Organisation

LEAL & CO. LTD AND SUBSIDIARIES

Scope of Policy

For the purposes of Article 37 of the GDPR, ‘a group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from and by each establishment’. Therefore, for the purposes of this policy, the following entities have appointed a single data protection contact to address their GDPR/MDPA alignment efforts:

LEAL & CO. LTD. (LEAL) PHARMACIE NOUVELLE LTD. (PNL)

LEAL COMMUNICATIONS AND INFORMATICS LTD. (LCI) LEAL EQUIPEMENTS CIE

LTEE. (LEC)

LEAL ENERGIE LTD. (LE)

UNITED MOTORS LTD. (UML) DISTRIPC LTD. (ELYTIS)

LEAL AGENCY LTD. (LACY) BEST FIT LTD. (BFIT)

INSPIRE SYSTEMS INSTITUTE LTD. (TYLERS)

LEAL & CO. LTD. and its subsidiaries, (LEAL) or the ‘company’, hereby undertakes to comply with the conditions set by the GDPR, the MDPA and all other legislation that is relevant with to the jurisdictions in which it operates.

The ‘singe data protection contact’ per Article 37 of the GDPR acts as the Group Data Protection Officer.

Policy operational date

15/11/2018

Policy prepared by

GROUP DATA PROTECTION OFFICER

Date approved

15/11/2018

Approved by

CEO

Annexed to this Policy

ANNEX (I)- Contacts of the Group Data Protection Officer

ANNEX (II) - Accountability Principles for the Processing of Personal Data

Purpose of policy

(LEAL) and all entities acting upon the instructions of the company are dedicated to upholding and promoting the rights of all data subjects including customers, clients, staff members and the general public who have entrusted the company with their personal data. The purpose of this policy is to enable (LEAL) to:

• Protect the rights of all individuals who provide their personal data
• Communicate clearly the Company’s position with regard to GDPR and the MDPA to our customers, clients, staff members and all other stakeholders that may provide their personal data
• Ensure continuous compliance with GDPR and the MDPA with respect to our systems and processes
• Encourage good practice across all sectors of the company and promote GDPR by design and by default

This policy covers all aspects of the GDPR and the MDPA and explicitly covers a number of key provisions within both legal instruments. This does not exclude the need for compliance to other Articles of the GDPR or the MDPA not specifically mentioned.

It is an umbrella policy which may have other related policies referred to which must also be consulted.

Personal data

This policy applies to (personal data) relating to identifiable individuals, in terms of the GDPR and the MDPA.

Definitions

All terms used in this policy are as referenced from the in the GDPR and the MDPA.

Policy statement

This Policy seeks to promote compliance across all sectors of the company in line with the GDPR and MDPA. The MDPA, (took effect on the 15th January 2018), has been aligned with the GDPR (took effect on the 25th May 2018). As such, key provisions within the GDPR and MDPA will overlap throughout this Policy.

With the approval and incorporation of this Policy, the company, (LEAL), commits to upholding the personal data of all data subjects in line with the accountability principles set in Annex (II) and covets to take all necessary, proportionate and legal measures to ensure that all personal data entrusted to the company is kept safe within the groups data protection systems and processes, which must be aligned with the requirements set by the General Data Protection Regulations (GDPR) and the Mauritius Data Protection Act 2017 (MDPA).

In accordance with this Policy, (LEAL) covets to:

• At all times uphold the fundamental rights of the data subject as illustrated in the GDPR and MDPA atthe heart of our processes when handling personal data.
• Will remain transparent and honest as to the use of personal data and will ensure to
• Provide training and support for all staff who handle personal data, so that they can act confidently and consistently process data in line with our obligations towards our stakeholders.

(LEAL) recognises that its first priority under the GDPR and the MDPA is to avoid causing harm to individuals with regard to their personal data. In the main this means:

• Providing adequate systems and processes that keep personal data securely in the right hands
• Ensuring that all personal data held by (LEAL) is accurate and updated

Secondly, the GDPR and MDPA aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, (LEAL) will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.

PRINCIPLES

1

PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA

Article 5 of the GDPR

Article 21 of the MDPA

(LEAL) will adhere to the six principles of processing of personal data as covered in Article 5 of the GDPR and Article 21 of the MDPA.

This policy commitment will be supported by implementing controls which evaluate the extent to which these principles are respected for personal data processing where (LEAL) is the data Controller.

2

LAWFULNESS

Article 6 of the GDPR

(LEAL) will ensure that at least one of the six conditions under Article 6 of the GDPR for lawful processing are met for personal data processing where (LEAL) is the data Controller.

3

CONSENT

Article 7 of the GDPR

Article 24 of the MDPA

(LEAL) will ensure that the conditions for consent are satisfied where applicable for personal data processing where (LEAL) is the data Controller.

(LEAL) will ensure that the conditions for consent are met in all areas where consent is required for the processing of personal data.

4

CHILDREN

Article 8 of the GDPR

Article 30 of the MDPA

(LEAL) does not normally process the personal data of children (below the age of 16), but where such processing takes place steps will be taken to comply with Article 8 of the GDPR.

Consent of the Parent or Guardian of a child must be obtained before processing personal data.

Where personal data of children is processed, such as for dependents of employees, this policy commitment will be supported by implementing controls which evaluate the extent to which these Article 8 requirements are respected for the processing of personal data of children where (LEAL) is the data Controller.

Where the personal data of a child (below the age of 16) is being processed, (LEAL) will apply Article 30 of the MDPA to take reasonable efforts to verify that consent has been authorised, taking into account available technology.

5

PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Article 9 of the GDPR

Article 29 and 34 of the MDPA

(LEAL) will ensure that the conditions for processing of special categories of personal data are satisfied where applicable where (LEAL) is the data Controller.

This policy commitment will be supported by implementing controls which evaluate the extent to which personal data processing of special categories of personal data is expected where (LEAL) is the data Controller. This includes the use of a Data Protection Impact Assessment (DPIA) for high risk processing.

6

PROCESSING OF PERSONAL DATA RELATING TO CRIMINAL CONVICTIONS AND OFFENCES

Article 10 of the GDPR

Article 29 of the MDPA

(LEAL) does not normally process relating to criminal convictions and offences, but where such processing takes place steps will be taken to comply with Article 10 of the GDPR.

For the purposes of the MDPA, criminal convictions will be qualified under Article 29 and will be processed in accordance with Article 29(2) of the MDPA.

Where personal data relating to criminal convictions and offences is processed, such as for screening of employees, this policy commitment will be supported by implementing controls which evaluate the extent to which these Article 10 requirements are respected where (LEAL) is the data Controller.

RIGHTS OF DATA SUBJECTS

7

TRANSPARENT INFORMATION, COMMUNICATION AND MODALITIES FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT

Article 12 of the GDPR

Articles 37, 38 and 39 of the MDPA

(LEAL) will ensure that information provided to data subjects, such as via a privacy notice, will be in a concise, transparent, intelligible and easily accessible form, using clear and plain language, where (LEAL) is the data Controller in accordance with Article 12 of the GDPR and Article 37 of the MDPA.

This policy commitment will be supported by implementing controls which ensure compliance with Articles 13 and 14, and 15 to 22 of the GDPR and Articles 37, 38 and 39 of the MDPA in support of data subject rights where (LEAL) is the data Controller. This includes the use of fair processing procedures as described in the related documents.

8

INFORMATION TO BE PROVIDED WHERE PERSONAL DATA ARE COLLECTED FROM THE DATA SUBJECT

Article 13 of the GDPR

Article 37 of the MDPA

(LEAL) will ensure that all the information required under paragraph 1 (basic) and paragraph 2 (further) to be provided to data subjects will be available, such as via a privacy notice, will be available at the time the data is obtained where (LEAL) is the data Controller.

This policy commitment is further aligned with Article 37 of the MDPA which will be supported by implementing controls which ensure compliance with Articles 13 of the GDPR.

9

RIGHT OF ACCESS BY THE DATA SUBJECT

Article 15 of the GDPR

Article 37 of the MDPA

(LEAL) will ensure that the right of access by the data subject will be respected in accordance with Article 15 of the GDPR and Article 37 of the MDPA where applicable.

(LEAL) shall, upon written request of a data subject, provide, at reasonable intervals, without excessive delay and free of charge confirmation as to whether the personal data relating to the data subject is being processed and forward a copy per request.

(LEAL) may, where there is reasonable doubt concerning the identity of a data subject making a request for a copy of their personal data held by the company, request further information to confirm the identity of the person making the request.

Related document: Data subject request procedure

10

RIGHT TO RECTIFICATION

Article 16 of the GDPR

Article 39 of the MDPA

(LEAL) will ensure that the right to rectification by the data subject will be respected.

Upon request from the data subject, all personal data shall be declared for rectification without undue delay.

This policy commitment will be supported by procedural measures to facilitate the submission of data subject requests for rectification, including monitoring that those requests are responded to within the limits allowed.

11

RIGHT TO ERASURE

Article 17 of the GDPR

Article of the MDPA

(LEAL) will ensure that the right to erasure of personal data held on the data subject will be respected.

(LEAL) also recognises its obligations to comply with other legislation, specific to the jurisdictions in which it operates, which require records are retained for specified periods. (LEAL) will therefore maintain a personal data retention plan for each of its operations.

(LEAL) therefore undertakes to balance the need to respect data subject requests with the need to retain records for legitimate purposes.

Upon request from the data subject and depending on the purposes of the data processing, (LEAL) will erase the personal data of the data subject without undue delay.

Related document: Data subject request procedure

12

RIGHT TO RESTRICTION OF PROCESSING

Article 18 of the GDPR

Article 39 of the MDPA

(LEAL) will ensure that the right to restriction of processing will be respected in terms of the valid reasons which are covered under Article 18 of the GDPR and Article 39 of the MDPA.

This policy commitment will be supported by procedural measures to facilitate the restriction of processing, including monitoring that those requests are responded to within the limits allowed.

Related document: Data subject request procedure

13

RIGHT TO DATA PORTABILITY

Article 20 of the GDPR

(LEAL) will respect the right to data portability including the provision of data in a structured, commonly used and machine-readable format.

This policy commitment will be supported by procedural measures to facilitate appropriate data formats are provided and monitoring that those requests are processed within reasonable time limits.

Related document: Data subject request procedure

14

RIGHT TO OBJECT

Article 21 of the GDPR

Article 39 of the MDPA

(LEAL) will support the right to object to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR.

The right to object will be subject to the purposes for which the data is processed.

Related document: Data subject request procedure

15

AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING

Article 22 of the GDPR

(LEAL) will ensure that wherever an automated decision making is conducted, such activities will be noted in the DPIA and that appropriate and proportional measures are taken to secure personal data.

(LEAL) will ensure that its affected management and employees conducting DPIAs will receive awareness training on how to conduct DPIAs where (LEAL) is the data Controller.

Related document: Data subject request procedure

CONTROLLER RESPONSIBILITIES

16

RESPONSIBILITY OF THE CONTROLLER

Article 24 of the GDPR

(LEAL) will fulfil all of its responsibilities as outlined in Article 24, including implementing policies such as this document and related policies. (LEAL) will also adhere to any applicable Code of Conduct.

(LEAL) will implement appropriate technical and organisational measures (TOM’s) to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR and the MDPA. Those measures shall be reviewed and updated where necessary.

17

DATA PROTECTION BY DESIGN AND BY DEFAULT

Article 25 of the GDPR

(LEAL) will implement appropriate technical and organisational measures (TOM’s) to protect the rights of data subjects to support data protection by design and by default.

(LEAL) will implement the use of an approved methodology for data protection by design and by default when implementing the outcomes of a DPIA or when undertaking changes to the design or function of processing of personal data.

18

JOINT CONTROLLERS

Article 26 of the GDPR

(LEAL) will undertake a DPIA when a joint controller role is envisaged and act on the finding of the DPIA in accordance with Article 26.

In addition, where a joint controller is involved in the processing of personal data, (LEAL) shall take reasonable measures to assess the joint controller’s obligation with the GDPR and national Data Protection Legislation where applicable and depending on the jurisdiction of operation.

19

PROCESSING UNDER THE AUTHORITY OF THE CONTROLLER OR PROCESSOR

Article 29 of the GDPR

(LEAL) will ensure that those acting under its authority, including employees and Processors will receive clear instructions on the processing of personal data.

(LEAL) may make use of Data Transfer Agreements where personal data is transferred to a processor, stipulating the terms and conditions to be adhered to during processing.

20

RECORDS OF PROCESSING ACTIVITIES

Article 30 of the GDPR

(LEAL) will ensure that an appropriate record of processing activities is kept and made available to relevant authorities as required.

The record of processing will be maintained by the DPO and available from the office of the DPO.

21

COOPERATION WITH THE SUPERVISORY AUTHORITY

Article 31 of the GDPR

Article 14 of the MDPA

(LEAL) will co-operate at all times with the relevant Supervisory Authorities. This co-operation will be co-ordinated through the office of the DPO.

(LEAL) shall be registered as a Data Controller and Processor and shall oblige to the requests of the Mauritius Data Protection Office.

22

SECURITY OF PROCESSING

Article 32 of the GDPR

Article 31 of the MDPA

(LEAL) will implement appropriate organisational and technical measures to ensure a level of security appropriate to the risk of processing of personal data.

These measures will also prevent the unauthorised access to, alteration, disclosure, accidental loss and destruction of personal data.

Appropriate measures will include conducting periodic risk assessments and implementing appropriate risk responses. Such assessments and responses will take into account appropriate international practices, including applicable code of conduct.

23

NOTIFICATION OF A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY

Article 33 of the GDPR

(LEAL) will ensure that there are organisational measures to support notification of a personal data breach to the supervisory authority. The data breach process and procedures will be adequately documented and communicated.

Related document: Data Breach Incident Response Plan

24

NOTIFICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT

Article 34 of the GDPR

Article 29 of the MDPA

(LEAL) will notify a data subject of a data breach within 72 hours after becoming aware of the breach.

(LEAL) will ensure that there are organisational measures to support notification of a personal data breach to the data subject. The data breach process and procedures will be adequately documented and communicated.

Related document: Data Breach Incident Response Plan

25

DATA PROTECTION IMPACT ASSESSMENT

Article 35 of the GDPR

Article 34 of the MDPA

(LEAL) will conduct a Data Protection Impact Assessment (DPIA) where the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons.

(LEAL) will implement the use of an approved methodology for a DPIA.

26

PRIOR CONSULTATION

Article 36 of the GDPR

Article 35 of the MDPA

(LEAL) DPO will consult the supervisory authority prior to processing where a DPIA under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the Controller, (LEAL) to mitigate the risk.

GROUP DATA PROTECTION OFFICER

27

DESIGNATION OF THE DATA PROTECTION OFFICER

Article 37 and Article 38 of the GDPR

(LEAL) will ensure that a Data Protection Officer (DPO) is appointed in line with the requirements set out in Article 37, Article 38, and Article 39 of the GDPR.

The DPO will also function in the same capacity where (LEAL) is the data controller or data processor.

TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

28

GENERAL PRINCIPLE FOR TRANSFERS

Article 44 – 49 of the GDPR

Article 36 of the MDPA

(LEAL) will ensure that the general principle for transfers is respected. This will be achieved through the implementation of appropriate measures in line with Articles 45 to 49 of the GDPR and in accordance with Article 36 of the MDPA.

29

TRANSFERS ON THE BASIS OF AN ADEQUACY DECISION

Article 45 and 46 of the GDPR

Article 36 of the MDPA

(LEAL) will monitor the list of countries, sectors and international organisations where an adequacy decision has been made. Where appropriate (LEAL) will benefit from that decision.

Where it is not clear as to the adequacy of data protection regulation in countries outside of the EU and Mauritius, (LEAL) shall make reasonable inquiry into the data protection systems in use by the Processor.

(LEAL) will incorporate appropriate contractual measures, including the use of standard data protection clauses to uphold the data subject’s rights.

30

BINDING CORPORATE RULES

Article 47 of the GDPR

(LEAL) will ensure that Binding Corporate Rules (BCRs) are used to provide appropriate protection for international transfers where appropriate. Any such BCRs will be registered with the appropriate supervisory authority.

(LEAL) will seek legal advice to ensure that the appropriate BCRs are implemented.

31

TRANSFERS OR DISCLOSURES BEYOND THE SCOPE OF THE GDPR OR MAURITIAN DATA PROTECTION LAW

Article 48 of the GDPR

(LEAL) will ensure that transfers or disclosures not authorised by or beyond the scope of GDPR law or Mauritian data protection law will be handled appropriately.

(LEAL) will seek legal advice to ensure that the appropriate transfers are implemented.

RIGHTS OF DATA SUBJECTS

1

TRANSPARENT INFORMATION, COMMUNICATION AND MODALITIES

FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT

Article 12 and 15 - 22 of the GDPR

Articles 37 - 40 of the MDPA

(LEAL) will ensure that data subject requests for access to and management of data subjects’ personal data, where (LEAL) is the data Processor, will be handled in accordance with the requirements of the GDPR and our obligations under the MDPA.

Response to data subject requests will normally be under the terms of an agreement with the data Controller.

This policy commitment will be supported by implementing controls which ensure compliance with Articles 15 to 22 of the GDPR and Articles 37 to 40 of the MDPA in support of data subject rights where (LEAL) is the data Processor.

2

RIGHT OF ACCESS BY THE DATA SUBJECT

Article 15 of the GDPR

Article 37 of the MDPA

(LEAL) will ensure that data subject requests for access to and management of data subjects’ personal data, where (LEAL) is the data Processor, will be handled in accordance with the requirements of the GDPR and MDPA.

3

RIGHT TO RECTIFICATION

Article 16 of the GDPR

Article 39 du MDPA

(LEAL) will ensure that data subject requests for access to and management of data subjects’ personal data, where (LEAL) is the data Processor, will be handled in accordance with the requirements of Article 16 of the GDPR and Article 39 of the MDPA. Response to such data subject requests will from normally be under the terms of an agreement with the data Controller (normally the customer of (LEAL))

This policy commitment will be supported by implementing controls which ensure compliance with Articles 15 to 22 of the GDPR in support of data subject rights where (LEAL) is the data Processor. This includes the use of fair processing procedures as described in the related documents.

Related document: Data subject request procedure

4

RIGHT TO ERASURE

Article 17 of the GDPR

Article 39 of the MDPA

(LEAL) will ensure that data subject requests for access to and management of data subjects’ personal data, where (LEAL) is the data Processor, will be handled in accordance with the requirements under Article 17 of the GDPR and Article 39 of the MDPA. Response to such data subject requests will typically be contained within the terms of an agreement with the data Controller.

Related document: Data subject request procedure

5

RIGHT TO RESTRICTION OF PROCESSING

Article 18 and Articles 15 - 22 of the GDPR

Article 39 of the MDPA

(LEAL) will ensure that data subject requests for access to and management of data subjects’ personal data, where (LEAL) is the data Processor, will be handled in accordance with the requirements of Article 18 the GDPR and Article 39 of the MDPA. Response to such data subject requests will from normally be under the terms of an agreement with the data Controller.

This policy commitment will be supported by implementing controls which ensure compliance with Articles 15 to 22 in support of data subject rights where (LEAL) is the data Processor. This includes the use of fair processing procedures as described in the related documents.

Related document: Data subject request procedure

6

NOTIFICATION OBLIGATION REGARDING RECTIFICATION OR ERASURE OF PERSONAL DATA OR RESTRICTION OF PROCESSING

Article 19 of the GDPR

(LEAL) will ensure that data subject requests for access to and management of data subjects’ personal data, where (LEAL) is the data Processor, will be handled in accordance with the requirements of Article 19 GDPR in particular and Article 37 of the MDPA. Response to such data subject requests will from normally be under the terms of an agreement with the data Controller.

Related document: Data subject request procedure

7

RIGHT TO DATA PORTABILITY

Article 20 of the GDPR

(LEAL) will ensure that data subject requests for access to and management of data subjects’ personal data, where (LEAL) is the data Processor, will be handled in accordance with the requirements of Article 20 of the GDPR. Response to such data subject requests will from normally be under the terms of an agreement with the data Controller (normally the customer of (LEAL)).

Related document: Data subject request procedure

8

RIGHT TO OBJECT

Article 21 and Articles 15 – 22 of the GDPR

Article 39 of the MDPA

(LEAL) will ensure that data subject requests for access to and management of data subjects’ personal data, where (LEAL) is the data Processor, will be handled in accordance with the requirements of Article 21 of the GDPR and Article 39 of the MDPA. Response to such data subject requests will from normally be under the terms of an agreement with the data Controller (normally the customer of (LEAL)).

This policy commitment will be supported by implementing controls which ensure compliance with Articles 15 to 22 in support of data subject rights where (LEAL) is the data Processor. This includes the use of fair processing procedures as described in the related documents.

9

AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING

Article 22 of the GDPR

Article 38 of the MDPA

(LEAL) will ensure that data subject requests for access to and management of data subjects’ personal data, where (LEAL) is the data Processor, will be handled in accordance with the requirements of the GDPR. Response to such data subject requests will typically be contained the terms of an agreement with the data Controller.

In accordance with Article 38 of the MDPA, personal data processing by fully automated systems will only be conducted once consent has been obtained from the data subject or otherwise for contractual or legal reasons.

PROCESSOR RESPONSABILITIES

10

PROCESSING UNDER THE AUTHORITY OF THE CONTROLLER OR PROCESSOR

Article 29 of the GDPR

(LEAL) will ensure that those acting under its authority, including employees and sub-processors will receive clear instructions on the processing of personal data. In its role as a Processor, (LEAL) will only act on the instructions of the Controller.

Related document: (controller to processor and processor to processor contract)

11

RECORDS OF PROCESSING ACTIVITIES

Article 30 of the GDPR

Article 33 of the MDPA

(LEAL) will ensure that an appropriate record of processing activities is kept and made available as required by Article 30 of the GDPR and Article 33 of the MDPA.

The record of processing will be maintained by the DPO and available from the office of the DPO.

Related document: Article 30 record of processing

12

COOPERATION WITH THE SUPERVISORY AUTHORITY

Article 31 of the GDPR

(LEAL) will co-operate at all times with the relevant Supervisory Authorities in all jurisdictions in which we operate. This co-operation will be co-ordinated through the office of the DPO.

This includes, but may not be limited to, the Mauritius Data Protection Office (MDPO) under the leadership of the Commissioner and all other Supervisory Authorities that derive their powers from Article 51 of the GDPR or any other supervisory authority outside of Mauritius and the EU that is responsible for the implementation and enforcement of data protection law.

13

SECURITY OF PROCESSING

Article 32 of the GDPR

Article 31 of the MDPA

(LEAL) will implement appropriate organisational and technical measures (TOM’s) to ensure a level of security appropriate to the risk of processing of personal data in accordance with Article 32 of the GDPR and Article 31 of the MDPA.

These measures includes conducting periodic risk assessments and implementing appropriate risk responses. Such assessments and responses will take into account appropriate international practices, including applicable code of conduct.

Related document: IT security policy

14

NOTIFICATION OF A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY

Article 33 of the GDPR

Article 25 of the MDPA

(LEAL) will ensure that there are organisational measures to support notification of a personal data breach to the Customer (Controller) or other Processor who will in turn notify the supervisory authority. The data breach process and procedures will be adequately documented and communicated.

Related document: Data Breach Incident Response Plan

15

COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT

Article 34 of the GDPR

Article 25 of the MDPA

(LEAL) will not normally communicate a personal data breach to the data subject as this is the responsibility of the Controller. However, where a contract requires (LEAL) to do so, this communication will take place in accordance with Article 34 of the GDPR and Article 25 of the MDPA.

The data breach process and procedures will be adequately documented and communicated.

Related document: Data Breach Incident Response Plan

TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

16

GENERAL PRINCIPLE FOR TRANSFERS

Article 44 of the GDPR

Article 36 of the MDPA

(LEAL) will ensure that the general principle for transfers is respected. This will be achieved through the implementation of appropriate measures in line with Articles 45 to 49 of the GDPR.

2 Clauses and contracts governing the transfer of personal data outside of Mauritius and where applicable, shall align with Article 36 of the MDPA.

17

TRANSFERS ON THE BASIS OF AN ADEQUACY DECISION

Article 45 of the GDPR

Article 36 of the MDPA

(LEAL) will monitor the list of countries, sectors and international organisations where an adequacy decision has been made. Where appropriate (LEAL) will benefit from that decision.

(LEAL) will incorporate appropriate contractual measures, including the use of standard data protection clauses to uphold the data subject’s rights.

18

TRANSFERS OR DISCLOSURES BEYOND THE SCOPE OF THE GDPR OR MAURITIAN DATA PROTECTION LAW

Article 48 of the GDPR

(LEAL) will ensure that transfers or disclosures not authorised by or beyond the scope of the MDPA or GDPR law will be handled appropriately.

(LEAL) will seek legal advice to ensure that the appropriate transfers are implemented.