In light of the EU General Data Protection Regulation (“GDPR”), which came into effect on 25 May 2018, Mauritius has implemented the Data Protection Act 2017 (the “DPA”), which came into effect on 15 January 2018 (repealing the previous Data Protection Act 2004). The DPA strengthens the control and personal autonomy of data subjects over their personal data in line with international standards, namely with the GDPR and the European Convention for Protection of Individuals with regard to automatic processing of personal data. The DPA also aims to align the Mauritius provisions for data protection with the current and challenging technological and other advancements that have occurred.
In this document, the terms “personal data” and “personal information” are used interchangeably.
Our Commitment to Data Protection
ESTONE LIMITED is committed to safeguarding the personal information of its clients and contacts. We value your privacy and care about how your personal data is treated. While collecting, processing and managing all such information, we have processes in place to ensure that such information is kept securely on our systems and in compliance with the DPA.
The aim of this notice is to explain to you as Data Subject what kind of personal information we gather on you, why and how we process it as Data Controller.
Collection of personal data
We have a data protection policy (the “Data Protection Policy”) in place which governs, inter alia, the use and storage of our clients’ and contacts’ personal data. All personal data are processed at our registered office in Mauritius.
We may collect personal information you give us, or which is given to us by third parties, which will be required for the setting up and/or management of a structure in Mauritius or any other services provided by ESTONE LIMITED to its clients, necessary for the provision of investment services and compliance with legal requirements.
Disclosure of personal data to third parties
We may need to share your personal data with third parties that assist us in fulfilling our responsibilities regarding our business relationship with you and for the purposes listed above. ESTONE LIMITED may disclose your personal data to the following third parties:
• We may also make certain personal data available to third party service providers and agents who provide services to us. When we share with these third parties, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of your personal data.
• We may also make certain personal data available to third party companies that provide us with due diligence and financial crime screening databases.
• We may also be required to disclose your personal data to other third parties such as lawyers, bankers, consultants, insurers, auditors as well as public and government authorities.
We require our service providers and other third parties to keep your personal data confidential and to use the personal data only in furtherance of the specific purpose for which it was disclosed. We have written agreements in place with our processors to ensure that they comply with these privacy terms.
Personal data security
We are legally obliged to provide adequate protection for the personal data we hold. We have put in place appropriate security measures to prevent your personal data from being subject to any accidental or unlawful destruction, loss, alteration and any unauthorised disclosure or access.
We have also put in place procedures to deal with any suspected data security breach and will notify you and the Data Protection Office of a suspected breach where we are legally required to do so.
Our security policies and procedures cover:
• Access to personal data
• Computer and network security
• Back up of data
• Incident management
• Physical security
• Protection of physical records
When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that personal data that we remain responsible for is kept secure.
Your data protection rights
Under the GDPR and the DPA, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information:
a. Right to erasure of your personal data
b. Right of access to your personal data
c. Right to rectification of your personal data
d. Right to restriction of processing
e. Right to object to processing
f. Right to data portability
g. Right to withdraw consent
How long we keep your personal data
Under Mauritius law, we are required to keep personal data as follows:
• As long as one is a client and contact of ESTONE LIMITED
• Where the purpose for keeping personal data has lapsed, ESTONE LIMITED will destroy data as soon as is reasonably practicable and notify any processor holding the data to destroy the data as specified by ESTONE LIMITED.
• When a person is no longer a client of ESTONE LIMITED, for a period not exceeding ten (10) years in line with the prevailing law of Mauritius and its data protection policy. After this period, such personal data will be destroyed.
Where you have consented to receive updates and similar materials from us, any personal data held by us for that purpose will be kept by us until such time that you notify us that you no longer wish to receive them.
The primary point of contact for questions, concerns or complaints relating to this notice, including any requests to exercise your legal rights, is our Data Protection Officer, who can be contacted:
• By post, to Level 7, ICONEBENE, Rue de l’Institut, Ebene, Cybercity, Mauritius;
• Using our website contact form;
• By telephone on +230 6555223;
• By email at firstname.lastname@example.org.
We will look into your concern or complaint and work with you to resolve the matter.
If you still feel that we have not handled your request in an appropriate manner according to the law, you have the right to complain to the Data Protection Office at email@example.com.