Data Protection Regulations in the Cayman Islands

The Cayman Islands Data Protection Law, 2017 (Law 33 of 2017), also known as the DPL for short, is a comprehensive data protection law that was passed in the Cayman Islands in 2017. As one of many privacy laws that have drawn their foundations and principles from the European Unions General Data Protection Regulation or GDPR, DPL was passed in an effort to ensure that data controllers and processors are held to a similar standard as is set forth in the GDPR law. To this extent, while the DPL does vary from the EU’s GDPR Law in certain respects, it nevertheless lays out the legislative framework that data controllers and processors within the Cayman Islands must adhere to when collecting or processing personal data.

How are data controllers and processors defined under the DPL?

Under the DPL, data controllers are defined as a “person who, alone or jointly with others, determines the purposes, conditions, and manner in which any personal data are, or are to be, processed and includes a local representative”. Alternatively, data processors are defined as “Any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller”. In terms of the scope and application of the DPL, the personal scope applies to all personal data that is collected and processed, while the material scope of the law applies to both active and passive data processing activities, such as obtaining, recording, or carrying out operations, among others. Conversely, the territorial scope of the law is applicable under the following circumstances:

• A data controller or processor is established within the Cayman Islands and the collection and processing of personal data is done so within the context of said establishment.
• A data controller or processor is not established within the Cayman Islands but nevertheless, collects or processes personal data that was obtained from data subjects within the Cayman Islands, unless said collection or processing of personal data is limited solely to the transit of said data.

What are the requirements of data controllers and processors under the PDL?

Under the PDL, data controllers and processors within the Cayman Islands are responsible for abiding by the following principles as it relates to data processing activities:

• Principle one– Personal data be collected and processed fairly, and all collection and processing of personal data must be done so on the basis of legality.
• Principle two– Personal data must only be collected or processed for specific and legitimate purposes, and personal data cannot be processed further for any purpose that is incompatible with these specific and legitimate purposes.
• Principle three– All personal data that is collected and processed must be relevant, adequate, and non-excessive in relation to the purposes for which it was collected or processed.
• Principle four– All personal data that is collected or processed must be accurate and kept up to date when necessary.
• Principle five– All personal data that is processed must not be kept for any longer than is needed to fulfill the purpose of processing.
• Principle six– Personal data must be collected and processed in accordance with the rights of data subjects as set forth in the PDL.
• Principle seven– Data controllers and processors must develop and implement appropriate organizational, technical, and security controls and measures to ensure that personal data is not lost, destroyed, damaged, or accessed illegally.
• Principle eight– Personal data is prohibited from being transferred to another country unless said country provides an adequate level of data protection in accordance with the provisions and regulations of the PDL.

What are the rights of data subjects under the PDL?

Under the PDL, data subjects within the Cayman Islands are granted the following rights data protection and privacy rights:

• The right to access– Data subjects have the right to be informed about the collection, processing, and use of their personal data.
• The right to access– Data subjects have the right to access any personal data that a data controller or processor has stored concerning them. Under the PDL, all requests to access personal data must be made in writing.
• The right to rectification– Data subjects have the right to request that a data controller or processor rectify personal data pertaining to them. However, this right is not expressly granted to data subjects, as a complaint must first be filed with the Office of the Ombudsman or the Ombudsman for short.
• The right to erasure– Data subjects have the right to submit a complaint with the Ombudsman for the purpose of having their personal data erased.
• The right to object or opt-out- Data subjects have the right to demand that a data controller or processor cease the processing of their personal data. This demand must also be made in writing to all applicable parties.
• The right to stop direct marketing– Data subjects have the right to request that their personal data be excluded from use for marketing purposes.
• The right not to be subject to automated decision making– Data subjects have the right not to be subject to data processing decisions made solely on the basis of automated processing.
• The right to complain and receive compensation– Data subjects have the right to submit a complaint to the Ombudsman in the event that their rights are violated under the PDL, as well as receive compensation for said violation of rights.

In terms of penalties related to violations of the PDL, the law is enforced by the Office of the Ombudsman or the Ombudsman for short. As such, the Ombudsman is authorized to impose a variety of administrative punishments and monetary penalties in relation to non-compliance with the law. Some of these penalties and punishments include a fine of KYD 100,000 ($115,353), as well as a civil liability for failing to provide information at the request of the Ombudsman, as well as a fine of KYD 100,000 ($115,353), and a term of imprisonment of up to five years for failure to comply with an enforcement order made on behalf of the Ombudsman.

While the DPL varies from the EU’s GDPR law as it relates to certain rights and provisions, such as the rights to explicit erasure and data portability, the DPL nevertheless provides data subjects within the Cayman Islands with a strong level of data protection. Moreover, while certain rights laid forth in the DPL must be expressed through the means of filing a complaint with the Ombudsman, data controllers and processors still face steep penalties in instances where they fail to comply with rights afforded to data subjects under the law. As such, data subjects undoubtedly have an avenue of recourse should they wish to exercise their rights under the law.