Bahamas - Data Protection Overview

December 2023 

1. Governing Texts

1.1. Key acts, regulations, directives, bills

Data protection in the Bahamas is primarily governed by the Data Protection (Privacy of Personal Information) Act 2003 ('the Act'). The Act serves to protect the privacy of individuals concerning personal data and to regulate the collection, processing, retention, use, and disclosure of certain information relating to individuals and to provide for matters incidental to or in connection with the same.

1.2. Guidelines

The name of the authority responsible for enforcing the Act is the Data Protection Commissioner ('the Commissioner') through the Office of the Data Protection Commissioner ('ODPC'). The ODPC has, in the past, issued guidance primarily aimed at data controllers.

1.3. Case law

There is an absence of significant or landmark judicial decisions in the Bahamas that specifically focus on the Act.

2. Scope of Application

2.1. Personal scope

The Act only applies to individuals or entities once the prescribed threshold/criteria laid out in Section 4 of the Act has been met, where either:

  • the data controller is established in the Bahamas and the data is processed in the context of that establishment; or
  • the data controller is not established in the Bahamas but uses equipment in the Bahamas for processing the data (other than for the purpose of transit through the Bahamas).

Note that if a data controller falls within the latter category above, they are obligated to nominate a representative established in the Bahamas. Pursuant to Section 4(3) of the Act, any of the following are deemed data controllers 'established in the Bahamas':

  • individuals ordinarily resident in the Bahamas;
  • a body incorporated or registered under the laws of the Bahamas;
  • a partnership or other unincorporated association formed under the laws of the Bahamas; and
  • any person who does not fall within the above categories but maintains an office, branch, or agency in the Bahamas through which they carry on any business activity or a regular practice.

If an entity controlling the data falls within any of the above categories, it will be subject to the Act.

Under Section 5 of the Act, the Act does not apply to personal data:

  • that, in the opinion of the Minister or the Minister for National Security, are or at any time were kept for the purpose of safeguarding the security of the Bahamas;
  • consisting of information that the person keeping the data is required by law to make available to the public;
  • kept by an individual and concerned only with the management of their personal, family, or household affairs, or kept by an individual only for recreational purposes;
  • consisting of the deliberations of the Parliament of the Bahamas and Parliamentary committees; or
  • relating to pending civil, criminal, or international legal assistance proceedings.

2.2. Territorial scope

The Act has some extraterritorial reach insofar as it applies to data controllers that are not established in the Bahamas (as described in the section on personal scope above) but that nevertheless use equipment in the Bahamas for data processing. In practice, this means that a data controller based outside the Bahamas which uses equipment in the Bahamas to process data must nominate a local representative established in the Bahamas, and that representative is subject to the Act. To reiterate, however, this does not apply to data controllers who merely use equipment in the Bahamas for the transit of data through the jurisdiction.

2.3. Material scope

The Act specifically provides regulation around the collection, processing, retention, use, and disclosure of personal data, as well as provisions addressing personal data disclosure exceptions.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Data protection falls within the portfolio of the Ministry of Finance ('the Ministry'). Day-to-day administration and enforcement of the Act is carried out by the Data Protection Commissioner through the ODPC (see section 1.2. above).

3.2. Main powers, duties and responsibilities

The ODPC has statutory responsibilities and an important role to play in upholding data protection regulations within the jurisdiction. According to Section 15(1) of the Act, the ODPC has the authority to initiate investigations or delegate the same to other enforcement agencies to examine potential violations of the Act's provisions by data controllers or processors in relation to data subjects. These investigations may stem from individual complaints or the ODPC's own suspicion of a contravention of the Act.

To enforce compliance, the ODPC employs various measures, including:

  • issuing enforcement notices as outlined in Section 16 of the Act;
  • imposing prohibition notices under Section 17 of the Act;
  • issuing information notices in accordance with Section 18 of the Act; and
  • in rare cases, pursuing and prosecuting summary offenses under Section 28 of the Act.

In addition to these statutory responsibilities, the ODPC also undertakes a role in public education regarding data protection issues and emerging trends. Furthermore, the ODPC can provide valuable assistance in addressing and rectifying data breaches when they occur.

4. Key Definitions

Data controller: A person who, either alone or with others, determines the purposes for which and the manner in which any personal data is, or is to be, processed (Section 2(1) of the Act).

Data processor: A person who processes personal data on behalf of a data controller but this does not include an employee of a data controller who processes such data in the course of their employment (Section 2(1) of the Act).

Personal data: Data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller (Section 2(1) of the Act).

Sensitive data: Personal data relating to racial origin; political opinions or religious or other beliefs; physical or mental health (other than any such data reasonably kept by them in relation to the physical or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other purpose); trade union involvement or activities; sexual life; or criminal convictions, the commission or alleged commission of any offense, or any proceedings for any offense committed, the disposal of such proceedings, or the sentence of any court in such proceedings (Section 2(1) of the Act).

Health data: This is not specifically defined under the Act.

Biometric data: This is not specifically defined under the Act.

Pseudonymization: This is not specifically defined under the Act.

5. Legal Bases

While the Act sets out data controller obligations in relation to processing, it does not contain a list of specific legal bases for processing personal data of the kind found in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') or the California Consumer Privacy Act of 2018 (last amended in 2020) ('CCPA') (e.g., necessity to perform a contract, legal obligation, protection of vital interests, etc.). What the Act does set out in detail are the grounds on which personal data may or may not be disclosed.

5.1. Consent

See the explanation above

5.2. Contract with the data subject

See the explanation above

5.3. Legal obligations

See the explanation above

5.4. Interests of the data subject

See the explanation above

5.5. Public interest

See the explanation above

5.6. Legitimate interests of the data controller

See the explanation above

5.7. Legal bases in other instances

See the explanation above

6. Principles

The Act primarily focuses on ensuring the lawful and fair collection and the accuracy and relevance of the data, as well as specific purposes for processing, data minimization, storage limitation, and securing personal data.

With regard to the general collection of personal data, data controllers are statutorily obligated via Section 6 of the Act to ensure:

  • data has been collected by means that are both lawful and fair in the circumstances of the case;
  • data is kept accurate and, where necessary, up to date (except in the case of backup data);
  • data is only kept for one or more specified and lawful purposes;
  • data is not used/disclosed in any manner incompatible with the purpose(s);
  • data collected is adequate, relevant, and not excessive in relation to the purpose(s);
  • data is not kept for longer than is necessary for the purpose(s); and
  • appropriate security measures are taken against unauthorized access to, or alteration, disclosure, or destruction of data, and against its accidental loss or destruction.

If sharing/disclosing the data with third parties (including affiliates), a data controller must pay particular attention to Section 12 of the Act, which provides that a data controller, in the collection of personal data, owes a duty of care to the data subject(s) concerned and must use contractual or other legal means to ensure that a comparable level of protection is provided by any third party to whom it discloses information for the purpose of data processing.

With regard to the collection of data, in determining whether personal data has been collected lawfully/fairly in the circumstances of the case, regard is to be had to the method by which the data was obtained – including, in particular, whether any person from whom the data was obtained was deceived or misled as to the purpose(s) for which the data was to be processed. Note, however, that per Section 6(2) of the Act, data will not be viewed as unfairly collected purely on the basis that the purpose for which the data was obtained was not disclosed at the time it was obtained as long as that data was not used in such a way that damage or distress is, or is likely to be, caused to any data subject.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no requirement under the Act to register with the ODPC as a data controller or processor.

7.2. Data transfers

Data transfers are permitted under the Act where such transfer of data is required or authorized by or under any enactment, is required by any convention or other instrument imposing an international obligation on the Bahamas, or otherwise, is made pursuant to the express or implied consent of data subjects.

Careful attention must also be paid to the Commissioner's prohibition notice power (Section 17 of the Act), which allows the Commissioner, in their discretion, to prohibit the transfer of personal data from the Bahamas to a place outside the Bahamas where there is a failure to provide protection, by contract or otherwise, equivalent to that provided under the Act. The Commissioner will also consider whether the transfer is likely to cause damage or distress to any person, weighed against the desirability of facilitating international data transfers. Should the Commissioner determine that the data should not be transferred outside the jurisdiction, they may issue a prohibition notice; failure to comply with such a notice is an offense.

7.3. Data processing records

There is no obligation for data controllers and/or data processors to maintain data processing records under the Act. There is, however, a requirement under Section 6(1)(b) of the Act that data controllers ensure that data is accurate and, where necessary, kept up to date.

7.4. Data protection impact assessment

Data Protection Impact Assessments are not required or contemplated under the Act.

7.5. Data protection officer appointment

The Act does not require data controllers to appoint a data protection officer.

7.6. Data breach notification

There is no positive duty or obligation to notify a data subject or supervisory authority in the event of a data breach under the Act.

7.7. Data retention

As regards data retention, Sections 6(1)(c)(i) and (iv) of the Act provide that personal data shall be kept only for one or more specified and lawful purposes and shall not be kept for longer than is necessary for that purpose or purposes, except where personal data is kept for historical, statistical, or research purposes. Under the non-legally binding guidance issued by the ODPC in A Guide for Data Controllers ('the Guide'), Section 6 states that: 'This requirement places a responsibility on data controllers to be clear about the length of time data will be kept and the reason why the information is being retained. You should assign specific responsibility for ensuring that files are regularly purged and that personal information is not retained any longer than necessary.'

The ODPC further recommends that, to comply with this rule, data controllers adopt a defined policy on retention periods for all personal data items they store, together with management and computer procedures to implement that policy.

7.8. Children's data

There are no specific provisions regulating the processing of children's data under the Act.

7.9. Special categories of personal data

The Act defines sensitive personal data in Section 2(1) of the Act, i.e., personal data relating to racial origin; political opinions or religious or other beliefs; physical or mental health (other than any such data reasonably kept by them in relation to the physical or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other purpose); trade union involvement or activities; sexual life; or, criminal convictions, the commission or alleged commission of any offense, or any proceedings for any offense committed, the disposal of such proceedings, or the sentence of any court in such proceedings. However, while Section 30(1)(a) of the Act provides that the Minister responsible for data protection may, from time to time, make regulations to provide additional safeguards in relation to sensitive personal data, no regulation has been created to provide specific provisions regarding the processing of sensitive categories of personal data.

7.10. Controller and processor contracts

Section 12(2) of the Act provides that a data controller shall use contractual or other legal means to ensure a comparable level of protection is provided by any third party to whom it discloses information for the purpose of data processing. The Act itself does not, however, prescribe particulars that must or should be included in such agreements. In Part 7 of the Guide (which is not legally binding), in the context of a minimum standard of security for personal data, the ODPC states that a contract should be in place with any data processor imposing security obligations on the data processor equivalent to those set out in the guidance. According to the Guide, examples of a minimum standard of security include, inter alia, security of premises when unoccupied, restricting access to information to authorized staff on a need-to-know basis in accordance with a defined policy, and password protection on all computer systems.

8. Data Subject Rights

8.1. Right to be informed

The right to be informed and the right of access are dealt with together in the Act. Section 8 of the Act provides that, subject to the provisions of the Act (i.e., any applicable exceptions), any individual who makes a written request to a data controller has a right, within 40 days after complying with the requirements of that section, to:

  • be informed by the data controller whether the data kept by them includes personal data relating to the individual;
  • be supplied by the data controller with a copy of the information constituting any such data; and
  • where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms.

8.2. Right to access

See the section on the right to be informed.

8.3. Right to rectification

Data subjects in the Bahamas have a right to the rectification or erasure of their data, subject to exceptions, pursuant to Section 10 of the Act. An individual who submits a written request to a data controller that keeps personal data relating to them is entitled to have rectified or, where appropriate, erased any such data in relation to which the data controller has contravened Section 6(1) of the Act (e.g., where data has not been kept accurate or is otherwise inadequate, irrelevant, or excessive). The data controller must comply with the request within 40 days after it has been given or sent to them.

8.4. Right to erasure

See the section on the right to rectification.

8.5. Right to object/opt-out

This right is not specifically provided for under the Act in a general sense, although the right does exist in the context of opting out of direct marketing.

Under Section 11 of the Act, data subjects are entitled to prevent their data from being processed for direct marketing purposes. It is important to note that the Act's definition of 'direct marketing' encompasses not only traditional direct mailing but also extends to electronic marketing and newsletters. To exercise this right, a data subject submits a written request to the relevant data controller asking it to stop keeping or using their data for direct marketing. The data controller must, within 40 days, either erase the data or cease using it for direct marketing purposes, and must then notify the data subject in writing of the action taken.

8.6. Right to data portability

This right is not specifically provided for under the Act.

8.7. Right not to be subject to automated decision-making

This right is not specifically provided for under the Act.

8.8. Other rights

Not applicable.

9. Penalties

Per Section 29 of the Act, penalties for persons found guilty of offenses under the Act are prescribed as follows:

  • on summary conviction (before a magistrate) a fine not exceeding BSD 2,000 (approx. $2,000); or
  • on conviction on information (in the Supreme Court of the Bahamas) a fine not exceeding BSD 100,000 (approx. $100,000).

Upon the conviction of an offense under the Act, the court may also order that any data associated with the commission of the relevant offense be forfeited, destroyed, or erased.

9.1. Enforcement decisions

There have been no notable enforcement decisions made pursuant to the Act in recent years.
