“The Act”, Safeguarding the Privacy of Barbadian Citizens

“The Act”, Safeguarding the Privacy of Barbadian Citizens

The Data Protection Act 2019, also known as the Act for short, is a data protection law that was passed in Barbados in 2019 and recently went into effect in March of this year. As is the case with many data privacy laws that have been passed in the past few years, the Act was modeled after the EU’s General Data Protection Regulation or GDPR. To this end, the Act sets specific guidelines that data controllers with Barbados must follow when collecting, processing, and disclosing the personal data of data subjects within the country. What’s more, the Act contains stronger extraterritorial applications when compared to many data privacy laws around the world, ensuring the personal data of Barbadian citizens is protected even when they are abroad.

What is the scope and application of the Act?

In terms of the personal scope of the law, the Act applies to both data controllers and data processors, which can include both natural persons as well as public or private legal entities. In terms of the territorial jurisdiction of the law, the Act applies to “data controllers and data processors who are resident, incorporated/organized/registered, or otherwise formed in Barbados, or who maintain an office, branch, or agency in Barbados through which processing of personal data is carried out”.

Alternatively, the extraterritorial jurisdiction of the law applies to “data controllers/processors who are not resident, incorporated/organized/registered, or otherwise formed in Barbados will be subject to the Act where they process personal data of data subjects in Barbados and such processing activities relate to the offering of goods or services to data subjects in Barbados”. What’s more, the Act also has a material scope, which covers both the processing of personal data, as well as sensitive personal data.

What are the requirements of data controllers under the Act?

In keeping with similarities between the Act and the EU’s GDPR law, the Data Protection Act 2019 established a multitude of data privacy and protection principles that data controllers must follow when processing personal data. These principles include:

In addition to the data protection principles listed above, the Act also mandates that data controllers adhere to a bevy of other obligations as it relates to the safeguarding of personal data. These obligations include registering with the Register of Data Controllers, ensuring that there are safeguards in place to protect personal data during data transfers, and undertaking Data protection impact assessments for DPIAs for short. Additionally, data controllers are also responsible for appointing a data protection officer or DPO, providing both data subjects and the Data Protection Commissioner with data breach notifications when applicable, and establishing written contracts with data processors.

What are the rights of Barbadian citizens under the Act?

In keeping with the international trend of guaranteeing the data privacy rights of data subjects, the Act provides Barbadian citizens with a number of rights as it pertains to data protection. These rights include:

In terms of violations related to non-compliance with the law, data violators who fail to adhere to the Act are subject to a variety of criminal punishment and monetary fines. Such punishments and fines include a term of imprisonment for a maximum of three years, a monetary fine of BBD 500,000 ($240,047), or both. Moreover, data controllers who fail to register with the Register of Controllers are also subject to a monetary fine of up to BBD 10,000 to ($4,799), as well as a term of imprisonment of up to two months.

As Barbados has made a concerted effort to provide more comprehensive data protection rights to its citizens, The Data Protection Act 2019 serves as a standard that data controllers within the country must adhere to at all times when collecting personal data. Furthermore, as many countries within the Caribbean have outdated data protection policies, or even no laws relating to data protection at all, Barbados is vastly ahead of the curve as it relates to data protection within the region. To this end, Barbados has succeeded in providing a similar level of data protection to Barbadian citizens as is offered to residents of EU members states by the General Data Protection Regulation.

Related Reads