
Cayman Islands: An overview of Vendor Privacy Contracts

September 2021

1. Governing Texts

1.1. Legislation

1.2. Regulatory authority guidance

The Office of the Ombudsman ('the Ombudsman') has issued the following guidance:

1.3. Regulatory authority templates

The Ombudsman has not issued any templates for vendor contracts.

2. Definitions

Data controller: The person who alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be, processed. This includes the local representative nominated by a data controller that is not established in the Cayman Islands but that processes personal data in the Cayman Islands other than for the purposes of transit of the data through the Islands (Section 2 of the Act).

Data processor: Any person who processes personal data on behalf of a data controller. For the avoidance of doubt, this does not include an employee of the data controller (Section 2 of the Act).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Schedule 1, Part 2(3) of the Act provides that, where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller will not be regarded as complying with the seventh principle under Schedule 1 of the Act unless the processing is carried out under a contract:

  • that is made or evidenced in writing;
  • under which the data processor is to act only on instructions from the data controller; and
  • that requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

In this respect, the seventh principle under Schedule 1 of the Act requires that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

3.2. What content should be included?

The Data Controller Guide (see pages 200-204) outlines that contracts must include the following mandatory terms:

  • the data processor must only act on the written instructions of the data controller (unless required by law to act without such instructions); and
  • the data processor must take appropriate measures to ensure the security of processing.

The Data Controller Guide also notes that where the data processor has a limited need to use personal data for its own purposes, for example where the processor is complying with legal/regulatory requirements, this should be noted as an exception to the general rule that the data processor should only act on the data controller's instruction. 

Moreover, the Data Controller Guide recommends that contracts also include the following terms:

  • the data processor must ensure that people processing the data are subject to a duty of confidence;
  • the data processor must only engage a subprocessor with the prior consent of the data controller and a written contract;
  • the data processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the Act;
  • the data processor must assist the data controller in meeting its obligations under the Act in relation to the security of processing, the notification of personal data breaches, and Data Protection Impact Assessments ('DPIA');
  • the data processor must delete or return all personal data to the controller as requested at the end of the contract; and
  • the data processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their legal obligations, and tell the controller immediately if it is asked to do something infringing the Act.

In addition, the Data Controller Guide notes that it is good practice for such contracts to include the following information:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject; and
  • the obligations and rights of the data controller.

The Data Controller Guide suggests that, 'to the extent a service provider which primarily acts as a data processor has a limited need to act as a data controller in its own right, it is best practice to state this in the contract' (page 23 of the Data Controller Guide).

The Data Controller Guide also outlines that the requirements under the Act are also found in EU law, and that an EU-compliant data processing agreement will therefore also be compliant under the Act.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

Data processors process personal data on behalf of a data controller and must only act on the written instructions of the data controller. The data controller is required to comply with the data protection principles outlined in Schedule 1 of the Act, and must also ensure that those principles are complied with in relation to the personal data processed on its behalf by the processor (Section 5(4) of the Act). Accordingly, processors are required to assist with the handling of data subject rights (see also section 3.2. above, and the Data Controller Guide).

For further information see Cayman Islands – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

The Act does not specify requirements for data controllers or data processors to keep records of processing activities, and instead sets out general provisions for providing information to the Ombudsman (see Sections 15, 49, and 60 of the Act). 

However, the Data Controller Guide states that data processors must document their processing activities (page 203 of the Data Controller Guide).

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

As outlined in section 3.2. above, data processors must take appropriate measures to ensure the security of processing, and must assist the data controller in meeting its obligations under the Act in relation to the security of processing. In addition, the data processor must comply with the seventh data protection principle under Schedule 1 of the Act, by ensuring that equivalent obligations as those imposed on the data controller are observed (the Data Controller Guide).

In this respect, the seventh data protection principle under Schedule 1 of the Act outlines that appropriate technical and organisational measures must be taken. No further detail on the implementation of security measures is provided within the provisions of the Act.

However, the Data Controller Guide provides an overview of security expectations including technical and organisational measures (see pages 63-75 of the Data Controller Guide). Furthermore, the Data Controller Guide highlights the importance of selecting data processors that provide sufficient guarantees regarding their security measures and emphasises the potential for including security requirements in contracts with data processors (see pages 69-70 of the Data Controller Guide).

The Act also provides for exceptions, and notes that personal data are exempt from any of the provisions of the data protection principles under Schedule 1 of the Act, and Parts 2, 3, and 6 of Schedule 1 of the Act, if the exemption from any or all of the provisions is required for the purpose of safeguarding national security (Section 18(1) of the Act).

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

The Act does not provide for data processor notification requirements for data breaches. However, the Data Controller Guide notes that if a data processor is used, the requirements on breach reporting should be detailed in the contract between the data controller and the data processor (page 170 of the Data Controller Guide). Moreover, the Data Controller Guide states that data processors are directly responsible for notifying any personal data breaches to the data controller without delay (see page 203 of the Data Controller Guide).

For further information see Cayman Islands – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

The Act does not establish provisions regulating subprocessors. However, the Data Controller Guide provides that data processors must only engage a subprocessor with the prior consent of the data controller and a written contract (pages 200-203 of the Data Controller Guide). Moreover, the Data Controller Guide notes that if a data processor uses a subprocessor then the data processor will, as the original processor, remain directly liable to the data controller for the performance of the subprocessor's obligations (page 204 of the Data Controller Guide).

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

The Act does not contain specific provisions regulating data transfer requirements and restrictions with respect to data processors. However, the Data Controller Guide briefly notes that contractual measures between the data controller and data processor may overlap with the data controller's obligations under the eighth data protection principle under Schedule 1 of the Act (page 202 of the Data Controller Guide). The eighth data protection principle in Schedule 1 of the Act stipulates that, '[p]ersonal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data'.

The data processor's obligation to assist the data controller in meeting its obligations under the Act in relation to, among other things, the security of processing (page 203 of the Data Controller Guide, see also section 3.2. above), would also include compliance with the eighth data protection principle.

For further information with respect to data transfer requirements, see Cayman Islands – Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

The Act does not expressly provide for an obligation on data processors to assist a data controller with regulatory investigations. However, Section 44(1) of the Act provides that the Ombudsman may require any person to provide such information as the Ombudsman may reasonably consider appropriate for the purpose of carrying out the Ombudsman's functions under the Act, including any information with respect to which an exemption is claimed.

The Data Controller Guide notes that data processors may be subject to the investigative and corrective powers of the Ombudsman under Part 6 of the Act (page 201 of the Data Controller Guide). Moreover, the Data Controller Guide recommends that contracts between the controller and processor include provisions requiring the processor to, among other things, submit to audits and inspections, and to provide the controller with whatever information is necessary to ensure compliance with the obligations under the Act (page 203 of the Data Controller Guide). Finally, the Data Controller Guide notes that data processors must cooperate with the Ombudsman (page 203 of the Data Controller Guide).

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

The Act and the Data Controller Guide do not set out provisions regulating or referring to a data processor's obligation to appoint a data protection officer or representative.

For further information see Cayman Islands – Data Protection Officer Appointment.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

The Act provides that the data controller must ensure that the data protection principles are complied with in relation to the personal data that are processed on the data controller's behalf (Section 5(4) of the Act). In addition, if a data processor is processing personal data on behalf of the data controller and is acting on a written contract and under the instructions of the data controller, the controller is responsible for the activities of the processor (Schedule 1, Part 2(3) of the Act). 

Moreover, the Data Controller Guide highlights that data controllers remain responsible for compliance with the Act even if the processing of personal data is delegated, and the contract between the controller and processor will detail the specific rights and obligations of the data controller (page 200 of the Data Controller Guide). The Data Controller Guide also recommends that contracts between the controller and processor include provisions requiring the processor to, among other things, submit to audits and inspections (page 203 of the Data Controller Guide).
Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.