Barbados: Overview of Vendor Privacy Contracts

1. Governing Texts

1.1. Legislation

  • The Data Protection Act 2019 ('the Act') came into effect on 31 March 2021, with the exception of certain provisions requiring the registration of data controllers and data processors and the creation of official registers of data controllers and data processors, namely Sections 50, 51, 52, 55, 56, and 57 of the Act. The Sections of the Act excluded from coming into effect on 31 March 2021 are expected to take effect upon publication of a further proclamation by the Governor-General in the Official Gazette at a future date.

1.2. Regulatory authority guidance

The Data Protection Commissioner has not yet been appointed. As such, no guidance has been issued yet.

1.3. Regulatory authority templates

Not Applicable.

2. Definitions

Data controller: A person who alone, jointly or in common with others determines the purposes for which, and the manner in which, any personal data is or should be processed; or, where personal data is processed only for the purpose for which the data is required by or under an enactment to be processed, the person on whom the obligation to process the data is imposed by or under an enactment (Section 2 of the Act).

Data processor: Any person, other than an employee of a data controller, who processes personal data on behalf of the data controller (Section 2 of the Act).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

The processing by a data processor shall be governed by a written contract between the data processor and the data controller (Section 58(4) of the Act).

Moreover, where the processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with Section 4(1)(f) of the Act unless (Section 4(9) of the Act):

  • the processing is carried out under a contract:
    • which is made or evidenced in writing; and
    • under which the data processor is to act only on instructions from the data controller; and
  • the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by Section 4(1)(f) of the Act.

3.2. What content should be included?

Processing by a data processor shall be governed by a written contract between the data processor and the data controller which sets out the following (Section 58(4) of the Act):

  • the subject-matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subjects; and
  • the obligations and rights of the data controller.

The contract prepared pursuant to Section 58(4) of the Act shall also stipulate that the data processor (Section 58(5) of the Act):

  • processes the personal data only on documented instructions from the data controller, including with regard to transfers of personal data to countries outside of Barbados or an international organisation, unless required to do so by any enactment and in such a case, the data processor shall inform the data controller of that legal requirement before processing, unless the enactment prohibits such information to be shared on important grounds of public interest;
  • ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • takes all measures required pursuant to Section 62 of the Act;
  • respects the conditions referred to in Sections 58(2) and (7) of the Act for engaging another data processor;
  • taking into account the nature of the processing, assists the data controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the data controller's obligation to respond to requests for exercising the data subject's rights under Part III of the Act;
  • assists the data controller in ensuring compliance with the obligations pursuant to Sections 62 to 66 of the Act, taking into account the nature of processing and the information available to the data processor;
  • on the determination of the data controller, deletes or returns all the personal data to the data controller after the end of the provision of services relating to processing, and deletes existing copies unless the enactment requires storage of the personal data; and
  • makes available to the data controller all information necessary to demonstrate compliance with the obligations set out in this section and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

The Act stipulates that the contract between a data controller and a data processor shall contain provisions requiring the data processor, taking into account the nature of the processing, to assist the data controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the data controller's obligation to respond to requests for exercising the data subject's rights under Part III of the Act (Section 58(5)(e) of the Act).

For further information see Barbados – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

A data processor and, where applicable, the data processor's representative is required to maintain a record of all categories of processing activities carried out on behalf of a data controller, which contains (Section 60(2) of the Act):

  • the name and contact details of the data processor or data processors and of each data controller on behalf of whom the data processor is acting, and, where applicable, of the data controller's or the data processor's representative, and the data privacy officer;
  • the categories of processing carried out on behalf of each data controller;
  • where applicable, transfers of personal data to another country or an international organisation, including the identification of that country or international organisation and, in the case of transfers referred to in Section 26 of the Act, the documentation of suitable safeguards; and
  • where possible, a general description of the technical and organisational security measures referred to in Section 62(1) of the Act.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Where the processing is to be carried out on behalf of a data controller, the data controller is required to only use a data processor who shall implement the appropriate technical and organisational measures to ensure that the processing will be in accordance with the requirements of the Act; and ensure the protection of the rights of the data subject (Section 58(1) of the Act).

Moreover, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the data controller and the data processor are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (Section 62(1) of the Act):

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In addition, in assessing the appropriate level of security, account shall be taken, in particular, of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed (Section 62(2) of the Act).

Furthermore, the data controller and data processor shall take steps to ensure that any individual acting under the authority of the data controller or the data processor who has access to personal data does not process the personal data except on instructions from the data controller, unless he is required to do so by any enactment (Section 62(3) of the Act).

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

The data processor is required to notify the data controller of any data breach, without undue delay, after becoming aware of a personal data breach (Section 63(3) of the Act).

For further information see Barbados – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

The data processor is restricted from engaging another data processor without prior specific or general written authorisation of the data controller (Section 58(2) of the Act).

In addition, where there is general written authorisation under Section 58(2) of the Act, the data processor shall inform the data controller of any intended changes concerning the addition or replacement of other data processors and the data controller shall be given the opportunity to object to such changes (Section 58(3) of the Act).

Where a data processor engages another data processor for carrying out specific processing activities on behalf of the data controller in accordance with Section 58(2) of the Act, the same obligations as set out in the contract between the data controller and the data processor, as referred to under Sections 58(5) and (6) of the Act, shall be imposed on that other data processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Act (Section 58(7) of the Act, see also section 3.2 above).

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

Data controllers and data processors are required to develop binding corporate rules which shall specify, among other things, the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question (Section 25(1)(b) of the Act).

In addition, a data processor is required to process the personal data only on documented instructions from the data controller, including with regard to transfers of personal data to countries outside of Barbados or an international organisation, unless required to do so by any enactment; in such a case, the data processor shall inform the data controller of that legal requirement before processing, unless the enactment prohibits such information from being shared on important grounds of public interest (Section 58(5)(a) of the Act).

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

Not Applicable.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

The data controller and the data processor are required to designate a data privacy officer in any case where (Section 67(1) of the Act):

  • the processing is carried out by a public authority or body, except for a court of competent jurisdiction acting in their judicial capacity;
  • the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal data.

For further information see Barbados – Data Protection Officer Appointment.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

Pursuant to Section 4(1)(f) of the Act, where the processing of the personal data is carried out by a data processor on behalf of a data controller, the data controller is required to take reasonable steps to ensure that the data processor has put in place technical and organisational security measures that govern the processing that is to be carried out (Section 4(8)(a) of the Act).

Moreover, the contract between the data controller and the data processor shall also stipulate that the data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations set out in Section 58 of the Act and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller (Section 58(5)(h) of the Act).


Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.