Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Bermuda: PrivCom publishes blog on lawful bases for use of personal data

On April 22, 2024, the Bermuda Office of the Privacy Commissioner (PrivCom) published a blog outlining the conditions under which organizations may use personal information according to the Personal Information Protection Act (PIPA) 2016.

Lawful bases

In particular, the blog highlights that Section 6 of PIPA lists six lawful bases for the use of personal information, namely when:

  • an organization has the consent of the individual;
  • a reasonable person would not expect that an individual would object, and there is no prejudice to the individual's rights;
  • the organization needs that information to fulfill a contract;
  • it is a legal requirement to collect and/or use the information;
  • the information is publicly available and will be used for the same purpose that it was made public;
  • the use of the personal information is necessary to respond to an emergency; and
  • the use of the personal information is necessary in the context of an individual's employment relationship with the organization.


The blog states that organizations must ensure that consent for using personal information is both clear and specific. Further, the blog provides the following tips and good practices regarding consent:

  • consent requests should be separate from other terms and conditions;
  • separate consent must be obtained for different uses of personal information;
  • the language used in consent forms should be clear and concise;
  • any overseas third parties who will rely on the consent need to be clearly named;
  • organizations should document evidence of consent; and
  • consent should be reviewed and updated if the use of personal information changes.

You can read the blog here.