Cayman Islands - Data Protection Overview
1. Governing Texts
The Cayman Islands' Data Protection Act (2021 Revision) (Law 56 of 2021) ('DPA') draws its foundational tenets, including the processing principles and the legal bases for processing, from the UK's Data Protection Act 2018 ('DPA 2018') and the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). As such, UK and EU data protection compliance essentially equates to DPA compliance, with a few key exceptions: most notably, under the DPA, data subjects do not have an explicit right to erasure or a right to data portability, and the supervisory authority to which complaints and queries are submitted is the Cayman Islands' Office of the Ombudsman ('the Ombudsman').
In further contrast to the UK and EU data protection legislation and guidance, the DPA does not require Data Protection Impact Assessments ('DPIAs') and imposes relatively less severe monetary penalties for breaches of its provisions.
1.1. Key acts, regulations, directives, bills
- Data Protection Law, 2017 (Law 33 of 2017)
- Data Protection Regulations, 2018 (SL 17 of 2019) ('the Regulations')
1.2. Guidelines
The Ombudsman has issued the following guidance:
- Data Protection Act (2021 Revision) Guide for Data Controllers ('the Guide for Data Controllers');
- Data Protection Law 2017 Guide for Data Subjects;
- Data Protection Law 2017 Guidance for Small Businesses and Organisations;
- Data Protection Law 2017 Guidance on Monetary Penalty Orders; and
- Data Protection Law – Section 40 Guidelines.
1.3. Case law
The Data Protection Law, 2017 came into force on 30 September 2019 (the consolidated DPA came into force on 30 April 2021) and domestic case law has yet to be developed.
Given its status as a British Overseas Territory, and that the DPA is modelled on the UK's DPA 2018 with the specific aim of achieving adequacy status under the EU's GDPR, the Cayman Islands courts will likely look to UK and EU case law and European Commission decisions as persuasive precedent.
2. Scope of Application
The DPA applies to personal data processed by data controllers and data processors.
Section 6(1) of the DPA states: 'This Act applies to a data controller in respect of any personal data only if:
- the data controller is established in the Cayman Islands and the personal data are processed in the context of that establishment; or
- the data controller is not established in the Cayman Islands but the personal data are processed in the Cayman Islands otherwise than for the purposes of transit of the data through the Cayman Islands.'
A data controller that is not established in the Cayman Islands but processes personal data there (the second limb above) must nominate a local representative established in the Cayman Islands who, for all intents and purposes, is treated as the data controller (Section 6(1)(b) of the DPA) and bears all obligations under the DPA as if the representative were the data controller (Section 6(2) of the DPA).
'Established in the Cayman Islands' means any of the following (Sections 6(1) and 6(2) of the DPA):
- an individual who is ordinarily resident in the Cayman Islands;
- a body incorporated or registered as a foreign company under the law of the Cayman Islands;
- a partnership or other unincorporated association formed under the law of the Cayman Islands; or
- any person who does not fall under one of the above categories but maintains in the Cayman Islands:
- an office, branch, or agency through which the person carries on any activity; or
- a regular practice.
Under the DPA, 'processing' covers both active and passive handling of data. It is defined as obtaining, recording, or holding data, or carrying out any operation or set of operations on the data, including (Section 2 of the DPA):
- organising, adapting, or altering personal data;
- retrieving, consulting, or using personal data;
- disclosing personal data by transmission, dissemination, or otherwise making it available; or
- aligning, combining, blocking, erasing, or destroying personal data.
Exempt processing includes activities concerning (Part 4 of the DPA):
- national security (Section 18 of the DPA);
- crime, government fees, and duties (Section 19 of the DPA);
- health, education, or social work (Section 20 of the DPA);
- monitoring, inspection, or regulatory function (Section 21 of the DPA);
- journalism, literature, or art (Section 22 of the DPA);
- research, history, or statistics (Section 23 of the DPA);
- information available to public by or under enactments (Section 24 of the DPA);
- disclosures required by law or made in connection with legal proceedings (Section 25 of the DPA);
- personal, family, or household affairs (Section 26 of the DPA);
- honours (processing of personal data by the Crown or the Premier for the purposes of conferring any honour or dignity) (Section 27 of the DPA);
- corporate finance (Section 28 of the DPA);
- negotiations (personal data which forms part of a record of the intentions of the data controller in respect of any negotiations with the data subject) (Section 29 of the DPA); and
- legal professional privilege and trusts (Section 30 of the DPA).
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The main regulator for data protection is the Ombudsman.
3.2. Main powers, duties and responsibilities
The principal functions of the Ombudsman include (Section 34 of the DPA):
- hearing, investigating, and ruling on complaints made under the DPA;
- monitoring, investigating, and reporting on data controller compliance with obligations under the DPA;
- intervening and delivering opinions and orders related to processing operations;
- ordering the rectification, blocking, erasure, or destruction of data;
- imposing a temporary or permanent ban on processing;
- making recommendations for reform of a general nature and directed at specific data controllers;
- engaging in proceedings where the provisions of the DPA have been violated, or referring such violations to the appropriate authorities;
- cooperating with other data protection supervisory authorities;
- publicising and promoting the DPA requirements and data subject rights; and
- undertaking any other action which appears to be incidental or conducive to the Ombudsman's functions under the DPA.
The Ombudsman is also tasked with carrying out any data protection functions (those related to the protection of individuals in respect of processing of personal information) which may be prescribed by regulations for the purpose of enabling the Cayman Islands to satisfy any of its international obligations (Section 37(2) of the DPA).
In addition, the Ombudsman must promote good practice and observance of the DPA by data controllers as well as develop guidance, collaborate with trade associations with respect to codes of conduct, and assess data controller adherence to good practice under the DPA (Sections 41 and 42 of the DPA).
Good practice is defined as such practice in the processing of personal data as appears to the Ombudsman to be desirable having regard to the interests of data subjects and others, and includes compliance with the requirements of the DPA.
From an enforcement perspective, the Ombudsman is empowered to undertake investigations related to data protection complaints and may consider the following factors when determining whether to launch an investigation (Section 43(4) of the DPA):
- the extent to which the complaint appears to raise a matter of substance;
- any undue delay in making the complaint;
- whether a complaint is frivolous or vexatious; or
- whether or not the person making the complaint is entitled to make a request under Section 8 of the DPA (fundamental rights of access to personal data) in respect of the personal data in question.
The Ombudsman is empowered to make information orders (Section 44 of the DPA) and enforcement orders (Section 45 of the DPA). An information order requires the recipient to provide such information as the Ombudsman may reasonably consider appropriate for the purpose of carrying out the Ombudsman's functions under the DPA.
Where the Ombudsman is satisfied that there are reasonable grounds to believe that a data controller has contravened, or is likely to contravene, any provision of the DPA, the Ombudsman may, with a view to improving the data controller's compliance with the relevant provision, serve an enforcement order on the data controller requiring it to (Section 45(1) of the DPA):
- take specified steps within a specified time, or to refrain from taking specified steps after a specified time;
- refrain from processing any personal data, or any personal data of a specified description;
- refrain from processing personal data for a specified purpose or in a specified manner, after a specified time; or
- do anything which appears to the Ombudsman to be incidental or conducive to the carrying out of the Ombudsman's functions under the DPA.
A judge may grant a warrant to the Ombudsman where satisfied, by information supplied on oath by the Ombudsman, that there are reasonable grounds for believing that a data controller has contravened, is contravening, or is likely to contravene the data protection principles under the DPA, or that an offence under the DPA has been or is being committed, and that there are reasonable grounds to believe that evidence of the contravention or of the offence is to be found on the premises specified in the information (Section 51(2) of the DPA).
Any current or former Ombudsman, member of the Ombudsman's staff, agent of the Ombudsman, or consultant to the Ombudsman is bound by a duty of confidentiality and must not knowingly or wilfully disclose any information which:
- has been or was obtained by, or furnished to, the Ombudsman under or for the purposes of the DPA;
- relates to an identified or identifiable person; and
- is not at the time of the disclosure, and has not previously been, available to the public from other sources, unless the disclosure is made with lawful authority.
4. Key Definitions
Data controller: The person who, alone or jointly with others, determines the purposes, conditions, and manner in which any personal data are, or are to be, processed and includes a local representative (Section 2 of the DPA).
Personal data: Data relating to a living individual who can be identified, and includes data such as (Section 2 of the DPA):
- the living individual's location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the living individual;
- an expression of opinion about the living individual; or
- any indication of the intentions of the data controller or any other person in respect of the living individual.
Sensitive personal data: Personal data consisting of (Section 2 of the DPA):
- the racial or ethnic origin of the data subject;
- the political opinions of the data subject;
- the data subject's religious beliefs or other beliefs of a similar nature;
- whether the data subject is a member of a trade union;
- genetic data of the data subject;
- the data subject's physical or mental health or condition;
- medical data;
- the data subject's sex life;
- the data subject's commission, or alleged commission, of an offence; or
- any proceedings for any offence committed, or alleged to have been committed, by the data subject, the disposal of any such proceedings, or any sentence of a court in the Cayman Islands or elsewhere.
Pseudonymisation: There is no definition of 'pseudonymisation' in the DPA. However, the Guide for Data Controllers states that 'pseudonymisation' is the de-identification of personal data such that it cannot be attributed to a specific individual without the use of additional information, and where this additional information is kept separate and is subject to technical and organisational measures to prevent any undesired re-identification of the individual. A basic example is the replacing of a direct identifier, such as a name, with a pseudonym, and keeping the list matching the pseudonym with the individual secure and separate.
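The following is an added worked example, not part of the DPA, the Regulations, or the Ombudsman's guidance. It shows the pattern the Guide for Data Controllers describes: direct identifiers (name and account number) are replaced with a pseudonym, and the additional information needed to re-identify the individual (here a secret key and the pseudonym-to-name table, held in a `PseudonymVault`) is kept separately from the pseudonymised data set. It also contrasts this with an unkeyed hash of the name, which anyone able to guess the names can reverse, so that data would not be effectively pseudonymised. The records, the names and the 'public' name list are constructed for the example; `PseudonymVault`, `weak_pseudonym` and `dictionary_attack` are names chosen here, not terms from the DPA.

```python
"""Pseudonymisation with the re-identification data held separately.

Added example (not from the DPA or the Ombudsman's guidance): the record
layout, names and candidate name list below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data set (hypothetical).
RECORDS = [
    {"name": "Alice Example", "account": "A-1001", "balance": 1500},
    {"name": "Bob Example", "account": "A-1002", "balance": 250},
    {"name": "Carla Example", "account": "A-1003", "balance": 9800},
]

# Constructed 'publicly available' list of names an adversary might hold.
PUBLIC_NAMES = ["Alice Example", "Bob Example", "Carla Example", "Dan Example"]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed hash: anyone who can guess the identifier can recompute it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


@dataclass
class PseudonymVault:
    """The 'additional information' that must be kept separate from the
    pseudonymised data set: a secret key plus the pseudonym-to-identity table."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def pseudonymise(self, identifier: str) -> str:
        # Keyed HMAC: deterministic (same person -> same pseudonym, so records
        # can still be joined), but not guessable without the key.
        token = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self.lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of the vault can map a pseudonym back to a person."""
        return self.lookup.get(token)


def pseudonymise_records(records: list, make_token: Callable[[str], str]) -> list:
    """Replace the direct identifiers (name, account) with a single pseudonym;
    only the non-identifying attribute (balance) is kept alongside it."""
    return [{"subject": make_token(r["name"]), "balance": r["balance"]} for r in records]


def dictionary_attack(dataset: list, candidates: list, make_token: Callable[[str], str]) -> dict:
    """What an adversary without the vault can do: recompute tokens for guessed
    identifiers and match them against the released data set."""
    rainbow = {make_token(name): name for name in candidates}
    return {row["subject"]: rainbow[row["subject"]] for row in dataset if row["subject"] in rainbow}


def demo() -> dict:
    """Run both schemes and report how many subjects an outsider recovers."""
    vault = PseudonymVault()
    strong = pseudonymise_records(RECORDS, vault.pseudonymise)
    weak = pseudonymise_records(RECORDS, weak_pseudonym)
    return {
        "weak_recovered": len(dictionary_attack(weak, PUBLIC_NAMES, weak_pseudonym)),
        "strong_recovered": len(dictionary_attack(strong, PUBLIC_NAMES, weak_pseudonym)),
        "reidentified_with_vault": [vault.reidentify(r["subject"]) for r in strong],
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the pseudonym deterministic under a fixed key lets records about the same person be joined within the data set without exposing who they are. The output is still personal data in the controller's hands, since the controller can re-identify it using the vault, which is why the vault must be protected by its own technical and organisational measures; a party holding only the pseudonymised data and a list of names recovers nothing.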
Data subject: An identified living individual or a living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person (Section 2 of the DPA).
5. Legal Bases
'Consent' in relation to a data subject is defined as any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to said data subject (Section 2 of the DPA).
Consent may be used as a legal basis for processing personal data pursuant to Paragraph 1 of Schedule 2 (First Principle - Conditions for Processing of Personal Data) of the DPA ('Schedule 2').
In accordance with Paragraph 1 of Schedule 3 (First Principle - Conditions for Processing Sensitive Personal Data) of the DPA ('Schedule 3'), consent may also be used as a legal basis for processing sensitive personal data.
Schedule 5 (Conditions of Consent) of the DPA ('Schedule 5') sets out the conditions of consent as follows:
- the onus is on the data controller to prove that the data subject consented to the processing of their personal data;
- a data subject's consent to the processing of their personal data must be separate and distinct from consent to other matters;
- consent may be withdrawn at any time, but such withdrawal does not affect the lawfulness of processing prior to the withdrawal of consent; and
- in circumstances where there is a significant imbalance between the position of the data subject and the data controller, consent cannot serve as a legal basis for the processing of personal data.
The Guide for Data Controllers notes that:
- the DPA sets a high standard for consent;
- processing on the legal basis of consent requires a positive action to opt-in; and
- consent to processing cannot be a precondition of a service.
Consent requests should be prominent, concise, separate from other terms and conditions, and easily understood. The Guide for Data Controllers further recommends that records be kept as evidence of consent and that mechanisms are established for data subjects to withdraw their consent at any time.
'Processing necessary for contract' is a legal basis for processing personal data (Paragraph 2 of Schedule 2 of the DPA).
A data controller may only rely on this legal basis for processing where the data subject is party to the contract and where such processing is necessary to:
- satisfy the relevant contractual obligations; or
- prepare the contract for execution.
The data subject's right to stop processing is restricted by the legal basis of 'processing necessary for contract' (Section 10(2)(a) of the DPA).
In addition, the Guide for Data Controllers states that 'processing necessary for contract' cannot be used as a legal basis for the processing of personal data in circumstances where pre-contractual steps are taken at the request of a third party or without the participation of the data subject. The processing must be targeted and proportionate in relation to the purpose, as well as necessary to satisfy contractual obligations.
The Guide for Data Controllers further states that the profiling of an individual's interests and preferences based on purchases is not necessary for the performance of the contract and, therefore, a data controller cannot rely on 'processing necessary for contract' as a legal basis for processing in this regard.
'Processing under legal obligation' is a legal basis for the processing of personal data (Paragraph 3 of Schedule 2 of the DPA).
In addition, the Guide for Data Controllers notes that the legal obligation may be statutory or common law and that a data controller seeking to rely on this legal basis must be able to identify either the specific legal provision or guidance which establishes the legal obligation to process personal data. However, it is not necessary for the legal obligation to require the specific processing of personal data and mandatory regulatory requirements may constitute a valid legal obligation so long as there is a statutory basis for the regulatory regime.
Where the processing of personal data is on the legal basis of legal obligation, a data subject's right to stop processing is restricted (Section 10(2)(b) of the DPA).
'Processing to protect vital interests' is a legal basis for processing personal data (Paragraph 4 of Schedule 2 of the DPA).
The Guide for Data Controllers states that a data controller will be able to rely on this legal basis if the processing of personal data is necessary to protect a data subject's life or to protect an interest which is essential for the life of a data subject.
Circumstances which typically give rise to such a legal basis are where personal data (health data) must be processed for medical purposes (emergency medical care) but the relevant individual (data subject) is not capable of providing consent to the processing. In such cases, the processing involves sensitive personal data and it is therefore necessary to identify a condition for processing in accordance with Schedule 3.
'Processing necessary for exercise of public functions' is a legal basis for the processing of personal data, applying where the processing is necessary for (Paragraph 5 of Schedule 2 of the DPA):
- the administration of justice;
- the exercise of any functions conferred on any person by or under any enactment;
- the exercise of any functions of the Crown or any public authority; or
- the exercise of any other functions of a public nature exercised in the public interest by any person.
The Guide for Data Controllers notes that this legal basis for processing is most relevant to public authorities which process personal data in the exercise of official authority and organisations which process personal data to perform a specific statutory task in the public interest. While the functions listed in Paragraph 5 of Schedule 2 are not exhaustive, data controllers who seek to process on this legal basis must specify the relevant task, function, or power and identify its basis in common law or statute. Data controllers should demonstrate that they are carrying out a 'public function' in the public interest or that they are exercising official authority.
Factors to consider when determining whether the processing is a public function include:
- the extent to which the state has assumed responsibility for the relevant function;
- the role and responsibility of the state in relation to the subject matter in question;
- the nature and extent of the public interest in the relevant function;
- the nature and extent of any statutory power or duty in relation to the relevant function;
- the extent to which the state, directly or indirectly, regulates, supervises, or inspects the performance of the relevant function;
- the extent to which the state makes payment for the relevant function;
- whether the function involves or may involve the use of statutory coercive powers; and
- the extent of the risk that improper performance of the function might violate an individual's human rights.
'Processing for legitimate interests' is a legal basis for processing personal data (Paragraph 6 of Schedule 2 of the DPA).
The Guide for Data Controllers states that 'legitimate interest' is the most flexible legal basis on which to process personal data and is most appropriate in circumstances where a data subject's personal data is processed in a reasonably expected manner, the processing has a minimal impact on a data subject's privacy, or where there is a compelling justification for the processing.
The Guide for Data Controllers further states that in order to process personal data on the basis of legitimate interests, a three-part test must be satisfied:
- purpose test: Identify a legitimate interest;
- necessity test: Demonstrate that the processing of personal data is necessary to achieve the legitimate interest; and
- balancing test: Consider whether a data subject's interests, rights, and freedoms override the legitimate interest.
Legitimate interests may include commercial interests (workplace surveillance, fraud prevention, intra-group transfers, IT systems monitoring), individual interests, or broader social benefits. 'Necessary' means that the processing of personal data is targeted and proportionate to the purpose for which personal data is processed. When undertaking the balancing test, if a data subject would not reasonably expect the processing or the processing may cause harm or prejudice to a data subject's interests, rights, and freedoms, then the processing is not likely justified.
Paragraph 7 of Schedule 2 of the DPA ('Regulations about legitimate interests') provides that the Cayman Islands Cabinet may, by regulations, specify particular circumstances in which the conditions for 'processing for legitimate interests' are satisfied.
6. Principles
There are eight principles for the processing of personal data (Part 1 of Schedule 1 of the DPA):
First principle: Personal data must be processed fairly and only where at least one of the conditions prescribed by Schedule 2 of the DPA is met. Those conditions include:
- consent;
- processing necessary for contract;
- processing under legal obligation;
- processing to protect vital interests;
- processing necessary for exercise of public functions; and
- processing for legitimate interests.
Sensitive personal data must, in addition, satisfy at least one of the conditions prescribed by Schedule 3 of the DPA, which include:
- consent;
- employment;
- vital interests;
- non-profit associations;
- information made public by the data subject;
- legal proceedings, etc.;
- public functions;
- medical purposes; and
- circumstances prescribed by regulations.
Second principle: Personal data must be obtained only for one or more specified lawful purposes and must not be further processed in any manner incompatible with that purpose or those purposes.
Third principle: Personal data must be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are collected or processed.
Fourth principle: Personal data must be accurate and, where necessary, kept up to date.
Fifth principle: Personal data processed for any purpose must not be kept for longer than is necessary for that purpose.
Sixth principle: Personal data must be processed in accordance with the rights of data subjects under the DPA.
Seventh principle: Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to, personal data.
Eighth principle: Personal data must not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
7. Controller and Processor Obligations
7.1. Data processing notification
There is no data processing notification requirement under the DPA.
7.2. Data transfers
Pursuant to the eighth principle, the DPA restricts transfers of personal data to countries or territories that do not ensure an adequate level of data protection. For the purposes of the eighth principle, the Ombudsman considers European Economic Area ('EEA') Member States, and any country or territory deemed adequate by the European Commission, to ensure an adequate level of data protection.
In addition, other countries and territories may be considered adequate based on a number of factors, including the data protection laws in force in the country or territory in question and its international data protection obligations. A data controller is required to assess these considerations when determining whether a transfer complies with the eighth data protection principle and will be held accountable for that determination.
There are exemptions from the prohibition on transfers of personal data to countries outside the EEA that have not been deemed adequate by the European Commission. These apply where the transfer is (Schedule 4 of the DPA):
- made with the individual's consent;
- necessary for the performance of a contract between the data subject and the data controller, or for pre-contractual steps taken at the data subject's request;
- necessary for the conclusion of a contract between the data controller and a third party, and that contract is entered into at the data subject’s request or is in the data subject's interest;
- necessary for reasons of substantial public interest;
- necessary for the purpose of, or in connection with, any legal proceedings, necessary for obtaining legal advice, or is necessary for establishing, exercising, or defending legal rights;
- necessary to protect the vital interests of the data subject; or
- made in regard to public data on a public register, and any conditions subject to which the register is open to inspection are complied with.
The Ombudsman is empowered to issue a general authorisation for personal data transfers to third countries which do not have adequate data protection where the rights and freedoms of the affected data subjects will be adequately protected. As at the date of this overview, no such authorisations have been issued by the Ombudsman.
7.3. Data processing records
The Guide for Data Controllers states that it is best practice to keep detailed documentation of all data processing activities (including all purposes for which personal data is processed) in order to respond to data subject access requests, cooperate with Ombudsman investigations, and provide data subjects with information related to the processing of their personal data.
7.4. Data protection impact assessment
The DPA does not currently prescribe DPIAs. However, the Guide for Data Controllers states, under 'Individual Rights', that it is best practice to carry out a privacy impact assessment ('PIA') to mitigate the risks of processing personal data.
Specifically, a PIA is best practice in situations where data processing is likely to result in a high risk to individuals, for example where (Step 9 of the Data Protection Fact Sheet - Ten steps to take now ('the Factsheet')):
- a new technology is being deployed;
- a profiling operation is likely to significantly affect individuals; or
- there is processing on a large scale of special categories of data.
Furthermore, the Factsheet states that, if an organisation buys personal data from other organisations or obtains personal data from publicly accessible sources and comes to the conclusion that it is impossible to provide privacy information to individuals, a PIA should be conducted to find ways to mitigate the risks of the processing (page 126 of the Guide for Data Controllers).
The Guide for Data Controllers also states that with respect to contracts between data controllers and data processors, a data processor must assist the data controller in meeting its DPA obligations in relation to DPIAs. As a reference for DPIAs, the Guide for Data Controllers cites the UK Information Commissioner's Office Guidance on Data Protection Impact Assessments.
7.5. Data protection officer appointment
There is no requirement to appoint a data protection officer ('DPO') under the DPA.
However, the Frequently Asked Questions ('the FAQs') and Frequently asked questions on data protection for organisations ('the FAQs for Organisations') highlight that it may be recommended for larger or complex organisations to appoint a DPO.
7.6. Data breach notification
'Personal data breach' is defined by the DPA as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed (Section 2 of the DPA).
Section 16 of the DPA ('Personal data breaches') provides that breaches are to be reported to the affected data subjects and to the Ombudsman within five days.
Specifically, in the case of a personal data breach, the data controller must, without undue delay, and no later than five days after the data controller should, with the exercise of reasonable diligence, have become aware of the breach, notify the data subject to whom the personal data relates and the Ombudsman. In its notification the data controller must describe:
- the nature of the breach;
- the consequences of the breach;
- the measures proposed or taken by the data controller to address the breach; and
- the measures recommended by the data controller to the data subject of the personal data in question to mitigate the possible adverse effects of the breach.
The reporting requirement is subject to one caveat: all personal data breaches must be reported to the Ombudsman and to the individual(s) whose data was breached unless the breach is unlikely to prejudice the rights and freedoms of the affected data subjects (page 170 of the Guide for Data Controllers).
Where a data controller uses a data processor to process personal data on its behalf and that data processor suffers a reportable personal data breach, then the data controller is required to inform the Ombudsman and the breach-affected data subjects. The Guide for Data Controllers states that respective breach reporting requirements for data controllers and data processors should be detailed in a data processing agreement in accordance with the seventh principle of the DPA.
7.7. Data retention
The Guide for Data Controllers notes that the DPA 'does not dictate' the retention duration for personal data and that the onus is on the data controller to justify retention on the basis of processing purposes. Data controllers are advised to consider whether:
- the stated purposes for processing remain applicable (personal data should not be kept indefinitely on the basis that it may one day be processed);
- personal data, or parts thereof, in respect of a commercial relationship can be deleted;
- information must be retained to defend possible future legal claims;
- any legal or regulatory requirements apply to the retention of personal data;
- there are applicable relevant industry standards or guidelines; and
- personal data is processed for historical, statistical, or scientific purposes; such processing is exempt from the fifth principle (storage limitation).
7.8. Children's data
There are no specific provisions contained within the DPA which relate to the processing of children's personal data. However, under the Regulations, a 'child' is defined as a person under the age of 18 years. The Regulations provide an exception to the disclosure of children's personal data in response to a data subject access request (Section 8(3) of the Regulations), and a further exception to the DPA's subject information provisions in respect of children's personal data (Sections 9(1) and 9(5) of the Regulations), under which certain personal data are exempt from those provisions to the extent that their application would be likely to prejudice the carrying out of social work because serious harm to the physical or mental health or condition of the data subject or any other person would be likely to result.
Under 'legitimate interest', the Guide for Data Controllers states that legitimate interests may be considered as a legal basis for processing personal data related to children or vulnerable individuals, but extra care must be taken to ensure that the interests and freedoms of such data subjects are protected.
The Guide for Data Controllers further states (in 'the right to be informed' section) that if a data controller collects or obtains children's personal data, particular care must be taken to ensure that the information provided to such data subjects is appropriately written (uses clear and plain language).
7.9. Special categories of personal data
Sensitive personal data must be processed on the basis of a lawful purpose and, as prescribed by Schedule 3 of the DPA, at least one of the following conditions: consent; employment; vital interests; non-profit associations; information made public by the data subject; legal proceedings, etc.; public functions; medical purposes; and circumstances prescribed by regulations.
7.10. Controller and processor contracts
Data processing agreements underpin the DPA's controller-processor relationship. In order for a data controller to comply with the seventh data protection principle, processing of personal data by a data processor on the data controller's behalf must be undertaken pursuant to a written contract.
According to the seventh principle, if a data processor carries out processing of personal data on behalf of a controller, the controller shall not be regarded as complying with the seventh principle unless the processing is carried out under a contract:
- made or evidenced in writing;
- where the data processor is to act only on instructions from the data controller; and
- that requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle (Paragraph 3, Part 2, Schedule 1 of the DPA).
A data processing agreement, based on the DPA, must include the following terms:
- a data processor must only process personal data on the data controller's written instructions (unless required by law to process personal data without such instructions); and
- a data processor must take appropriate measures to ensure the security of processing.
The Guide for Data Controllers recommends that the following terms also be incorporated into a data processing agreement such that a data processor will:
- ensure that all personnel who process the personal data are subject to a duty of confidentiality;
- only engage a data sub-processor under a written contract and with the prior written approval of the data controller;
- assist the data controller with data subject access to personal data as well as assist data subjects with exercising their rights under the DPA;
- assist the data controller to meet its DPA obligations with respect to personal data processing security, personal data breach notification, and DPIAs;
- delete or return all personal data to the data controller as requested by the data controller at the expiration of the data processing agreement; and
- submit to audits and inspections, provide all information to the data controller which is necessary to ensure and demonstrate that the data processor and data controller satisfy their respective obligations under the DPA, and advise the data controller if requested to process personal data in a manner which breaches the DPA or other applicable data protection laws.
8. Data Subject Rights
The transparency requirement provides that data subjects have the right to be informed about the collection and use of their personal data (Section 8(1) of the DPA). The mechanism for providing such information to data subjects is a privacy notice, which must be given to data subjects at the time the data controller collects their personal information and must contain the following components:
- identity of the data controller;
- a description of the data subject's personal data;
- purposes for which the personal data are processed by or on behalf of the data controller;
- recipients or classes of recipients to whom the personal data are or may be disclosed by or on behalf of the data controller;
- any territories or countries outside of the Cayman Islands to which the data controller, whether directly or indirectly, transfers, intends to transfer, or wishes to transfer the personal data; and
- general technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
To exercise the right to access, the data subject must provide a data controller with a written data subject access request and a data controller is not required to respond to an access request unless the request is in writing (Section 8(4) of the DPA). A data controller is also entitled to request a fee for processing a data subject access request in certain circumstances (Section 8(1) of the DPA).
Fees for data subject access requests are governed by Section 3 of the Regulations. Personal data which is requested under Section 8 of the DPA must be provided free of charge unless the data controller can demonstrate that the request is manifestly unfounded or excessive because the request is repetitive, fraudulent in nature, or would unreasonably divert the data controller's resources (Sections 3(1) and 3(2) of the Regulations). Where a data controller proves that the request is manifestly unfounded or excessive, the data controller may charge a reasonable fee which accounts for administrative costs or refuse to satisfy the request and provide the reasons for doing so (Sections 3(1) and 3(4) of the Regulations).
Where a data controller receives a written data subject access request, it has 30 days in which to respond unless further information is required from the data subject regarding the data subject's identity or in order to satisfy the access request. In such circumstances, the 30-day response period is automatically suspended until such time as the data subject provides the data controller with the requisite information.
The response period extension is governed by Section 4 of the Regulations. A data controller is permitted to extend the time period in which to respond to a data subject access request by up to 30 days where one or more of the following conditions apply (Section 8 of the DPA):
- a large amount of personal data is requested or must be searched and, as a result, compliance with the response period would unreasonably interfere with the data controller's operations;
- additional time is required to consult with a third party before the data controller can determine whether to grant the data subject access request;
- the data subject provides consent to the response period extension; or
- the Ombudsman has granted a response period extension (including beyond 30 days).
Where the response period is extended, the data controller must inform the relevant data subject of the reason(s) for the extension and the date on which a final data subject access request response will be provided.
The right of access also includes an obligation on the part of the data controller to inform the data subject, through a written statement, of the data subject's rights (Section 8(12) of the DPA). Such a statement is typically contained within a data controller's privacy notice.
A data controller must comply with a data subject's access request in relation to providing the data subject with a copy of their personal data in the format requested unless:
- the provision of such a copy is not possible or would involve disproportionate effort; or
- the data subject agrees otherwise.
If any of the personal data contained within the copy are not intelligible, the data controller must provide an explanation of the same (Sections 9(1) and 9(2) of the DPA).
An exception exists to the release of (access to) personal data where such a release could reasonably cause mental or physical harm to the relevant data subject or any other person (Section 7(1) of the Regulations).
Pursuant to the 'health exemption', a data controller is permitted to refuse a data subject access request if the data controller seeks the opinion of an appropriate healthcare professional as to whether the health exemption applies and obtains an opinion, in writing, from such a health professional that the health exemption applies to the personal data (Section 7(2)(a) of the Regulations). A data controller is also permitted to refuse a data subject access request if (Section 7(2)(b), Regulations):
- the data controller consulted a health professional prior to receiving the request;
- the health professional would have been the appropriate health professional consulted (Section 7(2)(a) of the Regulations); and
- the data controller obtained an opinion, in writing, from such a health professional that the health exemption applied to the personal data.
The data controller does not satisfy the requirements of Section 7(2)(b) of the Regulations where the data controller (Section 7(3) of the Regulations):
- obtained the health professional's opinion 'before the start of the period of six months that ends on the day that the request is made'; or
- obtained the health professional's opinion within the time period prescribed by Section 7(3)(a) of the Regulations, but 'it is reasonable in all the circumstances to consult the appropriate health professional again'.
A data subject's right to rectification of personal data, which is processed by a data controller, or, on behalf of a data controller by a data processor, is codified in Section 14(1) of the DPA. This right is not expressly granted to data subjects as it flows through the right to submit a complaint regarding inaccurate personal data to the Ombudsman. Where such a complaint is investigated and legitimised by the Ombudsman, an order may be issued which requires the data controller in question to correct the inaccuracy or delete the inaccurate personal data.
Under the DPA, data subjects do not have an explicit right to erasure. However, data subjects are entitled to request that a data controller cease processing their personal data (see section 8.5. below) in accordance with Section 10(1) of the DPA which, according to the Guide for Data Controllers, includes the erasure of personal data. In addition, the Guide for Data Controllers states that a data controller should have appropriate processes in place to comply with individuals' requests for erasure under the right to stop or restrict processing and that pursuant to the fifth principle (storage limitation), data subjects have an absolute right to erasure if personal data is no longer required for processing.
The Ombudsman is empowered, where satisfied by a data subject complaint submitted under Section 43 of the DPA that the relevant personal data is inaccurate, to rectify, block, erase, or destroy such personal data (Section 14 of the DPA).
The data subject has the right, by notice in writing to the relevant data controller, to require the data controller to cease processing, not begin processing, or cease processing for a specified purpose or in a specified manner, the data subject's personal data (Section 10(1) of the DPA).
A data controller who receives such notice must, within 21 days of receiving the notice, comply with the notice unless the processing is necessary:
- for the performance of a contract to which the data subject is a party or the taking of steps at the request of the data subject with a view to entering into a contract;
- for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
- to protect the vital interests of the data subject; or
- in such other circumstances as may be prescribed by regulations.
If a data controller does not comply with a data subject's notice as above, it must provide the data subject with the reasons for its non-compliance (Section 10(2) of the DPA).
However, the data controller is not required to comply with a data subject's request to cease processing under Section 10(1) of the DPA if the data controller applies for non-compliance to the Ombudsman within 21 days of the date of the data subject's request and the data controller receives approval from the Ombudsman for non-compliance (Section 6(1) of the Regulations). In such circumstances, the data controller must inform the relevant data subject of the application for non-compliance (Section 6(2) of the Regulations).
The right to stop direct marketing
'Direct marketing' is defined by the DPA to mean the communication, by whatever means, of any advertising, marketing, promotional, or similar material, which is directed to particular individuals (Section 11(1) of the DPA).
A data subject has the right, at any time by written notice to a data controller, to require a data controller (at the end of such period as is reasonable in the circumstances) to cease, or not commence, the processing of a data subject's personal data for the purpose of direct marketing (Section 11(2) of the DPA).
There is no right to data portability under the DPA.
Data subjects are granted the right not to be subject to automated decision-making. Under this provision, a data subject may, at any time by written notice to a data controller, require the data controller to ensure that no decision taken by or on behalf of the data controller (which significantly affects the data subject) is based solely on the processing by automatic means of the data subject's personal data for the purpose of evaluating the data subject's:
- job performance;
- conduct; or
- any other matters related to the data subject.
A data controller has a positive duty, where a decision that significantly affects a data subject is based solely on processing by automatic means, to notify the affected data subject that a decision was made on such an automated basis. In these circumstances, a data subject is entitled, within 21 days, to request in writing that the data controller reconsider its decision or make another determination other than on the basis of automated decision making (Section 12(2) of the DPA).
The right to complain / seek compensation
A data subject's right to submit a complaint to the Ombudsman is enshrined in Section 43 of the DPA, which provides that 'A complaint may be made to the Ombudsman by or on behalf of any person about the processing of personal data that has not been or is not being carried out in compliance with the provisions of this Act or anything required to be done pursuant to this Act.'
A data controller is required to inform data subjects of their right to complain to the Ombudsman under Section 43 of the DPA (Section 5 of the Regulations).
Where a complaint is submitted to the Ombudsman on behalf of a data subject, written authorisation from the data subject is required to submit the complaint (Section 43(2) of the DPA).
Section 13 of the DPA grants data subjects the right to seek compensation from a data controller which contravenes any requirement of the DPA.
Contravention of breach notification requirements
A data controller who contravenes the breach notification requirements prescribed by Section 16 of the DPA commits an offence and is liable on conviction to a fine of KYD 100,000 (approx. €107,450).
Contravention of information order
Part 6 of the DPA provides that a person who refuses or, without reasonable excuse, fails to supply information required under an information order made by the Ombudsman commits an offence and is liable on conviction to a fine of KYD 100,000 (approx. €107,450), or to imprisonment for a term of five years, or both (Section 44(4) of the DPA). The same penalties apply where a person intentionally alters, suppresses, or destroys information that is required under an information order (Section 44(5) of the DPA) or where a person knowingly (Section 44(6)(a) of the DPA) or recklessly (Section 44(6)(b) of the DPA) makes a false statement in purported compliance with an information order.
Contravention of enforcement order or monetary penalty order
A person who fails to comply with an information requirement, enforcement order, or monetary penalty order commits an offence and is liable on conviction to a fine of KYD 100,000 (approx. €107,455.15), or to imprisonment for a term of five years, or both (Section 46(1) of the DPA).
There are no enforcement decisions to date.