Bermuda: PrivCom sends letter to SEC clarifying scope of PIPA for companies with US regulatory obligations

The Bermuda Office of the Privacy Commissioner ('PrivCom') announced, on 11 October 2022, that it had sent a letter to the U.S. Securities and Exchange Commission ('SEC') in relation to a request to provide a view as to the application of the Personal Information Protection Act ('PIPA') in the context of Bermuda-based organisations with U.S. regulatory obligations. As such, the letter provides guidance to assure organisations that PIPA does not prevent the sharing of personal information to meet requirements under the law, provided that organisations meet their obligations under PIPA. In addition, the letter recommends that organisations take steps to meet their obligations, including:

  • establishing internal standards that outsourcing partners or third parties must meet;
  • creating an evaluation process as part of procuring vendors (such as a survey, questionnaire, or formal audit);
  • conducting due diligence to validate the responses' accuracy;
  • documenting the agreement and the parties' mutual responsibilities in a legally enforceable contract; and
  • monitoring the relationship for compliance with these standards.

Finally, the letter outlines that organisations subject to the jurisdiction of the SEC and who receive a legitimate examination of a request from the SEC may use personal information for the purposes of sharing with the SEC, provided that the organisation meets its compliance, transparency, and other requirements under PIPA. Specifically, the letter notes that organisations can rely on Section 6(1)(g) of PIPA, and may reasonably conclude that a transfer of personal information to the SEC is permitted under Section 15 of PIPA.

You can read the press release here and the letter here.