Mourant Ozannes (Cayman) LLP
What law(s) specifically govern personal data / information?
The Data Protection Act (2021 Revision) of the Cayman Islands (the DPA).
What are the key data protection principles in this jurisdiction?:
- Personal data shall be processed fairly.
- Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
- Personal data shall be accurate and, where necessary, kept up-to-date.
- Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
- Personal data shall be processed in accordance with the rights of data subjects under the DPA.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
What is the supervisory authority / regulator in charge of data protection?
The Office of the Ombudsman (Ombudsman ).
Is there a requirement to register with a supervisory authority / regulator?
No.
Is there a requirement to notify the supervisory authority / regulator?
No.
Is it possible to register with / notify the supervisory authority / regulator online?
No.
What are the key data subject rights under the data protection laws of this jurisdiction?
The right to be informed. A data subject has a right to be informed who the data controller is and the purposes for processing their personal data. This information must be provided to data subjects "as soon as reasonably practicable", which generally means at the time the personal data is collected.
The right of access. A data subject is entitled to be informed by a data controller, upon giving the relevant data controller a written request and payment of any applicable fee, whether their personal data is being processed by or on behalf of that data controller and, if that is the case, to be provided with a copy of their personal data and other supplementary information, including:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or classes of recipients to whom the data may be disclosed;
- the countries or territories to which the data may be transferred; and
- the general measures taken by the data controller to ensure the security of the personal data.
The right to rectification. A data subject may complain to the Ombudsman, who may issue an order to rectify, block, erase or destroy personal data that is inaccurate.
The right to stop / restrict processing. A data subject may, by notice in writing to a data controller, require the data controller to cease processing, or to not begin processing, or to cease processing for a specified purpose or in a specified manner, the data subject's personal data. This right is not absolute and does not apply in some circumstances.
The right to stop direct marketing. A data subject may, by notice in writing to a data controller, require the data controller to cease processing, or not begin processing, personal data relating to the data subject for the purposes of direct marketing.
Rights in relation to automated decision makingA data subject may, by notice in writing to a data controller, require that a decision which affects them significantly is not solely based on processing of personal data by automatic means.
The right to seek compensation. A person who suffers damage by reason of a contravention of the DPA by a data controller may seek compensation in the courts.
The right to complain. A complaint may be made to the Ombudsman by or on behalf of any person about the processing of personal data in violation of the DPA. On receiving the compliant, the Ombudsman may conduct an investigation.
Is there a requirement to appoint a data protection officer (or equivalent)?
No.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
No. However, it is best practice to conduct an impact assessment in certain circumstances, such as before starting any new automated decision-making, or if personal data is bought from another organisation or is obtained from publicly accessible sources and it is not possible to provide privacy information to individuals.
Does this jurisdiction have any specific data breach notification requirements?
Yes. A data controller must report a personal data breach to the Ombudsman and the individual(s) whose data was breached, unless the breach is unlikely to prejudice their rights and freedoms. The report must be made without undue delay, but no longer than 5 days after the data controller should, with the exercise of reasonable diligence, have been aware of the breach.
What restrictions apply to the international transfer of personal data / information?
The eighth data protection principle under the DPA imposes restrictions on the transfer of personal data to countries or territories which do not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Ombudsman considers that the following countries and territories ensure an adequate level of protection for the purposes of the eighth data protection principle:
- Member States of the European Economic Area (that is, the European Union plus Lichtenstein, Norway, and Iceland) where Regulation (EU) 2016/679 (the GDPR ) is applicable; and
- any country or territory in respect of which an adequacy decision has been adopted by the European Commission pursuant to Article 45(3) GDPR or remains in force pursuant to Article 45(9) GDPR.
A country and territory may still be deemed to have adequate protection depending on certain factors including:
- the nature of the personal data;
- the country/territory of origin of the information contained in the data;
- the country/territory of final destination of that information;
- the purposes for and period in which the data is intended to be processed;
- the laws and international obligations of, and the codes of conduct or other rules enforceable in, the country or territory in question; and
- any security measures taken in respect of the data in that country or territory.
The DPA provides exemptions from the general prohibition on transfers of personal data outside the countries specified above in certain circumstance including, among others, where the transfer is:
- made with the individual's consent;
- necessary for the performance of a contract between the individual and the organisation;
- necessary for the performance of a contract made in the interests of the individual between the controller and another person;
- necessary for important reasons of substantial public interest;
- necessary to protect the vital interests of the data subject;
- required under international cooperation arrangements between intelligence and regulatory agencies, if permitted or required under an enactment or an order issued by the Grand Court of the Cayman Islands; or
- authorised by the Ombudsman as ensuring adequate safeguards for the individual(s).
In addition, the Ombudsman will approve the following terms as ensuring adequate safeguards (a) data transfer agreements based on standard contractual clauses that may be published by the Ombudsman; or (b) data transfer agreements which replicate the rights and obligations contained in the EU 'standard contractual clauses' pursuant to Article 46 paras (2)(c), (2)(d), or (5) GDPR.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, to a limited extent. The DPA applies to data controllers not established in the Cayman Islands where the personal data is processed in the Cayman Islands otherwise than for the purposes of transit of the data through the Cayman Islands.
What rules specifically deal with marketing?
A data subject may, by notice in writing to a data controller, require the data controller to cease processing, or to not begin processing, personal data relating to the data subject for the purposes of direct marketing.
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Not applicable.
What rules specifically deal with cookies?
Not applicable.
What are the consequences of non compliance with data protections laws (including marketing laws)?
The penalty for an offence under the DPA is generally US$12,195 on summary conviction or US$24,390 on conviction on indictment.
The DPA also specifies different penalties for certain offences, including among others:
- Failure to report a personal data breach as required by the DPA – fine of US$121,951 on conviction.
- Failure to comply with an information request from the Ombudsman made for the purpose of carrying out the Ombudsman's functions under the DPA, or intentionally altering, suppressing or destroying information required to be produced to the Ombudsman – fine of US$121,951 and/or five years' imprisonment on conviction.
- Knowingly or recklessly and without the consent of the data controller obtaining, disclosing or procuring the disclosure of personal data (subject to narrow exceptions) – fine of US$121,951 and/or five years' imprisonment on conviction.
For a serious contravention of the DPA, where the contravention was likely to cause substantial damage or distress to the data subject, the data controller may be subject to a monetary penalty in an amount determined by the Ombudsman. A monetary penalty must not exceed US$304,878.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Where a data controller is not established in the Cayman Islands but the personal data is processed in the Cayman Islands otherwise than for the purposes of transit of the data through the Cayman Islands, the data controller must appoint a local representative established in the Cayman Islands who shall, for all purposes within the Cayman Islands, be the data controller and, bear all obligations under the DPA as if the representative were the data controller.
What upcoming data protection developments should multinational organisations be aware of?
No.