Data protection

INTRODUCTION

Personal data is information relating to an identified or identifiable individual. It can be general in nature, such as name, address, email or mobile number or location data, amongst others, or take a biometric or genetic form. Such data is collected and used every day and everywhere.

The Data Protection Act 2017 (the “DPA 2017” or the “Act”) has been enacted to strengthen the control and personal autonomy that data subjects have over their personal data, in line with current relevant international standards. The DPA is aligned with the key principles found in international laws, namely the EU General Data Protection Regulation (GDPR) (EU) 2016/679.

Considering the above, a vigorous Data Protection Policy is therefore of utmost importance for the good governance of Mauritius Multisports Infrastructure Ltd (“MMIL” or “Company”). This Data Protection Policy (the “Policy”) has been developed to ensure good practice in relation to the collection, use, processing, handling, and storage, amongst others, of personal data pertaining to patients and/or athletes (“you” or “your”) by the Company through the Health Care Unit. The Health Care Unit offers outpatient medical services such as medical consultation, physiotherapy, and nursing services. It also provides medical coverage for sports events. This Policy sets out how the Company handles your Personal data to comply with its obligations in accordance with the law.

SCOPE OF THIS POLICY

This Policy applies to all Personal data collected and processed by the Company, its employees, agents and volunteers who have access to the patient/athlete personal data. Anyone collecting and processing personal data on behalf of the Company must read, understand, and mandatorily comply with this Policy.

By voluntarily providing us with your personal data, you are consenting to our use of it in accordance with this Policy. This Policy ensures that the Company:
1. conforms with the DPA 2017;
2. protects the rights of the patients or athletes;
3. stores and processes personal data in line with local laws; and,
4. has adequate systems in place to protect itself from the risks of data or security breaches, or other issues that may crop up.

TERMINOLOGIES

The following are some key definitions for the terms used in this Policy:
– “Collect” does not include receiving unsolicited information;
– “Consent” means any freely given specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which he signifies his agreement to personal data relating to him being processed;
– “Controller” means a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing;
– “Data subject” means an identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;
– “Physical or mental health”, in relation to personal data, includes information on the provision of health care services to the individual, which reveals his health status;
– “Processing” means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
– “Special categories of personal data”, in relation to a data subject, means personal data pertaining to –

(a) his racial or ethnic origin;
(b) his political opinion or adherence;
(c) his religious or philosophical beliefs;
(d) his membership of a trade union;
(e) his physical or mental health or condition;
(f) his sexual orientation, practices or preferences;
(g) his genetic data or biometric data uniquely identifying him;
(h) the commission or alleged commission of an offence by him;
(i) any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any Court in the proceedings; or
(j) such other personal data as the Commissioner may determine to be sensitive personal data;

– “Third party” means a person or public body other than a data subject, a controller, a processor or a person who, under the direct authority of a controller or processor, who or which is authorised to process personal data.

WHAT PERSONAL DATA WE COLLECT

The Company collects the following personal data from its athletes or patients: name, address, email address, national identification number, racial or ethnic origin and physical or mental health or condition (“Personal Data”). The Company and its employees shall ensure that Personal data is collected solely for the provision of the services provided by the Company and only if the collection of the data is necessary for that purpose.

USE & PROCESSING OF YOUR PERSONAL DATA

The Company shall comply with all the provisions listed in the DPA 2017 in the processing of your Personal Data and it may process the Personal Data under one or more of the following lawful bases:

  1. to use the information to comply with the Company’s legal and regulatory obligations;
  2. to use the information for the performance of the Company’s contractual obligations towards you for the provision of the services or to take steps before entering into a contract and provide the services;
  3. for the purposes of the legitimate interests pursued by the Company or its authorised third party, except if the processing is unwarranted considering the harm and prejudice to your rights and freedoms or your legitimate interests; or
  4. for the purpose of historical, statistical, or scientific research; and
  5. the processing is necessary for the purpose of preventive or occupational medicine, medical diagnosis or the provision of health services.

The Company will use your Personal Data for the following purposes:

  1. The name, address, email address and national identification number are collected from you for the conclusion of a contract and before providing the services;
  2. The racial or ethnic origin is collected to assist in the diagnosis, prognosis and to determine the adequate medication for the provision of health care treatment. The data will be processed only under the responsibility of a professional; and
  3. The physical or mental health or condition data are collected to provide the necessary health care or treatment pursuant to the contract. This data will be processed only under the responsibility of a professional.

The Company will process and store your Personal data for as long as it is necessary for the performance of its contractual and statutory obligations.
If your Personal data is no longer required, it will be deleted. Retention period will, in any case, be compliant with any applicable and relevant laws.

CONSENT

In addition to the lawful bases set out in Clause 6 above, consent is another lawful basis for the processing of Personal data. Where the use or processing of Personal data does not fall within the purview of the lawful bases set out in Clause 5, your instructions and explicit consent will be required. You will be given ongoing control over how your data is being used, thus ensuring transparency and accountability. Consent shall be obtained before the Company provides you any services. Where the processing is based on your consent, you have the right to withdraw your consent at any time. Please note that this will not affect the lawfulness of processing based on your consent before its withdrawal.

DISCLOSURE OF YOUR PERSONAL DATA

We will only share your Personal data with relevant third parties where:

  • You have given us your express consent to do so;
  • It is necessary to allow us to meet or enforce a legal obligation;
  • It is necessary and proportionate for the prevention, investigation, detection or prosecution of an offence;
  • For the purpose of historical, statistical or scientific research whilst ensuring that the required security and organisational measures are implemented to protect your rights; and
  • It is necessary for your protection, such as in medical emergency cases.

Please note that the Personal Data may be disclosed to the Ministry of Youth Empowerment Sports & Recreation in case of a parliamentary question. However, your express consent to do so will be collected prior to doing so.
We endeavour to disclose only the strict minimum Personal data that is required to perform or enforce our business relationship.

HOW WE SECURE YOUR PERSONAL DATA

The Company is a registered controller with the Data Protection Commissioner under the DPA 2017 and will take appropriate organisational and technical measures to safeguard your Personal data against any unauthorised or unlawful disclosure and/or use. Our employees and authorised agents are bound by confidentiality provisions regarding any personal information held by the Company. Access to the medical database system (Jelly Software) is restricted by passwords and user authentication. Only authorised personnel can access patient records. In the event of a Personal data breach involving your Personal data, the Company has a duty to notify the breach to the Data Protection Commissioner and we shall take all necessary remedial action as well as measures to mitigate the possible adverse effects of the breach. Moreover, where the personal data breach is likely to result in a high risk to your rights and freedoms, we are bound to inform you about the personal data breach.

WHAT RIGHTS YOU HAVE OVER YOUR PERSONAL DATA

In compliance with DPA 2017:

  • Upon a written request made to the Company, we shall provide you, at reasonable intervals and without excessive delay, confirmation as to whether or not your Personal data is being processed and forward you a copy of the data;
  • You have the right to request the rectification of your Personal data on the ground of inaccuracy;
  • Subject to any retention period, you have the right to request the erasure of your Personal data if:
    • You withdraw your consent and there is no other legal ground for the processing; or
    • You object to the processing of your Personal data and there are no overriding legitimate grounds for processing or restriction of processing of your Personal data or to object to the processing of the data;
  • You also have the right to lodge a complaint in relation to the processing of your Personal data or any breach, with the Data Protection Commissioner.

TRANSFER OF PERSONAL DATA OUTSIDE MAURITIUS

Please note that the Company may transfer your Personal data to countries which may not have the same data protection laws as in Mauritius where the transfer is necessary:
a. for the performance of a contract between yourself and MMIL or for the implementation of pre-contractual measures taken at your request;
b. for the conclusion or performance of a contract concluded in your interest between the Company and another person;
c. for reasons of public interest as provided by law;
d. for the establishment, exercise, or defence of a legal claim; or
e. to protect your vital interests or of other persons, where you are physically or legally incapable of giving consent; or
f. for the purpose of compelling legitimate interests pursued by the Company which are not overridden by your interests, rights and freedoms involved and where –
– the transfer is not repetitive and concerns a limited number of data subjects; and
– the Company has assessed all the circumstances surrounding the data transfer operation and has, based on such assessment, provided to the Commissioner proof of appropriate safeguards with respect to the protection of the personal data.

QUERIES OR COMPLAINTS

One of the Company’s duties as a controller is to designate a Data Protection Officer who will be responsible for monitoring internal compliance with data protection laws. We have designated Mr. Narainsamy Venketasamy to act as the Data Protection Officer of the Company and he can be contacted by email at rajen@cotedorsports.mu.
The Data Protection Officer will be the first point of contact for the Data Protection Office and for you, should you have any queries or concerns. If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the Data Protection Commissioner of Mauritius.

UPDATES AND AMENDMENTS

This Policy will be updated as necessary to reflect best practice in data management, security, and control and to ensure compliance with any changes or amendments made to the Act.