Data Protection Act 2017
The Mauritius Data Protection Act 2017 (Act No. 20 of 2017), as amended by the Data Protection (Amendment) Act 2022, is a GDPR-aligned data protection law administered by the Data Protection Office and the Data Protection Commissioner; it repealed the Data Protection Act 2004. Parts I-IX cover: preliminary; Data Protection Office; registration of controllers and processors; obligations (principles, lawful processing, consent, special categories, child's data, security, breach notification, records); risk processing and DPIA; transfer outside Mauritius; rights of data subjects; offences and penalties; miscellaneous.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
Mauritius DPA 2017: Part II - Data Protection Office and Commissioner
| Code | Title |
|---|---|
| MU-DPA17-s4-5 | Data Protection Office and functions of the Commissioner |
| MU-DPA17-s6-13 | Investigation, enforcement notices and powers of the Commissioner |
Mauritius DPA 2017: Part III - Registration of Controllers and Processors
| Code | Title |
|---|---|
| MU-DPA17-s14-20 | Registration of controllers and processors |
Mauritius DPA 2017: Part IV - Obligations on Controllers and Processors
| Code | Title |
|---|---|
| MU-DPA17-s21 | Principles relating to processing of personal data |
| MU-DPA17-s22-23 | Duties of controller and collection of personal data |
| MU-DPA17-s24 | Conditions for consent |
| MU-DPA17-s25-26 | Notification and communication of a personal data breach |
| MU-DPA17-s27 | Duty to destroy personal data |
| MU-DPA17-s28 | Lawful processing |
| MU-DPA17-s29 | Special categories of personal data |
| MU-DPA17-s30 | Personal data of a child |
| MU-DPA17-s31 | Security of processing |
| MU-DPA17-s33 | Record of processing operations |
Mauritius DPA 2017: Part V - Risk Processing (DPIA)
| Code | Title |
|---|---|
| MU-DPA17-s34-35 | Data protection impact assessment and prior consultation |
Mauritius DPA 2017: Part VI - Transfer Outside Mauritius
| Code | Title |
|---|---|
| MU-DPA17-s36 | Transfer of personal data outside Mauritius |
Mauritius DPA 2017: Part VII - Rights of Data Subjects
| Code | Title |
|---|---|
| MU-DPA17-s37 | Right of access |
| MU-DPA17-s38 | Automated individual decision making |
| MU-DPA17-s39 | Rectification, erasure or restriction of processing |
| MU-DPA17-s40-41 | Right to object and exercise of rights |
Mauritius DPA 2017: Part VIII-IX - Offences, Enforcement and Miscellaneous
| Code | Title |
|---|---|
| MU-DPA17-s42-43 | Offences and penalties (unlawful disclosure) |
| MU-DPA17-s44 | Exceptions and restrictions |
| MU-DPA17-s45-48 | Annual report, compliance audit, codes and certification |
Maps to 2 other frameworks
Frequently Asked Questions
What is Data Protection Act 2017?
Data Protection Act 2017 is a compliance framework from Mauritius with 7 domains and 22 controls. The Mauritius Data Protection Act 2017 (Act No. 20 of 2017), as amended by the Data Protection (Amendment) Act 2022, is a GDPR-aligned data protection law administered by the Data Protection Office and the Data Protection Commissioner; it repealed the Data Protection Act 2004. Parts I-IX cover: preliminary; Data Protection Office; registration of controllers and processors; obligations (principles, lawful processing, consent, special categories, child's data, security, breach notification, records); risk processing and DPIA; transfer outside Mauritius; rights of data subjects; offences and penalties; miscellaneous. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Data Protection Act 2017 have?
Data Protection Act 2017 has 22 controls organised across 7 domains. The largest domains are Mauritius DPA 2017: Part IV - Obligations on Controllers and Processors (10 controls), Mauritius DPA 2017: Part VII - Rights of Data Subjects (4 controls), and Mauritius DPA 2017: Part VIII-IX - Offences, Enforcement and Miscellaneous (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Data Protection Act 2017 map to?
Data Protection Act 2017 maps to 2 other compliance frameworks. The top mapping partners are GDPR (32% coverage) and ISO 27701:2019 (5% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Data Protection Act 2017 compliance?
Start your Data Protection Act 2017 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Data Protection Act 2017 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.