“The Act”, safeguarding the privacy of Barbadian citizens
The Data Protection Act 2019, also known as the Act for short, is a data protection law that was passed in Barbados in 2019 and recently went into effect in March of this year. As is the case with many data privacy laws that have been passed in the past few years, the Act was modeled after the EU’s General Data Protection Regulation, or GDPR. To this end, the Act sets specific guidelines that data controllers within Barbados must follow when collecting, processing, and disclosing the personal data of data subjects within the country. What’s more, the Act has stronger extraterritorial application than many data privacy laws around the world, ensuring that the personal data of Barbadian citizens is protected even when they are abroad.
What is the scope and application of the Act?
In terms of the personal scope of the law, the Act applies to both data controllers and data processors, which can include both natural persons as well as public or private legal entities. In terms of the territorial jurisdiction of the law, the Act applies to “data controllers and data processors who are resident, incorporated/organized/registered, or otherwise formed in Barbados, or who maintain an office, branch, or agency in Barbados through which processing of personal data is carried out”.
In addition, the extraterritorial jurisdiction of the law applies to “data controllers/processors who are not resident, incorporated/organized/registered, or otherwise formed in Barbados will be subject to the Act where they process personal data of data subjects in Barbados and such processing activities relate to the offering of goods or services to data subjects in Barbados”. What’s more, the Act also has a material scope, which covers the processing of both personal data and sensitive personal data.
What are the requirements of data controllers under the Act?
In keeping with the similarities between the Act and the EU’s GDPR, the Data Protection Act 2019 establishes a multitude of data privacy and protection principles that data controllers must follow when processing personal data. These principles include:
- Personal data must be processed in a manner that is fair, lawful, and transparent in relation to the data subject.
- Personal data may only be collected for specific, explicit, and legitimate purposes. Personal data may not be processed in any manner outside of the context of these purposes.
- Personal data that is processed must be adequate, relevant, and limited to what is necessary in relation to the purposes for which said personal data was collected.
- Personal data that is processed must be both accurate and kept up to date at all times. Data controllers are responsible for taking every reasonable step to ensure that personal data in their possession that is inaccurate, having regard to the purpose for which it was processed, is erased or rectified.
- Personal data must be stored in a form that allows for the identification of applicable data subjects for no longer than is necessary to fulfill the purposes for which said personal data was processed.
- Personal data must be processed in a manner that both ensures the security of the data and makes use of appropriate technical and organizational measures, including protecting personal data from unauthorized or unlawful processing, destruction, damage, and accidental loss.
In addition to the data protection principles listed above, the Act also mandates that data controllers adhere to a number of other obligations relating to the safeguarding of personal data. These obligations include registering with the Register of Data Controllers, ensuring that there are safeguards in place to protect personal data during data transfers, and undertaking data protection impact assessments, or DPIAs for short. Additionally, data controllers are also responsible for appointing a data protection officer, or DPO, providing both data subjects and the Data Protection Commissioner with data breach notifications when applicable, and establishing written contracts with data processors.
What are the rights of Barbadian citizens under the Act?
In keeping with the international trend of guaranteeing the data privacy rights of data subjects, the Act provides Barbadian citizens with a number of rights pertaining to data protection. These rights include:
- The right to be informed: Under the Act, data controllers are required to provide data subjects with various details at the time when personal data is collected, including the name and contact details of said data controller, as well as the purposes and legal basis for processing, among others.
- The right to access: Under the Act, data subjects maintain the right to access their personal data.
- The right to rectification: Under the Act, data subjects maintain the right to obtain, without undue delay, the rectification of inaccurate personal data concerning them.
- The right to erasure: Under the Act, data subjects maintain the right to request the erasure of their personal data by a data controller, without undue delay.
- The right to object or opt out: Under the Act, data subjects maintain the right to obtain a restriction on the processing of their personal data in certain circumstances, for example where the accuracy of the personal data is contested by the applicable data subject.
- The right to data portability: Under the Act, data subjects maintain the right to obtain the personal data that they have provided to a particular data controller in a structured, commonly used, machine-readable format.
- The right not to be subject to automated decision-making: Under the Act, data subjects maintain the right not to be subject to a decision made solely on the basis of automated processing, including profiling.
- The right to prevent processing likely to cause distress or damage: Under the Act, data subjects maintain the right to require data controllers to cease the processing of their personal data for a specific purpose or in a specified manner at the end of a 21-day period. Such a purpose or manner can include data processing that would cause unwarranted damage or distress to data subjects.
In terms of non-compliance with the law, those who fail to adhere to the Act are subject to a variety of criminal penalties and monetary fines. Such penalties and fines include a term of imprisonment of up to three years, a monetary fine of BBD 500,000 ($240,047), or both. Moreover, data controllers who fail to register with the Register of Controllers are also subject to a monetary fine of up to BBD 10,000 ($4,799), as well as a term of imprisonment of up to two months.
As Barbados has made a concerted effort to provide more comprehensive data protection rights to its citizens, the Data Protection Act 2019 serves as a standard that data controllers within the country must adhere to at all times when collecting personal data. Furthermore, as many countries within the Caribbean have outdated data protection policies, or no laws relating to data protection at all, Barbados is well ahead of the curve on data protection within the region. To this end, Barbados has succeeded in providing Barbadian citizens with a level of data protection similar to that offered to residents of EU member states by the General Data Protection Regulation.