out a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. Such processing operations may include: a bank screening its customers against a credit reference database; a medical company offering genetic tests directly to consumers in order to assess and predict disease or health risks; the introduction of a new data processing technology; or a company building behavioural or marketing profiles based on usage of, or navigation on, its website.

Obligations on controllers and processors (Continued)
Prior authorisation and consultation (Section 35)
Where a controller or processor does not provide appropriate safeguards for the transfer of personal data to another country, it must obtain authorisation from the Office before processing the personal data. Where a data protection impact assessment indicates that processing operations involve high risks, the controller or processor must consult the Office prior to processing.
Example of when authorisation or consultation should be sought: processing health data on a large scale, as this is considered likely to result in a high risk.

Obligations on controllers and processors (Continued)
Transfer of personal data outside Mauritius (Section 36)
A controller or processor must provide proof of appropriate safeguards to the Commissioner before transferring personal data to another country, whenever so required. In the absence of appropriate safeguards, the data subject must give explicit consent after having been informed of the possible risks of the transfer. Section 36(1)(c) provides other conditions under which a transfer can be made, for example for the conclusion of a contract or for public interest requirements, amongst others.

Rights of Data Subjects
Part VII of the Act stipulates the rights of data subjects.
The Act has enhanced the rights to access, rectify, erase and restrict the processing of personal data.
New provisions have been made to cater for decisions based on automated processing, and for the right of individuals to object to the processing of their personal data.

Rights of Data Subjects (Continued)
Right of access (Section 37)
The Act obliges controllers to give data subjects access to their personal data free of charge, and to provide a copy of the data within one month of a written request.
Automated individual decision-making (Section 38)
Data subjects now have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning them or which significantly affects them.

Rights of Data Subjects (Continued)
Rectification, erasure or restriction of processing (Section 39)
Data subjects have the right to:
rectify inaccurate personal data;
have their personal data deleted if the continued processing of those data is not justified;
withdraw their consent;
restrict the processing of their personal data (meaning that the data may only be held by the controller, and may only be used for limited purposes).

Rights of Data Subjects (Continued)
Right to object (Section 40)
Data subjects have the right to object, on grounds relating to their particular situation, to the processing of their personal data. Following the individual's objection, the burden falls on the controller to establish why it should nonetheless be able to process the personal data.
Exercise of rights (Section 41)
Where a person is a minor or is physically or mentally unfit, a duly authorised person (parent, guardian or legal administrator) can exercise the rights under this Part on his or her behalf.

Rights of Data Subjects (Continued)
Controllers must (on written request):
confirm whether they process an individual's personal data;
provide a copy of the data;
provide supporting explanatory materials.
Access rights are intended to allow individuals to:
check the lawfulness of the processing;
obtain a copy of their personal data.
Note: these rights must not adversely affect the rights of others.

Offences and Penalties
There are various offences and criminal penalties under this Act which, if committed, are in general sanctioned by a court of law. Where no specific penalty is provided, any person who does not comply with or contravenes this Act shall, on conviction, be liable to a fine not exceeding 200,000 rupees and to imprisonment for a term not exceeding 5 years.

Offences and Penalties (Continued)
For example:
Section 6 (Investigation of complaints): any person who fails to attend a hearing or to produce a document or other material when required to do so. Penalty: a fine not exceeding 50,000 rupees and imprisonment for a term not exceeding 2 years.
Section 7 (Power to require information): any person who fails or refuses to comply with a requirement specified in a notice, or who furnishes to the Commissioner any information which he knows to be false or misleading in a material particular. Penalty: a fine not exceeding 50,000 rupees and imprisonment for a term not exceeding 2 years.

Offences and Penalties (Continued)
For example:
Section 15 (Application for registration): any controller or processor who knowingly supplies any information, during registration, which is false or misleading in a material particular. Penalty: a fine not exceeding 100,000 rupees and imprisonment for a term not exceeding 5 years.
Section 17 (Change in particulars): any controller or processor who fails to notify a change in particulars. Penalty: a fine not exceeding 50,000 rupees.
Section 28 (Lawful processing): any person who processes personal data unlawfully. Penalty: a fine not exceeding 100,000 rupees and imprisonment for a term not exceeding 5 years.

Exceptions and Restrictions
The processing of personal data by an individual in the course of a purely personal or household activity is exempted from the Data Protection Act. Sections 3(4) and 44 set out the types of processing of personal data which are exempted from this Act. In general, processing is exempted where it constitutes a necessary and proportionate measure in a democratic society for one of the following reasons:
the protection of national security, defence or public security;
the prevention, investigation, detection or prosecution of an offence, including the execution of a penalty;
an objective of general public interest, including an economic or financial interest of the State;
the protection of judicial independence and judicial proceedings;
the protection of the data subject or of the rights and freedoms of others.

Exceptions and Restrictions (Continued)
The processing of personal data for the purpose of historical, statistical or scientific research is exempted, provided that security and organisational measures are implemented to protect the rights and freedoms of the data subjects involved. The controller or processor has a duty to secure the data to prevent its unlawful disclosure; for instance, appropriate technology such as pseudonymisation or encryption can be used to secure the data.

Certification
To enhance transparency and compliance with the Data Protection Act 2017, certification (Section 48) has been introduced to:
help controllers or processors demonstrate accountability and compliance with the Act;
build confidence and trust in the organisation with all stakeholders, as well as with the wider public;
allow data subjects to quickly assess the level of data protection of relevant products and services;
give legal certainty for cross-border data transfers.

Certification (Continued)
The Data Protection Office encourages the establishment of data protection certification mechanisms, seals and marks. Certification is voluntary but enables controllers and processors to demonstrate compliance with the Data Protection Act. Controllers or processors wishing to be certified must apply to the Data Protection Office. Certificates are issued by the Data Protection Office, are valid for three years and are subject to renewal.

Benefits of the new Act
Increased accountability of controllers will lead organisations to implement controlled business processes, resulting in better organisation, greater productivity and efficiency, and a higher level of security. Being compliant will also help organisations gain and strengthen customer trust, confidence and loyalty. Enhanced data subject rights will give individuals greater control over their personal data. The risk of data breaches will be reduced.

Benefits of the new Act (Continued)
The legal and practical certainty for economic operators and public authorities will be reinforced. The new data protection framework will significantly improve the digital legal landscape in response to the new EU requirements for adequacy, thereby attracting foreign investors. Certified organisations are recognised as providing adequate privacy protection, thus giving legal certainty for cross-border data transfers.

Thank You