
An Overview of the British Virgin Islands’ Data Protection Act

Contributors

Aamina Shekha

Associate Data Privacy Analyst at Securiti

Aswah Javed

Associate Data Privacy Analyst at Securiti

Published August 5, 2025


I. Introduction

The Data Protection Act, 2021 (DPA) is the comprehensive data protection law of the British Virgin Islands (BVI). Passed on April 13, 2021, it came into full force on July 9, 2021, and binds the Crown. The DPA is the primary data protection legislation in the BVI; its objective is to govern the processing of personal data by public and private bodies and to promote accountability and transparency in the processing of such data.

This article delves into the applicability of DPA, key definitions, obligations for businesses, limitations, and how to ensure compliance with DPA.

II. Who Needs to Comply with the DPA

A. Material Scope 

The scope of DPA encompasses persons that:

  1. Process personal data; and
  2. Control, or authorise, the processing of any personal data concerning commercial transactions.

DPA applies to any person:

  1. Based in the BVI, that processes personal data or hires or engages someone else to do so on their behalf, regardless of whether that person is established there; or
  2. Not based in the BVI but makes use of equipment present in the BVI to process personal data except for transit through the BVI. In such a case, a person based in the BVI needs to be nominated as a representative.

As per DPA, the following are treated as “established” in the BVI:

  1. Any person physically present in the BVI for at least 180 days in a calendar year;
  2. Any body incorporated as per the BVI’s laws;
  3. Any partnership or unincorporated association formed as per the BVI’s laws; and
  4. Any person conducting a regular professional practice or maintaining an office, branch, or agency to carry out any activity.

B. Exemptions

DPA outlines the following situations and purposes of processing personal data as being exempt from its provisions:

  • Personal data processed by an individual solely for their personal, family, or household affairs, including recreational purposes.
  • Personal data processed for the prevention, detection, or investigation of crimes, or the apprehension or prosecution of offenders shall be exempt from the General, Notice and Choice, Disclosure, and Access principles.
  • Personal data processed for the assessment or collection of any tax or duty shall be exempt from the General, Notice and Choice, Disclosure and Access principles.
  • Processing of personal data related to physical or mental health information, provided that an application of DPA’s provisions would likely cause serious harm to the data subject or another individual's health shall be exempt from the Access principle.
  • Processing personal data for statistics or research purposes, provided the results do not identify the data subject shall be exempt from the General, Notice and Choice, Disclosure, and Access principles.
  • Processing that is necessary for, or in connection with, any court order or judgment shall be exempt from the General, Notice and Choice, Disclosure, and Access principles.
  • Processing for discharging regulatory functions, if the application of the DPA’s provisions would prejudice such functions shall be exempt from the General, Notice and Choice, Disclosure, and Access principles.
  • Processing solely for journalistic, literary, or artistic purposes under specific public interest conditions shall be exempt from the General, Notice and Choice, Disclosure, Retention, Data Integrity and Access principles.
  • The Minister, on the Information Commissioner's recommendation, can exempt data controllers or classes of data controllers from any of the Personal Data Protection Principles enshrined in DPA provisions, via a Gazette Order.

III. Definitions of Key Terms

A. Commercial Transaction

A transaction of a commercial nature, whether or not contractual, including matters related to the supply or exchange of goods or services, agency, investments, financing, banking, and insurance.

B. Data Processor

A person who is not an employee of the data controller but processes data on behalf of the data controller.

C. Data Subject

A natural person, whether living or deceased.

D. Data Controller

A person who either independently or with other persons processes any personal data, or has control over, or authorises the processing of any personal data, but does not include a data processor.

E. Personal Data

Any information related to commercial transactions that is directly or indirectly related to a data subject who is identified or identifiable from that information, or from that information in conjunction with other information in the possession of a data user (including any sensitive personal data and any expression of opinion about the data subject), and which:

  1. is being processed wholly or partly using equipment operating automatically in response to instructions given for that purpose;
  2. is recorded with the intention that it should wholly or partly be processed by the use of such equipment; or
  3. is recorded as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.

F. Processing

An activity that involves collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, which includes:

  • organisation, adaptation, or alteration of personal data;
  • retrieval, consultation, or use of personal data;
  • disclosure of personal data by transmission, transfer, dissemination, or otherwise making available; or
  • alignment, combination, correction, erasure, or destruction of personal data.

G. Sensitive Personal Data

Any personal data relating to a data subject’s

  • physical or mental health;
  • sexual orientation;
  • political opinions;
  • religious beliefs or other beliefs of a similar nature;
  • criminal convictions, the commission or alleged commission of any offence; or
  • any other personal data that the Minister may, by Order, prescribe.

IV. Obligations of Organisations under the DPA

A. Conditions for the Use of Personal Data

Data controllers may process personal data only where the following requirements are met:

  • Compliance with the general principles of data processing:
    • Lawful Purpose: Personal data processing must serve a lawful purpose directly related to the controller's activities.
    • Necessity: The processing must be necessary for, or directly related to, that purpose.
    • Adequacy and Proportionality: The personal data must be adequate but not excessive for the stated purpose.
  • The processing is necessary for one of the following:
    • The performance of a contract to which the data subject is a party;
    • Taking steps at the request of the data subject with a view to entering into a contract;
    • Compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by a contract;
    • Protecting the vital interests of the data subject;
    • The administration of justice; or
    • The exercise of any functions conferred on a person by or under any law.

B. Conditions for the Use of Sensitive Personal Data

Data controllers may only process sensitive personal data under the following permissible situations:

  • Explicit consent has been obtained from the data subject; or
  • The information that forms part or whole of the sensitive personal data has been deliberately made public by the data subject; or
  • Processing is necessary for the data controller to perform any rights or obligations conferred on it by law or in connection with employment; or
  • Processing is necessary to protect the vital interests of the data subject or another person in relation to the prescribed instances:
    • Medical purposes;
    • The purposes of legal proceedings, administration of justice, and to establish, exercise, or defend legal rights;
    • The exercise of any functions conferred on any person under any law; and
    • Any other purposes as deemed fit by the Minister.

C. Data Integrity Principle

Data controllers must make sure that the personal data collected is accurate, complete, not misleading, up-to-date, and directly related to its defined purpose.

D. Consent Requirements

Data controllers must obtain express consent from data subjects to process personal data. For sensitive personal data, data controllers must comply with the much higher standard of “explicit consent”.

E. Security Requirements

Data controllers must deploy practical measures to ensure that personal data is protected from any loss, misuse, modification, unauthorized or accidental access, disclosure, alteration, or destruction. In doing so, they must have regard to the following:

  • The nature of the personal data;
  • The harm that is likely to occur due to the mishandling of the data;
  • The storage location of the personal data;
  • The security measures incorporated in the equipment that stores personal data;
  • The reliability, integrity, and competence of personnel having access to the personal data; and
  • The measures taken to ensure the safe transfer of personal data.

In addition, when data is processed by a data processor on behalf of a data controller, the data controller is required to obtain sufficient guarantees from the processor that reasonable technical and organizational measures have been undertaken to comply with the aforementioned security measures.

F. Retention Principle

Data controllers must ensure that the personal data being processed is not stored for longer than the duration that is necessary for the fulfillment of the defined purpose. Once the stated purpose is fulfilled, the data must be destroyed or deleted.

G. Cross-Border Data Transfer Requirements

Data controllers must obtain express consent from data subjects and ensure the implementation of adequate data protection safeguards to transfer personal data out of the Virgin Islands.

H. Third-Party Processing Requirements

Data controllers, at the time of collection, must inform data subjects of the class of third parties to whom the data controller discloses or may disclose any personal data. Thus, at any stage of data processing, the data controller cannot, without the data subjects’ consent, disclose personal data to any third parties other than those already specified.

I. Disclosure Requirements

Data controllers must obtain the data subject’s consent before disclosing personal data while complying with the following stipulations:

  • Express consent for disclosure must be obtained from the data subjects.
  • Personal data must not be disclosed for any purpose other than what is directly related to the purpose of collection of personal data.
  • Personal data must not be disclosed to any party other than the class of parties to whom the controller has stated the personal data is shared.

However, there are instances where personal data can be disclosed for purposes other than the purpose for which the data was collected, or a purpose directly related to it. These include when:

  • The disclosure of personal data is necessary for preventing, detecting, or investigating a crime.
  • The disclosure of personal data is required by law or mandated by an order of a court.
  • The data controller acted in the reasonable belief that they had the right to disclosure or they would have obtained the data subject’s consent, had the latter been aware of the reasons for such disclosure.
  • The disclosure was justified to be in the public interest, as determined by the Minister.

V. Data Subject Rights

A. Right to Withdraw Consent

A data subject is entitled to withdraw their consent at any stage of data processing. However, withdrawal of consent shall have no consequence on the lawfulness of the data collected and processed before the withdrawal.

B. Right to Access

A data subject holds the right to access their personal data, through a written request, at any stage of data processing. The data subject must be informed, by the Chief Executive Officer of the organization, of (a) whether the request to access has been rejected or approved and (b) the prescribed fee, if applicable. The organization must respond to the request within 30 days of receipt of the request.

The data subject, in conjunction with their request, is entitled to the following:

  • A copy of their personal data;
  • The purposes for which their personal data is being or will be processed;
  • The recipients or classes of recipients to whom personal data is or may be disclosed by the data controller organization; and
  • All information available to the data controller organization in relation to the source of the data.

C. Right to Rectification

A data subject is entitled to request rectification of their personal data in instances where it is inaccurate, incomplete, misleading, not up-to-date, or not relevant to the purposes of the processing. This is to be done by submitting a written application, specifying:

  • The document containing the record of personal data that requires amendment;
  • The personal data that is claimed to be incomplete, incorrect, misleading, or irrelevant, along with the reasons accompanying this claim; and
  • The amendment requested by the data subject.

Where a public or private body is satisfied with the reasons for such an application, it is obligated to amend the personal data. When making these amendments, the body must, where practicable, ensure that the original text of the document is not obliterated, preserving the record of the data prior to the change.

D. Right to Inform

When requesting personal data from a data subject, data controllers must inform the data subject of:

  • The purposes for which personal data will be collected and processed;
  • Any available information to the data controller regarding the source of that personal data;
  • The data subject’s right to request access to and rectification of their personal data;
  • Contact information of the data controller for redressal of complaints and inquiries;
  • The class of third parties to whom the data controller discloses or may disclose personal data;
  • Whether it is obligatory or voluntary for the data subject to provide their personal data to the controller; and
  • Consequences for the data subject when personal data is not provided in instances where it is obligatory.

E. Right to Restrict Processing

A data subject is entitled, at any stage of data processing, via notice in writing, to require the data controller not to commence processing or to cease processing of their personal data for the purposes of direct marketing. Upon receipt of the request, the data controller must comply with this request within 3 days and notify the data subject of the same.

Exercising the DSRs

A data subject is entitled to request access to their personal data at any stage of data processing, or to require the data controller to cease processing (or to not process) any personal data concerning them for direct marketing purposes. These requests must be submitted in writing to the data controller, who is then required to respond with a description of the personal data collected and processed by them.

Timeline to respond to a DSR request

The stipulated response time for a request to access data is 30 days and for a request to restrict processing is 3 days.

Extension of Request Response Time

The response time for access requests may be extended by thirty (30) days in the event of the following:

  • The original 30-day period may cause reasonable interference with the operations of the organisation.
  • The compliance with the request requires necessary consultations, which cannot be reasonably completed within the 30-day duration.
  • Additional time is necessary for converting the personal data into an alternative format.

The data subject is to be notified in writing of the decision to grant the extension, which must state the duration of the extension, as well as the data subject’s right to submit a complaint to the Information Commissioner regarding the extension.

Refusal of Request

A data subject request for access to personal data can be refused for the following reasons:

  • The data controller does not have the information that may be reasonably required to locate the personal data of the concerned data subject.
  • The organisation’s compliance with the request would contravene a duty of confidentiality recognised by law or one of the exemptions to the DPA.
  • The person who can be identified from the disclosure of the personal data gives consent to the disclosure of their personal data to the person making the request.
  • The organisation has obtained written approval from the Information Commissioner against compliance with the request for access to data.

In the event that a data subject request is rejected, the data subject must be notified in writing. The notice must specify the reason for the rejection (for example, that the personal data requested does not exist) and the provision of the DPA on which the rejection was based. The data subject must also be informed of their right to submit a complaint to the Information Commissioner regarding the rejection within 28 days of receipt of the refusal.

VI. Regulatory Authority

The Office of the Information Commissioner is established under DPA as the designated authority for the enforcement of the law, and the Information Commissioner and other staff of this Office are to be appointed by the Governor. The functions of the Information Commissioner include the following:

  • Advising public and private bodies and monitoring their compliance with the DPA.
  • Designing and implementing educational initiatives to promote understanding of the DPA.
  • Monitoring developments in data processing and information technology. This should be complemented by active research initiatives as well as administrative and legislative reforms to ensure that these developments are incorporated into data protection mechanisms. All research and monitoring should be well documented and periodically reported to the Minister.
  • Cooperating with foreign governments in an exchange of ideas and dialogue.
  • Receiving, investigating, and addressing complaints about alleged violations of the data protection principles enshrined in the DPA. The complaint mechanism process is as follows:
    1. The Chief Executive Officer of the organisation to which the complaint pertains must be informed by the Office of the Ombudsman before the investigation process is officially initiated.
    2. The Information Commissioner is required to issue an investigation notice to the organisation for access to personal data and other relevant information and documentation.
    3. The Information Commissioner may serve the organisation with an enforcement notice to rectify, erase, or modify the personal data. This enforcement notice must be complied with within thirty (30) days.
    4. The Information Commissioner communicates the decision of the investigation to the data subjects. The decision should be communicated as soon as it is reasonably practicable, and in a well-explained manner.
    5. The data subjects may seek judicial review within 30 days of receiving the written notice.

The Minister has the authority to make regulations for the purposes of this Act in consultation with the Commissioner, who must carry out a detailed review of the Act within five years of its enactment.

VII. Penalties for Non-Compliance

The DPA has outlined the following as penalties:

Obstruction of the duties of the Information Commissioner

Intentionally obstructing the Information Commissioner or an authorised officer from carrying out their duties and functions as outlined in the DPA shall, on summary conviction, result in a fine of up to $5000 and/or imprisonment for a maximum term of 6 months.

Willful Disclosure of Personal Data

Wilfully disclosing personal data as well as collecting, storing, or disposing of it in a manner that is in contravention of the DPA shall, on summary conviction, result in a fine of up to $5000 and/or imprisonment for a term not exceeding 6 months.

Breach of Confidentiality

Unlawful disclosure of personal data by the Information Commissioner or persons acting on their behalf or under their direction shall incur the following penalties:

  • Penalty on summary conviction: A fine not exceeding $50,000 and/or imprisonment for a term not exceeding 3 years.
  • Penalty on conviction on indictment: A fine not exceeding $100,000 and/or imprisonment for a term not exceeding 5 years.

Processing Sensitive Personal Data

Processing sensitive data in contravention of the principles outlined in DPA shall, on conviction, result in a fine of $200,000 and/or imprisonment for a term not exceeding 2 years.

Offences by Bodies Corporate

If an offence under the DPA is proved to be committed with the consent, connivance, or negligence of a director, manager, secretary, or similar officer of a body corporate, both that individual and the body corporate shall be liable.

  • Penalty for body corporate on summary conviction: A fine not exceeding $250,000.
  • Penalty for body corporate on conviction on indictment: A fine not exceeding $500,000.

Civil Protections for Distress

In the event that a data subject experiences damage or distress resulting from a public or private body's contravention of the DPA’s provisions, civil proceedings may be brought before the Court.

VIII. How can Organisations Operationalise the DPA

  • Organisations should define and implement internal policies that specify clear retention periods for each type of personal data they process. In addition, these policies should be consistently reflected in data-sharing contracts made with data processors or other third parties.
  • When planning to use personal data for a new purpose, organisations should check its compatibility with the original purpose or obtain specific consent from the data subjects for the new purpose.
  • Data controllers must establish clear SOPs for personnel dealing with personal data to ensure that confidentiality is upheld and security measures are adequately enforced.

IX. How Securiti Can Help

Navigating ever-evolving privacy requirements can be complex. Fortunately, Securiti’s suite of automation modules offers a comprehensive solution for organizations seeking to ensure compliance with the British Virgin Islands’ Data Protection Act.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Request a demo to learn more.
