On December 22, 2023, the Official Gazette of the Republic of Seychelles published the Data Protection Act, 2023 (the Act) which entered into force on the same day. The Act was previously passed by the National Assembly on December 5, 2023.

In particular, the Act will apply to the processing of data within Seychelles by public or private bodies, exempting processing of personal data by authorities in the course of a criminal investigation, matters pertaining to national security, or processing by a natural person for personal activity.

Information Commission

The Act sets up the Information Commission as the competent authority to, among other things, enforce and implement the Act, promote public awareness, handle complaints from data subjects, conduct investigations, and impose fines.

Data protection principles

Furthermore, the Act outlines data protection principles, such as data retention, data quality, data minimization, purpose limitation, use and further disclosure limitation, transparency, data security and confidentiality, and proportionality and accountability.

Legal basis

Under the Act, personal data may be processed if:

• the data subject has provided consent;
• processing is necessary for the performance of contractual obligations between the data controller and the data subject;
• a specific law requires the processing by the data controller;
• processing is necessary to protect the vital interests of the data subject or of another natural person;
• processing is conducted in the context of public interest;
• processing responds to the legitimate interests of the data controller or a third party; and
• processing is necessary for the administration of justice, and public function in a state of emergency when the processing is conducted for the benefit of the data subject.

The Act prohibits the processing of special categories of personal data unless exceptions under Article 23(2) of the Act apply.

Data subject rights

The Act provides data subjects with the right to be informed, access, rectification, deletion, object to the processing of data, data portability, and to compensation.

Obligations of data controllers and processors

Notably, Article 34(1) of the Act requires the data controllers and processors to make all the information in their custody publicly available and develop a privacy policy that provides a detailed and accurate representation of the entity's data processing and data transfer activities.

Furthermore, data controllers must, among other things:

• implement technical and organizational measures in line with the privacy by design principle;
• engage a data processor that guarantees the security of processing and must put in place a contract with the data processor;
• maintain a record of processing activities, and the data processor must keep logs of processing operations;
• carry out a Data Protection Impact Assessment (DPIA) where the processing is likely to result in a high risk to the rights and freedoms of any individual;
• notify the data breach to the Information Commission, and if applicable, to the data subject; and
• under certain circumstances, designate a data protection officer (DPO).

Transfers of personal data

Under the Act, transfers of personal data are authorized under certain conditions, such as legal enforceability of system standards, by the Information Commission. The Information Commission may further specify, by regulations, the circumstances and restrictions of transfers to another country or international organization.

Enforcement and transitional period

The Information Commission is tasked to carry out enforcement and to impose fines under the Act. The Act foresees a transitional period of 18 months, beginning December 22, 2023, for data controllers or data processors to ensure conformity with the Act.

You can read the Act as published in the Official Gazette here.