Seychelles Data Protection Act 2023: DPO Requirements for Securities Dealers Explained

The introduction of the Data Protection Act, 2023 in Seychelles marks a significant step toward strengthening data privacy and regulatory compliance across the financial services sector. For Securities Dealers, the Act brings increased scrutiny on how personal data is collected, processed, stored, and protected, particularly in an environment where digital onboarding, cross-border operations, and continuous client monitoring are standard practice.

One of the most frequently asked questions is whether a Data Protection Officer (DPO) must be appointed. The answer is not absolute. The legislation does not impose a blanket obligation on all entities. Instead, it introduces a conditional requirement, meaning that the need to appoint a DPO depends on the nature, scale, and scope of the organisation’s data processing activities.

The Data Protection Act applies broadly to both public and private entities operating in Seychelles that process personal data through structured or automated systems. Its primary objective is to protect individuals’ right to privacy while ensuring that organisations handle data in a transparent and accountable manner. For Securities Dealers, this includes handling client onboarding documentation, conducting KYC and AML checks, monitoring transactions, maintaining client communication records, and storing financial and identification data over extended periods.

Under the Act, a Data Protection Officer is required in situations where an organisation’s core activities involve large-scale processing of personal data, regular and systematic monitoring of individuals, or the processing of sensitive personal data on a significant scale. In the context of Securities Dealers, these criteria may become relevant given the continuous nature of transaction monitoring, the volume of client data processed, and the sensitivity of financial information handled. However, whether a specific firm meets these thresholds is not automatic and should be assessed on a case-by-case basis, taking into account factors such as client base, transaction volume, system architecture, and operational complexity.

Even in cases where the appointment of a DPO is not strictly required, many Securities Dealers choose to designate one as part of a broader compliance and governance framework. This reflects a growing recognition that data protection is closely linked to regulatory risk, operational integrity, and client trust. A DPO can provide oversight on how personal data is handled across the organisation, ensure that policies and procedures remain aligned with regulatory expectations, and act as a central point of coordination for data protection matters.

The role of a DPO also becomes particularly relevant in managing interactions with the Information Commission, which is the competent authority responsible for enforcing the Act. In practice, this may include supporting the firm during regulatory inspections, responding to queries, and facilitating communication in the event of a data protection concern or incident. In addition, the DPO plays an important role in ensuring that data subject rights, such as access, rectification, deletion, and objection to processing, are handled efficiently and in accordance with the law.

The Act places considerable emphasis on accountability. Securities Dealers are expected to implement appropriate technical and organisational measures to safeguard personal data, maintain accurate records of processing activities, and ensure that data is processed lawfully and for clearly defined purposes. This includes adopting internal controls, access restrictions, data retention policies, and security safeguards that are proportionate to the risks associated with their operations. Firms are also expected to assess potential risks through mechanisms such as data protection impact assessments, particularly where processing activities may affect the rights and freedoms of individuals.

Another important aspect of the framework is the handling of personal data breaches. Where a breach occurs, firms may be required to notify the regulator within a specified timeframe and, in certain cases, inform affected individuals. This further highlights the importance of having clear internal procedures and defined responsibilities for incident management, whether or not a formal DPO has been appointed.

Failure to comply with the Data Protection Act can expose firms to regulatory action, including enforcement measures and financial penalties. The Information Commission has the authority to investigate, issue enforcement notices, and impose sanctions where necessary. Beyond regulatory consequences, there is also a clear reputational dimension. In an industry built on trust, the ability to demonstrate strong data protection practices is increasingly seen as a key element of sound governance and responsible business conduct.

In conclusion, while the appointment of a Data Protection Officer is not universally mandatory under the Data Protection Act, 2023, it becomes relevant in specific circumstances tied to the scale and nature of data processing. For many Securities Dealers, evaluating this requirement is an important step in aligning with regulatory expectations and strengthening their overall compliance framework. Taking a proactive approach to data protection not only supports compliance but also contributes to long-term operational resilience and client confidence.

Need guidance on how to comply with the requirements, or tailored advice on data protection and the appointment of a DPO? Contact FiveComply today.

Disclaimer

This article is provided for general informational purposes only and does not constitute legal or tax advice.

Author

Nicole Zodiatou

Head of Compliance Support – Offshore Division