Cayman Islands: Update In Respect Of Data Protection In The Cayman Islands - July 2019

Last Updated: 5 July 2019
Article by Lucy Frew, Tony De Quintal, Colm Dawson, Andrew Howarth, Alice Molan and Sara Hall

Most Popular Article in Cayman Islands, July 2019

The Cayman Islands Data Protection Law, 2017 ("DPL"), which was expected to come into force in January 2019, will not come into force until September 2019. The Office of the Ombudsman has issued a Guide for Data Controllers which aims to explain how the Ombudsman will interpret certain provisions of the DPL. Businesses are therefore well-positioned to prepare.

Overview of the DPL

International financial sector businesses will find many similarities between the data protection law of the Cayman Islands and of other jurisdictions where they are active. The DPL requires a data controller to comply with eight data protection principles when processing personal data and to ensure that those principles are complied with in relation to personal data processed on the data controller's behalf. The DPL deals also with data security, data breaches and the rights of individual data subjects.

The DPL applies to personal data processed by "data controllers" and "data processors". Financial sector entities established in the Cayman Islands will generally be "data controllers", "data processors" or both. The DPL applies to processing carried out by data controllers established within the Cayman Islands. In certain cases, it applies to data controllers outside the Cayman Islands that process personal data within the Cayman Islands.

A "data controller" is the person which determines the purposes, conditions and manner in which any personal data are, or are to be, processed.

A "data processor" is any person which processes personal data on behalf of a data controller but does not include an employee of the data controller.

The term "personal data" means data relating to an identifiable living individual - referred to as a "data subject". The data subject does not need to be in the Cayman Islands.

The term "processing", in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on personal data.

Even those financial services businesses whose clients and counterparties are all entities will nevertheless process personal data. For example, an investment fund with an entity investor will typically process personal data of that investor's individual representatives, directors and beneficial owners.

Data controllers and data processors in practice

It is possible for the same entity to be a data controller for some purposes but a data processor for others. For example, in the context of providing typical services to clients, a service provider will often not be regarded as a "data controller" because the client entity, rather than the service provider, determines the purposes, conditions and means of the processing of personal data. However, the same service provider may be regarded as a data controller in other contexts, for example in its capacity as an employer or in complying with its own obligations.

A data controller which engages a data processor must ensure that the engagement is based on a written contract under which the data processor agrees to act only on instructions from the data controller, subject to certain exceptions, and to take appropriate measures to ensure the security of processing. In practice, data controllers will invariably wish to include a number of other important requirements to ensure that the data controller is in a position to comply with its own obligations.

Data controllers remain ultimately responsible when processing personal data. However, data processors which breach their contractual obligations may be liable for damages to the data controller.

The eight data protection principles

A data controller must comply with the following eight data protection principles, which are set out below and further expanded on in the DPL.

  1. Lawfulness, fairness and transparency - Personal data shall be processed fairly. In addition, personal data may be processed only if at least one of a number of conditions, discussed below, for lawful processing is met. Data subjects also have the right to be informed, as also discussed below.
  2. Purpose limitation - Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Data minimisation - Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
  4. Accuracy - Personal data shall be accurate and, where necessary, kept up to date.
  5. Storage limitation - Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
  6. Data subject rights - Personal data shall be processed in accordance with the rights of data subjects under the DPL.
  7. Integrity, confidentiality and security - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Cross-border transfer - Personal data shall not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Conditions for lawful processing of personal data

Personal data cannot be processed unless at least one of these conditions is met.

  1. Consent - The data subject has given consent to the processing. In order to be valid, consent needs to meet a number of tests. Moreover, it can be withdrawn at any time, which could be problematic as a financial sector business is unlikely to be able to cease processing instantly. Often a financial sector business of dealing with an entity client or counterpart and will not be in a position to obtain direct consent from underlying individuals.
  2. Contract - The processing is necessary for the performance of a contract to which the individual data subject is a party; or the taking of steps at the request of the data subject with a view to entering into a contract. This condition does not apply to processing of an individual's details who is not party to the contract.
  3. Legal obligation - The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract. The Ombudsman regards a "legal obligation" to refer to an obligation applicable under Cayman Islands law.
  4. Vital interests - The processing is necessary in order to protect the vital interests (generally understood to mean matters of life and death) of the data subject.
  5. Public functions - The processing is necessary for the exercise of public functions, namely the administration of justice; any functions conferred on any person by or under any enactment; any functions of the Crown or any public authority; or of any other functions of a public nature exercised in the public interest by any person.
  6. Legitimate interests - The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Cross-border transfer

Pursuant to the eighth data protection principle, personal data shall not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Financial sector businesses typically need to process personal data outside the Cayman Islands and therefore need to consider whether the other country in which data is processed ensures an adequate level of protection.

Countries regarded as ensuring an adequate level of protection

Member states of the EU (namely Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom) and European Economic Area (meaning the EU member states plus Lichtenstein, Norway, and Iceland) where the EU General Data Protection Regulation ("GDPR") is implemented are regarded as ensuring an adequate level of protection.

Also, any European Commission finding that a country outside the EU does, or does not, have "adequate protection" will be determinative for the Cayman Islands. At the time of writing, the European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection. By implementing the DPL, the Cayman Islands is beginning the process towards achieving a positive determination.

Other countries may be assessed as ensuring an adequate level of protection

A data controller may consider other countries to have an adequate level of protection. The DPL specifies a number of criteria ("Country Criteria") to which a data controller must have regard in determining whether the level of protection in a country is adequate including, but not limited to, the law in force in that country, the international obligations of that country and any security measures taken in respect of the data in that country. As the data controller will be held accountable for its decision, and in order to obtain certainty, the data controller may wish to request a specific authorisation for the transfer from the Ombudsman as discussed below.

Transfers to which the prohibition of cross-border transfer does not apply

The DPL sets out certain transfers to which the prohibition of cross-border transfer of personal data under the eighth data protection principle does not apply as set out below.

  1. Consent - The data subject has consented to the transfer. The comments in relation to consent as a possible lawful basis of processing apply equally to cross-border transfer.
  2. Contract performance - The transfer is necessary for the performance of a contract between the data subject and the data controller or the taking of steps at the request of the data subject with a view to the data subject's entering into a contract with the data controller.
  3. Contract conclusion - The transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject; or the performance of such a contract.
  4. Public interest - The transfer is necessary for reasons of substantial public interest.
  5. Legal claim - The transfer is necessary for the purpose of, or in connection with, any legal proceedings, for the purpose of obtaining legal advice; or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
  6. Vital interests - The transfer is necessary in order to protect the vital interests of the data subject.
  7. Public register - The transfer is part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by a person to whom the data are or may be disclosed after the transfer.
  8. Approved terms - The transfer is made on terms of a kind approved by the Ombudsman as ensuring adequate safeguards for the rights and freedoms of data subjects.
  9. Authorised transfer - The transfer has been authorised by the Ombudsman as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
  10. International cooperation arrangements - The transfer is required under international cooperation arrangements between intelligence agencies to combat organised crime, terrorism or drug trafficking.

The "Consent", "Contract performance" and "Contract conclusion" transfer scenarios above are subject to the same caveats as discussed above in relation to "Consent" and "Contract" for lawful processing of personal data.

The Ombudsman has approved the following "Approved terms" as ensuring adequate safeguards:

  • agreements incorporating standard contractual clauses to be published by the Ombudsman; or
  • agreements which replicate the rights and obligations contained in the EU "standard contractual clauses" pursuant to the GDPR (albeit appropriately amended to reflect that cross-references to provisions of EU data protection law need to be replaced with cross-references to corresponding provisions of the DPL).

For the purposes of "Authorised transfer", the Commissioner will take into account the Country Criteria.

Rights of data subjects

The DPL sets out a number of rights of individual data subjects which are, in brief summary, as follows.

  • Individuals have the right to access their own personal data and receive information about its use. To do so, individuals must make a subject access request ("SAR") in writing. A data controller has thirty days to respond to a request and cannot impose a fee to deal with a request except in exceptional circumstances. There are some limited exemptions to this right to access. Generally, however, data controllers should be prepared for the possibility that data may need to be disclosed. We have experience of SARs being used by disgruntled clients in a financial services context in other jurisdictions.
  • Individuals have a right to have inaccurate personal data rectified, blocked, erased or destroyed.
  • The DPL introduces a right for individuals to demand that processing cease. However, this right is not absolute.
  • The DPL introduces an absolute right for individuals to demand that direct marketing cease or not begin. Direct marketing is defined as the communication, by whatever means, of any advertising, marketing, promotional or similar material, that is directed to particular individuals.
  • Where a decision is made solely by automated means (without human involvement), an individual has the right to require that it be reconsidered on a different basis.
  • An individual has the right to complain to the Ombudsman about any perceived violation of the DPL, and to seek compensation for damages in the courts.

Data subjects also have the right to be informed, as discussed further below.

Data privacy notice

Personal data shall not be treated as processed fairly unless the data subject has, as soon as reasonably practicable, been provided with, at a minimum, the identity of the data controller and the purpose for which the data are to be processed. However, information on certain additional points should be provided in the privacy notice as a matter of good practice and may be required on grounds of fairness, as well as reducing the likelihood of SARs.

The Ombudsman's expectation is that privacy information will be provided in the form of a privacy notice. Privacy information must be provided to individuals "as soon as reasonably practicable", which in practice means at the time personal data is gathered. For example, an investment fund will typically include the privacy notice within its subscription agreement or equivalent.

Data security, integrity and confidentiality

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Compliance with the DPL overlaps to a significant degree with businesses' cybersecurity measures. However, there are different aspects to this principle, including:

  • organisational measures, such as staff training and policy development;
  • technical measures, such as physical protection of data, pseudonymisation and encryption; and
  • securing ongoing availability, integrity and accessibility, for example by ensuring backups.

In circumstances where a data processor is involved, the data controller will invariably wish to take certain steps and include certain provisions within the contract to ensure compliance.

Personal data breaches

A data controller must notify the Ombudsman and the affected data subject(s) of a personal data breach without undue delay (but no longer than five days after the data controller should, with the exercise of reasonable diligence, have been aware of that breach). The notification should include specified information including but not limited to a description of the nature and consequences of the breach, the measures proposed or taken by the data controller to address it and the measures recommended to mitigate the possible adverse effects of the breach.

A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or, access to, personal data transmitted, stored or otherwise processed.

It is important to have a plan dealing with how a breach would be identified and handled in practice and have robust breach detection, investigation and internal reporting procedures in place. No business will wish to only be considering these matters for the first time when a breach actually occurs.

Internal data protection policy

Although there is no specific requirement under the DPL for a data controller to have an internal data protection policy, the Ombudsman's view is that having documented policies and processes in place will be very helpful when a data subject exercises his or her rights, when a data breach occurs, or the event of an investigation by the Ombudsman.


The DPL contains a number of partial exemptions in relation to the following, all of which are expanded on in the DPL and Guide:

  • National security
  • Crime prevention and prosecution
  • Government fees and duties
  • Health, education or social work
  • Monitoring, inspection or regulatory function
  • Journalism, literature or art
  • Research, history or statistics
  • Information available to public by or under enactments
  • Disclosures required by law or made in connection with legal proceedings
  • Personal, family or household affairs
  • Honours
  • Corporate finance
  • Negotiations
  • Legal professional privilege
  • Trusts
  • Exemptions by regulations

However, the exemptions are only very limited exemptions from the DPL. Thus, even if an exemption applies, personal data is exempt only from a narrow subset of the overall provisions. The majority of the requirements in the DPL continue to apply.


The DPL provides a detailed framework for complaints to the Ombudsman and the Ombudsman's power to investigate and make information orders, enforcement orders and monetary penalty orders. The DPL also provides for a number of offences and fines. Where an offence under the DPL has been committed by an entity, a director, member, secretary or similar officer of that entity may also be regarded as having committed that offence.

Practical measures

Cayman Islands entities may wish to consider the following steps:

  • Consider whether, and in what circumstances, the business will be considered a data controller or data processor under the DPL and the extent of any exemptions that may apply.
  • Conduct an analysis of how and when personal data is currently processed.
  • Consider what lawful basis of processing can be used for the processing of personal data.
  • Consider what "adequate safeguards" can be relied upon if data is processed outside the Cayman Islands
  • To the extent necessary, prepare, review and update documents (for example, client agreements, agreements with service providers, offering and transactional documents, employment contracts,).
  • Prepare a privacy notice.
  • Prepare or update an internal data protection policy.
  • Establish and maintain a plan to deal with a potential data breach.
  • Ensure procedures are in place to allow staff to recognise and promptly respond to a subject access request and react to a data breach.
  • Train relevant staff.

Next steps

This advisory provides an overview of the DPL. In addition to the DPL itself it is necessary to consider the potential extra-territorial effect of the EU Global Data Protection Regulation. The application of data protection requirements will need to be considered on a case by-case basis. Walkers' Regulatory & Risk Advisory practice group comprises a team of dedicated specialist lawyers who will be happy to advise on all aspects of data protection requirements, as well as reviewing and preparing privacy notices, data protection policies and agreements with processors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions