1. Introduction
To perform its contractual obligations, the Mauritius Research and Innovation Council (“MRIC”) collects, processes, and stores personal data (including sensitive personal data) of its data subjects. MRIC treats these personal data collected as private and confidential. The MRIC abides by all data protection laws as may be applicable, including the Mauritian Data Protection Act 2017 and the EU General Data Protection Regulation (“GDPR”). We have implemented organisational, physical and technical safeguards thus ensuring protection (of personal data collected) from: unauthorized access, misuse and/or unauthorized disclosure. We are also committed to being transparent about how personal data of our data subjects are collected and used. The data subject is kindly requested to read this privacy statement carefully as it contains important information on:
- Who we are;
- How and why we collect, store, use and share personal information on our data subjects;
- The rights of the data subject in relation to his/her personal information collected and stored by the MRIC and
- How to contact us and the supervisory authorities for any complaints with respect to the collection and use of the personal data collected.
2. Who we are
The Mauritius Research and Innovation Council (MRIC), a parastatal, not-for profit organization operating under the aegis of the Ministry of Technology, Communication and Innovation, is an apex body advising Government of the Republic of Mauritius on all matters concerning scientific, technological, research and innovation issues. The MRIC also acts as a focal point for national research and innovation promotion and coordination responding to the social and economic needs of the country. The MRIC benefits from part of public funds.
The Gender Based Violence Observatory is an MRIC initiative. Our website address is: https://gbvo.mric.mu.
3. Who are our ‘Data Subjects’?
As per the DPA 2017, the MRIC collects data from its “data subjects”. A data subject is an identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual2.
The MRIC data subjects include: the MRIC employees, suppliers, grantees; collaborators and reviewers.
4. How do we collect personal data?
We collect personal data directly from the data subject, and, where lawful and reasonable, we may collect personal information about the data subject from third parties and publicly available sources.
5. Why do we need to collect personal data?
The MRIC uses the personal data collected to meet our responsibilities towards our data subjects. Without the personal data collected, we may not be able to provide or continue providing our services.
The personal data are collected for:
- Payment of suppliers;
- Returns to the Mauritius Revenue Authority (MRA) with respect of employees, consultants and suppliers;
- payment of honorarium and grant administration;
- carrying out statistical and other analyses to identify potential markets and trends;
- evaluating and improving our existing services;
- developing new products and services;
- complying with applicable laws.
6. For what purposes does the MRIC use personal data collected?
We use the personal data collected to facilitate the processing of applications, evaluation and administration of grants and for other tasks relevant to the proper functioning of the MRIC.
7. Type of personal data collected
As per the DPA 2017, the MRIC endeavours to collect the strict minimum personal data required for our normal business activities.
The following personal data are collected:
- Name and address of data subject;
- Contact details including phone numbers and email address;
- Occupation;
- National identity card/passport number;
- Qualifications (certificates) in CV;
- Current and previous appointments;
- Gender;
- Tax account number;
- Bank details.
For the purposes of our surveys, we may collect highly sensitive data. In such cases exceptional care is taken to:
- Obtain ethical clearances from relevant authorities for collecting such data;
- Obtain the written consent the data subject and ensuring that he/she has understood the reason for collecting such data;
- Anonymize the data collected;
- Sign relevant confidentiality agreements with the officers collecting such data.
8. To whom does the personal data belong?
As per the Data Protection Act 2017, the personal data solely belongs to the data subjects who are entirely free to decide whether or not to provide their personal data to the MRIC.
Should the data subject refuse to provide us with their personal data, there are no consequences unless in cases where:
- the supply of specific personal data is mandatory by law and
- the personal data are mandatory for processing of payments, returns to the MRA and the MRIC grants.
9. Disclosure of personal data collected
The MRIC may only disclose personal data of its data subjects if such disclosure:
- is required by law;
- is exempted from data protection laws;
- is for the administration of justice;
- is in the public interest;
- is necessary for the initiation and/or performance of a contract to which the data subjects are a party;
- is required to protect the vital interests of the data subject;
- is as per the terms and conditions agreed with the data subject.
10. Consent and disclosure to third parties
The MRIC shall process the personal data of all of our data subjects in confidentiality through the organizational, physical and technical safeguards set in place.
We shall ensure that there is no unauthorized access, misuse and/or unauthorized disclosure. We are also committed to being transparent about how personal data of our data subjects are collected and used.
We routinely share personal data of our data subjects internally if access to the data is necessary for performance of our contract. We may also share the personal data with the regulatory authorities, if required.
Unless required by law, we will not share the personal information of our data subjects with any other third party without prior written consent from the data subject.
11. Transfer across borders
Sometimes we may process the personal data of our data subjects in other countries for ordinary business purposes. These countries may not have the same level of protection. If necessary, we will ask the party to whom we transfer the personal data of our data subjects to agree to our privacy principles, associated policies and practices.
12. Storing of personal data
We store personal data as required by law.
13. Our security practices
Our security systems and technical and organisational measures are designed to prevent loss (including accidental loss), alteration of, unauthorised destruction, damage and/or unlawful access, disclosure of personal data of our data subjects or the processing of personal data from unauthorized third parties.
14. Access to personal data and other rights of the data subjects
As our customer, the data subject may, in writing:
- ask us to give him/her with a full description of their personal information we hold;
- ask us to correct or update his/her personal information through our customer service channels;
- ask us to restrict the processing of or erase his/her personal data at any point in time; or
- object to the processing of his/her personal data for a specific purpose.
We will take note of the rights of our data subjects and take necessary actions under applicable privacy and data protection laws.
The data subject has the right to query a decision that we make about our services that he/she has requested for.
15. Monitoring of electronic communications
We communicate with our data subjects through different methods and channels as allowed by law and in compliance with our legal and regulatory responsibilities and internal policies.
16. Retention of personal data
We retain personal data as per the statutory and regulatory requirements. Where there is no legal requirement, the personal data of the data subject will be destroyed after one year following the lawful purpose for which the data was obtained.
17. Right to change this privacy notice
The MRIC reserves the right to change this privacy statement. We will communicate all changes on our website. The latest version of our privacy statement will replace all earlier versions unless it says differently.
18. Queries, complaints, and breach
For any queries or complaints please contact:
- Dr Vickram Bissonauth
- Data Protection Officer & Research Coordinator
- v.bissonauth@mric.mu; contact@mric.mu
- Mauritius Research and Innovation Council
- www.mric.mu
- 6th Floor, Ebene Heights
- 34 Cybercity
- Ebene, Mauritius
- Tel: (230) 465 1235
- Fax: (230) 465 123
The Data Protection Act 2017 also gives the data subject the right to lodge a complaint directly with the:
- Data Protection Commissioner.
- 5th Floor, SICOM Tower,
- Wall Street,
- Ebene,
- Republic of Mauritius
- www.dataprotection.govmu.org