Data Protection Regulations in the Cayman Islands

The Cayman Islands Data Protection Law, 2017 (Law 33 of 2017), also known as the DPL for short, is a comprehensive data protection law that was passed in the Cayman Islands in 2017. As one of many privacy laws that have drawn their foundations and principles from the European Union's General Data Protection Regulation, or GDPR, the DPL was passed in an effort to ensure that data controllers and processors are held to a standard similar to the one set forth in the GDPR. To this extent, while the DPL does vary from the EU's GDPR in certain respects, it nevertheless lays out the legislative framework that data controllers and processors within the Cayman Islands must adhere to when collecting or processing personal data.

How are data controllers and processors defined under the DPL?

Under the DPL, data controllers are defined as a “person who, alone or jointly with others, determines the purposes, conditions, and manner in which any personal data are, or are to be, processed and includes a local representative”. Alternatively, data processors are defined as “Any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller”. In terms of the scope and application of the DPL, the personal scope applies to all personal data that is collected and processed, while the material scope of the law applies to both active and passive data processing activities, such as obtaining, recording, or carrying out operations, among others. Conversely, the territorial scope of the law is applicable under the following circumstances:

What are the requirements of data controllers and processors under the DPL?

Under the DPL, data controllers and processors within the Cayman Islands are responsible for abiding by the following principles as they relate to data processing activities:

What are the rights of data subjects under the DPL?

Under the DPL, data subjects within the Cayman Islands are granted the following data protection and privacy rights:

In terms of penalties related to violations of the DPL, the law is enforced by the Office of the Ombudsman, or the Ombudsman for short. As such, the Ombudsman is authorized to impose a variety of administrative punishments and monetary penalties in relation to non-compliance with the law. Some of these penalties and punishments include a fine of KYD 100,000 ($115,353), as well as a civil liability for failing to provide information at the request of the Ombudsman, and a fine of KYD 100,000 ($115,353) and a term of imprisonment of up to five years for failure to comply with an enforcement order made on behalf of the Ombudsman.

While the DPL varies from the EU's GDPR as it relates to certain rights and provisions, such as the rights to explicit erasure and data portability, the DPL nevertheless provides data subjects within the Cayman Islands with a strong level of data protection. Moreover, while certain rights set forth in the DPL must be expressed through the means of filing a complaint with the Ombudsman, data controllers and processors still face steep penalties in instances where they fail to comply with rights afforded to data subjects under the law. As such, data subjects undoubtedly have an avenue of recourse should they wish to exercise their rights under the law.
