
An Overview of the Cayman Islands’ Data Protection Act

Published May 21, 2025
Author

Aamina Shekha

Associate Data Privacy Analyst at Securiti


I. Introduction

The Data Protection Act (“DPA”) stands as the primary legislative framework governing data protection in the Cayman Islands. Originally enacted on March 27, 2017, the DPA has been in force since September 30, 2019, following the Data Protection Law, 2017 (Commencement) Order. The DPA is implemented by the Data Protection Regulations, 2018, which came into force immediately after the DPA. Since its inception, the DPA has been subject to several revisions, with the most recent version being effective as of March 31, 2021.

II. Who Needs to Comply with the DPA

A. Material Scope

The DPA applies to:

  1. Data controllers established in the Cayman Islands that deal with personal data that is processed in the “context of that establishment”; and
  2. Personal data processed in the Cayman Islands “otherwise than for the purposes of transit”. This is applicable to data controllers not established in the Cayman Islands.

The following are to be treated as being “established” in the Cayman Islands:

  (a) an individual who is ordinarily resident in the Islands;
  (b) a body incorporated or registered as a foreign company under the law of the Islands;
  (c) a partnership or other unincorporated association formed under the law of the Islands; or
  (d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the Islands —
    • an office, branch or agency through which the person carries on any activity; or
    • a regular practice.

B. Exemptions

The DPA sets out the following exemptions under which the processing of personal data is exempt from its provisions:

a. National Security

Personal data is exempt from the provisions of the DPA when the exemption is necessary for safeguarding national security in the Cayman Islands.

b. Crime, government fees and duties

Personal data, when processed for the following purposes, is exempt from the provisions of the DPA:

  1. Crime prevention, detection, or investigation;
  2. Apprehension or prosecution of suspected offenders; and
  3. Assessment or collection of any fees or duty.

This exemption also extends to data processed for other legal purposes beyond those listed above.

c. Health

Personal data is exempt from the provisions of the DPA if its release could reasonably be expected to result in mental or physical harm to the data subject.

d. Education

Personal data that qualifies as an educational record is exempt from the DPA if its disclosure is likely to cause harm to the mental or physical health of the data subject.

e. Social work

Personal data is exempt from the provisions of the DPA if its processing may result in serious harm to the physical or mental health of a data subject and would thereby prejudice social work.

f. Monitoring, inspection or regulatory function

Personal data is exempt from the provisions of the DPA if its processing may prejudice the monitoring, inspection or regulatory aspect of a public function covered under the law.

g. Journalism, literature or art

Personal data may be exempt from the provisions of the DPA if it is processed for the publication of journalistic, artistic or literary material. For this exemption to apply, however, the data controller must reasonably believe that the publication would be in the public interest.

h. Research, history, or statistics

Personal data that is processed for research, history or statistics is exempt from the DPA’s provisions if:

  1. The personal data is not processed to support a measure or decision relating to a particular individual; and
  2. The personal data is not processed in a way that is likely to result in substantial damage or substantial distress to any individual.

i. Information available to the public by or under enactments

Personal data is exempt from the DPA’s non-disclosure provisions if the data controller is under a legal obligation to make it publicly available.

j. Legal proceedings and legal advice

Personal data is exempt from the DPA’s non-disclosure provisions if its disclosure is necessary for the purposes of quasi-judicial or legal proceedings, obtaining legal advice, or establishing a legal right.

k. Personal, family or household affairs

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs is exempt from the application of the DPA. Like all exemptions, this one is very narrow in scope: any use of personal data by an organisation of any type falls outside it, and so does the publication of information.

l. Honours

Personal data that is processed by the Crown or the Premier for the purposes of conferring any honour or dignity is exempt from the DPA’s provisions.

m. Corporate Finance

Personal data is exempt from the provisions of the DPA if it is processed for the purposes of a corporate finance service provided by:

  1. a person legally registered to carry on investment business;
  2. a person who is exempted from the obligation to be legally registered to carry on investment business;
  3. an authorised person carrying on investment business;
  4. a person who is exempt in respect of investment business;
  5. a person who offers a corporate finance service in the course of their employment; or
  6. a partner who provides a corporate finance service in a partnership.

n. Negotiations

Personal data consisting of a record of the intentions of the data controller in relation to any negotiations with the data subject is exempt from the provisions of the DPA.

o. Legal professional privilege and trusts

Personal data is exempt from the provisions of the DPA if it comprises the following:

  1. Information that is subject to legal professional privilege; or
  2. Information that relates to any structure or arrangement that is an ordinary trust, any structure or arrangement that is a trust established under the Trusts Act (2011 Revision), or any will made pursuant to the Wills Act (2004 Revision).

III. Definitions of Key Terms

A. Consent

“Consent” in relation to a data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the said data subject.

B. Data Controller

“Data Controller” means the person who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data are, or are to be, processed and includes a local representative.

C. Data Processor

“Data Processor” means any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller.

D. Data Subject

“Data Subject” means —

  1. an identified living individual; or
  2. a living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person.

E. Personal Data

“Personal Data” means data relating to a living individual who can be identified and includes data such as —

  1. the living individual’s location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual;
  2. an expression of opinion about the living individual; or
  3. any indication of the intentions of the data controller or any other person in respect of the living individual.

F. Sensitive Personal Data

“Sensitive Personal Data” means, in relation to a data subject, personal data consisting of —

  1. the racial or ethnic origin of the data subject;
  2. the political opinions of the data subject;
  3. the data subject’s religious beliefs or other beliefs of a similar nature;
  4. whether the data subject is a member of a trade union;
  5. genetic data of the data subject;
  6. the data subject’s physical or mental health or condition;
  7. medical data;
  8. the data subject’s sex life;
  9. the data subject’s commission, or alleged commission, of an offence; or
  10. any proceedings for any offence committed, or alleged to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.

G. Processing

“Processing”, in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on personal data, including — (a) organising, adapting or altering the personal data; (b) retrieving, consulting or using the personal data; (c) disclosing the personal data by transmission, dissemination or otherwise making it available; or (d) aligning, combining, blocking, erasing or destroying the personal data.

IV. Obligations for Organisations Under DPA

A. Appointment of Local Representative

The data controller must appoint a local representative “established” in the Cayman Islands who, for all purposes, shall be treated as the data controller.

B. Consent

Where consent is the lawful basis for processing, the data controller must obtain it from the data subjects, and it must meet the following conditions:

  1. It must be a freely given, specific, informed, and unambiguous indication of the data subject's wishes.
  2. Data subjects have the right to withdraw consent at any time.
  3. The data subject must signify agreement by a statement or clear affirmative action.

C. Lawful Basis of Processing of Personal Data

The data controller must ensure that at least one of the following conditions is met as a lawful basis for personal data processing:

  1. The data subject has given consent.
  2. Processing is necessary for the performance of a contract with the data subject or to take steps at their request before entering into a contract.
  3. Processing is necessary to comply with a legal obligation (other than a contractual obligation).
  4. Processing is necessary to protect the data subject's vital interests.
  5. Processing is necessary for the administration of justice or the exercise of functions conferred by any enactment, the Crown, a public authority, or other functions of a public nature exercised in the public interest.
  6. Processing is necessary for the legitimate interests of the data controller or a third party, unless those interests are overridden by the data subject's rights and freedoms.

D. Fair Processing of Sensitive Personal Data

The data controller must ensure that at least one of the following conditions is met as a lawful basis for the processing of sensitive personal data:

  1. The data subject has given explicit consent.
  2. Processing is necessary for employment-related rights or obligations conferred or imposed by law.
  3. Processing is necessary to protect the vital interests of the data subject or another person, under specific circumstances.
  4. Processing is carried out by a non-profit organization with appropriate safeguards, limited to members or those with regular contact, and without disclosure to third parties without consent.
  5. The data subject has made the information public.
  6. Processing is necessary for legal proceedings, obtaining legal advice, or establishing, exercising, or defending legal rights.
  7. Processing is necessary for the administration of justice or the exercise of functions conferred by any enactment, the Crown, or a public authority.
  8. Processing is necessary for medical purposes, carried out by a health professional or someone with an equivalent duty of confidentiality.
  9. Processing occurs in circumstances prescribed by regulations.

E. Data Subject Requests

Access to Personal Data upon Request

The data controller, upon receiving a written request, must provide data subjects with access to their personal data. The data controller is required to comply with this request within thirty (30) days of receiving the written request.

Access to personal data may be provided free of charge, unless the request is excessive and unreasonably diverts resources. In this case, to cover the cost of providing information, a reasonable amount may be charged as a fee.

Request to Cease Processing

The data controller is required to cease processing personal data within twenty-one (21) days of receiving a formal written request from the data subject to do so.

Rectification of Personal Data

The data controller, following a complaint made by a data subject and upon order of the Ombudsman, must rectify, block, erase, or destroy the following:

  1. Inaccurate personal data; and
  2. Personal data that is an expression of opinion based on inaccurate personal data.

Right to Stop Processing for Direct Marketing

Upon receiving a notice in writing from the data subject, the data controller is required to cease, or not to begin, processing personal data relating to that data subject for the purposes of direct marketing, within such period as is reasonable in the circumstances.

Rights in Relation to Automated Decision Making

The data controller, upon receiving a request in writing from the data subject, is required to ensure that no decision taken by or on behalf of the data controller that significantly affects the data subject is based solely on the processing by automatic means of the data subject's personal data for the purpose of evaluating the data subject's performance at work, creditworthiness, reliability, conduct or any other matters relating to the data subject.

F. Data Minimisation

The data controller must ensure that the personal data collected is adequate, relevant, and not excessive for the purposes for which it is processed.

G. Data Security

The data controller must implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction and other forms of compromise.

H. Data Breach Notification

The data controller is required to notify the Ombudsman and affected data subjects in the event of a personal data breach. Notification must be made without undue delay and no later than five days after the data controller becomes aware of the breach.

V. Data Subject Rights

A. Right to Access

A data subject is entitled to be informed by a data controller whether their personal data is being processed by or on behalf of that data controller. Provided that such is the case, the data subject is to be given by that data controller a description of their personal data.

B. Right to Rectification

The data subject has the right to file a complaint with the office of the Ombudsman against the data controller on account of inaccurate personal data. If the Ombudsman is satisfied that the personal data is inaccurate, it may order the data controller to rectify, block, erase or destroy that data.

C. Right to Stop Processing

A data subject, with regards to their personal data, is entitled at any time, by notice in writing to a data controller, to require the data controller:

  1. to cease processing;
  2. not to begin processing; and
  3. to cease processing for a specified purpose or in a specified manner.

D. Right to Compensation

A data subject, who has suffered damage by reason of a contravention by a data controller of any requirement of the DPA, has a valid cause of action for compensation from the data controller for that damage.

VI. Limitations

The provisions of the DPA do not prevent the disclosure of personal data if such disclosure is required by any other law, court order or legal proceedings. Furthermore, the processing of personal data is allowed where it is necessary for the purpose of establishing, exercising, or defending legal rights.

VII. Regulatory Authority

The office of the Ombudsman has exclusive supervisory authority to enforce the provisions of the DPA. Its functions include, but are not limited to:

  1. Registering, hearing, investigating, and issuing rulings on complaints submitted by data subjects;
  2. Monitoring, investigating, and reporting on compliance by data controllers with respect to the standards established by the DPA;
  3. Intervening and delivering opinions and orders related to processing operations;
  4. Issuing orders for the rectification, blocking, erasure, or destruction of data;
  5. Imposing temporary and permanent bans on the processing of personal data;
  6. Recommending reforms that may be general or targeted towards specific data controllers;
  7. Engaging in legal proceedings regarding violations of the DPA, and referring violations to the authorities, as appropriate;
  8. Co-operating with other supervisory authorities to perform the functions of the DPA; and
  9. Creating awareness by publicizing and promoting the requirements of the DPA, the rights of data subjects, and the duties of data controllers.

VIII. Penalties for Non-Compliance

A. Failure to Comply with Information Orders

Failure to comply with an information order issued by the Ombudsman can result in a fine of $100,000 and imprisonment for a term of five years for any of the following:

  1. Refusing or, without reasonable excuse, failing to supply information required by the Ombudsman.
  2. Intentionally altering, suppressing, or destroying information required to be produced to the Ombudsman.
  3. Providing false or misleading information to the Ombudsman.

B. Failure to Comply with Orders

Failure to comply with an information requirement, enforcement order, or monetary penalty order under the DPA is punishable by a fine of $100,000 and imprisonment for a term of five years.

C. Offences in Respect of Warrants

A person convicted of an offence in respect of a warrant is liable:

  1. On summary conviction, to a fine of $20,000; or
  2. On conviction on indictment, to a fine of $100,000 or imprisonment for a term of four years, or both.

The offences related to the execution of warrants issued by a judge include:

  1. Obstructing a person in the execution of a warrant.
  2. Failing, without reasonable excuse, to provide reasonable assistance to a person executing a warrant.
  3. Making a statement in response to a requirement under the Act that the person knows is false in a material respect.
  4. Recklessly making a statement in response to such a requirement that is false in a material respect.

D. Unlawful Obtaining, Disclosing, and Selling of Personal Data

Offences relating to the unlawful handling of personal data are punishable by a fine of $100,000. These include, knowingly or recklessly and without the data controller's consent:

  1. obtaining or disclosing personal data; or
  2. procuring the disclosure of personal data to another person.

E. Monetary Penalty Orders

The Ombudsman has the authority to issue monetary penalty orders (not exceeding $250,000) for serious contraventions of the DPA, provided the contravention was likely to cause substantial damage or distress to a data subject.

F. General Provisions Relating to Offences

The DPA also contains general provisions on offences, under which a person convicted is liable:

  1. On summary conviction, to a fine of $10,000; or
  2. On conviction on indictment, to a fine of $20,000.

These fines are in addition to any monetary penalty imposed by the Ombudsman.

IX. How Can Organizations Operationalize the DPA

Organizations can operationalize the DPA through the following actions:

  1. Having data processing agreements in place for all data processors.
  2. Notifying data subjects when making decisions that affect them based solely on automatic means.
  3. When planning to use personal data for a new purpose, organizations should check its compatibility with their original purpose or obtain specific consent from the data subjects for the new purpose.
  4. Defining clear policies that specify the duration in which each type of personal data that is being processed should be retained.
  5. Clearly identifying any personal data that needs to be kept for public interest archiving, scientific or historical research, or statistical purposes.
  6. Establishing safeguards to regulate the cross-border transfer of personal data.
  7. Developing a robust framework for receiving and processing data requests and complaints from consumers.

X. How Securiti Can Help

Navigating ever-evolving privacy requirements can be complex, particularly when it comes to cross-border data transfers. Fortunately, Securiti’s suite of automation modules offers a comprehensive solution for organizations seeking to ensure compliance with the Cayman Islands’ Data Protection Act.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Request a demo to learn more.
