Data protection & privacy laws in Mauritius (2026)

The Data Protection Act 2017 (Act 20/2017), proclaimed via Proclamation No. 3 of 2018 and effective 15 January 2018, is the single comprehensive law governing the collection, processing, storage, and transfer of personal data in Mauritius.

The Data Protection Office (DPO), an independent public body headed by the Data Protection Commissioner, registers data controllers/processors, investigates complaints, conducts audits, issues enforcement notices, and operates the e-DPO online platform (launched December 2022) for registrations and breach reports.

All data controllers and processors must register with the Commissioner before processing personal data, disclosing the categories of data and purposes of processing. Failure to register is a criminal offence punishable by a fine up to MUR 200,000 and/or up to five years' imprisonment.

Data subjects hold rights of access, rectification, erasure, restriction of processing, and objection, including a right to object to decisions based solely on automated processing (profiling) that significantly affect them — closely mirroring GDPR Chapter III rights.

Personal data may only be transferred outside Mauritius to countries providing an equivalent level of protection, or where the controller has provided appropriate safeguards to the Commissioner, or the data subject has given explicit informed consent — mirroring GDPR Chapter V adequacy and safeguard mechanisms.

The government's Digital Transformation Blueprint 2025–2029 (published May 2025, launched by the Office of the President) commits to amending the DPA 2017 for closer GDPR alignment, introducing regulations on data protection officers and online privacy, and establishing a Data Management Office — none yet in force as of May 2026.