The financial sector deals massively with personal data, which is of a certain sensitivity for the individuals concerned. The processing of this data also represents a major challenge, insofar as it is coveted by people with varied profiles, particularly cybercriminals. This state of affairs has not escaped the attention of the Mauritius Data Protection Office (hereinafter “the DPO” or “the Office”), which took up the issue and published a guide to the processing of personal data in the financial sector in November 2023. An analysis of this guide shows that the Office first took care to list the categories of personal data concerned, before recalling the obligations and principles to be respected by data controllers. Finally, it has taken due account of the particularities of the financial sector.
The guide begins by defining personal data in accordance with Mauritian law . It then draws up a non-exhaustive list of personal data that is often processed in the financial sector. Although it is not necessary to go through the entire list drawn up by the Office, it is interesting to note that it covers a wide range of data, from simple personal data to financial data (bank card number, payment history, information on income, loans, KYC …), and identity data. Special emphasis is placed on sensitive data, within the meaning of Article 9 of the General Data Protection Regulation (GDPR), and data relating to criminal offences, such as the particular categories of personal data processed by financial institutions. Health data, biometrics and criminal records are cited as examples.
Secondly, once the categories of data concerned have been recalled, the Office goes back over the legal framework that applies to the processing of personal data in Mauritius.
• Registration. The first obligation is registration. Under Mauritian law , no one may act as data controller or data processor (in other words, process personal data) unless they have first registered with the DPO. Financial institutions therefore have a basic obligation to register with the DPO. This registration obligation is facilitated by the introduction of a digital platform (e-DPO).
• Key principles. Once the registration formalities have been completed, the data controller or processor must comply with the following key principles: transparency and lawfulness of processing, limitation and minimisation of data, accuracy, limitation of data retention periods, and respect for the rights of data subjects. The guide sets out to explain each of these principles.
• Data security and legal compliance. As data controllers, financial institutions must also define policies and take appropriate technical and organisational measures to demonstrate that the processing they carry out complies with the law. These measures primarily concern data security. Standards such as ISO 27001 and the National Institute of Standards and Technology Cybersecurity framework exist and are recommended in the guide. Other measures, such as establishing a register, drawing up an impact assessment (PIA or DPIA), or appointing a data protection officer, are also the responsibility of the data controller.
• Cloud computing and commercial prospecting. Where the use of the cloud involves data transfers, financial institutions must be able to provide proof of appropriate guarantees for data protection and security, or in case of doubt, seek the opinion of the DPO. In the case of commercial canvassing, they must obtain valid consent and be able to demonstrate this.
• Financial and criminal penalties. The guide also provides a table of the penalties provided for under Mauritian law in the event of non-compliance. Non-compliance or contraventions of the law are punishable, for example, by a fine of up to 200,000 rupees. Refusal to cooperate with the Data Protection Officer, illegal data processing and false declarations are also punishable by fines and even imprisonment.
• Other concepts. Finally, the guide underlines the conditions for consent, recalls the conditions for processing sensitive data, including children’s data, insists on the need for and conditions of notification of a data breach, and details the rights of data subjects, in particular the right of access, the right to erasure and the right to object.
The guide concludes by highlighting the particularities of the financial system: processing relating to money laundering and the financing of terrorism on the one hand, and financial technologies (fintechs) on the other.
• Money laundering and the financing of terrorism. Financial transparency, the fight against money laundering and the protection of privacy… The stakes involved in certain data processing operations in the financial sector are high. The DPO notes that this type of processing must have a clear and detailed legal basis, without failing to be necessary and proportional to the intended purpose. Free consent must be considered whenever possible. Otherwise, it is possible to base this type of processing on a “public interest mission” for public bodies or “legal obligations” for private bodies. Such processing helps to combat money laundering and the financing of terrorism by guaranteeing the existence of adequate, accurate and up-to-date information on the beneficial owners and control of legal entities. This information must be accessible to the competent authorities, for example by setting up a register of beneficial owners.
• Financial technologies (fintechs). Fintechs are companies that offer financial services using new technologies to compete with traditional methods. The technologies used are artificial intelligence, blockchain, big data and cloud computing. In addition to the above-mentioned key principles, the guide points out that fintechs must adopt an approach based on privacy by design, demonstrate fairness in processing and carry out regular compliance audits.
The DPO is working to raise awareness of personal data protection in Mauritius. Sector-specific details such as these are therefore of particular importance.
By Justin Yao KOUMAKO, PhD Student/Data Protection Officer.