Mourant Ozannes


The following law(s) specifically govern personal data / information:

The Data Protection Act, 2021 (DPA) came into force on 9 July 2021.


The key data protection principles in this jurisdiction are:

    1. General principle

       The general principle of the DPA provides that a data controller shall not:

       • process personal data (other than sensitive personal data) without the express consent of the data subject; or
       • transfer personal data outside of the BVI without proof of adequate data protection safeguards or consent from the data subject.

       Notwithstanding the above, processing will be permitted if:

       • it is for a lawful purpose directly related to an activity of the data controller;
       • it is necessary for, or directly related to, that purpose; and
       • the personal data is adequate but not excessive in relation to that purpose.

       The lawful purposes for which processing of personal data will be permitted include where it is necessary:

       • for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract;
       • for compliance with any legal obligation to which the data controller is subject (other than one imposed by a contract);
       • to protect the vital interests of the data subject;
       • for the administration of justice; or
       • for the exercise of any functions conferred on a person by law.

       Note that the lawful purposes above do not include the 'legitimate interests' basis contained in the GDPR.

    2. Notice and choice principle

       Data controllers must inform a data subject of:

       • the purposes for processing;
       • information as to the source of the personal data;
       • the rights to request access to and correction of personal data;
       • how to contact the data controller with any inquiries or complaints;
       • the class of third parties to whom the personal data will be disclosed; and
       • whether the data subject is obliged to supply the personal data and, if so, the consequences of non-compliance.

    3. Disclosure principle

       No personal data shall be disclosed without the consent of the data subject for any purpose other than the purpose for which the personal data was to be disclosed at the time of collection (or a directly related purpose), or to any party other than a third party of the class of third parties specified above.

    4. Security principle

       Data controllers must take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, having regard to:

       • the nature of the personal data and the harm that would result from its compromise;
       • the place or location where the personal data is stored;
       • any security measures incorporated into any storage equipment;
       • the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
       • the measures taken for ensuring the secure transfer of the personal data.

    5. Retention principle

       Personal data shall not be kept longer than is necessary for the fulfilment of the purpose for processing, and data controllers must take all reasonable steps to ensure that personal data is destroyed or permanently deleted once it is no longer required for the purpose for which it was to be processed.

    6. Data integrity principle

       A data controller shall take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date.

    7. Access principle

       Data subjects shall be given access to their personal data and be able to request corrections where the personal data is inaccurate, incomplete, misleading or not up to date.


The supervisory authority / regulator in charge of data protection is:

The DPA establishes the Office of the Information Commissioner as the supervising authority in the BVI. However, as at 24 August 2021, no Information Commissioner has yet been appointed.


Is there a requirement to register with a supervisory authority / regulator?

No.


Is there a requirement to notify the supervisory authority / regulator?

No.


Is it possible to register with / notify the supervisory authority / regulator online?

N/A.


The key data subject rights under the data protection laws of this jurisdiction are:

A data subject may make a written request to the data controller under the following rights:

  • to be informed of processing and be given a description of the data and purposes for processing within 30 days of such request (the right of access);
  • for the data controller to rectify any data which is incomplete, incorrect, misleading, excessive or which is not relevant to the purpose for which it is held (the right to apply for rectification); and
  • that the data controller stop or not begin processing for the purposes of direct marketing (the right to prevent processing for direct marketing).


Is there a requirement to appoint a data protection officer (or equivalent)?

No.


Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

No. However, it is best practice to conduct an impact assessment in certain circumstances, such as before starting any new automated decision-making, or where personal data is bought from another organisation or obtained from publicly accessible sources and it is not possible to provide privacy information to the individuals concerned.


Does this jurisdiction have any specific data breach notification requirements?

The DPA does not contain any specific notification requirements in relation to data breaches. However, as this is a new regime, such requirements may be forthcoming in the form of regulations or guidance in due course.


Does your jurisdiction specifically restrict the transfer of personal data out of the jurisdiction? If so, please provide an overview of the restrictions and what transfer tools / mechanisms can be utilised to allow a lawful transfer of personal data.


Under the general principle of the DPA, a data controller may not transfer personal data outside of the BVI without proof of adequate data protection safeguards or consent from the data subject.

Such a transfer, like any other processing, will be permitted if:

  • it is for a lawful purpose directly related to an activity of the data controller;
  • it is necessary for, or directly related to, that purpose; and
  • the personal data is adequate but not excessive in relation to that purpose.


Do the data protection laws of your jurisdiction have “extra-territorial effect” on organisations outside your jurisdiction? If so, please describe.

Yes, to a limited extent. The DPA applies to data controllers not established in the BVI that use equipment in the BVI for processing personal data, otherwise than for the purpose of transit of data through the BVI.


Does your jurisdiction have any rules specifically dealing with marketing?

Yes. A data subject may, by notice in writing to a data controller, require the data controller to stop, or not to begin, processing personal data for the purposes of direct marketing.


Do different rules apply to business-to-business and business-to-consumer marketing?

No.


Does your jurisdiction have any rules specifically dealing with electronic marketing (for example, by email, text, WhatsApp message, online ads etc)?

There are no specific rules dealing with electronic marketing. However, best practice would be for the sender/poster to state the types of data it stores and processes and to whom, and for what purpose, such data may be transferred.


Does your jurisdiction have any rules specifically dealing with cookies? If so, please provide further details (for example, is there a need to differentiate between the types of cookies used).

There are no specific rules dealing with cookies. However, best practice would be for website operators to state the types of data the cookies store and to whom, and for what purpose, such data may be transferred.


What are the consequences of non-compliance with data protection laws (including marketing laws) within your jurisdiction? Please provide an overview of the level of fines that may be imposed by a supervisory authority/regulator.

The Information Commissioner will have various enforcement powers available to it, such as issuing information notices and enforcement notices and requesting that a Magistrate issue a search warrant.

Offences by bodies corporate under the DPA will give rise to liability on summary conviction to a fine of US$250,000 or on indictment to a fine of US$500,000. The directors and officers of a body corporate may also be held liable if the offence was committed with their consent or connivance, or was attributable to their neglect.


In broad terms, are there any factors unique to your jurisdiction that you would advise a multinational to consider if it is processing personal data from individuals within your jurisdiction, without being located there?

Yes. Where a data controller is not established in the BVI but uses equipment in the BVI for processing personal data, otherwise than for the purpose of transit of data through the BVI, the data controller


Are there any upcoming data protection developments that a multinational organisation should be aware of?

As the BVI data protection regime is newly established, the Information Commissioner has yet to be appointed (as at 24 August 2021). We anticipate that further guidance on the DPA will be issued by the Office of the Information Commissioner in due course.

Contact a member firm:
Sara Galletly
Mourant Ozannes
British Virgin Islands


Ian Montgomery
Mourant Ozannes
British Virgin Islands