Cayman Islands: Cayman Islands Data Protection Law – Obligations For Cayman Islands Businesses

Last Updated: 11 October 2019
Article by Jonathan Fitzgibbons and Susan Lock

The Cayman Islands Data Protection Law is in force as of 30 September 2019. This article provides a summary of the main provisions of the Data Protection Law and highlights some important obligations and compliance steps.

The Cayman Islands Data Protection Law 2017 is in force as of 30 September 2019. The Data Protection Law is one of a number of new regulations in the Cayman Islands and, as a result, it is likely that many businesses are not yet fully compliant. This article is intended to provide a summary of the main provisions of the Data Protection Law and highlight some important obligations and compliance steps. It is not intended as legal advice. Please contact Bedell Cristin if you would like specific advice on how the Data Protection Law applies to your business.

RATIONALE AND SUMMARY OF THE LAW

The Data Protection Law regulates the future processing of all personal data in the Cayman Islands. Drafted around internationally recognised privacy principles, it enshrines a framework of rights designed to give individuals greater control over their personal data. The Data Protection Law sets out certain duties for those holding personal data and, together with the Confidential Information Disclosure Law and certain legal rights, gives the Cayman Islands the most comprehensive data protection regime in the region.

The Data Protection Law applies to 'personal data' of a 'data subject' that is 'processed' by 'data controllers' or 'data processors'. The definitions are broad, so it is extremely likely that a business will fall within the parameters of the data protection framework. Should you fall within the framework you must comply with the eight data protection principles, the detail of which is below. Very broadly, as a Cayman Islands entity, should you fall within the definition of 'data controller' or 'data processor' you should be looking to undertake the seven compliance steps, again, the detail of which is below.

The distinction between 'data controller' and 'data processor' is an important one and therefore should be analysed on an individual basis. All 'data controllers' are required to comply with the data protection principles relating to the personal data that the 'data controller' processes. 'Data controllers' are also required to ensure that third parties comply with the data protection principles should such third parties process the personal data on the 'data controller's' behalf.

The Cayman Islands supervising authority is the Office of the Ombudsman. The Ombudsman's website contains guidance and useful compliance resources.

REQUIREMENTS OF THE LAW

The Data Protection Law will apply to any legal or natural person that processes[1] "Personal Data". Personal Data is defined in the Data Protection Law as any "data relating to a living individual who can be identified" (referred to in the Data Protection Law as "data subjects").[2] There is an additional category of "Sensitive Personal Data" which is subject to greater restrictions and is described in more detail in the "frequently asked questions" section below.

If your organisation processes Personal Data you will either be a "Data Controller" or a "Data Processor" in respect of that data.[3] The Data Controller is the person or entity that determines how the Personal Data will be processed, and a "Data Processor" is any person or entity that processes it on behalf of the Data Controller (but does not include an employee of a Data Controller).

Most organisations will be a Data Controller in respect of at least some Personal Data but may be a Data Processor of other Personal Data. The distinction is important, as the Data Controller has liability for the actions of a Data Processor in many circumstances.

Data Controllers must comply with eight data protection principles set out in schedule 1 of the Data Protection Law:

  1. Personal Data shall be processed fairly and only in specific circumstances;
  2. Personal Data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
  3. Personal Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is collected or processed;
  4. Personal Data shall be accurate and, where relevant, kept up to date;
  5. Personal Data processed for any purpose shall not be kept for longer than is necessary for that purpose;
  6. Personal Data shall be processed in accordance with the rights of data subjects;
  7. Appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data; and
  8. Personal Data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data.

The Data Protection Law provides specific rights to data subjects, including the right to certain information from a Data Controller and the right to access Personal Data held by a Data Controller (an "Access Request").

The supervising authority for data protection in the Cayman Islands is the Office of the Ombudsman. The Ombudsman's website contains guidance and useful compliance resources. Within the Office of the Ombudsman, the Cayman Islands Information Commissioner has responsibility for taking action, including receiving complaints and instigating proceedings against Data Controllers for breaches of the Data Protection Law.

COMPLIANCE STEPS

Set out below are seven compliance steps that every business in Cayman should be undertaking, at a minimum, to comply with the main requirements of the Data Protection Law in respect of its primary data sources, and to identify where further compliance work is needed. This is intended as general guidance only - it is not exhaustive or intended to be a complete compliance programme, and is not a substitute for formal legal advice. Many of the provisions described below are subject to exceptions detailed in the Data Protection Law and additional guidance contained in the Data Protection Regulations, 2018.

  1. Data Mapping

The first step to complying with the Data Protection Law is to understand how information and data flows into and out of your organisation and how it is used. A data mapping exercise means conducting an examination of:

  • where Personal Data comes from and the purposes for which it is collected;
  • where the Personal Data you collect is transferred to;
  • whether you are the Data Controller or a Data Processor in respect of Personal Data coming from any particular source;
  • whether the Personal Data you collect is "adequate, relevant and not excessive" for the purposes for which it is collected;
  • to what extent steps are taken to keep Personal Data accurate;
  • how Personal Data is stored and protected within your organisation; and
  • how and when Personal Data is deleted.

We recommend starting with the main sources and types of Personal Data your organisation collects. Typically that might be Personal Data received via the internet and email and relating to employees, other businesses and clients.

A data map is an essential guide in understanding where changes might be required to comply with the Data Protection Law and in preparing policies and procedures for ongoing compliance.

  2. Privacy Notices

The source of any Personal Data, whether it be a form, email or a website, should provide a data protection notice containing the information required by the Data Protection Law. At a minimum the privacy notice must include the identity of the Data Controller, the purposes for which the Personal Data is being collected, and information that will enable the data subject to contact the Data Controller.

We recommend that a privacy notice is used to obtain the consent of the data subject whenever possible. Consent has high compliance value under the Data Protection Law. For example, all data processing must be conducted in accordance with at least one of the specific conditions set out in Schedule 2 of the Data Protection Law and, in the case of Sensitive Personal Data, also in accordance with one of the conditions set out in Schedule 3 of the Data Protection Law. In both cases the conditions are satisfied if the data subject has consented. International transfers of Personal Data are also permitted with consent, even if the recipient is not subject to contractual or statutory safeguards.[4]

In the case of websites consent is generally obtained by requiring the user to check a box at or before the point of collection. In the case of email it generally requires a disclosure in the body of the email itself describing the purposes for which the information will be used and a clear statement that sending an email to your organisation is an indication of consent to the collection and use of Personal Data for the specified purposes.

  3. Contractual Provisions

If you are transferring Personal Data to a third party Data Processor (for example a fund administrator, insurance manager or corporate services provider) it is a requirement of the Data Protection Law that the processing is carried out pursuant to a written contract specifying that the Data Processor is to act only on instructions from the Data Controller, and requiring the Data Processor to apply appropriate safeguards to the Personal Data. It is also important to ensure that the contract contains appropriate contractual remedies and indemnities to protect you in the event of a personal data breach.

Additionally, if Personal Data is going to be transferred internationally to a jurisdiction that is not considered adequate (the adequate jurisdictions being any EEA jurisdiction and any jurisdiction in respect of which an adequacy decision has been made by the European Commission; see the list in the frequently asked questions below) then, unless consent has been obtained or the transfer is within one of the other limited exceptions set out in Schedule 4 of the Data Protection Law, the transfer must be made subject to suitable contractual provisions or a stand-alone data transfer agreement.

  4. Data Subject Requests

A data subject is entitled to ask whether their Personal Data is being processed by your organisation and, if so, for a description of:

  • the Personal Data;
  • the purposes for which it is being processed;
  • who the data may be disclosed to;
  • any countries that the Personal Data may be transferred to; and
  • the general security measures in place to protect the Personal Data.

A data subject is also entitled to receive (in intelligible form) a copy of the Personal Data and the source of it (to the extent available).

A data subject may also request certain information in respect of automated processing of Personal Data, including the right to request that no decision taken by or on behalf of the Data Controller that significantly affects the data subject is based solely on automatic processing.

Requests must be responded to within 30 days.

A data subject is entitled, by notice in writing, to require the Data Controller to cease processing his or her Personal Data within 21 days.

Given the limited time frame to respond it is important to have a plan, a nominated person and, ideally, a written procedure in place to deal with requests.

  5. Retention Policy

The fifth principle of the Data Protection Law is that Personal Data shall not be kept for longer than is necessary for the purpose it was collected. We recommend that you have a written retention policy and, importantly, that records are actually erased or destroyed once the term is reached. Documents that may be required in connection with future legal claims should be retained for the applicable limitation period (generally in Cayman this is 6 years).

  6. Security

Appropriate technical and organizational measures must be taken to protect against unauthorized or unlawful processing, use, disclosure or deletion of Personal Data. Technical security will include measures such as restricted physical access, encryption, and passcodes for access to mobile phones and computer networks. Organisational security includes restricting access to employees that have a valid need to access the Personal Data.

The Ombudsman's guidance states that you can consider the technology that is available and the costs of implementation when deciding which measures to take, provided that the measures are appropriate to the circumstances and the risks.

  7. Notifications

A personal data breach is defined in the Data Protection Law as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal data transmitted, stored or otherwise processed". All personal data breaches must be notified to the Ombudsman and to the individual or individuals whose Personal Data is involved within 5 working days. If you use a Data Processor then the steps that the Data Processor must take if it causes a breach should be detailed in the contract in place, and responsibility for the reporting still rests with the Data Controller.

Notification of a breach should include:

  • the nature of the personal data breach;
  • the consequences of the breach;
  • the measures proposed or taken by yourself to address the breach; and
  • the measures you recommend the individual(s) to take to mitigate the possible adverse effects of the breach.

OUR SERVICES

Bedell Cristin is experienced in advising large and small organisations at each stage of a data protection compliance project. Our attorneys have assisted numerous multi-jurisdictional businesses with data mapping, privacy notices, policies and procedures, post-breach action, processor and transfer contracts and client agreements. Please contact us if you would like assistance in complying with the Cayman Data Protection Law or international data protection standards.

FREQUENTLY ASKED QUESTIONS

Under what circumstances may Personal Data be processed?

The first principle of the Data Protection Law states that Personal Data may only be processed if:

  • the data subject has consented;
  • the processing is necessary for the performance of a contract to which the data subject is a party or taking steps at the request of the data subject with a view to entering into a contract;
  • it is necessary to comply with a (non-contractual) legal obligation;
  • it is necessary to protect the vital interests of the data subject;
  • it is necessary for the administration of justice, the exercise of any statutory functions, the functions of government, or any other functions of a public nature carried out in the public interest;
  • it is necessary in connection with the legitimate interests of the Data Controller or any third party, unless it would prejudice the rights and freedoms or legitimate interests of the data subject.

What is Sensitive Personal Data and what additional rules apply to it?

Sensitive Personal Data means Personal Data consisting of:

  • the racial or ethnic origin of the data subject;
  • the political opinions of the data subject;
  • the data subject's religious beliefs or other beliefs of a similar nature;
  • whether the data subject is a member of a trade union;
  • genetic data of the data subject;
  • the data subject's physical or mental health or condition;
  • medical data;
  • the data subject's sex life;
  • the data subject's commission, or alleged commission, of an offence; or
  • any proceedings for any offence committed, or alleged to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.

In addition to the conditions that must be satisfied in order to process Personal Data, Sensitive Personal Data may only be processed if:

  • the data subject has consented;
  • there is a legal necessity arising from the data subject's employment by the Data Controller (for example, the provision of health insurance);
  • the processing is necessary to protect the vital interests of the data subject (or another person, where consent from the data subject has been unreasonably withheld);
  • the processing is carried out in the course of legitimate activities of a non-profit that exists for political, philosophical, religious or trade-union purposes (provided certain other requirements are met);
  • the Personal Data has been made public by the data subject;
  • the processing is necessary in connection with legal proceedings or legal rights, the administration of justice, the exercise of statutory functions or the exercise of any functions of government;
  • the processing is necessary for medical purposes (subject to certain additional requirements);
  • the circumstances are prescribed by regulation; or
  • other circumstances that may be determined by Cabinet.

Given the limited time frame to report a personal data breach it is important to have a plan in place before the event, including a nominated person and, ideally, a written procedure to deal with breaches and notification.

Can we charge a fee for access requests?

No, not unless the request is unfounded or excessive. Examples of unfounded or excessive requests (as specified in the Data Protection Regulations 2018) are requests that are repetitive, fraudulent or that would unreasonably divert the resources of the Data Controller. The Data Controller has the burden of proving that the request is unfounded or excessive and any such determination should be documented.

Which countries can we send Personal Data to without additional compliance obligations?

The current list includes any member state of the European Union, Norway, Liechtenstein, Iceland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, New Zealand, Switzerland, and Uruguay.

Can we send Personal Data to the United States without the consent of the data subject?

The US is not considered an "equivalent jurisdiction" and the Privacy Shield framework between the EU, US and Switzerland does not apply to data transfers from the Cayman Islands. However the Ombudsman has said that self-certification under the Privacy Shield by US entities "may be taken into consideration as a positive factor" when making general authorisations about permitted transfers. Until such time as a general authorisation is made, transfers to entities in the United States must be made with the consent of the data subject or pursuant to appropriate contractual safeguards.

What if we need to disclose Personal Data in an emergency?

Disclosure of Personal Data is permitted without consent if it is necessary to protect the vital interests of the data subject.

Is the Cayman Data Protection Law the same as the GDPR?

The two are very similar but not identical. However, if your organisation is currently compliant with GDPR it will also be compliant with the Data Protection Law.

Are there standard contractual provisions we can use for our agreements?

The Ombudsman intends to publish standard clauses but has not yet done so. However, provisions that replicate the rights and obligations of the EU's standard clauses will satisfy the requirements of the Data Protection Law.

Footnotes

1. "Processing" is defined very broadly. If you are doing anything with Personal Data, including the act of collecting or deleting it, you will be "processing" it for the purposes of the Data Protection Law.

2. The definition specifically includes: (i) location data, online identifiers or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual; (ii) an expression of opinion about the individual; and (iii) any indication of the intentions of the data controller or any other person in respect of the individual.

3. https://www.theguardian.com/news/datablog/2010/jul/16/data-plural-singular.

4. It is important to note that consent, for the purposes of the Data Protection Law, must be a "freely given, specific, informed and unambiguous indication of the Data Subject's wishes ... by a statement or by a clear affirmative action". Pre-checked boxes or "opt-out" consent forms will not be sufficient. The burden of proving consent is on the Data Controller, and consent may be void if there is a "significant imbalance between the position of the Data Subject and the Data Controller" (for example, a bank requiring consent in order to process a loan application). Consent may be withdrawn at any time.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
