Seychelles DPA 2023

Data Protection Act, 2023

Key Facts

Effective Date: December 22, 2023
Enacted: December 19, 2023
Enforcing Authority: Information Commission
Consent Model: Opt-in
Applies To: All data controllers and processors operating within Seychelles; 18-month transitional compliance period from December 2023

Overview

The Seychelles Data Protection Act 2023 is a modern privacy law that replaces the unenforced 2003 Act. Enacted December 19, 2023 and effective December 22, 2023, it designates the Information Commission as the competent enforcement authority with powers to conduct audits and investigations. The law includes an 18-month transitional compliance period running until June 2025, giving organizations time to align their data processing practices.

What This Means for Your Website

If your website processes personal data of individuals in Seychelles, you must obtain consent before processing, conduct Data Protection Impact Assessments for high-risk activities, and implement prompt breach notification procedures. Organizations may need to appoint a DPO depending on their size and the nature of their processing. The transitional period provides time to establish compliant practices.

Key Requirements

Consent is the primary legal basis for processing personal data. DPIAs are required for high-risk processing activities. Breach notification to the Information Commission and affected individuals must be prompt. DPO appointment depends on organization size and processing nature. Data subjects have comprehensive rights including access, rectification, and erasure. Security measures must protect personal data.

How ConsentStack Handles This

ConsentStack provides a consent management platform that helps meet the Seychelles DPA 2023 requirements. It delivers a configurable consent banner for lawful data collection, records all consent decisions with timestamps, supports data subject rights workflows, and maintains audit trails for Information Commission compliance reviews.

Penalties

Administrative fines for contraventions (amounts set by the Commission), enforcement notices, and compliance orders.

Key Requirements

  • Consent required for personal data processing
  • Data Protection Impact Assessments required for high-risk processing
  • Prompt breach notification to Information Commission and affected individuals
  • DPO appointment required based on organization size and processing nature
  • Data subjects have comprehensive rights including access, rectification, and erasure
  • Data security measures mandatory

Notable Provisions

  • Replaces the Data Protection Act 2003 which was enacted but never implemented
  • 18-month transitional period for compliance until June 2025
  • Information Commission empowered to conduct audits and investigations

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

When does the Seychelles DPA 2023 transitional compliance period end?

The 18-month transitional compliance period runs until approximately June 2025, after which full enforcement is expected.

What happened to the previous Seychelles data protection law?

The Data Protection Act 2003 was enacted but never implemented or enforced. The DPA 2023 replaces it entirely with a modern framework.

Do I need a DPIA under the Seychelles DPA?

Yes, Data Protection Impact Assessments are required for high-risk processing activities under the DPA 2023.

Who enforces the Seychelles DPA 2023?

The Information Commission is the designated enforcement authority with powers to conduct audits, investigations, and issue compliance orders.
