Defining Personal Privacy in the Caribbean Netherlands

The Personal Data Protection Act BES is a data protection law that was passed in 2010. The Personal Data Protection Act BES provides data protection for data subjects residing within the Caribbean Netherlands, consisting of the islands of Bonaire, Sint Eustatius, and Saba. While these islands are classified as special municipalities under the Dutch administrative system, many dutch laws that are applicable to citizens living in the Netherlands are not applicable to citizens living in the Caribbean Netherlands, as the Caribbean Netherlands have their own equivalent of Dutch law. To this end, the Personal Data Protection Act BES provides data protection to data subjects residing in the Caribbean Netherlands, in a manner similar to that of the Dutch GDPR Implementation Act.

How are data controllers and processors defined under the Personal Data Protection Act BES?

Under the Personal Data Protection Act BES, a data controller is defined as “the natural person, legal person or any other person or administrative body that, alone or together with others, determines the purpose and means of the processing of personal data.” Alternatively, a data processor is defined as “the person who processes personal data on behalf of the controller, without being subject to his direct authority.” Moreover, the law defines the processing of personal data as “any act or set of acts relating to personal data, including in any case the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, bringing together, relating to each other, as well as blocking, erasing or destroying data.”

What are the requirements of data controllers and processors under the Personal Data Protection Act BES?

Under the Personal Data Protection Act BES, data controllers, and processors operating within the Caribbean Netherlands are responsible for adhering to the following requirements:

• Personal data must be processed in a proper and careful manner that is in accordance with the law.
• Personal data may only be collected for specific, explicit, and legitimate purposes.
• Personal data may be only processed if the data subject has given their unambiguous consent, and the processing of said data is necessary to safeguard a vital interest of the data subject, among other considerations.
• Personal data may not be further processed that is incompatible with the purposes for which it was obtained.
  “Personal data may not be kept in a form that makes it possible to identify the data subject for longer than is necessary for the realization of the purposes for which they are collected or subsequently processed.”
• Personal data may only be processed in a manner that is adequate, relevant, and non-excessive in relation to the purposes for which said personal data was collected.
• Anyone who acts under the authority of the controller or of the processor, as well as the processor himself, insofar as they have access to personal data, will only process them on behalf of the controller, unless deviating legal obligations.
• If the controller has personal data processed on his behalf by a processor, he will ensure that this provides sufficient guarantees with regard to the technical and organizational security measures with regard to the processing to be performed. The controller monitors compliance with those measures.

What are the rights of data subjects under the Personal Data Protection Act BES?

The Personal Data Protection Act BES provides data subjects residing within the territory of the Caribbean Netherlands with the following data protection rights:

• The right to be informed.
• The right to access.
• The right to erasure.
• The right to rectification.
• The right to object or opt-out.
• The right to seek compensation.
• The right not to be subject to automated data processing decisions.

In terms of the penalties that can be imposed against data controllers and processors who violate the rights of data subjects under the law, the Personal Data Protection Act BES is enforced by the BES Personal Data Protection Commission, “which has the task of supervising the processing of personal data in accordance with the provisions laid down by and pursuant to this Act.” To this point, the BES Personal Data Protection Commission has the authority to investigate the activities and operations of data controllers operating within the Caribbean Netherlands, as well as impose a variety of administrative and monetary penalties against said parties should they find evidence of wrongdoing.

Much like the Virgin Islands Data Protection Act, 2021 which provides data protection to data subjects residing within the British Virgin Islands, the Personal Data Protection Act BES provides data protection for data subjects residing within the Caribbean Netherlands. Through the passing of the law, citizens of the islands of Bonaire, Sint Eustatius, and Saba are provided with a level of data protection that is comparable to the level of protection that is afforded to citizens of EU member states under the General Data Protection Regulation, as well as the Dutch GDPR Implementation Act with respect to the European Netherlands. As such, residents of all Dutch territories can have the assurance that their personal data is being protected at all times.