South Africa and Mauritius

22 April - 06 May 2021



Meet the regulators in South Africa and Mauritius requiring companies to comply with their data privacy laws.

South Africa and Mauritius are two of only three countries in Africa’s Top 10 (ranked according to GDP per capita) with data privacy laws and a specialised Data Protection Authority to enforce them. This session will enable you to understand and to comply with the most significant privacy law issues for companies doing business in these jurisdictions.


Chair: Stewart Dresner, Chief Executive, Privacy Laws & Business

South Africa has a right to privacy in the Constitution. It adopted the Protection of Personal Information Act (POPIA) in 2013, and ratified the African Convention on Human Rights in 2014. South Africa is now “counting down the grace period” until the POPIA enters fully into force on 1st July this year. The Information Regulator’s aim is for companies operating in South Africa to use the next few months to review their operations against international best practice. The Information Regulator’s overall perspective has been explained by Professor Sizwe Snail ka Mtuze as “what is good for Europe is good for Africa also.”

Mauritius has a well-developed Data Protection Act, updated in 2017, and has signed the Council of Europe Convention 108 and its additional protocol in 2016, the second non-European country to do so after Uruguay. Mauritius ratified the Council of Europe Convention and its additional protocol on 4 September 2020 making it the first African country to do so. Now the government has applied for EU adequacy status. The context is that Mauritius is a popular place for outsourcing back office functions by companies, such as Accenture, PWC, EY, BDO, Apple and Marriott.

This event qualifies for 1 CPE Credit


  1. Differences most relevant for companies between the two national data privacy laws and the EU General Data Protection Regulation
  2. How the regulators educate the business community
  3. Typical complaints regarding companies
  4. How the regulators investigate complaints by individuals and enforce the law regarding companies
  5. Examples of cases which have required, or might in the future, require an appeal to a judicial proceeding
  6. How the data privacy law is being implemented by multinational companies operating in and conducting outsourcing to South Africa and Mauritius and common issues which need attention
  7. Links between the data privacy regulators and other regulatory authorities in each country
  8. Links between the data privacy regulators and other data privacy regulators in Africa, and in other regions of the world.

In addition, there are specific issues for each country.

South Africa Mauritius
  • Distinguishing the parts of POPIA which have already entered into force and those which will enter into force on 1st July this year
  • The Information Regulator’s investigation of breaches of the law, such as the Experian data breach.
  • Guidelines on the Registration of Information Officers and duties of an Information Officer under Section 55(1) of POPIA
  • The development of Codes of Conduct. Section 60 provides that a code must prescribe how the conditions are to be complied with within specific sectors as far as the processing of personal information is concerned. Have any codes been approved? If so, which? What has the Information Regulator learned from this process?
  • The role of the Data Protection Assessment Certificate in Mauritius and the criteria for assessment.
  • A progress report on discussions with the European Commission on an adequacy declaration for Mauritius
  • The significance of the Council of Europe Convention 108+ for Mauritius now that it has signed and ratified it



Session 1 - Recorded Thursday 22 April 2021


Session 2 - Recorded Thursday 6 May 2021

Follow up session to the webinar on 22 April, in which the privacy law regulators from South Africa and Mauritius answer the audience's questions from the previous session.