
Data Protection Guide - Cayman Islands - 2017 - Ogier

Cayman Islands Data Protection Law Guide Book 2017

Cayman Islands Data Protection Law, 2017

1. Background and Overview

On 27 March 2017 the Data Protection Law, 2017 (Law) was passed by the Legislative Assembly of the Cayman Islands. Once enacted, the Law will introduce for the first time in the Cayman Islands a legislative framework on data protection. Although the timeframe for the enactment of the Law is not yet known, the Law will come into force on a date set by Cabinet Order, and different dates may be appointed for different provisions of the Law and in relation to different matters.

This note is not a comprehensive guide to the Law and deals only with the key concepts and obligations which arise from it.

2. What should I do now?

In addition to informing yourself about the Law, we recommend that you implement the following proactive measures prior to the commencement of the Law:

- understand your organisation's treatment under the Law and the extent of any exemptions that may apply to it.
- conduct an audit (whether formal or informal) of your organisation's current arrangements and understand how personal data is processed.
- create or update your internal data protection policies and procedures (including procedures to validate information held about data subjects).
- create or update your external data protection policies and procedures to inform your clients and employees about the data held on them and the purposes for which such data is processed.
- agree responsibilities within your organisation to ensure compliance with the Law, to enforce your privacy policies and to deal with information requests from data subjects.

3. Key definitions and concepts

Data Controller

A person, firm or company who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data is, or are to be, processed. In certain instances, a data controller will also include nominees of the data controller.[1] In an employment context, a data controller will normally be an employer. In a commercial context, a data controller will normally be a service provider that processes personal data in the performance of its services.

The Law applies to any data controller in respect of personal data (a) that is established in the Cayman Islands and the personal data is processed in the context of that establishment; or (b) that is not established in the Cayman Islands but the personal data is processed in the Cayman Islands otherwise than for the purposes of transit of the data through the Cayman Islands.

Data Subject

Any identified living individual or any living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person, e.g. employees, applicants, contractors, agency workers and other personnel.

Processing

Obtaining, recording or holding data, or carrying out any operation or set of operations on personal data, including organising, adapting, altering, retrieving, consulting, or using personal data or disclosing personal data by transmission, dissemination or otherwise making it available or aligning, combining, blocking, erasing or destroying personal data.

Data Processor

A person, firm or company that processes personal data on behalf of the data controller, but does not include an employee of the data controller.

Personal Data

Data relating to a living individual who can be identified and includes data such as:

- the living individual's location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual.
- an expression of opinion about the living individual.
- any indication of the intentions of the data controller or any other person in respect of the living individual.

Sensitive Personal Data

Sensitive personal data is personal data in relation to the data subject (which qualifies for an additional level of protection under the Law) consisting of information as to:

- racial or ethnic origin.
- political opinions.
- religious or other similar beliefs.
- trade union membership.
- medical or genetic data.
- physical or mental health or condition.
- sexual life.
- the commission or alleged commission of any criminal offences.
- any criminal proceedings or convictions (including verdict and sentencing).

Data Protection Principles

There are eight data protection principles. It is the duty of a data controller to comply with the principles:

1. personal data shall be processed fairly.
2. personal data shall be processed only for one or more specified lawful purposes.
3. personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are collected/processed.
4. personal data shall be accurate and up to date.
5. personal data shall not be kept for longer than is necessary.
6. personal data shall be processed in accordance with the rights of data subjects under the Law.
7. appropriate technical and organisational measures shall be taken in relation to personal data.
8. personal data shall not be transferred outside the Cayman Islands unless an adequate level of protection for the rights and freedoms of data subjects is ensured.

4. Requirements for lawful Data Processing - the basics

Data Protection Principles

Under the Law, all data controllers are required to comply with the data protection principles that relate to the personal data that the data controller processes. Data controllers are also required to ensure that third parties comply with the protection principles if such third parties are processing personal data on the data controller's behalf.

Personal Data

In order for a data controller to process personal data fairly (a required data protection principle), the identity of the data controller and the purpose for which the personal data is processed must be disclosed. In addition, one of the following preconditions must also be satisfied:

- the data subject has given consent to the processing.[2]
- the processing is necessary for (a) the performance of a contract to which the data subject is a party or (b) taking steps at the request of the data subject with a view to entering into a contract.
- the processing is necessary for legal compliance (other than contractual compliance).
- the processing is necessary to protect the vital interests of the data subject.[3]
- the processing is necessary for the administration of justice or the exercise of statutory, governmental or public functions.
- the processing is necessary for the purposes of legitimate interests pursued by the data controller or the third party to whom the data is disclosed, except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Sensitive Personal Data

Sensitive personal data is given special protection under the Law. In order for a data controller to process sensitive personal data fairly, in addition to fulfilling the conditions for processing regular personal data fairly, one of the following preconditions must also be satisfied:

- the data subject has given consent to the processing.
- processing is necessary for exercising or performing any legal right or obligation in connection with the data subject's employment.
- processing is necessary (a) to protect the vital interests of the data subject or another person where consent cannot be given by the data subject or the data controller cannot reasonably be expected to obtain such consent or (b) to protect the vital interests of another person where consent of the data subject has been unreasonably withheld.
- processing is carried out in the course of legitimate activities by certain non-profit associations and certain conditions are met.
- the data has been made public as a result of steps taken by the data subject.
- processing is necessary for the purposes of legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights.
- processing is necessary for the administration of justice or the exercise of statutory, governmental or public functions.
- processing is necessary for medical purposes and is performed by a health professional or a person who, in the circumstances, owes a duty of confidentiality equivalent to that which would arise if that person were a health professional.

5. Rights of Data Subjects

Right of Notification and Access

As discussed above, data controllers generally have the obligation to process information fairly and notify data subjects if their personal data is being processed. If personal data is being processed, a data subject is entitled to be given the following information by the data controller as soon as reasonably practicable:

- a description of the personal data held in respect of the data subject; and
- a description of the purposes for which the personal data is being processed.

In addition to the initial notification requirements set out above, unless a limited range of exemptions apply, data subjects are also entitled to request from data controllers:

- a description of the personal data held in respect of the data subject.
- a description of the purposes for which the personal data is being processed.
- a description of the recipients to whom the personal data may be disclosed.
- communication in intelligible form of the personal data and the source of the data.

The data controller need not supply any information where the request has not been made in writing and/or the data controller's fee (within limits to be set out in regulations) has not been paid.

If the data controller has not been supplied with such information as he reasonably requires to satisfy himself as to the identity of the person making the request and/or to locate the information, the data controller need not supply the information provided the data controller has informed the data subject in writing of this requirement.

The time limit for providing the information is 30 days from the day the data controller receives the request and the fee, but where the data controller has requested further information to satisfy himself of the identity of the data subject and/or to locate the information this period shall not resume until the information has been supplied.

If complying with a subject access request cannot be done without disclosing personal data relating to another data subject who can be identified from that personal data, then information may be withheld, unless:

- that other data subject has consented to such disclosure.
- it is reasonable in all the circumstances to comply with the request without the consent of the other data subject.

However, even where the data controller elects not to disclose personal data, such of the personal data as can be disclosed without revealing the identity of the other individual (including by the removal of names or other identifying information) must nevertheless be disclosed.

Should a data controller fail to comply with a subject access request, a data subject may apply to the Information Commissioner (Commissioner) who has broad powers to order compliance and levy fines.

Right to Cease Processing

A data subject is entitled at any time by notice in writing to a data controller to require the data controller to cease processing, or not to begin processing, or to cease processing for a specified purpose or in a specified manner, the data subject's personal data. The data controller shall as soon as practicable, but within 21 days, comply with the notice, unless:

- the processing is necessary for (a) the performance of a contract to which the data subject is a party or (b) taking steps at the request of the data subject with a view to entering into a contract.
- the processing is necessary for compliance with any legal obligation to which the data controller is subject (other than a contractual obligation).
- the processing is necessary to protect the vital interests of the data subject.

Automated Decision Making

A data subject is entitled at any time, by notice in writing to a data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller that significantly affects the data subject is based solely on the processing by automatic means of the data subject's personal data for the purpose of evaluating the data subject's performance at work, creditworthiness, reliability, conduct or any other matters relating to the data subject.

If decisions are taken automatically that significantly affect a data subject based solely on processing by automatic means of the data subject's personal data for the purpose of evaluating the data subject's performance at work, creditworthiness, reliability, conduct or any other matters relating to the data subject, the data controller shall as soon as reasonably practicable notify the data subject that the decision was taken on that basis. The data subject is entitled, within 21 days of receiving that notification, to notify the data controller in writing requiring the data controller to reconsider the decision or to take a new decision otherwise than on that basis.

Direct Marketing

A data subject is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing the data subject's personal data for the purposes of direct marketing.

“Direct marketing” means the communication (by whatever means) of any advertising, marketing, promotional or similar material, that is directed to particular individuals.

Rectification, Blocking, Erasure, Destruction

A data subject can apply to the Commissioner on the basis that personal data held by a data controller is inaccurate. If the Commissioner is satisfied that personal data is inaccurate, the Commissioner may order the data controller to rectify, block, erase or destroy such data, or certain other personal data held by the data controller which contains an expression of opinion which appears to the Commissioner to be based on the inaccurate data.

If data received by the data controller has been accurately recorded then the Commissioner may make an order requiring that the data in question be supplemented by a statement of the true facts.

The Commissioner may require the data controller to notify third parties to whom the data has been disclosed of the rectification, blocking, erasure or destruction.

Compensation

A person who suffers damage by reason of a data controller's contravention of the Law is entitled to compensation from the data controller for that damage.

6. Offences under the Law – the Consequences

It should be noted that a director, manager, secretary or other company officer may be guilty of an offence in addition to the company if the offence is proved to have been committed with their consent or connivance or attributable to their neglect.

Offences under the Law include:

- unlawfully obtaining or disclosing personal data.
- unlawful sale of personal data.
- failing to comply with an enforcement order or an information order.

Fines under the Law could be as high as CI $100,000 (US $122,000) and certain offences are punishable by imprisonment. Under the Law the Commissioner also has the right to serve a data controller with a monetary penalty order if the Commissioner is satisfied on a balance of probabilities that there has been a serious contravention of the Law by the data controller and the contravention was of a kind likely to cause substantial damage or substantial distress to the data subject. Monetary penalty orders could be as high as CI $250,000 (US $305,000).

7. Exemptions

It should be noted that the Law contains a number of very detailed exemptions and modifications that may apply. Without being exhaustive, exemptions and modifications may apply in situations relating to trusts, corporate finance services, national security, crime, health, education, social work, journalism, historical or scientific research, disclosures required by law or legal proceedings and legal professional privilege.

The existence and scope of exemptions which may be applicable to your business should be considered in detail. We advise anyone seeking to rely on such exemptions to contact our office to conduct an initial exemption analysis and/or a full data protection audit.

We expect that regulations and guidance on the Law will be issued prior to its implementation. We shall provide a further update in due course.

We would be happy to discuss the implications of the Data Protection Law, 2017 for your business or organisation. Please contact your usual Ogier attorney or a member of our team listed here.

Legal services in BVI, Cayman Islands, Guernsey, Hong Kong, Jersey, Luxembourg, Shanghai, Tokyo. ogier.com

Ogier provides practical advice on BVI, Cayman Islands, Guernsey, Jersey and Luxembourg law through its global network of offices. Ours is the only firm to advise on these five laws. We regularly win awards for the quality of our client service, our work and our people. This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations. Regulatory information can be found at www.ogier.com.

[1] If the data controller is not established in the Cayman Islands but the personal data are processed in the Cayman Islands (otherwise than for the purposes of transit of the data through the Cayman Islands), the data controller must nominate a local representative established in the Cayman Islands who will be the data controller for the purposes of the Law.

[2] "consent" in relation to a data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the said data subject.

[3] In other jurisdictions this condition is generally understood to only apply to matters of life and death.


Contact us

James Heinicke
Partner
T +1 345 815 1768
M +1 345 516 [email protected]

Cory Macculloch
Associate
T +1 345 815 1773
M +1 345 326 [email protected]

89 Nexus Way, Camana Bay, Grand Cayman, Cayman Islands KY1-9009
T +1 345 949 9876
F +1 345 949 9877
E [email protected]