The primary function of this Data Protection Policy (the “Policy”) is to provide a control environment within the Firm in terms of the Data Protection Act 2017 of Mauritius (“DPA” or the “Act”). In addition, this Policy has been developed for the promotion of good practice within the Firm in relation to the collection, use, processing, handling and storage, amongst others, of personal client data by the employees. Staff members are expected under the Act to understand their role and accountabilities in relation to the enforcement and promotion of good data protection principles in their day-to-day activities.
It is the policy of the Firm that all personnel must comply with the policies and process standards as set out in this Policy, unless specific exceptions to the Policy set out herein have been explicitly agreed. Employees must familiarize themselves with these procedures and policies and with the specific requirements of the laws and rules applicable to their particular areas. Employees should also be aware of, and are expected to follow, the established internal control procedures which are documented in this Policy.
Employees must review the policies and procedures set forth in this Policy at regular intervals and are required to comply with its requirements.
This Policy is not intended to be a fully comprehensive document addressing all legal, operational and practical aspects related to the Act. Certain issues and/or aspects of the Act have not been dealt with in full as they still require further definition and/or clarification. These and other issues that arise afterwards will be addressed and developed in this Policy as and when required over time.
Company employees who are in doubt in relation to the Data Protection principles applicable within the Firm should escalate their queries to the Compliance Department.
Personal data, which is the information relating to an identified or identifiable individual, is collected and used almost every day and everywhere. Personal data can be an individual's name, address, email or mobile number or location data, amongst others. As the value of personal data grows, the risks to personal data inevitably increase. In addition, with rapid technological change and innovation, controlling personal data is becoming more and more difficult especially with data intensive online activities. The new Act has been enacted to sustain and strengthen the control and personal autonomy of data subjects over their personal data. It has been designed to align with the key principles found in international laws namely the EU General Data Protection Regulation (GDPR) (EU) 2016/679.
A robust Data Protection Policy is of the utmost importance for the good conduct of the Firm's business and it is compulsory that each and every employee reads it carefully.
This Policy Ensures That The Firm:
- Complies with the DPA and follows good practice
- Protects the rights of staff, customers, business partners and third parties
- Stores and processes personal data in line with local and foreign laws
- Protects itself from the risks of data or security breaches, amongst others
It is of critical importance that the policies and standards specified in this document be strictly adhered to by all staff members of the Firm. Failure to comply with same may lead to the Firm being exposed to a series of legal and regulatory risks.
Any failure to adhere to the requirements of this Policy will be regarded and treated as a disciplinary matter, and may lead to summary dismissal.
2. Definitions and Interpretation
In this Policy the following terms shall have the following meanings:
- 2.1 "Consent"
Means any freely given specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which they signify their agreement to personal data relating to them being processed
- 2.2 "Controller"
Means a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing
- 2.3 "Data Subject"
Means an identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual
- 2.4 "Physical or Mental Health"
In relation to personal data, includes information on the provision of health care services to the individual, which reveals his health status
- 2.5 "Personal Data"
Means any information relating to a data subject
- 2.6 "Processing"
Means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
- 2.7 "Processor"
Means a person who, or public body which, processes personal data on behalf of a controller
- 2.8 "Profiling"
Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
- 2.9 "Pseudonymisation"
Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information and the additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual
- 2.10 "Special Categories of Personal Data"
In relation to a data subject, means personal data pertaining to:
- Their racial or ethnic origin
- Their political opinion or adherence
- Their religious or philosophical beliefs
- Their membership of a trade union
- Their physical or mental health or condition
- Their sexual orientation, practices or preferences
- Their genetic data or biometric data uniquely identifying them
- The commission or alleged commission of an offence by them
- Any proceedings for an offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any Court in the proceedings
- Such other personal data as the Data Protection Commissioner of Mauritius may determine to be sensitive personal data
- 2.11 "Third Party"
Means a person or public body other than a data subject, a controller, a processor or a person who, under the direct authority of a controller or processor, is authorised to process personal data.
3. Principles of Processing of Personal Data
The object of the DPA is to provide for the protection of the privacy rights of individuals in view of the developments in the techniques used to capture, transmit, manipulate, record or store data relating to individuals.
2.2 Bold Prime Ltd is a company registered in the Republic of Mauritius with registration No. GB20025993
To this end, the DPA is underpinned by 6 imperative principles (section 21 of the Data Protection Act 2017).
Specifically, section 21 of the Act requires that personal data be:
- Processed lawfully, fairly and in a transparent manner in relation to any data subject
- Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in accordance with the rights of data subjects
These principles apply regardless of whether data is stored electronically, on paper or on other materials.
4. Scope of The Policy
This Policy document applies to all forms of data that the Firm may hold in relation to identifiable individuals, even if that information may technically fall outside the scope of the DPA. These forms include, but are not restricted to, the following categories of personal data in relation to a data subject:
- Residential addresses
- Email addresses
- Telephone numbers
- Racial or ethnic origin
- Political opinion or adherence
- Religious or philosophical beliefs
- Membership of a trade union
- Physical or mental health or condition
- Sexual orientation, practices or preferences
- Genetic data or biometric data uniquely identifying him
- Commission or alleged commission of an offence by him
- Any proceedings for an offence committed or alleged to have been committed by a data subject, the disposal of such proceedings or the sentence of any Court in the proceedings
- Such other personal data as the Commissioner may determine to be sensitive personal data
- Any other information of a personal nature permitting the identification of an individual
5. Lawfulness, Fairness and Transparency
As a matter of policy, the Firm regards the lawful and correct treatment of personal information as indispensable in maintaining the confidence of the data subjects with whom we deal. Staff members shall ensure at all times that personal data are collected only for the requirements of our business and only if the collection of the data is necessary for that purpose.
5.1 Data Limitation
Every staff member of the Firm has the responsibility for ensuring that data are collected, stored and handled appropriately and as per the set procedures stated herein.
Personal data must at all times be collected for explicit, specified and legitimate purposes and not further processed in a way incompatible with those purposes. As such, each staff member, business unit and/or department that handles personal data must ensure that it is handled and processed in line with this Policy and the data protection principles mentioned herein.
5.2 Data Minimisation and Staff Duties
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Staff members must:
- Ensure the fair collection and use of personal information in the course of their work duties
- Specify the purposes for which information is being collected and used by the Company
- Collect and process appropriate information, and only to the extent that it is needed to fulfil their business and operational needs or to comply with any legal requirements
- Ensure that the rights of data subjects about whom information is held, can be fully exercised under the Act. Such rights include:
- The right of access to one's personal information
- The right to prevent processing in certain circumstances
- The right to correct, rectify, block or erase information which is regarded as inaccurate
- Take appropriate technical and organisational security measures to safeguard the Company's clients' personal information
- Ensure that personal information is not transferred abroad without suitable safeguards
The Firm's Board of Directors is ultimately responsible for ensuring that the Company meets its legal obligations.
The Legal Department shall, as and when required, be responsible for:
- Keeping the Board updated about data protection responsibilities, risks and issues
- Reviewing all data protection procedures and related policies, in line with an agreed schedule
- Arranging data protection training and advice for the people covered by this Policy
- Handling data protection questions from staff and anyone else covered by this Policy
- Dealing with requests from individuals to see the data the Firm holds about them (also called “subject access requests”)
- Checking and approving any contracts or agreements with third parties that may handle the Firm's sensitive data
5.3 General Staff Guidelines
The only people able to access data covered by this Policy should be those who need it for their work.
Personal data must not be shared informally. When access to confidential information is required, employees shall request it from their line managers. Employees should keep all data secure, by taking sensible precautions and following the standards of this Policy. In particular, strong passwords must be used and they should never be shared.
Personal data should not be disclosed to unauthorised people, either within the Firm or externally.
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, personal data should be deleted and disposed of.
Employees should request help from their line manager or the Legal Department if they are unsure about any aspect of data protection.
When working with personal data, employees should ensure the screens of their personal computers and laptops are always locked when left unattended. Employees, laptop users in particular, should not save copies of personal data to personal pen drives and other removable media without proper encryption.
Consent is any freely given, specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which the data subject signifies their agreement to personal data relating to them being processed.
6.1 Why is Consent Important?
Consent is one of the lawful bases for the processing of personal data. Given our willingness to continuously remain a DPA-compliant financial institution, the Firm will make every effort to give its clients ongoing control over how we use data subjects' data, thus ensuring that our organisation is thoroughly transparent and accountable.
Handling consent therefore builds customer trust and engagement and enhances the reputation of our operations. Relying on inappropriate or invalid consent could destroy trust, harm our reputation and might leave our Firm exposed to substantial fines.
Thus, when dealing with clients, staff members shall constantly have in mind the key elements of consent: it must be freely given, specific, informed and there must be an indication signifying agreement.
At the time of collection, data subjects should be readily informed about the right to withdraw their consent at any time. Consent shall therefore be:
- Specific, and unambiguous; by setting out the purpose of the various phases of the processing
- Informed; data subjects should be informed about the right to withdraw their consent at any time
- Clear; easy to withdraw without affecting the lawfulness of processing; as well as
- Verifiable; appropriate records shall be kept to demonstrate what the individual has consented to, including what they were told, when and how they consented
6.2 Collection of Consent
Consent shall be collected at the outset of establishing a client relationship.
6.3 When Is Consent Not Required?
There are certain specific cases provided for in section 28 of the Act where consent is not required.
Staff shall process clients' personal data only if:
- The data subject consents to the processing for one or more specified purposes
- The processing is necessary:
- For the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract
- For compliance with any legal obligation to which the controller is subject
- In order to protect the vital interests of the data subject or another person
- For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- The performance of any task carried out by a public authority
- The exercise, by any person in the public interest, of any other functions of a public nature
- For the legitimate interests pursued by the controller or by a third party to whom the data are disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject
- For the purpose of historical, statistical or scientific research
6.4 Personal Data of Children
Pursuant to section 30 of the Act, staff members shall not process the personal data of a child below the age of 16 years unless consent is given by the child's parent or guardian. As such, staff members should obtain consent from whoever holds parental responsibility for them.
As a rule, Know Your Customer and Customer Due Diligence (“KYC/CDD”) measures shall be conducted on the child's parent or guardian to verify that the person giving consent in these circumstances is lawfully authorised to do so and is doing so in the interests and for the benefit of the child.
7. Rights of Data Subjects
Section 37 of the Act provides that “every controller shall, on the written request of a data subject provide, at reasonable intervals, without excessive delay and, subject to subsection (7), free of charge, confirmation as to whether or not personal data relating to the data subject are being processed and forward to him a copy of the data.”
The above rights include the rights to access, rectify, erase and restrict the processing of personal data. The principle of “fair and transparent” processing means a client must be provided all relevant information in relation to the processing of his/her data, unless s/he already has this information.
Where the staff member obtains personal data directly from the data subject, the latter should be informed of the following under the law:
- The purpose/s for which the data are being collected
- The intended recipients of the data
- Whether or not the supply of the data by that data subject is voluntary or mandatory
- The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- The existence of the right to request from the controller access to and rectification, restriction or erasure of personal data concerning the data subject or to object to the processing
- The existence of automated decision making, including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
- The period for which the personal data shall be stored
- The right to lodge a complaint with the Data Protection Commissioner of Mauritius
- Where applicable, that the controller intends to transfer personal data to another country and on the level of suitable protection afforded by that country
- Any further information necessary to guarantee fair processing in respect of the data subject's personal data, having regard to the specific circumstances in which the data are collected
However, where the controller does not obtain personal data directly from the client, the latter shall, as soon as reasonably practicable, be informed of his/her rights.
8. Rights of Information and Access
Pursuant to the Act, an individual has the right to:
- Obtain confirmation whether his/her personal data are being processed
- Access the data (i.e. to a copy)
- Be provided with supplemental information about the processing
Access rights are intended to allow individuals to check the lawfulness of processing and the right to have a copy of their personal data. However, these rights should not adversely affect the rights of others.
How Should Such a Request Be Handled?
A written request must be made to the privacy officer of the Firm by the data subject. A copy of the requested information will be provided without excessive delay and free of charge. Such confirmation shall include whether or not personal data relating to the data subject are being processed.
Depending on the request of the client, or in case the request is manifestly excessive, the Firm may charge a reasonable fee for providing the required information or taking the actions requested by the client.
8.1 Right of Rectification
An individual has the right to:
- Rectify inaccuracies in personal data held about them.
- Complete incomplete data
- Record a supplementary statement
8.2 Right of Erasure
Pursuant to section 41 of the Act, a data subject has the right to have their personal data erased in the following circumstances:
- The data are no longer necessary in relation to the purpose for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing
- The data subject objects to the processing of personal data and there are no overriding legitimate grounds for the processing
- The personal data have been unlawfully processed
In such instances, the Firm will also forthwith inform its authorised third parties processing the personal data that the data subjects have requested the erasure of any links to, or copy or replication of, their personal data.
However, such requests shall not be complied with where the processing of personal data is necessary for:
- Reasons of public interest in the field of public health
- The purpose of historical, statistical or scientific research
- Compliance with a legal obligation to process the personal data to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- The establishment, exercise or defence of a legal claim
8.3 Right to Object
Data subjects have the right to object in writing at any time to the processing of personal data concerning them.
For example, clients have the right to object to direct marketing which includes profiling.
For the avoidance of doubt, profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict certain aspects concerning that person's performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.
8.4 Exercise of Rights
A data subject can, at any time, exercise their rights to access, rectify, erase or object to the processing of their personal data. The Firm will therefore also use reasonable means to verify the identity of the person making the request, but should not keep or collect data just so as to be able to meet subject access requests. Data subjects will be required to fill in and return a signed copy of the Rights of Data Subject Form provided in Appendix 5.
9. Personal Data Breaches
A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, client’s personal data being either transmitted, stored or otherwise processed.
Under sections 25 and 26 of the Act, the Firm shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Data Protection Commissioner.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of a client, the Firm shall, after prior communication to the Data Protection Commissioner of Mauritius, communicate the personal data breach to the client.
10. Transfer of Data Outside Mauritius
Personal data can be transferred to another country provided that the Firm has put in place appropriate safeguards with respect to the protection of the personal data and complies with the conditions of transfer established in section 36 of the DPA.
11. Data Storage
Personal data will be stored securely and will only be accessible to authorised staff. Information will be stored in compliance with the provisions of the Act.
When data is stored on paper, it should be classified and kept securely where unauthorised people cannot access or see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees must make sure that paper and printouts are not left in places where unauthorised people could see them, like on a printer.
- Data printouts should be disposed of as per the Data Disposal Policy.
When data is stored electronically, it must be protected, through at least one of the following means:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a CD, DVD or portable storage drives or devices), these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the Firm's standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and a firewall.
12. Data Pseudonymisation
Data pseudonymisation, as defined in the Act, means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information and the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable individual.
By correctly pseudonymising or anonymizing its data, the Firm will have the ability to share, disseminate or publish a greater amount of personal data with fewer restrictions. Personal identifiers such as name, address, date of birth, reference number, amongst others, are removed from the data source thus allowing the information to be used for secondary purposes and made available within a controlled environment to other government agencies and/or local authorities for historical scientific research or for statistical purposes.
Anonymization is the process of removing, obscuring, aggregating and/or altering any identifiers in a dataset which can point to the particular person(s) the data relates to. In addition to the legal requirement to share information with government or local authorities, the Firm has additional regulatory obligations to ensure transparency in its processes and, as such, routinely publishes and distributes information as appropriate. As and when required, the Firm will therefore anonymize personal data in the course of its normal business activities.
12.2 Anonymization Process
The anonymization process will be strictly restricted to the IT department of the Firm. Therefore, the concerned staff will:
- Proceed with the anonymization in such a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate security (technical) or organizational measures
- Strictly abide by appropriate safeguards with respect to the protection and storage of the anonymized data.
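As an added illustration (not part of the Firm's Policy or any tool it names), the following Python shows the distinction section 12 draws: pseudonymised records that can only be re-attributed with separately held additional information (here an HMAC key and a lookup table, both assumed), and an anonymised aggregate that points to no individual. The client records are constructed sample data.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not real clients). They carry the direct
# identifiers the Policy names (name, address, date of birth, reference number)
# plus fields retained for secondary statistical use.
SAMPLE_RECORDS = [
    {"reference": "C-1001", "name": "Alice Example", "address": "1 Sample Rd, Port Louis",
     "date_of_birth": "1985-04-12", "country": "MU", "product": "FX"},
    {"reference": "C-1002", "name": "Bob Example", "address": "2 Sample Rd, Curepipe",
     "date_of_birth": "1990-09-30", "country": "MU", "product": "CFD"},
    {"reference": "C-1003", "name": "Carol Example", "address": "3 Sample St, London",
     "date_of_birth": "1978-01-05", "country": "GB", "product": "FX"},
    {"reference": "C-1004", "name": "Dave Example", "address": "4 Sample Rd, Port Louis",
     "date_of_birth": "1982-07-19", "country": "MU", "product": "FX"},
]

# Fields that directly identify a data subject and must not appear in the
# pseudonymised dataset.
DIRECT_IDENTIFIERS = ("reference", "name", "address", "date_of_birth")


def make_token(key: bytes, reference: str) -> str:
    """Keyed pseudonym (assumed technique: HMAC-SHA256 over the reference).

    The token is deterministic for a given key, so the same client always maps
    to the same token, but it cannot be reversed without the key, which is part
    of the "additional information" the Act requires to be kept separately.
    """
    return hmac.new(key, reference.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, lookup).

    The lookup is the separately stored additional information
    (token -> original identifiers) and must never travel with the records.
    """
    out, lookup = [], {}
    for rec in records:
        token = make_token(key, rec["reference"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        retained = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"token": token, **retained})
    return out, lookup


def reidentify(pseudo_record, lookup):
    """Only the holder of the separately kept lookup can re-attribute a record."""
    ident = lookup.get(pseudo_record["token"])
    if ident is None:
        raise KeyError("no additional information held for this token")
    return {**ident, **{k: v for k, v in pseudo_record.items() if k != "token"}}


def anonymise(pseudo_records, min_group_size=2):
    """Aggregate to counts per (country, product) and suppress any group smaller
    than min_group_size, so no cell of the output points to a particular person."""
    counts = Counter((r["country"], r["product"]) for r in pseudo_records)
    return {grp: n for grp, n in counts.items() if n >= min_group_size}


def demo():
    # Constructed key; under section 12.2 this would be held by the IT department.
    key = secrets.token_bytes(32)
    pseudo, lookup = pseudonymise(SAMPLE_RECORDS, key)
    assert not any(k in pseudo[0] for k in DIRECT_IDENTIFIERS)
    assert reidentify(pseudo[0], lookup)["name"] == "Alice Example"
    # Only the (MU, FX) group has two members; the singletons are suppressed.
    return anonymise(pseudo)


if __name__ == "__main__":
    print(demo())
```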
13. Data Accuracy and Clean Desk Policy
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In addition, it is the responsibility of each employee to take reasonable steps to ensure that personal data are:
- Held in as few places as necessary. Staff should not create any unnecessary additional data copies or sets.
- Updated at every available opportunity. For instance, by confirming a customer's details when s/he calls.
- Updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
14. Data Privacy Office
14.1 Name and Contact Details of The Data Privacy Office
Title/Department: Head of Legal and Compliance
14.2 Complaints and Queries
If you have any queries or complaints about our compliance with this Policy, or if you would like to make any complaints to us, you may contact the Data Privacy Office either by email at [email protected] or in writing to: