GDPR in Mauritius: the guide for a business serving Europe

· 3 min read · SOVALYX Technologies

SHARE

A Mauritian company can be fully subject to the GDPR without a single office in Europe: it is enough that it offers goods or services to people located in the EU, or monitors their behaviour. That is the extraterritorial effect of Article 3 — and it stacks with the Mauritian Data Protection Act, never replacing it.

Article 3: the two triggers that cross borders

The GDPR applies to a business established outside the Union in two cases defined by Article 3. First trigger: offering goods or services to people located in the EU, even free of charge. What matters is targeting: a website in French with prices in euros, delivery offered to Europe, clients actively courted in Paris or Brussels. Second trigger: monitoring the behaviour of people located in the EU — profiling cookies, behavioural analytics on your European visitors, targeted advertising.

Conversely, a European tourist who spontaneously buys from a purely local shop does not, by itself, trigger the regulation: the intention to target is what counts. A third, indirect but frequent route in Mauritius: processing on behalf of others. If you process data for a European client — BPO, hosting, development, support — Article 28 imposes precise contractual obligations, which your clients pass down systematically.

GDPR + Data Protection Act 2017: cumulative, not substitutive

The Data Protection Act 2017 applies to your processing in Mauritius in any case. The good news: both texts share the same philosophy — lawful basis, defined purpose, data subject rights, security, transfer rules. Serious DPA compliance therefore covers much of the road.

The GDPR nevertheless adds requirements of its own: designating a representative in the Union, notifying breaches to the competent supervisory authority within 72 hours, and the Chapter V transfer regime, which stacks on top of the DPA's. On the hosting side, we detailed this articulation in Mauritian DPA + GDPR: where should your client data live?

The EU representative: the most forgotten obligation

Article 27 requires non-EU businesses subject to the regulation to designate in writing a representative established in a Member State where the data subjects are. This representative acts as a contact point for supervisory authorities and for people exercising their rights, and must be mentioned in your privacy information.

Exemptions exist — occasional processing, no large-scale sensitive data, limited risk for individuals — but they must be demonstrated, not assumed. In practice, specialist services offer this representation at modest cost; its absence, on the other hand, is immediately visible in any due diligence and weakens your whole compliance posture.

EU → Mauritius transfers: on what basis?

Mauritius does not benefit from an adequacy decision by the European Commission. The flow of personal data from a European client to your Mauritian systems is therefore a transfer under Chapter V, resting in practice on standard contractual clauses (SCCs), backed by real technical measures: encryption, access control, logging. Your hosting choice bears directly on that demonstration — we devote a guide to it: where should your European clients' data live?

And if you are a processor, Article 28 requires a precise data processing agreement with each client: documented instructions, security, control of sub-processing, assistance. Our GDPR processor checklist turns those obligations into control points.

First steps: the checklist

This article presents the general principles of the GDPR and is not legal advice: have your analysis validated by specialist counsel before settling borderline cases.

How SOVALYX can help

For a Mauritian business subject to the GDPR, SOVALYX starts by mapping your flows: where your European clients' data lives, who accesses it, on what basis. A private cloud hosted in Mauritius, with full access logs and a short subcontracting chain, then makes your transfers and your security demonstrable in a few pages. 24/7 supervision under SLA and an automated, tested disaster recovery plan provide the Article 32 guarantees your clients and their auditors ask for.

Talk compliance with an engineer

🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.

Reviewed and optimised by AI.