(When St Lawrence Management Limited is acting as Data Processor)
This notice describes how personal information is collected and handled by St Lawrence Management Limited a company incorporated in Mauritius with Business Registration Number C10093815 (hereinafter referred to as “We”), when it acts as a processor under the Data Protection Act 2017(“DPA”), so as to meet the data protection standards of the data controller and comply with the applicable laws, regulations and policies pertaining to data protection.
2. Controller and Processor relationship
The Controller, as defined under the DPA, will determine the purposes and means of the processing of personal data and has decision making power with respect to such processing. The Controller has appointed St Lawrence Management Limited as Processor by virtue of an agreement, by virtue of which we would be processing data on behalf of such Controller.
3. Data Collection – Which personal data we collect?
The personal data that we collect from the data subject could be one or more of the following or such other data relating to the economic or social identity of the data subject.
- name and surname;
- national identity card number;
- passport details;
- residential address;
- contact details (phone and fax numbers, email addresses); and
- Curriculum Vitae (CV).
We may also request for special categories of data in the event that we came across potential adverse media or hit on the data subject while conducting compliance screening. These data will cover, but not be limited to:
- the commission or alleged commission of an offence by the data subject; and
- any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any Court in the proceedings.
4. How and why we use your personal data?
As data processor, we may collect and process the personal data of employees, directors, shareholders and clients of the controller. This may include data we receive directly from a data subject for example by completing forms, by corresponding with us over the phone, by email or otherwise and data we receive from other sources including for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others.
We will only process personal data for specific purposes. We use the personal data in the course of our business activities and interaction with the data subject only for the following purposes:
- performing our agreement with the data controller;
- promoting eventual business relationships;
- assisting the data subject with any queries or concerns;
- complying with any legal or regulatory obligations imposed on us;
- fulfilling our legitimate commercial interests; and
- sending communications to the data subject if the latter has consented to receiving the same, and for any other purposes for which we have the consent of the data subject.
We will not keep personal data longer that is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
5. To whom do we disclose personal data?
The personal data of the data subject may be shared as follows:
- with our employees to fulfil our contractual obligations with the Controller; and
- with our accountants, auditors, lawyers, other professional advisors, or third-party service providers, on a need-to-know basis, for the purpose of assisting us to manage, support and develop our contractual obligations and generally to comply with our legal and regulatory obligations.
We will ensure that the personal data of data subjects is kept safely. Only designated persons will have access to such personal data on a strictly need-to-know basis for the purposes of fulfilling our agreement, or promoting our business relationship with the controller. In addition, third parties with whom we share your personal data will be contractually obliged to safeguard all personal data to which they have access.
Some disclosures do not require the consent of the data subject. This happens when we share personal data with (i) law enforcement bodies/agencies and other statutory authorities, if required by law and (ii) if required or authorized by law or if we suspect any unlawful activities.
6. Data Security
The Controller will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
As Processor, we have put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will maintain data security by protecting the confidentiality, integrity and availability of the personal data.
7. Data Protection Officer
The Data Protection Officer of the Controller is Ms Verna Ochit, who can be contacted on the following:
Address: 49 Labourdonnais Street, 2nd Floor C&R court, Port- Louis
Phone number: 213 7000
8. What are Data Subject’s rights?
As per the DPA, all individuals who are the subject of personal data held by a data controller are entitled to inter alia have a:
- Right to have access to any personal data being processed by the Company (see also paragraph 9 of the Data Protection Policy).
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for the said data subject.
- Right to rectification, erasure or restriction on processing.
- Right to have personal data taken off a direct marketing or direct mailing list.
- Right to object in writing at any time to the processing of personal data unless the Controller demonstrates compelling legitimate grounds for such processing which override the data subject’s interests, rights and freedoms or for the establishment, exercise or defence of a legal claim.
When a request to disclose or rectify personal data is received, no disclosure or rectification will be carried out unless the authority and authenticity of such a request has been established.
9. Compliance with Data Protection Act 2017
All processing of personal data by Processor will be done in compliance with the Data Protection Act 2017.
If a data subject believes that we have not handled a request in an appropriate manner, the data subject may lodge a complaint with the Data Protection Commissioner (DPC) (The Data Protection Office, 5th floor, SICOM Tower, Wall Street Ebène, Mauritius). However, we would request the data subject to contact us to try to resolve any issues amicably before referring any complaint to the DPC.
This notice will be updated as and when required to reflect best practices in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 2017, regulations made thereunder, any data protection policies and generally applicable data protection rules.
Glossary of Terms:
Data Protection Act 2017: In Mauritius, the law which governs the protection of personal data is the Data Protection Act 2017 (hereinafter referred to as “DPA”).
Controller means a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing.
Processor means any person who or public body which, processes personal data on behalf of the Controller.
Data Subject (Individual) means an identified or identifiable individual, in particular by reference to an identifier as described under paragraph 4.
Personal Data means any information relating to a data subject.