Mauritius - Data Subject Access Request

26 October 2025 by S. Moonesamy

Data Protection in Mauritius

The Data Protection Act 2004 (Mauritius) gave a person (data subject) the right to request to access his/her information. The data controller was requires to comply with the request within 28 days according to the guidelines published by the Data Protection Office (Mauritius). The Data Protection Act 2004 was replaced by the Data Protection Act 2017. The 2017 enables a data subject to exercise rights, e.g. right of access to his/her personal data.

Data Subject Access Request in Ireland

The Irish Data Protection Commission stated that under Article 15 of the General Data Protection Regulation (GDPR) you have a right to obtain a copy of any information relating to you which is kept on computer or in a structured manual filing system or intended for such a system.

Adequacy Decision

Dentons stated in an article that despite the various similarities in Mauritian and EU data protection legislation, the European Commission has not yet recognized Mauritius as an adequate jurisdiction. It means that there has not been an adequacy decision by the European Commission to confirm whether, for example, data subject rights in Mauritius are effective and enforceable as in the European Economic Area.

Information Request

I sent an email to the Data Protection Commissioner (Mauritius)'s Office on 7 October to raise two concerns and enquired about the following:

• Does a customer has a right to access information about the third-parties with whom subscriber data is shared?
• Does a customer have any means of redress if a company is unwilling to disclose the identity of the third-parties?

I did not receive any reply to the questions listed above. I sent another email to the Data Protection Commissioner (Mauritius)'s Office on 13 October to inform it that I sent a request to a company on 5 September and to ask for an update about the status of my request. I did not receive any reply.

Timeline

• Subject Access Request to data controller - 5 September 2025
• Email to Data Protection Commissioner - 7 October 2025
• Email reminder to Data Protection Commissioner - 13 October 2025

Conclusion

The Mauritius data protection law provides for data subject to exercise his/her rights to send a subject access request (SAR). However, there isn't adequate empirical evidence to assess whether it actually works.

A person (data subject) faces a dilemma. He/she may be discouraged from exercising his/her rights under the Data Protection Act 2017 (Mauritius) given that the law has not been proven to be effective. It could be argued that the rights of the person were not infringed because there wasn't any data protection complaint.

References

1. "Data Protection - Your Rights - Volume 3", Data Protection Office
2. "Subject Access Request - what are they and how can I make one?", Data Protection Commission, Ireland

Mauritius - Data Subject Access Request