Isle of Man
Law: Data Protection Act 2018 ('the Act'), Data Protection (Application of the GDPR) Order 2018 ('the GDPR Order'), Data Protection (Application of the LED) Order 2018 ('the LED Order'), The GDPR and LED Implementing Regulations 2018 ('the Implementing Regulations'), and The GDPR and LED Implementing (Amendment) Regulations 2018 ('the Implementing Regulations')
Regulator: Information Commissioner ('the Commissioner')
Summary: The Act, the GDPR Order (which contains the Applied GDPR in its Annex), the LED Order, and the Implementing Regulations collectively constitute the Isle of Man's legal data protection framework, repealing and replacing the Data Protection Act 2002. The Act provides that the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the EU Law Enforcement Directive apply in the Isle of Man by order, and such legislation is brought into effect through the Implementing Regulations.
The GDPR Order and the Implementing Regulations have extra-territorial effect in the same way as the GDPR. With regard to penalties, the GDPR differs from the Implementing Regulations in that the latter set the maximum amount of a penalty at £1 million in relation to an infringement of a provision of the Applied GDPR. The Commissioner, established by the GDPR Order and the Implementing Regulations as the supervisory authority, has published guidance on, among other things, Data Protection Impact Assessments, direct marketing, data protection officers, cookies, and children's data. The relevant legislation for direct marketing is the Unsolicited Communications Regulations 2005, which provide, among other things, that consent for electronic marketing should be obtained for both B2B and B2C relationships. The European Commission has recognised the Isle of Man as providing adequate protection for personal data.