Seon & Associates

 

What law(s) specifically govern personal data / information?

Data Protection Act No. 1 of 2023

(enacted but not yet in effect)

The rationale and overarching objective of this Act is to promote the protection of personal data processed by public and private bodies, to provide for the establishment of the Information Commission, and to provide for related matters.

 

What are the key data protection principles in this jurisdiction?

General Principle – with certain exceptions, a data user shall not process personal data about a data subject unless the data subject has given his or her consent to the processing of the personal data, and shall not process sensitive personal data about a data subject. The data user may, inter alia, process personal data about the data subject if the processing is necessary, for example, to perform a contract to which the data subject is a party, or to take steps at the request of the data subject with a view to entering into a contract.

The general principle also contemplates that the company or organization is expected to collect only the minimum amount of personal information necessary for a lawful purpose. Unnecessary or excessive data collection is discouraged, and personal data should only be processed for the purpose for which it was collected. The company or organization must clearly communicate the intended uses to customers, and the company or organization is obligated to maintain accurate and up-to-date personal data.

Notice and Choice Principle – in practical terms, this requires the company or organization, upon request by the customer, to inform the customer of its data protection practices: for example, what personal data is being collected, how it will be used, the source of that data, who it will be shared with, the customer’s right to request access to and rectification of personal data, whether it is obligatory or voluntary for the customer to supply the data, and any other relevant details as to its data collection. The choice component of this principle in effect offers customers the option to consent to, or opt out of, the collection, use and sharing of their data for different purposes.

Disclosure Principle – requires customer consent to disclosures of personal data, and requires such disclosures to be specific and detailed, including information about any third parties with whom the data is shared and the purpose for which it was shared.

Security Principle – the key implication of this principle is that the company or organization will have to adopt and implement security measures to protect personal data against unauthorized or accidental access or disclosure, alteration or destruction. It requires the company or organization to provide sufficient guarantees in respect of those measures and to take reasonable steps to ensure its compliance. It therefore means that the company or organization has an obligation to regularly assess the effectiveness of its security measures through, for example, risk assessments, security audits, penetration testing and other methods, notwithstanding that the Act requires a review and assessment of its procedures only every five years.

Retention Principle – this requires that the data processed by the company or organization should not be kept for longer than is necessary for fulfilling the purpose for which it was collected and that the company or organization must take all reasonable steps to ensure that the personal data is destroyed or permanently deleted, if it is no longer required for the purpose for which it was to be processed.

Data Integrity Principle – the company or organization is to take all reasonable steps to ensure that the personal data is accurate, complete and up to date having regard to the purpose for which the personal data was collected and processed. It places an obligation on the company or organization to maintain the quality and accuracy of personal data throughout its life cycle.

Access Principle – the key obligation of this principle is that customers have the right to access their own personal data, as well as the right (subject to certain exceptions under the Act) to request corrections to their personal data where it is inaccurate, incomplete, misleading or outdated. Upon a request made by a person for access to personal data, the company or organization has 30 calendar days to give written notice as to whether access will be granted and, if access is granted, must give the requesting person access to the personal data, or the relevant part of it, within 60 days.

 

What is the supervisory authority / regulator in charge of data protection?

The Information Commission

Generally, the Information Commission will be established to monitor compliance, advise organizations, and handle complaints.

 

Is there a requirement to register with a supervisory authority / regulator?

No

 

Is there a requirement to notify the supervisory authority / regulator?

No

 

Is it possible to register with / notify the supervisory authority / regulator online?

No

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Right of access to personal data

Right of access to data in an alternative format for persons with sensory disability

Right to rectification of personal data

Right to object to processing of personal data

Right to update personal data

Right to consent

Right to withdraw consent

Right to complain to the Information Commission

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No

 

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

No

 

Does this jurisdiction have any specific data breach notification requirements?

No

 

What restrictions apply to the international transfer of personal data / information?

Although the transfer and processing of sensitive data of a data subject are restricted in general, there are no provisions which specifically address the international transfer of personal data/information.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The Act is silent as to its territorial scope. However, the provision quoted below may extend to parties outside of Grenada, although this will be subject to interpretation by a Court in Grenada:

The Act applies to persons “who process or have control over or authorizes the processing of any personal data in respect of commercial transactions in Grenada”.

 

What rules specifically deal with marketing?

None

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.)?

None

 

What rules specifically deal with cookies?

None

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The Information Commission has various enforcement powers with respect to non-compliance such as notices of investigation, information notices, and enforcement notices.

Warrants may be issued by a Magistrate authorising an authorised officer of the Commission to enter and search any premises and to seize any documents on such premises.

Under the Act, offences may be committed by persons or bodies corporate.

In the case of a person, the person is liable upon:

  • (a) summary conviction, to a fine not exceeding fifty thousand Eastern Caribbean Dollars (EC$50,000.00) or to imprisonment for a term not exceeding three years; and
  • (b) conviction on indictment, to a fine not exceeding one hundred thousand Eastern Caribbean Dollars (EC$100,000.00) or to imprisonment for a term not exceeding five years or to both.

In the case of a body corporate, the body corporate is liable upon:

  • (a) summary conviction, to a fine not exceeding two hundred and fifty thousand Eastern Caribbean Dollars (EC$250,000.00); and
  • (b) conviction on indictment, to a fine not exceeding five hundred thousand Eastern Caribbean Dollars (EC$500,000.00).

Where a body corporate is held liable, any officer, director or agent of the corporation who directed, authorised, assented to, or participated in the commission of the offence is a party to and commits the offence, and is liable to the punishment provided for the offence.

There is a right of appeal to the High Court against any enforcement notice, information notice, or decision of the Information Commission.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

Multinational organisations should be guided by the same Principles (as mentioned above) when processing personal data/information from persons within Grenada.

 

What upcoming data protection developments should multinational organisations be aware of?

There are none of which we are aware.

The Data Protection Act is not yet in force.

 

Need more information?
Contact a member firm:
Sephorah Khan
Seon & Associates
Grenada