Review of Seychelles DPA

Introduction

On December 19, 2023, the Data Protection Act (“DPA” or “the Act”) was enacted following the conclusion of public consultation on the Data Protection Bill. In August 2023, the Department of Information and Communications Technology (DICT) issued a call to the public to submit comments on the draft bill, which was finally passed in December. The Act repeals the 2003 Data Protection Act (“repealed Act”), which was never implemented despite being one of the earliest attempts to enact such a law in Africa. The enactment of the Act signifies a renewed commitment to data protection, to the principles for processing personal data in the digital age, and to the country’s digital economy agenda. The Act significantly improves on the repealed Act by addressing its gaps: for example, it creates a data protection authority to enforce the law, provides more data subject rights, and sets out mechanisms for cross-border data transfer. The Act provides an 18-month transition period for data controllers and processors to comply.

Key provisions

  • Scope of application - Section 3

The Act applies to the processing of personal data through automated or semi-automated means, and to data that form part of a filing system, within the territory of Seychelles. Unlike other laws with clear extraterritorial application, the Act is territorial in scope, which suggests it may not apply to data controllers and processors outside Seychelles. The provision is similar to the one in the repealed Act.

  • Establishment of the data protection authority - Section 5

The Act designates the Information Commission (“the Commission”) as the regulatory body responsible for enforcing the Act. Although the Information Commission was created under the Access to Information Act, the Act designates it as the data protection authority. This is similar to the approach taken in other African countries, like South Africa, where an existing authority is designated as the data protection authority. The designation is a departure from the older law, which did not specify the agency to enforce it.

The Information Commission has the authority and responsibility to establish and implement additional rules, regulations, and procedures to aid the Act’s implementation, conduct investigations and audits, raise public awareness, impose fines, and cooperate with foreign supervisory authorities. In addition, the Commission can request a preliminary injunction from the court and issue enforcement notices.

  • Data retention - Section 16

The Act mandates that data controllers store data only for the period it is needed, and once it is no longer needed, it must be deleted, archived, or anonymised. The data controller must also adopt procedures, mechanisms, and processes to ensure that data remains anonymous once the retention period has elapsed, using techniques such as data masking, pseudonymisation, encryption, or the removal of personally identifiable information, among others.

  • Obligation to ensure accountability - Section 21

The DPA requires data controllers to demonstrate accountability by implementing measures that guarantee data protection by design, keeping accurate records and documentation of all processing activities, and executing formal contractual agreements with data processors and third parties providing outsourcing services requiring access to or processing personal data.

  • Processing of sensitive personal data - Section 22

The Act prohibits the processing of sensitive personal data, except when consent has been obtained or when processing is necessary for employment and social protection law, vital interests, processing by non-profit organisations, legal claims, public interest, archival purposes, or to cover data related to misconduct and inadequate behaviour. The final exception implies that the processing of sensitive data is allowed when it is necessary to address misconduct or inadequate behaviour. However, the Act does not clearly define what constitutes misconduct or inadequate behaviour.

  • Processing of children’s data - Section 23

Under the DPA, a child is defined as an individual who is younger than 18 years old. Consequently, to process a child's data, the DPA requires data controllers to obtain consent from the parent or legal guardian or verify that consent has been obtained where the personal data is obtained from a third party. However, the Act does not provide a mechanism for verifying children’s age or verifying the validity of consent obtained from third parties.

  • Notification for data breach - Sections 43-44

As under most data protection laws, data controllers have 72 hours after discovering a breach that may put the rights and freedoms of data subjects at risk to notify the supervisory authority. The Act also allows for an extension of the time frame for notification, during which the data controller must provide an explanation for the delay. Additionally, the Act requires controllers to promptly notify data subjects in cases where the breach is expected to have a negative impact on a significant number of data subjects. However, the Act does not specify the time frame for the extension of the notice period or the time limit for notifying data subjects.

  • Designation of a person responsible for ensuring safe custody of data - Section 33

The DPA mandates data controllers to designate one or two persons responsible for ensuring compliance with the Act, and these persons shall not delegate the responsibility to another person. This person shall ensure safe custody of the personal data entrusted to the controller. The business contact information of at least one of the persons must be made available to the public for direct contact. By the provisions of the Act, all organisations processing personal data will be required to designate this person(s).

  • Data logging and blocking - Sections 38-39

A data controller is required to keep logs of its processing activities. Unlike the record of processing activities, the logs contain details of consultations and disclosures, which shall be used to verify the lawfulness of processing, for self-monitoring, to ensure the integrity and security of personal data, and for criminal proceedings. These logs are open to the Commission on request.

The Act also mandates data controllers to block access to personal data when it becomes subject to rectification or erasure. This ensures compliance with the processing principles and that data subjects effectively exercise their rights.

  • Designation of a data protection officer - Sections 45 - 46

The DPA mandates data controllers whose core processing activities require regular and systematic monitoring of data subjects on a large scale, or the processing of special categories of personal data on a large scale, to appoint a data protection officer. An organisation that falls outside the stipulated criteria may also appoint a DPO. The DPO shall oversee compliance with the Act, liaise with the Commission and be the contact person for data subjects.

  • Cross-border data flows - Section 47

The Act stipulates a general rule restricting personal data transfers outside Seychelles. However, it provides that international transfers can be concluded where the recipient country affords a “comparable level of protection” for the rights of data subjects in relation to personal data. The Act provides for reliance on any existing cross-border privacy rules (CBPR) scheme, among others, as the basis for determining a comparable level of protection for personal data. Seychelles is the first African country to specifically recognise the CBPR mechanism in its law. The provision also differs from the old law, which had no provision for international data transfer.

Aligning with the new DPA

To align with the provisions of the Seychelles DPA, businesses will need to undertake several key steps:

  • Establish or update data protection policies: Review existing data protection policies to ensure they comply with the DPA’s requirements, focusing on data retention, processing of sensitive data, children’s data, and breach notification procedures. Policies should clearly articulate how data is collected, used, stored, and disposed of in adherence to the principle of data minimisation.
  • Data mapping and risk assessment: Conduct comprehensive data mapping exercises to understand the flow of personal data within and outside the organisation. This will help identify potential risks to data subjects’ rights and freedoms and implement mitigating measures.
  • Designate a data protection officer (DPO) and responsible persons: For businesses falling within the criteria specified by the DPA, appointing a DPO is mandatory. This role involves overseeing data protection strategy and compliance and serving as a point of contact for the Information Commission and data subjects. All organisations processing personal data will also need to promptly designate the individuals who will be responsible for the safe custody of personal data within the organisation.
  • Implement technical and organisational measures: Invest in technology and processes that ensure data security, including encryption, anonymisation, and secure data storage solutions. Establishing data protection by design and by default should be a cornerstone of all data processing activities.
  • Training and awareness: Develop comprehensive training programs for employees to raise awareness about their roles and responsibilities under the DPA. Regular training ensures that the workforce is knowledgeable about data protection principles and the importance of compliance.
  • Review and revise contracts: Scrutinise agreements with third-party vendors, processors, and international partners to ensure they include necessary DPA compliance clauses. This includes data processing agreements articulating each party's personal data protection responsibilities.
  • Breach response plan: Develop and test a breach response plan to ensure prompt action in the event of a data breach. This plan should include procedures for internal reporting, assessment, notification to the Information Commission, and communication with affected data subjects.
  • Implement a mechanism for managing data subject rights: To effectively fulfil the rights of data subjects as provided under the DPA, organisations must implement a process for receiving, logging, and responding to data subject rights requests. This will involve different processes that ensure the proper assessment and fulfilment of requests. Organisations may adopt a manual or automated system, such as ticketing, to track requests and properly account for them.

Conclusion

The enactment of the Seychelles Data Protection Act 2023 represents a significant milestone in the country's approach to data protection, replacing the outdated 2003 Act with a modern framework that addresses the complexities of data processing in the digital age. The Act introduces comprehensive provisions that significantly affect businesses, mandating them to implement stringent data protection measures, appoint data protection officers, and ensure compliance with data retention, processing, and cross-border transfer requirements. Aligning with the Act's provisions allows businesses to achieve several goals: complying with legal requirements, demonstrating a commitment to safeguarding personal data, enhancing consumer trust, and contributing to the development of a secure digital economy in Seychelles. The 18-month transition period offers businesses a timely opportunity to review and adjust their data processing practices, ensuring they are well positioned to meet the challenges and responsibilities outlined in the Act. Proactive engagement and compliance will enable businesses to navigate the new regulatory landscape effectively, and can be leveraged as an opportunity to strengthen their data governance frameworks and gain a competitive advantage.