Law: Data Protection Act, 2023 (the Act) 

Regulator: Information Commission of Seychelles (the Commission)

Summary: The Act was published in the Official Gazette of the Republic of Seychelles on December 22, 2023, and entered into force on the same day. However, the Act foresees a transitional period of 18 months, beginning December 22, 2023, for data controllers and processors to ensure conformity with the Act.

Notably, the Act will apply to both the public and private sectors. However, the Act exempts from its scope, the processing of personal data by authorities in the course of a criminal investigation, matters pertaining to national security, or processing by a natural person for personal activity. The Act lays down legal bases for processing, principles of processing, and data subject rights, including the right to be informed, access, rectification, deletion, object to the processing of data, data portability, and to compensation. The Act further specifies rules for cross-border transfer of data and empowers the Commission to further introduce regulations for the circumstances and restrictions of transfers. The Act additionally provides obligations of controllers and processors requiring controllers to, among other things, carry out a Data Protection Impact Assessment (DPIA) where the processing is likely to result in a high risk to the rights and freedoms of any individual and under certain circumstances, designate a data protection officer (DPO).

The Commission is the competent authority under the Act and has the power to, among other things, enforce and implement the Act and impose fines.