12 July 2018
The Government Information Service (‘GIS’) announced, on 20 June 2018, that the Ministry of Small Business, Entrepreneurship and Commerce is seeking comments on the draft Data Protection Act 2018 (‘the Draft Act’), which would regulate the collection, retention, processing, use and dissemination of personal data. In particular, the Draft Act would apply to data controllers established in Barbados, or outside of Barbados that use equipment in the country to process personal data, except for transit purposes.
The Draft Act contains provisions on the rights of data subjects including the right to rectification, blocking, erasure and destruction of personal data. Furthermore, the Draft Act provides for the establishment of the Data Protection Commissioner (‘the Commissioner’), vested with the authority to publish guidance, conduct audits, and investigations, as well as for the establishment of the Data Protection Tribunal, which would be in charge of considering appeals to enforcement actions.
Any person who operates as a data controller without being registered may be liable to a fine of BBD 10,000 (approx. €4,300) and two months imprisonment
The Draft Act also stipulates that a person cannot operate as a data controller unless they are registered. To register, prospective data controllers must provide the Commissioner with their name, address, a description of the personal data to be processed, the purpose for processing, any recipients to whom the data may be disclosed, and a description of any countries to which the data may be directly or indirectly transferred. Moreover, Section 25(3) of the Draft Act outlines that any person who operates as a data controller without being registered may be liable to a fine of BBD 10,000 (approx. €4,300) and two months imprisonment.
In addition, Section 4(3) of the Draft Act mandates that any data controller that contravenes the data protection principles, which cover the fair and lawful processing of personal data, may be liable to a fine of BBD 100,000 (approx. €42,800) and two years imprisonment. Furthermore, Section 65 of the Draft Act mandates that any person who, knowingly or recklessly, obtains or discloses personal data without the consent of the data controller may be liable to a fine of BBD 10,000 (approx. €4,300) and six months imprisonment. The Draft Act also provides that where an offence is committed by a body corporate and with the consent, connivance or neglect of any director, manager, secretary or similar officer, both may be liable.
Comments may be sent to [email protected] before 31 July 2018.
FELICITY TURTON Privacy Analyst