British Virgin Islands - Data Protection Overview

November 2022

1. Governing Texts

The Data Protection Act, 2021 ('the Act') was passed in April 2021 and was brought into force effective 9 July 2021.

The Act is drafted around a set of EU-style data protection principles to which data controllers must adhere: personal data must be collected in a fair and transparent manner and only be used and disclosed for purposes properly understood and agreed to by data subjects. Any personal data collected must be adequate, kept up-to-date, and should not be retained for longer than is necessary to fulfil the collection purposes.

Importantly, the Act provides a standard framework for both public and private bodies in the management of the personal data they use. Internationally active organisations will find many similarities between the Act and data protection laws of other jurisdictions where they are active, but there are some key differences. The Act provides a lighter approach to data protection regulation than other jurisdictions in the region.

1.1. Key acts, regulations, directives, bills

The Act is the main piece of relevant legislation.

1.2. Guidelines

The Information Commissioner ('the Commissioner'), once established, will be responsible for issuing data protection guidance to public and private bodies on their obligations under the Act. The Commissioner has not yet been appointed and no date has yet been set for the appointment.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Act applies to the following public bodies:

  • the British Virgin Islands ('BVI') House of Assembly ('the Assembly') or any committee of the Assembly;
  • the Cabinet of BVI;
  • a BVI Ministry, department, or division of the BVI Ministry;
  • a local authority;
  • a statutory body established for a public purpose, whether incorporated or not, and which is owned or controlled by the BVI Government; and
  • any other body prescribed by the Minister to be a public body for the purposes of the Act. 'Minister' means the Minister to whom responsibility for information is assigned (Section 2 of the Act).

The Act applies to any person who processes, has control over, or authorises the processing of any personal data in respect of commercial transactions.

'Commercial transaction' means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, and insurance.

2.2. Territorial scope

The Act applies to a person in respect of personal data if:

  • the person is established in the BVI and processes personal data, or employs or engages any other person to process personal data on their behalf, whether or not in the context of that establishment; or
  • the person is not established in the BVI, but uses equipment in the Islands for processing personal data otherwise than for the purposes of transit through the Islands.

2.3. Material scope

The objectives of the Act are to:

  • safeguard personal data processed by public and private bodies by balancing the necessity of processing the personal data and protecting personal data from unlawful processing by public and private bodies; and
  • promote transparency and accountability in the processing of personal data.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Commissioner is responsible for overseeing compliance with the Act.

3.2. Main powers, duties and responsibilities

The functions of the Commissioner include:

  • monitoring compliance by public and private bodies with the requirements of the Act;
  • providing advice to public and private bodies on their obligations under the Act;
  • receiving and investigating complaints about alleged violations of the data protection principles and, in respect thereof, making reports to complainants;
  • undertaking educational programmes to promote understanding of the Act;
  • undertaking research into, and monitoring developments in data processing and information technology to ensure the continued protection of personal data through administrative, legislative, or other methods, and to report to the Minister the results of such research and monitoring;
  • managing technical co-operation and exchange of information with foreign data protection authorities as is necessary in the exercise of their functions; and
  • exercising and performing such other functions as are conferred or imposed on the Commissioner by or under the Act or any other enactment.

4. Key Definitions

Data controller: A person who either alone or jointly or in common with other persons processes any personal data, or has control over, or authorises the processing of any personal data, but does not include a data processor.

Data processor: A person who processes personal data on behalf of a data controller, but does not include an employee of the data controller.

Personal data: Any information in respect of commercial transactions that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.

Sensitive data: Any personal data about a data subject's physical or mental health, sexual orientation, political opinions, religious beliefs or other beliefs of a similar nature, criminal convictions, the commission or alleged commission of any offence, or any other personal data that the Minister may by order prescribe.

Health data: Not separately defined but would fall under the definition of sensitive personal data.

Biometric data: Not separately defined.

Pseudonymisation: Not separately defined.

5. Legal Bases

5.1. Consent

There is a requirement for the data subject to give 'express consent' before the processing or disclosure of personal data. Explicit data subject consent is required before processing sensitive personal data.

5.2. Contract with the data subject

A data controller may process personal data about a data subject if the processing is necessary:

  • for the performance of a contract to which the data subject is a party; or
  • for the taking of steps at the request of the data subject with a view to entering into a contract.

5.3. Legal obligations

A data controller may also process personal data about a data subject if the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by a contract.

5.4. Interests of the data subject

A data controller may also process personal data about a data subject if the processing is necessary in order to protect the vital interests of the data subject.

5.5. Public interest

The Act permits the disclosure of personal data for a purpose other than the purpose for which it was collected if that disclosure is in the public interest as determined by the relevant Minister.

5.6. Legitimate interests of the data controller

This is not a recognised legal basis for processing under the Act.

5.7. Legal bases in other instances

Further legal bases for processing under the Act include:

  • for the administration of justice; and
  • for the exercise of any other functions conferred on a person by or under any law.

6. Principles

General Principle

Personal data shall not be processed unless it is processed for a lawful purpose directly related to an activity of the data controller, the processing of the personal data is necessary for, or directly related to that lawful purpose, and the personal data is adequate but not excessive in relation to that purpose.

Notice and Choice Principle

A data controller shall inform a data subject, upon request for personal data, of:

  • the purposes for which the personal data is being or is to be collected and further processed;
  • any information available to the data controller as to the source of that personal data;
  • the data subject's right to request access to and request correction of the personal data and how to contact the data controller with any inquiries or complaints in respect of the personal data;
  • the class of third parties to whom the data controller discloses or may disclose the personal data;
  • whether it is obligatory or voluntary for the data subject to supply the personal data; and
  • where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if they fail to supply the personal data.

Disclosure Principle

No personal data shall, without the consent of the data subject, be disclosed for any purpose other than the purpose for which the personal data was to be disclosed at the time of collection, or a purpose directly related to this purpose.

Security Principle

A data controller shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, or destruction by having regard to:

  • the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, or destruction;
  • the place or location where the personal data is stored;
  • any security measures incorporated into any equipment in which the personal data is stored;
  • the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
  • the measures taken for ensuring the secure transfer of the personal data.

Retention Principle

The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. The data controller shall take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

Data Integrity Principle

Data controllers shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

Access Principle

Data subjects shall be given access to their personal data held by a data controller and be able to correct said personal data where the personal data is inaccurate, incomplete, misleading, or not up-to-date, except where compliance with a request to such access or correction is refused under the Act.

7. Controller and Processor Obligations

7.1. Data processing notification

Please see the Notice and Choice Principle outlined in the section on principles above.

7.2. Data transfers

Data transfers outside the BVI are permitted, but personal data must not be transferred to a country or territory that does not ensure an adequate level of protection for processing personal data unless the express consent of the data subject has been given.

The Act does not refer to a mechanism for ensuring adequate safeguards. We anticipate that accompanying regulations will approve the use of EU Standard Contractual Clauses ('SCCs') for such transfers.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

Although there is a security principle under the Act, there is no requirement to notify the Commissioner in the event of a breach.

7.7. Data retention

The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. The data controller shall take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

A data controller shall not process any sensitive personal data of a data subject unless:

  • the data subject has given their explicit consent to the processing of the personal data;
  • the processing is necessary:
    • for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
    • in order to protect the vital interests of the data subject or another person, in a case where:
      • consent cannot be given by or on behalf of the data subject;
      • the data controller cannot reasonably be expected to obtain the consent of the data subject; or
      • consent by or on behalf of the data subject has been unreasonably withheld;
    • for medical purposes and is undertaken by:
      • a healthcare professional; or
      • a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;
    • for the purpose of, or in connection with, any legal proceedings;
    • for the purpose of obtaining legal advice;
    • for the purposes of establishing, exercising, or defending legal rights;
    • for the administration of justice;
    • for the exercise of any functions conferred on any person by or under any enactment; or
    • any other purposes as the Minister thinks fit; or
  • the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

7.10. Controller and processor contracts

Where processing of personal data is carried out by a data processor on behalf of the data controller, the data controller shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction, ensure that the data processor:

  • provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
  • takes reasonable steps to ensure compliance with those measures.

8. Data Subject Rights

8.1. Right to be informed

A data controller shall inform a data subject, upon request for personal data, of:

  • the purposes for which the personal data is being or is to be collected and further processed;
  • any information available to the data controller as to the source of that personal data;
  • the data subject's right to request access to and request correction of the personal data and how to contact the data controller with any inquiries or complaints in respect of the personal data;
  • the class of third parties to whom the data controller discloses or may disclose the personal data;
  • whether it is obligatory or voluntary for the data subject to supply the personal data; and
  • where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he or she fails to supply the personal data.

8.2. Right to access

Data subjects are entitled to request access to their personal data. The data access request must be made in writing to the data controller, who is entitled to charge a reasonable fee for responding.

Following receipt of the written request and fee, the data controller is required to respond within 30 days. The data controller can request a further period of time to respond to the request provided that this request is notified to the data subject within the initial 30-day time period.

While there is no requirement under the Act to disclose the document which holds the personal data, the requested information needs to be provided to the data subject in an 'intelligible form'.

8.3. Right to rectification

A data subject has the right to request that personal data be amended where the data is:

  • incomplete;
  • incorrect;
  • misleading;
  • excessive; or
  • not relevant to the purposes for which the document is held.

Such application must be in writing and specify:

  • which document requires amendments;
  • the personal data that is claimed to be incomplete, incorrect, misleading, or irrelevant;
  • the reasons for the claim; and
  • the amendment requested.

Where a public or private body is satisfied with the reasons for a rectification application, the body shall cause the personal data to be amended. However, if the body is not satisfied with the reasons, it may refuse to make an amendment and shall notify the data subject in writing of the reasons for refusal and the data subject's right to lodge a complaint with the Commissioner.

Following on from the above, any data subject who is aggrieved by a decision of a public or private body to refuse a rectification application may lodge a complaint in writing to the Commissioner within 28 days of receipt of the refusal.

8.4. Right to erasure

No separate right other than the right to rectification.

8.5. Right to object/opt-out

Data subjects have the right to opt out of receiving direct marketing at any time.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

Refusal or failure to comply with an order issued by the Commissioner is an offence.

The data controller is liable on conviction to a fine of up to USD 100,000, or imprisonment for up to five years, or both.

Where sensitive personal data is processed without a legal ground for doing so, the data controller is liable on conviction to a fine up to USD 200,000 or imprisonment for up to two years. Where an offence has been committed by a body corporate, a director, company secretary, or similar officer could be held liable. Corporate bodies face fines of up to USD 500,000.

The Act also contains provisions to protect whistleblower employees from being dismissed. A data subject who suffers damage may institute proceedings in the civil court. It is a defence for both private and public bodies to demonstrate that they took such care as was reasonably required in the circumstances.

9.1. Enforcement decisions

None to date.