{"kind":"expression","expression":{"expr_id":"464","doc_id":"464","label":"2021 Revision","is_as_enacted":"f","commenced_on":"2021-04-30","superseded_on":null,"valid_from":"2021-04-30","valid_to":null,"is_current":"t","incorporating":"[\"LAW 33\/2017 Data Protection Act, 2017 - 30-Sep-2019 - G12\/2017\/s1\", \"SL 16\/2019 Data Protection Act 2017 (Commencement) Order, 2019 - 2-Sep-2019 -LG9\/2019\/s1\", \"LAW 56\/2020 Citation of Parliament Act, 2020 - 3-Dec-2020 - LG89\/2020\/s1\"]","akn_expr_iri":"\/akn\/ky\/act\/2017\/33\/eng@2021-04-30","akn_envelope":"{\"_canary\": {\"iri\": {\"work\": \"\/akn\/ky\/act\/2017\/33\", \"expression\": \"\/akn\/ky\/act\/2017\/33\/eng@2021-04-30\", \"manifestation\": \"\/akn\/ky\/act\/2017\/33\/eng@2021-04-30.pdf\"}, \"pdf\": {\"md5\": \"54a477d13c0e40d48067f510dd4bc8a5\", \"path\": \"\/Users\/q\/kyleg-data\/working\/PRINCIPAL\/2017\/2017-0033\/2017-0033_2021 Revision.pdf\", \"pages\": 56, \"filename\": \"2017-0033_2021 Revision.pdf\"}, \"errors\": [], \"extraction\": {\"model\": null, \"stats\": {\"word_count\": 15081, \"paragraph_count\": 62, \"text_char_count\": 95982}, \"usage\": null, \"method\": \"pymupdf-text\", \"version\": \"kyleg-akn-1.0\", \"extracted_at\": \"2026-06-22\"}, \"classification\": \"text_layer\", \"validation_flags\": [], \"docai_processor_id\": null}, \"akomaNtoso\": {\"act\": {\"body\": [{\"eId\": \"sec_n1\", \"num\": null, \"text\": \"SCHEDULE 1 THE DATA PROTECTION PRINCIPLES AND THEIR INTERPRETATION SCHEDULE 2 FIRST PRINCIPLE - CONDITIONS FOR PROCESSING OF PERSONAL DATA SCHEDULE 3 FIRST PRINCIPLE - CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA SCHEDULE 4 TRANSFERS TO WHICH EIGHTH PRINCIPLE DOES NOT APPLY SCHEDULE 5 CONDITIONS OF CONSENT ENDNOTES Data Protection Act (2021 Revision) (2021 Revision) PART 1 - INTERPRETATION, PRINCIPLES, APPLICATION, OBLIGATIONS AND OFFICE\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_1\", \"num\": \"1.\", \"text\": \"Short title and commencement 1. 
This Act may be cited as the Data Protection Act (2021 Revision).\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_2\", \"num\": \"2.\", \"text\": \"Interpretation 2. In this Act \u2014 \u201cbusiness\u201d includes any trade or profession; \u201cOmbudsman\u201d means the Ombudsman appointed under section 3 of the Ombudsman Act (2021 Revision); \u201cconsent\u201d in relation to a data subject means any freely given, specific, informed and unambiguous indication of the data subject\u2019s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the said data subject; \u201cdata controller\u201d means the person who, alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be, processed and includes a local representative referred to in section 6(2); \u201cdata processor\u201d means any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller; \u201cdata protection principles\u201d has the meaning referred to in section 5; \u201cdata subject\u201d means \u2014 (a) an identified living individual; or (b) a living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person; \u201cenforcement order\u201d means an order under section 45; \u201chealth professional\u201d means an individual registered to practise under any of the professions specified in the Health Practice Act (2021 Revision) or any other Law relating to health; \u201chealth record\u201d means a record that \u2014 (a) consists of information relating to the physical health, mental health or condition of a data subject; and (b) has been made by or on behalf of a health professional in connection with the care of that data subject; 
\u201cinaccurate\u201d, in relation to personal data, includes data that are misleading, incomplete or out of date; \u201cnon-disclosure provisions\u201d means the following provisions to the extent that they are inconsistent with the disclosure in question \u2014 (a) the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3; (b) the second and third data protection principles; and (c) sections 10 and 14; \u201cperson\u201d includes any corporation, either aggregate or sole, and any club, society, association, public authority or other body, of one or more persons; \u201cpersonal data\u201d means data relating to a living individual who can be identified and includes data such as \u2014 (a) the living individual\u2019s location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual; (b) an expression of opinion about the living individual; or (c) any indication of the intentions of the data controller or any other person in respect of the living individual; \u201cpersonal data breach\u201d means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or, access to, personal data transmitted, stored or otherwise processed; \u201cprocessing\u201d, in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on personal data, including \u2014 (a) organising, adapting or altering the personal data; (b) retrieving, consulting or using the personal data; (c) disclosing the personal data by transmission, dissemination or otherwise making it available; or (d) aligning, combining, blocking, erasing or destroying the personal data; \u201cpublic authority\u201d means \u2014 (a) a ministry, portfolio or department; (b) a statutory body or 
authority, whether incorporated or not; (c) a company which \u2014 (i) is wholly owned by the Government or in which the Government has a direct or indirect controlling interest; or (ii) is specified in an Order made by the Cabinet; and (d) any other body or organisation specified by the Cabinet by Order as a public authority on account of providing services of a public nature which are essential to the welfare of Caymanian society; \u201cpublic register\u201d means any register that, pursuant to a requirement imposed by Law or in pursuance of an international agreement, is open to public inspection or open to inspection by any person having a legitimate interest in the subject matter of the register; \u201cpublish\u201d, in relation to journalistic, literary or artistic material, means to make available to the public or any section of the public; \u201crecipient\u201d, in relation to personal data, includes a person to whom the data are disclosed, as well as any person (such as an employee or agent of the relevant data controller, a relevant data processor, or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include a person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law; \u201cregistered company\u201d means a company within the meaning of section 2 of the Companies Act (2021 Revision); \u201cregulations\u201d means regulations made under this Act; \u201csensitive personal data\u201d has the meaning assigned in section 3; \u201cspecial purposes\u201d has the meaning assigned in section 4; \u201cstaff\u201d, in relation to the Ombudsman, includes any individual employed in the office of the Ombudsman; \u201csubject information provisions\u201d means \u2014 (a) the first data protection principle to the extent 
to which it requires compliance with paragraph 2 of Part 2 of Schedule 1; and (b) section 8; and \u201cthird party\u201d, in relation to personal data, means any person other than \u2014 (a) the data subject; (b) the data controller; or (c) any data processor or other person authorised to process data for the data controller or data processor.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_3\", \"num\": \"3.\", \"text\": \"Sensitive personal data 3. In this Act, \u201csensitive personal data\u201d means, in relation to a data subject, personal data consisting of \u2014 (a) the racial or ethnic origin of the data subject; (b) the political opinions of the data subject; (c) the data subject\u2019s religious beliefs or other beliefs of a similar nature; (d) whether the data subject is a member of a trade union; (e) genetic data of the data subject; (f) the data subject\u2019s physical or mental health or condition; (g) medical data; (h) the data subject\u2019s sex life; (i) the data subject\u2019s commission, or alleged commission, of an offence; or (j) any proceedings for any offence committed, or alleged to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_4\", \"num\": \"4.\", \"text\": \"Special purposes 4. In this Act, \u201cspecial purposes\u201d means any one or more of the following \u2014 (a) the purposes of journalism; (b) artistic purposes; and (c) literary purposes.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_5\", \"num\": \"5.\", \"text\": \"The data protection principles: content, consent and duty to comply 5. (1) References in this Act to the data protection principles are to the principles set out in Part 1 of Schedule 1. (2) The data protection principles shall be interpreted in accordance with Part 2 of Schedule 1. 
(3) Schedules 2 and 3 set out conditions that apply for the purposes of the first principle and Schedule 4 sets out transfers to which the eighth principle does not apply. (4) Subject to section 17, a data controller shall comply with the data protection principles that relate to the personal data that the data controller processes, and shall ensure that the data protection principles are complied with in relation to the personal data that are processed on the data controller\u2019s behalf. (5) In determining consent under this Act, the provisions of Schedule 5 shall apply.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_6\", \"num\": \"6.\", \"text\": \"Application of Act; duty to nominate a Cayman Islands representative 6. (1) This Act applies to a data controller in respect of any personal data only if \u2014 (a) the data controller is established in the Islands and the personal data are processed in the context of that establishment; or (b) the data controller is not established in the Islands but the personal data are processed in the Islands otherwise than for the purposes of transit of the data through the Islands. (2) A data controller referred to in subsection (1)(b) shall nominate, for the purposes of this Act, a local representative established in the Islands who shall, for all purposes within the Islands, be the data controller and, without limiting the generality of this provision, bear all obligations under this Act as if the representative were the data controller. 
(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in the Islands \u2014 (a) an individual who is ordinarily resident in the Islands; (b) a body incorporated or registered as a foreign company under the law of the Islands; (c) a partnership or other unincorporated association formed under the law of the Islands; or (d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the Islands \u2014 (i) an office, branch or agency through which the person carries on any activity; or (ii) a regular practice.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_7\", \"num\": \"7.\", \"text\": \"Ombudsman 7. The provisions of the Freedom of Information Act (2021 Revision) relating to the office of the Ombudsman shall have effect with respect to the Ombudsman referred to in this Act. PART 2 - RIGHTS AND RESPONSIBILITIES OF DATA SUBJECTS AND OTHERS\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_8\", \"num\": \"8.\", \"text\": \"Fundamental rights of access to personal data 8. 
(1) A person is entitled to be informed by a data controller whether the personal data of which the person is the data subject are being processed by or on behalf of that data controller, and, if that is the case, to be given by that data controller a description of \u2014 (a) the data subject\u2019s personal data; (b) the purposes for which they are being or are to be processed by or on behalf of that data controller; (c) the recipients or classes of recipients to whom the data are or may be disclosed by or on behalf of that data controller; (d) any countries or territories outside the Islands to which the data controller, whether directly or indirectly, transfers, intends to transfer or wishes to transfer the data; (e) general measures to be taken for the purpose of complying with the seventh data protection principle; and (f) such other information as the Ombudsman may require the data controller to provide. (2) A data subject is entitled to communication in an intelligible form, by the relevant data controller, of \u2014 (a) the data subject\u2019s personal data; and (b) any information available to the relevant data controller as to the source of those personal data. (3) If the processing by automatic means of the data subject\u2019s personal data for the purpose of evaluating matters relating to the data subject, including the data subject\u2019s performance at work, creditworthiness, reliability or conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting the data subject, the data subject is entitled to be informed by the relevant data controller of the reasons for that decision. (4) A data controller shall not be obliged under subsection (1), (2) or (3) to supply any personal data unless the data controller has received \u2014 (a) a request in writing; and (b) the fee that the data controller may require, such fee, being within the limits prescribed by regulations. 
(5) If a data controller reasonably requires further information in order to be satisfied as to the identity of the data subject making the request or to locate the information that the data subject seeks, and has informed the data subject in writing of the requirement, the data controller is not obliged to comply with the request unless supplied with that information, during which period the time specified in subsection (6) shall automatically stand suspended. (6) A data controller shall comply with a request under this section within thirty days (or such other period as may be prescribed by regulations) of the date on which the data controller receives both the request and fee referred to in subsection (4), but where the data controller has requested further information under subsection (5), the period shall not resume until the information has been supplied. (7) If a data controller cannot comply with the request without disclosing personal data relating to another data subject who can be identified from that personal data, the data controller is not obliged to comply with the request unless \u2014 (a) the other data subject has consented to the disclosure of the personal data to the person making the request; or (b) it is reasonable in all the circumstances to comply with the request without the consent of the other data subject. (8) In subsection (7), the reference to personal data relating to another data subject includes a reference to personal data identifying that other data subject as the source of the personal data sought in the request. (9) Subsection (7) shall not be construed as excusing a data controller from communicating so much of the personal data sought in the request as can be communicated without disclosing the identity of the other data subject concerned, whether by the omission of names or other identifying particulars or otherwise. 
(10) In determining for the purposes of subsection (7)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other data subject concerned, the data controller shall have regard to, in particular \u2014 (a) any duty of confidentiality owed to the other data subject; (b) any steps taken by the data controller to seek the consent of the other data subject; (c) whether the other data subject is capable of giving consent; and (d) any express refusal of consent by the other data subject. (11) If the Ombudsman is satisfied on the application of a data subject who has made a request under this section that a data controller has contravened this section in failing to comply with the request, the Ombudsman shall issue an enforcement order under section 45 ordering the data controller to comply with the request. (12) If personal data are being processed by or on behalf of a data controller who receives a request under this section from the data subject, the obligation to supply the personal data under this section includes an obligation to give the data subject a statement of the data subject\u2019s rights under this Act in such form, and to such extent, as may be prescribed by regulations.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_9\", \"num\": \"9.\", \"text\": \"Treatment of requests under section 8 9. (1) The obligation imposed by section 8(2)(a) shall be complied with by supplying the data subject with a copy of the personal data in the format requested unless \u2014 (a) the supply of such a copy is not possible or would involve disproportionate effort; or (b) the data subject agrees otherwise. (2) If any of the personal data referred to in section 8(2)(a) are expressed in terms that are not intelligible without explanation the copy shall be accompanied by an adequate explanation. 
(3) If a data controller has previously complied with a request under section 8 by the data subject referred to therein, the data controller is not obliged to comply with a subsequent identical or similar request under that section by the data subject unless the interval between compliance with the previous request and the making of the current request is reasonable. (4) In determining whether the interval referred to in subsection (3) is reasonable, regard shall be had to the nature of the personal data, the purpose for which the personal data are processed and the frequency with which the personal data are altered. (5) Section 8(3) shall not be regarded as requiring the provision of information as to the logic of any decision-making where the information constitutes a trade secret. (6) Personal data and other information supplied under section 8 shall be supplied by reference to the data in question at the time when the request for the personal data is received, except that account may be taken of any amendment or deletion made between that time and the time when the information is supplied, the amendment or deletion being such that would have been made regardless of the receipt of the request.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_10\", \"num\": \"10.\", \"text\": \"Right to stop processing 10. (1) A data subject is entitled at any time, by notice in writing to a data controller, to require the data controller to cease processing, or not to begin processing, or to cease processing for a specified purpose or in a specified manner, the data subject\u2019s personal data. 
(2) The data controller shall, as soon as practicable, but in any case within twenty-one days of receiving a notice under subsection (1), comply with that notice unless \u2014 (a) the processing is necessary for the performance of a contract to which the data subject is a party or the taking of steps at the request of the data subject with a view to entering into a contract; (b) the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; (c) the processing is necessary in order to protect the vital interests of the data subject; or (d) the processing is necessary in such other circumstances as may be prescribed by regulations, and the data controller shall state to the data subject the reasons for the noncompliance with the notice. (3) If, on the application of a data subject who has given notice under subsection (1), the Ombudsman is satisfied that the data controller in question has failed to comply with the notice, the Ombudsman may issue an enforcement order under section 45. (4) The failure by a data subject to exercise the right conferred by subsection (1) does not affect any other right conferred on the data subject by this Act.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_11\", \"num\": \"11.\", \"text\": \"Right to stop processing for direct marketing 11. (1) In this section, \u201cdirect marketing\u201d means the communication, by whatever means, of any advertising, marketing, promotional or similar material, that is directed to particular individuals. (2) A data subject is entitled at any time, by notice in writing to a data controller, to require the data controller at the end of such period as is reasonable in the circumstances, to cease, or not to begin, processing for the purposes of direct marketing personal data relating to the data subject. 
(3) If, on the application of a data subject who has given notice under subsection (1), the Ombudsman is satisfied that the data controller in question has failed to comply with the notice, the Ombudsman may issue an enforcement order under section 45. (4) The failure by a data subject to exercise the right conferred by subsection (2) does not affect any other right conferred on the data subject by this Act.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_12\", \"num\": \"12.\", \"text\": \"Rights in relation to automated decision-making 12. (1) A data subject is entitled at any time, by notice in writing to a data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller that significantly affects the data subject is based solely on the processing by automatic means of the data subject\u2019s personal data for the purpose of evaluating the data subject\u2019s performance at work, creditworthiness, reliability, conduct or any other matters relating to the data subject. (2) If no notice has been given under subsection (1) and a decision that significantly affects a data subject is based solely on processing specified in that subsection \u2014 (a) the data controller shall as soon as reasonably practicable notify the data subject that the decision was taken on that basis; and (b) the data subject is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing, to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis. (3) The data controller shall, within twenty-one days of receiving a notice under subsection (2)(b), give the data subject a written notice specifying the steps that the data controller intends to take to comply with the notice. 
(4) A notice under subsection (1) does not have effect in relation to, and nothing in subsection (2) applies to, a decision \u2014 (a) in respect of which one condition in each of subsections (5) and (6) is satisfied; or (b) that is made in such other circumstances as may be prescribed by regulations. (5) The first condition is that the decision \u2014 (a) is taken in the course of steps taken \u2014 (i) for the purpose of considering whether to enter into a contract with the data subject; (ii) with a view to entering into such a contract; or (iii) in the course of performing such a contract; or (b) is authorised or required by or under any enactment. (6) The second condition is that \u2014 (a) the effect of the decision is to grant a request of the data subject; or (b) steps have been taken to safeguard the legitimate interests of the data subject including by allowing the data subject to make representations. (7) If the Ombudsman is satisfied on the application of a data subject that a person taking a decision in respect of the data subject has failed to comply with a notice under subsection (1) or (2)(b), the Ombudsman may, among other things, issue an enforcement order directing the data controller to reconsider the decision where that decision is not based solely on the processing mentioned in subsection (1).\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_13\", \"num\": \"13.\", \"text\": \"Compensation for failure to comply 13. A person who suffers damage by reason of a contravention by a data controller of any requirement of this Act has a cause of action for compensation from the data controller for that damage.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_14\", \"num\": \"14.\", \"text\": \"Rectification, blocking, erasure or destruction 14. 
(1) If the Ombudsman is satisfied on a complaint made under section 43 that personal data are inaccurate, the Ombudsman may order the data controller to rectify, block, erase or destroy \u2014 (a) those data; and (b) any other personal data in respect of which the person is the data controller and that contain an expression of opinion that appears to the Ombudsman to be based on the inaccurate data. (2) Subsection (1) applies whether or not the personal data accurately record information received or obtained by the data controller from the data subject or a third party, but, if the data accurately record such information, then the Ombudsman may instead of making an order under subsection (1) \u2014 (a) make an order requiring the personal data to be supplemented by a statement of the facts relating to the matters dealt with by the data as the Ombudsman may approve; (b) make such order as the Ombudsman thinks fit to ensure the accuracy of the data, having regard to the purpose or purposes for which the data were obtained and further processed, with or without a further order requiring the data to be supplemented by a statement of the facts relating to the matters dealt with by the data as the Ombudsman may approve; or (c) make an order requiring the data controller to ensure that the data indicate that, in the data subject\u2019s view, the data are inaccurate. (3) If the Ombudsman \u2014 (a) makes an order under subsection (1); or (b) is satisfied on a complaint made under section 43 that personal data that have been rectified, blocked, erased or destroyed were inaccurate, the Ombudsman may, if it is considered reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction. 
PART 3 - RESTRICTED PROCESSING AND PERSONAL DATA BREACHES\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_15\", \"num\": \"15.\", \"text\": \"Preliminary determination by Ombudsman as to restricted processing 15. The Cabinet may, after consultation with the Ombudsman and such other persons that the Cabinet may consider appropriate, make regulations prescribing the types of processing that require the prior approval of the Ombudsman, being processing that is considered particularly likely to \u2014 (a) cause substantial damage or substantial distress to data subjects; or (b) otherwise significantly prejudice the rights and freedoms of data subjects.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_16\", \"num\": \"16.\", \"text\": \"Personal data breaches 16. (1) In the case of a personal data breach, the data controller shall, without undue delay, but no longer than five days after the data controller should, with the exercise of reasonable diligence, have been aware of that breach, notify the data subject of the data in question and the Ombudsman of that personal data breach, describing \u2014 (a) the nature of the breach; (b) the consequences of the breach; (c) the measures proposed or taken by the data controller to address the breach; and (d) the measures recommended by the data controller to the data subject of the personal data in question to mitigate the possible adverse effects of the breach. (2) A data controller who contravenes subsection (1) commits an offence and is liable on conviction to a fine of one hundred thousand dollars. PART 4 - EXEMPTIONS\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_17\", \"num\": \"17.\", \"text\": \"Effect of this Part 17. Except as provided by this Part, the subject information provisions shall have effect notwithstanding any law prohibiting or restricting the disclosure, or authorising the withholding, of information. 
\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_18\", \"num\": \"18.\", \"text\": \"National security 18. (1) Personal data are exempt from any of the provisions of \u2014 (a) the data protection principles; and (b) Parts 2, 3 and 6, if the exemption from any or all of the provisions is required for the purpose of safeguarding national security. (2) The Governor may, for the purpose mentioned in subsection (1), issue a certificate with respect to any personal data exempting that data from all or any of the provisions referred to in that subsection and that certificate shall be sufficient evidence of that fact. (3) In the exercise of the discretion to issue a certificate under subsection (2), the Governor may consult with the National Security Council. (4) The certificate issued under subsection (2) shall identify the personal data to which it applies. (5) If in any consideration of a matter by the Ombudsman it is claimed by a data controller that a certificate under this section applies to any personal data, any party, that is, the Governor, the data controller or the data subject, may make an application to the Ombudsman contending that the certificate does not apply to the personal data with respect to which the complaint is made. (6) Notwithstanding subsection (5), unless the Ombudsman makes a determination under subsection (7), the certificate shall be conclusively presumed so to apply. (7) On an application under subsection (5), the Ombudsman may determine that the certificate does not apply to the personal data with respect to which the complaint is made. (8) A document purporting to be a certificate under this section and signed by the Governor shall be received in evidence and taken to be such a certificate unless the contrary is proved.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_19\", \"num\": \"19.\", \"text\": \"Crime, government fees and duties 19. 
(1) Personal data processed for any of the following purposes \u2014 (a) the prevention, detection or investigation of crime; (b) the apprehension or prosecution of persons who are suspected to have committed an offence anywhere; or (c) the assessment or collection of any fees or duty, or of any imposition of a similar nature, in the Islands, are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3), the non-disclosure provisions and section 8, to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters referred to in paragraphs (a) to (c). (2) Personal data that \u2014 (a) are processed for the purpose of discharging functions under any Law; and (b) consist of information obtained for such a purpose from a person who had possession of it for any of the purposes referred to in subsections (1)(a) to (c), are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes referred to in subsections (1)(a) to (c).\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_20\", \"num\": \"20.\", \"text\": \"Health, education or social work 20. (1) The Cabinet may, by regulations, exempt from the subject information provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health or condition of the data subject. (2) The Cabinet may, by regulations, exempt from the subject information provisions, or modify those provisions, in relation to personal data in respect of which the data controller is the proprietor, governor, governing body, director or manager of, or a principal or teacher at a school, and the personal data consist of information relating to persons who are or have been pupils at the school. 
(3) The Cabinet may, by regulations, exempt from the subject information provisions, (or modify those provisions in relation to,) personal data of such other descriptions as may be specified in the regulations, being information \u2014 (a) processed by a public authority; and (b) appearing to the Cabinet to be processed in the course of, or for the purposes of, carrying out social work in relation to the data subject or other individuals, to the extent that the Cabinet consider that the application to the data of those provisions, (or of those provisions without modification), would be likely to prejudice the carrying out of social work.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_21\", \"num\": \"21.\", \"text\": \"Monitoring, inspection or regulatory function 21. (1) Personal data which are processed for the purposes of any monitoring, inspection or regulatory function connected with the exercise of a public function in cases of \u2014 (a) public safety; (b) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions; or (c) an important economic or financial interest of the Islands, including \u2014 (i) compliance with international tax treaties or international cooperation purposes; (ii) any monitoring, inspection or regulatory function exercised by official authorities (including regulation of the financial services industry); and (iii) any monetary, budgetary and taxation purposes in the Islands, are exempt from the subject information provisions to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of the function. 
(2) Subsection (1) applies to \u2014 (a) a public function conferred on any person by or under any Law or regulations; (b) a function of the Crown, the Governor in Cabinet or a public authority; or (c) any other function of a public nature.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_22\", \"num\": \"22.\", \"text\": \"Journalism, literature or art 22. (1) Personal data which are processed only for the special purposes are exempt from any provision to which this section relates if \u2014 (a) the processing is undertaken with a view to the publication by a person of any journalistic, literary or artistic material; (b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest; and (c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes. (2) This section relates to the following provisions \u2014 (a) the data protection principles except the seventh data protection principle; and (b) section 10. (3) In considering, for the purposes of subsection (1)(b), whether the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to the data controller\u2019s compliance with any code of practice that is relevant to the publication in question.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_23\", \"num\": \"23.\", \"text\": \"Research, history or statistics 23. 
(1) In this section, \u201crelevant conditions\u201d means \u2014 (a) the condition that the personal data are not processed to support a measure or decision with respect to a particular data subject; and (b) the condition that the personal data are not processed in such a way that substantial damage or substantial distress is likely to be caused to any data subject. (2) Personal data processed for statistical purposes or for the purposes of historical or scientific research in compliance with the relevant conditions are exempt from the first data protection principle to the extent to which it requires compliance with paragraph 2(b) of Part 2 of Schedule 1. (3) Subsection (2) applies if \u2014 (a) the provision of such information proves impossible or would involve a disproportionate effort; or (b) processing is required by or under an enactment. (4) For the purposes of the second data protection principle, the further processing of personal data for the purpose of research, history or statistics in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which they were obtained. (5) Personal data processed solely for the purposes of scientific research or kept in a form that identifies a data subject for a period which does not exceed the period necessary for the sole purpose of creating statistics are exempt from section 8. (6) Subsection (5) applies if \u2014 (a) the data are processed in compliance with the relevant conditions; (b) there is no risk of breaching the rights and freedoms of the data subject; and (c) the results of the research or any resulting statistics are not made available in a form that identifies one or more of the data subjects. 
(7) Personal data processed for historical, statistical or scientific purposes in compliance with the relevant conditions are exempt from the fifth data protection principle to the extent to which compliance would be likely to prejudice those purposes.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_24\", \"num\": \"24.\", \"text\": \"Information available to public by or under enactments 24. Personal data are exempt from \u2014 (a) the subject information provisions; (b) the fourth data protection principle and section 14(1) to (3); and (c) the non-disclosure provisions, if the data consist of information that the data controller is obliged by or under any enactment to make available to the public, including by inspection, gratuitously or on payment of a fee.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_25\", \"num\": \"25.\", \"text\": \"Disclosures required by law or made in connection with legal proceedings 25. (1) Personal data are exempt from the non-disclosure provisions if the disclosure is required by or under any enactment, by any law or by the order of a court. (2) Personal data are exempt from the non-disclosure provisions if their disclosure is necessary \u2014 (a) for the purpose of, in connection with, or in contemplation of, any quasi-judicial or legal proceedings; (b) for the purpose of obtaining legal advice; or (c) otherwise for the purposes of establishing, exercising or defending a legal right.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_26\", \"num\": \"26.\", \"text\": \"Personal, family or household affairs 26. Personal data processed by an individual only for the purposes of that individual\u2019s personal, family or household affairs are exempt from the data protection principles and Parts 2 and 3.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_27\", \"num\": \"27.\", \"text\": \"Honours 27. 
Personal data are exempt from the subject information provisions if processed for the purposes of the conferring by the Crown or the Premier of any honour or dignity.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_28\", \"num\": \"28.\", \"text\": \"Corporate finance 28. (1) If personal data are processed for the purposes of, or in connection with, a corporate finance service provided by a relevant person \u2014 (a) the data are exempt from the subject information provisions to the extent to which either \u2014 (i) the application of those provisions to the data could affect the price of any instrument already in existence or that is to be or may be created; or (ii) the data controller reasonably believes that the application of those provisions to the data could affect the price of any such instrument; and (b) to the extent that the data are not exempt from the subject information provisions by virtue of paragraph (a), they are exempt from those provisions if the exemption is required for the purpose of safeguarding an important economic or financial interest of the Islands. (2) For the purposes of subsection (1)(b) the Cabinet may by regulations specify \u2014 (a) matters to be taken into account in determining whether exemption from the subject information provisions is required for the purpose of safeguarding an important economic or financial interest of the Islands; or (b) circumstances in which exemption from those provisions is, or is not, to be taken to be required for that purpose. 
(3) In this section \u2014 \u201ccorporate finance service\u201d means a service consisting of \u2014 (a) underwriting in respect of issues of, or the placing of issues of, any instrument; (b) advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings; or (c) services relating to such underwriting as mentioned in paragraph (a); \u201cinstrument\u201d means an instrument representing investment within the meaning of any Law in the Islands; \u201cprice\u201d includes value; \u201crelevant person\u201d means \u2014 (a) a registered person within the meaning of any Law providing for investment business or a person who is exempted by the respective Law from the obligation to be registered in respect of an investment business; (b) a person who is an authorised person under any Law providing for investment business, or is an exempt person under that Law, in respect of the investment business; (c) a person who may be prescribed by regulations for the purposes of this section; (d) a person who, in the course of the person\u2019s employment, provides to the employer a service falling within paragraph (b) or (c) of the definition of \u201ccorporate finance service\u201d; or (e) a partner who provides to other partners in a partnership a service falling within the provisions of either paragraph (b) or (c) of the definition of \u201ccorporate finance service\u201d.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_29\", \"num\": \"29.\", \"text\": \"Negotiations 29. 
Personal data which consist of records of the intentions of the data controller in relation to any negotiations with the data subject are exempt from the subject information provisions in any case to the extent to which the application of those provisions would be likely to prejudice those negotiations.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_30\", \"num\": \"30.\", \"text\": \"Legal professional privilege and trusts 30. Personal data are exempt from the subject information provisions if the data consist of information \u2014 (a) in respect of which legal professional privilege applies; (b) in relation to \u2014 (i) any structure or arrangement that is an ordinary trust; (ii) any structure or arrangement that is a trust established pursuant to the Trusts Act (2021 Revision); or (iii) any will made pursuant to the Wills Act (2021 Revision).\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_31\", \"num\": \"31.\", \"text\": \"Exemptions by regulations 31. (1) Subject to subsection (2), the Cabinet may, after consultation with the Ombudsman, by regulations \u2014 (a) exempt from subject information provisions personal data consisting of information, the disclosure of which is prohibited or restricted by or under any enactment; or (b) exempt from the non-disclosure provisions personal data consisting of information, the disclosure of which is made in circumstances specified in the regulations. (2) The Cabinet shall not grant an exemption under subsection (1) unless it considers the exemption to be necessary for the purpose of safeguarding the interests of data subjects or the rights and freedoms of any other individual. PART 5 - FUNCTIONS OF THE OMBUDSMAN\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_32\", \"num\": \"32.\", \"text\": \"Independence and powers 32. 
(1) The Ombudsman shall have all powers, direct and incidental, as are necessary or convenient to undertake the Ombudsman\u2019s functions as provided for under this Act and for purposes of this section, the word \u201cfunctions\u201d includes power, authority and duty. (2) In the exercise of the Ombudsman\u2019s functions under this Act, the Ombudsman shall be independent and shall not be subject to the direction or control of any other person or authority. (3) The Ombudsman may appoint such officers and employees as are necessary to enable the performance of the Ombudsman\u2019s functions under this Act. (4) The Ombudsman shall, from moneys appropriated by the Cayman Islands Parliament, meet operational expenses of the office and the provision of a reserve fund and, where there is any balance separate from the reserve fund, pay such balance into the general revenues of the Islands. (5) The Cabinet may, by regulations, provide for the operation of the reserve fund.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_33\", \"num\": \"33.\", \"text\": \"Ombudsman to be subject to Public Service Management Act 33. Except as otherwise stated in this Act or the Freedom of Information Act (2021 Revision), the Ombudsman shall be subject to the Public Service Management Act (2018 Revision).\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_34\", \"num\": \"34.\", \"text\": \"Functions of Ombudsman 34. 
The principal functions of the Ombudsman include \u2014 (a) to hear, investigate and rule on complaints made under this Act; (b) to monitor, investigate and report on the compliance by data controllers with their obligations under this Act; (c) to intervene and deliver opinions and orders related to processing operations; (d) to order the rectification, blocking, erasure or destruction of data; (e) to impose a temporary or permanent ban on processing; (f) to make recommendations for reform both of a general nature and directed at specific data controllers; (g) to engage in proceedings where the provisions of this Act have been violated, or refer these violations to the appropriate authorities; (h) to co-operate with other data protection supervisory authorities; (i) to publicise and promote the requirements of this Act and the rights of data subjects under it; and (j) to do anything which appears to the Ombudsman to be incidental or conducive to the carrying out of the Ombudsman\u2019s functions under this Act.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_35\", \"num\": \"35.\", \"text\": \"Documents signed by Ombudsman 35. A document that appears to have been signed by or on behalf of the Ombudsman shall be presumed to have been so signed and be admissible in any proceedings unless the contrary is shown.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_36\", \"num\": \"36.\", \"text\": \"Reports to Cayman Islands Parliament and budget 36. The Ombudsman shall, as soon as reasonably practicable after the end of each year, lay before the Cayman Islands Parliament \u2014 (a) a report of the operation of this Act during the year and may from time to time submit such other reports as the Ombudsman thinks appropriate; and (b) accounts audited in accordance with the Public Management and Finance Act (2020 Revision). 
\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_37\", \"num\": \"37.\", \"text\": \"International cooperation 37. (1) The Ombudsman is the designated authority in the Islands for the purposes of international cooperation related to data protection. (2) The Ombudsman shall also carry out any data protection functions (that is, functions relating to the protection of individuals with respect to the processing of personal information) that may be prescribed by regulations for the purpose of enabling the Islands to give effect to any of its international obligations.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_38\", \"num\": \"38.\", \"text\": \"Protection of Ombudsman 38. Neither the Ombudsman nor any member of staff of the Ombudsman\u2019s office shall be liable in damages for anything done or omitted in the discharge or purported discharge of their respective functions under this Act unless it is shown that the act or omission was negligent or in bad faith.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_39\", \"num\": \"39.\", \"text\": \"Defamation 39. (1) It is a defence to any proceedings in libel or slander that information supplied to the Ombudsman was communicated to the Ombudsman pursuant to this Act. (2) It is a defence to any proceedings in libel or slander that information communicated by a data controller to any person under this Act was communicated to the data controller in the first instance by a third person, unless the communication to or by the data controller was made maliciously.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_40\", \"num\": \"40.\", \"text\": \"Consultation of Ombudsman 40. 
A public authority that is drawing up administrative measures or rules relating to the protection of data subjects\u2019 rights and freedoms with regard to data processing shall consult the Ombudsman on the content of such measures or rules.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_41\", \"num\": \"41.\", \"text\": \"Promotion of this Act by Ombudsman 41. (1) The Ombudsman shall promote good practice and observance of this Act by data controllers. (2) The Ombudsman may arrange for the dissemination of information about the operation of this Act, about good practice, and about other matters within the scope of the Ombudsman\u2019s functions under this Act, and may give advice to any person as to any of those matters.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_42\", \"num\": \"42.\", \"text\": \"Codes of practice 42. (1) The Cabinet may, after consulting with the Ombudsman, make regulations for the preparation and dissemination of codes of practice which may be specific to a particular industry or processing operation. (2) Any guidance under subsection (3) shall describe the personal data or processing to which the code of practice shall relate, and may also describe the persons or classes of persons to whom it shall relate. (3) The Ombudsman shall also \u2014 (a) if the Ombudsman considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, codes of practice for guidance as to good practice; and (b) if a trade association submits a code of practice for the Ombudsman\u2019s consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to the Ombudsman to be appropriate, notify the trade association whether, in the Ombudsman\u2019s opinion, the code promotes good practice. 
(4) The Ombudsman may, with the consent of the relevant data controller, assess any processing of personal data for the adherence to good practice and shall inform the data controller of the results of the assessment. (5) The Ombudsman may charge such fees as may be considered fit for any services provided by the Ombudsman under this Act. (6) In this section \u2014 \u201cgood practice\u201d means such practice in the processing of personal data as appears to the Ombudsman to be desirable having regard to the interests of data subjects and others, and includes compliance with the requirements of this Act; and \u201ctrade association\u201d includes any body representing data controllers. (7) The Ombudsman shall also provide the Cabinet with a copy of any code of practice prepared under subsection (1), unless the code is included in any report provided to the Cabinet. (8) The Ombudsman shall cause to be laid a copy of a report, or of a code provided under subsection (7) before the Cayman Islands Parliament as soon as practicable after the Cabinet receives the report or a copy of the code. PART 6 - ENFORCEMENT\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_43\", \"num\": \"43.\", \"text\": \"Complaints 43. (1) A complaint may be made to the Ombudsman by or on behalf of any person about the processing of personal data that has not been or is not being carried out in compliance with the provisions of this Act or anything required to be done pursuant to this Act. (2) A person submitting a complaint on behalf of another under subsection (1) shall provide written authorisation from the aggrieved person. (3) On receiving a complaint referred to in subsection (1), or on the Ombudsman\u2019s own motion, the Ombudsman may conduct an investigation. 
(4) The matters to which the Ombudsman may have regard in determining whether or not to conduct an investigation referred to in subsection (1) include \u2014 (a) the extent to which the complaint appears to the Ombudsman to raise a matter of substance; (b) any undue delay in making the complaint; (c) whether a complaint is frivolous or vexatious; and (d) whether or not the person making the complaint is entitled to make a request under section 8 in respect of the personal data in question. (5) The Ombudsman may consult with the Information and Communications Technology Authority with regards to the enforcement functions under this Act where the matters before the Ombudsman relate to the operation of information and communications technology networks, the provision of related services or on the application of the seventh data protection principle. (6) The Information and Communications Technology Authority shall comply with any reasonable request made by the Ombudsman, in accordance with the Ombudsman\u2019s enforcement functions, for advice on technical and similar matters relating to the operation of information and communications technology networks, the provision of related services or on the application of the seventh data protection principle.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_44\", \"num\": \"44.\", \"text\": \"Information orders 44. (1) The Ombudsman may require any person to provide such information as the Ombudsman may reasonably consider appropriate for the purpose of carrying out the Ombudsman\u2019s functions under this Act including any information with respect to which an exemption is claimed. (2) A person who is required to provide information under this section shall provide it in such a manner, form and within such reasonable period as the Ombudsman may specify. (3) An information requirement under this section shall also contain particulars of the right to seek judicial review conferred by section 47. 
(4) A person who refuses or, without reasonable excuse, fails to supply information required under subsection (1) commits an offence and is liable on conviction to a fine of one hundred thousand dollars or to imprisonment for a term of five years, or both. (5) A person who intentionally alters, suppresses or destroys information that is required to be produced under subsection (1) commits an offence and is liable on conviction to a fine of one hundred thousand dollars or to imprisonment for a term of five years or both. (6) A person commits an offence if, in purported compliance with a requirement made under subsection (1), the person \u2014 (a) makes a false statement that the person knows to be false in a material respect; or (b) recklessly makes a statement that is false in a material respect, and is liable on conviction to a fine of one hundred thousand dollars or to imprisonment for a term of five years, or to both.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_45\", \"num\": \"45.\", \"text\": \"Enforcement orders 45. (1) If the Ombudsman is satisfied that there are reasonable grounds for believing that a data controller has contravened, is contravening or is likely to contravene any provision of this Act, the Ombudsman may, with a view to effecting the data controller\u2019s compliance with the provision, by way of an order served on the data controller, require that data controller to \u2014 (a) take specified steps within a specified time, or to refrain from taking specified steps after a specified time; (b) refrain from processing any personal data, or any personal data of a specified description; (c) refrain from processing data for a specified purpose or in a specified manner, after a specified time; or (d) do anything which appears to the Ombudsman to be incidental or conducive to the carrying out of the Ombudsman\u2019s functions under this Act. 
(2) An enforcement order shall include \u2014 (a) a statement of the provision which the Ombudsman is satisfied has been or is being contravened and the reasons for reaching that conclusion; and (b) particulars of the right to seek judicial review conferred by section 47. (3) If \u2014 (a) an order requires a data controller to rectify, block, erase or destroy any personal data; or (b) the Ombudsman is satisfied that personal data that have been rectified, blocked, erased or destroyed had been processed in contravention of any of the data protection principles, that order may, if it is reasonably practicable, require the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction. (4) The Ombudsman shall, in determining whether it is reasonably practicable to require an enforcement order under subsection (3), have regard in particular to the number of persons who would have to be notified.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_46\", \"num\": \"46.\", \"text\": \"Failure to comply with order 46. (1) Subject to sections 47 and 48, a person who fails to comply with an information requirement, enforcement order or monetary penalty order under this Act commits an offence and is liable on conviction to a fine of one hundred thousand dollars or to imprisonment for a term of five years, or both. (2) It is a defence for a person charged with an offence under subsection (1) to prove that all due diligence has been exercised to comply with the information requirement, enforcement order or monetary penalty order in question.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_47\", \"num\": \"47.\", \"text\": \"Right to seek judicial review 47. 
A person who has received an information requirement, enforcement order or monetary penalty order under this Act may, within forty-five days of receipt and upon notice to the Ombudsman, seek judicial review of the information requirement or the order in the Grand Court.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_48\", \"num\": \"48.\", \"text\": \"Ombudsman to certify 48. (1) Where the person concerned has not sought judicial review upon the expiry of the forty-five day period referred to in section 47, the Ombudsman may certify in writing to the court any failure to comply with an information requirement, enforcement order or monetary penalty order made under sections 44, 45 or 55 and the court may consider such failure under the rules relating to contempt of court. (2) The Rules Committee referred to in section 19 of the Grand Court Act (2015 Revision) may make rules providing for \u2014 (a) the effect on proceedings referred to in subsection (1) of a person obtaining leave to seek judicial proceedings out of the time referred to in section 47; and (b) any other matters relating to proceedings under this section.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_49\", \"num\": \"49.\", \"text\": \"Disclosure of information 49. (1) Except as provided in this Act, no enactment or law prohibiting or restricting the disclosure of information shall preclude a person from furnishing the Ombudsman with any information required for the discharge of the Ombudsman\u2019s functions under this Act. (2) Subsection (1) shall not be read so as to compel an individual to utter anything that tends to incriminate that individual.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_50\", \"num\": \"50.\", \"text\": \"Confidentiality of information 50. 
(1) A current or former Ombudsman, current or former member of the Ombudsman\u2019s staff, current or former agent of the Ombudsman, or current or former consultant to the Ombudsman, shall not knowingly or wilfully disclose any information which \u2014 (a) has been or was obtained by, or furnished to, the Ombudsman under or for the purposes of this Act or the Freedom of Information Act (2021 Revision); (b) relates to an identified or identifiable person; and (c) is not at the time of the disclosure, and has not previously been, available to the public from other sources, unless the disclosure is made with lawful authority. (2) For the purposes of subsection (1) a disclosure of information is made with lawful authority if \u2014 (a) the disclosure is made with the consent of the person to whom the information relates; (b) the information was provided for the purpose of it being made available to the public, in whatever manner, under any provision of this Act; (c) the disclosure is made for the purposes of the discharge of \u2014 (i) functions under this Act or the Freedom of Information Act (2021 Revision); or (ii) any retained-European Union obligation of the United Kingdom that has been extended to the Islands;[1] (d) the disclosure is made for the purposes of any proceedings, whether criminal or civil and whether arising under, or by virtue of, this Act or otherwise; or (e) having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest. (3) A person who knowingly or recklessly discloses information in contravention of subsection (1) commits an offence.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_51\", \"num\": \"51.\", \"text\": \"Entry and search of premises 51. 
(1) In this Part \u2014 \u201coccupier\u201d, in relation to premises, includes a person in charge of premises; \u201cpremises\u201d includes \u2014 (a) any ship, aircraft, vessel or other vehicle; and (b) any hovercraft or other floating or airborne contrivance, registered in the Islands. [Footnote 1: Note (not forming part of this Act): As of 31st December 2020, the United Kingdom (UK) ceased to be a Member of the European Union (EU). The UK-EU Withdrawal Agreement provides, in Article 3(1)(e), that the Cayman Islands falls within the territorial scope of the UK-EU Withdrawal Agreement. (see: https:\/\/eurlex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=OJ:C:2019:384I:FULL&from=EN)] (2) If a judge is satisfied by information on oath supplied by the Ombudsman that there are reasonable grounds for believing \u2014 (a) that a data controller has contravened, is contravening or is likely to contravene any of the data protection principles; or (b) that an offence under this Act has been or is being committed, and that there are reasonable grounds to believe that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information, the judge may grant a warrant to the Ombudsman. (3) A warrant granted under subsection (2) may authorise the Ombudsman or any of the Ombudsman\u2019s staff at any time \u2014 (a) to enter the premises and search them; (b) to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal data; and (c) to inspect, examine and seize any documents, equipment or other thing found there which may be evidence of the contravention of subsection (2).\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_52\", \"num\": \"52.\", \"text\": \"Warrant not exercisable 52. 
(1) The powers of inspection and seizure conferred by a warrant shall not be exercisable in respect of personal data that are exempt under section 18. (2) The powers of inspection and seizure conferred by a warrant shall not be exercisable in respect of information for which legal professional privilege is claimed; in the event of such a claim, the relevant material shall be sealed, held by a neutral party, and the party claiming privilege shall bring the matter before the Grand Court no later than five days following such claim, at which time the Grand Court shall determine the matter, and the costs of this procedure shall be in accordance with an order of the Grand Court.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_53\", \"num\": \"53.\", \"text\": \"Offences in respect of warrants 53. A person who \u2014 (a) obstructs a person in the execution of a warrant granted under this Act; (b) fails, without reasonable excuse, to give a person executing such a warrant such assistance as may be reasonably required for the execution of the warrant; (c) makes a statement in response to a requirement under this Act which the person knows to be false in a material respect; or (d) recklessly makes a statement in response to such a requirement which is false in a material respect, commits an offence and is liable \u2014 (i) on summary conviction, to a fine of twenty thousand dollars; or (ii) on conviction on indictment, to a fine of one hundred thousand dollars or a term of imprisonment of four years, or to both.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_54\", \"num\": \"54.\", \"text\": \"Unlawful obtaining etc. of personal data 54. (1) A person shall not, knowingly or recklessly, without the consent of the data controller \u2014 (a) obtain or disclose personal data; or (b) procure the disclosure to another person of the personal data. 
(2) Subsection (1) does not apply to a person who shows that the obtaining, disclosing or procuring \u2014 (a) was necessary for the purpose of preventing or detecting a crime; or (b) was required or authorised by or under any enactment, by any law or by the order of the Grand Court. (3) A person who contravenes subsection (1) commits an offence and is liable, upon conviction, to a fine of one hundred thousand dollars. (4) A person who sells personal data commits an offence if the person has obtained the data in contravention of subsection (1) and is liable, upon conviction, to a fine of one hundred thousand dollars. (5) A person who offers to sell personal data commits an offence if \u2014 (a) the person has obtained the data in contravention of subsection (1); or (b) the person subsequently obtains the data in contravention of that subsection. (6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_55\", \"num\": \"55.\", \"text\": \"Power of the Ombudsman to impose monetary penalty 55. (1) The Ombudsman may serve a data controller with a monetary penalty order if the Ombudsman is satisfied on a balance of probabilities that \u2014 (a) there has been a serious contravention of this Act by the data controller; and (b) the contravention was of a kind likely to cause substantial damage or substantial distress to the data subject. (2) A monetary penalty order is an order requiring the data controller to pay a monetary penalty of an amount determined by the Ombudsman and specified in the order. (3) The amount of the monetary penalty determined by the Ombudsman shall not exceed two hundred and fifty thousand dollars. (4) The monetary penalty order shall be paid into the general revenues of the Islands within the period specified in the order. 
(5) The Ombudsman, before serving a monetary penalty order, shall serve the data controller with a notice of intent that the Ombudsman proposes to serve a monetary penalty order. (6) A notice of intent shall state that the data controller may make written representations in relation to the Ombudsman\u2019s proposal within a period of twenty-one days and such other information as may be prescribed. (7) The Ombudsman may not serve a monetary penalty order until the period specified in subsection (6) has expired.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_56\", \"num\": \"56.\", \"text\": \"Guidance about monetary penalty orders 56. (1) The Ombudsman shall prepare and issue guidance, after consultation with Cabinet, on the exercise of the Ombudsman\u2019s functions under section 55. (2) The guidance shall, in particular, deal with \u2014 (a) the circumstances in which the Ombudsman would consider it appropriate to issue a monetary penalty order; and (b) how the Ombudsman will determine the amount of the penalty.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_57\", \"num\": \"57.\", \"text\": \"General provisions relating to offences 57. (1) A person who commits an offence under this Act is liable, except where this Act otherwise provides \u2014 (a) on summary conviction, to a fine of ten thousand dollars; or (b) on conviction on indictment, to a fine of twenty thousand dollars. (2) A fine ordered under this Act shall be in addition to any monetary penalty imposed by the Ombudsman under section 55. (3) The Grand Court by or before which a person is convicted of \u2014 (a) an offence under section 16 or 54; or (b) an offence under section 46 relating to an enforcement order, may order any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased. 
(4) The Grand Court shall not make an order under subsection (3) in relation to any material if a person, (other than the offender), claiming to be the owner of, or otherwise interested in, the material applies to be heard by the court, unless an opportunity is given to the person to show cause why the order should not be made.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_58\", \"num\": \"58.\", \"text\": \"Liability for offences 58. (1) Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to, any neglect on the part of \u2014 (a) any director, secretary or similar officer of the body corporate; or (b) any person who was purporting to act in any such capacity, the director, secretary, similar officer of the body corporate or any person purporting to act in any such capacity, as well as the body corporate, commit that offence and are liable to be proceeded against and punished accordingly. (2) Where the affairs of a body corporate are managed by its members, subsection (1) applies, in relation to the acts and defaults of a member in connection with the member\u2019s functions of management, as if the member were a director of the body corporate. PART 7 - GENERAL\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_59\", \"num\": \"59.\", \"text\": \"Act binds Crown 59. This Act binds the Crown.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_60\", \"num\": \"60.\", \"text\": \"Service of orders, etc. 60. (1) A notice required by this Act to be given to the Ombudsman shall not be regarded as given until it is in fact received by the Ombudsman. 
(2) A notice or other document which is required or authorised under this Act to be given to the Ombudsman may be given by electronic or other means on the condition that the Ombudsman is able to obtain or recreate the notice or document in intelligible form. (3) An order, notice, direction or other document required or authorised by or under this Act to be given to or served on any person other than the Ombudsman may be given or served \u2014 (a) by delivering it to the person; (b) by leaving it at the person\u2019s address; (c) by sending it by registered post to the person at the person\u2019s address; or (d) by sending it to the person by electronic or other means to the person\u2019s given facsimile number or electronic mail address or such other given address by which the order, notice, direction or document may be obtained or recreated in intelligible form. (4) Without limiting the generality of subsection (3), any such order, notice, direction or other document may be given to or served on a partnership, company incorporated outside the Islands or unincorporated association by being given to or served \u2014 (a) in any case, on a person who is, or purports, under whatever description, to act as, its secretary, clerk or other similar officer; (b) in the case of a partnership, on the person having the control or management of the partnership business; (c) in the case of a partnership or company incorporated outside the Islands, on the local representative referred to in section 6(2); or (d) by being delivered to the registered or administrative office of a person referred to in paragraph (a), (b) or (c) if the person is a body corporate. 
(5) If the person to or on whom an order, notice, direction or other document referred to in subsection (3) is to be given or served has notified the Ombudsman of an address within the Islands as the one at which the person or someone on the person\u2019s behalf will accept documents of the same description as that order, notice, direction or other document, that address shall also be treated for the purposes of this section as the person\u2019s address. (6) If the name or the address of an owner, lessee or occupier of premises on whom an order, notice, direction or other document referred to in subsection (3) is to be served cannot, after reasonable enquiry, be ascertained it may be served by \u2014 (a) addressing it to the person on whom it is to be served by the description of \u201cowner\u201d, \u201clessee\u201d or \u201coccupier\u201d of the premises; (b) specifying the premises on it; and (c) delivering it to a responsible person resident or appearing to be resident on the premises or, if there is no person to whom it can be delivered, by affixing it, or a copy of it, to a conspicuous part of the premises. (7) Upon the service of a notice or other document under this section, the person carrying out the service shall, where required, provide an affidavit of service in accordance with Order 65 Rule 8 of the Grand Court Rules, 1995 as proof of service.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_61\", \"num\": \"61.\", \"text\": \"Regulations 61. (1) The Cabinet may make regulations prescribing all matters that are required or permitted by this Act to be prescribed, or are necessary or convenient to be prescribed for giving effect to the purposes of this Act. 
(2) Regulations made under this Act may \u2014 (a) make different provisions in relation to different cases or circumstances; (b) apply in respect of particular persons or particular cases or particular classes of persons or particular classes of cases, and define a class by reference to any circumstances whatsoever; (c) contain such transitional, consequential, incidental or supplementary provisions as appear to the Cabinet to be necessary or expedient for the purposes of this Act; or (d) create an offence punishable by a fine of one hundred thousand dollars. SCHEDULE 1 (Section 5(1) and (2)) THE DATA PROTECTION PRINCIPLES AND THEIR INTERPRETATION PART 1 The Data Protection Principles First principle 1. Personal data shall be processed fairly. In addition, personal data may be processed only if \u2014 (a) in every case, at least one of the conditions set out in paragraphs 1 to 6 of Schedule 2 is met; and (b) in the case of sensitive personal data, at least one of the conditions in paragraphs 1 to 10 of Schedule 3 is also met. Second principle 2. Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Third principle 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed. Fourth principle 4. Personal data shall be accurate and, where necessary, kept up to date. Fifth principle 5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. Sixth principle 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. Seventh principle 7. 
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Eighth principle 8. Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. PART 2 Interpretation of Data Protection Principles First principle: source 1. (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to \u2014 (a) the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed; and (b) whether the information contained in the personal data has previously been made public as a result of steps deliberately taken by the data subject. (2) Subject to paragraph 2, for the purposes of the first principle, personal data are prima facie to be treated as obtained fairly if they consist of information obtained from a person who is required to supply it by or under an enactment or by a convention or other instrument imposing an international obligation on the Islands. First principle: specified information at relevant time 2. For the purposes of the first principle personal data shall not be treated as processed fairly unless the data subject has, as soon as reasonably practicable, been provided with, at a minimum \u2014 (a) the identity of the data controller; and (b) the purpose for which the data are to be processed. Seventh principle: processing contract to ensure reliability 3. 
If processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall not to be regarded as complying with the seventh principle unless the processing is carried out under a contract \u2014 (a) that is made or evidenced in writing; (b) under which the data processor is to act only on instructions from the data controller; and (c) that requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle. Eighth principle: what is adequate protection in foreign country 4. For the purposes of the eighth principle, an adequate level of protection is one that is adequate in all the circumstances of the case, having regard, among other things, to \u2014 (a) the nature of the personal data; (b) the country or territory of origin of the information contained in the data; (c) the country or territory of final destination of that information; (d) the purposes for which and period during which the personal data are intended to be processed; (e) the law in force in the country or territory in question; (f) the international obligations of that country or territory; (g) any relevant codes of conduct or other rules that are enforceable in that country or territory, whether generally or by arrangement in particular cases; and (h) any security measures taken in respect of the data in that country or territory. Exceptions to Eighth principle 5. The eighth principle does not apply to a transfer falling within Schedule 4, except in such circumstances and to such extent as may be prescribed by regulations. Eighth principle: European Union finding decisive 6. 
(1) If in any proceedings under this Act a question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the Islands which is a member state of the European Union or with respect to which a European Union finding has been made in relation to transfers of the kind in question, that question shall be determined in accordance with that finding. (2) In this paragraph \u201cEuropean Union finding\u201d means a finding of the European Commission, under the procedure provided for in Article 93 of Directive 2016\/679\/EC or such other provision or instrument as may for the time being be in force on the protection of data subjects with regard to the processing of personal data and on the free movement of such data, that a country or territory outside the European Economic Area does, or does not, ensure an adequate level of protection within the meaning of Article 45 of Regulation (EU) 2016\/679 or such other provision or instrument as may for the time being be in force for that purpose. SCHEDULE 2 (Section 5(3)) FIRST PRINCIPLE - CONDITIONS FOR PROCESSING OF PERSONAL DATA Consent 1. The data subject has given consent to the processing. Processing necessary for contract 2. The processing is necessary for \u2014 (a) the performance of a contract to which the data subject is a party; or (b) the taking of steps at the request of the data subject with a view to entering into a contract. Processing under legal obligation 3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract. Processing to protect vital interests 4. The processing is necessary in order to protect the vital interests of the data subject. Processing necessary for exercise of public functions 5. 
The processing is necessary for \u2014 (a) the administration of justice; (b) the exercise of any functions conferred on any person by or under any enactment; (c) the exercise of any functions of the Crown or any public authority; or (d) the exercise of any other functions of a public nature exercised in the public interest by any person. Processing for legitimate interests 6. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. Regulations about legitimate interests 7. The Cabinet may, by regulations, specify particular circumstances in which the condition set out in paragraph 6 shall, or shall not, be taken to be satisfied. SCHEDULE 3 (Section 5(3)) FIRST PRINCIPLE - CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA Consent 1. The data subject has given consent to the processing of the personal data. Employment 2. The processing is necessary for the purposes of exercising or performing a right, or obligation, conferred or imposed by law on the data controller in connection with the data subject\u2019s employment. Vital interests 3. The processing is necessary \u2014 (a) in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject; or (b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld. Non-profit associations 4. 
The processing \u2014 (a) is carried out in the course of its legitimate activities by a body, or association, that is not established or conducted for profit, and exists for political, philosophical, religious or trade union purposes; (b) is carried out with appropriate safeguards for the rights and freedoms of data subjects; (c) relates only to data subjects who are members of the body or association or have regular contact with it in connection with its purposes; and (d) does not involve disclosure of the personal data to a third party without the consent of the data subject. Information made public by data subject 5. The information contained in the personal data has been made public as a result of steps taken by the data subject. Legal proceedings, etc. 6. The processing \u2014 (a) is necessary for the purpose of, or in connection with, any legal proceedings; (b) is necessary for the purpose of obtaining legal advice; or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights. Public functions 7. The processing is necessary for \u2014 (a) the administration of justice; (b) the exercise of any functions conferred on any person by or under an enactment; or (c) the exercise of any functions of the Crown or any public authority. Medical purposes 8. (1) The processing is necessary for medical purposes and is undertaken by \u2014 (a) a health professional; or (b) a person who, in the circumstances, owes a duty of confidentiality equivalent to that which would arise if that person were a health professional. (2) In this paragraph, \u201cmedical purposes\u201d includes the purposes of preventative medicine, medical diagnosis, the provision of care and treatment and the management of healthcare services. Circumstances prescribed by regulations 9. The personal data are processed in such circumstances as may be prescribed by regulations. Regulations relating to paragraph 2 or 7 10. 
The Cabinet may by regulations \u2014 (a) exclude the application of paragraph 2 or 7 in such cases as may be specified; or (b) provide that, in such cases as may be specified, the conditions in paragraph 2 or 7 shall not be regarded as satisfied unless such further conditions, as may be specified in the regulations, are also satisfied. SCHEDULE 4 (Section 5(3)) TRANSFERS TO WHICH EIGHTH PRINCIPLE DOES NOT APPLY Consent 1. The data subject has consented to the transfer. Contract between data subject and data controller 2. The transfer is necessary for \u2014 (a) the performance of a contract between the data subject and the data controller; or (b) the taking of steps at the request of the data subject with a view to the data subject\u2019s entering into a contract with the data controller. Third-party contract in interest of data subject 3. The transfer is necessary for \u2014 (a) the conclusion of a contract between the data controller and a person other than the data subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject; or (b) the performance of such a contract. Public interest 4. The transfer is necessary for reasons of substantial public interest. Legal proceedings, etc. 5. The transfer \u2014 (a) is necessary for the purpose of, or in connection with, any legal proceedings; (b) is necessary for the purpose of obtaining legal advice; or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights. Vital interests 6. The transfer is necessary in order to protect the vital interests of the data subject. Public register 7. The transfer is part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by a person to whom the data are or may be disclosed after the transfer. Transfer made on terms approved by Ombudsman 8. 
The transfer is made on terms of a kind approved by the Ombudsman as ensuring adequate safeguards for the rights and freedoms of data subjects. Ombudsman has authorised transfer 9. The transfer has been authorised by the Ombudsman as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects. International cooperation between intelligence agencies or regulatory agencies 10. The transfer is required under international cooperation arrangements between intelligence agencies or between regulatory agencies to combat organised crime, terrorism or drug trafficking or to carry out other cooperative functions. Regulations concerning the public interest 11. The Cabinet may, by regulations, specify in broad, non-exhaustive terms \u2014 (a) circumstances in which a transfer shall be taken for the purposes paragraph 4 to be necessary for reasons of substantial public interest; and (b) circumstances in which a transfer not required by or under an enactment shall not be taken, for the purposes of paragraph 4, to be necessary for reasons of substantial public interest. SCHEDULE 5 (Section 5 (5)) CONDITIONS OF CONSENT 1. The data controller shall bear the burden of proving the data subject\u2019s consent to the processing of the data subject\u2019s personal data for the specified purposes. 2. If the data subject\u2019s consent is to be given in the form of a written declaration which also concerns another matter, the requirement to give consent shall be presented in an appearance that is distinguishable from the other matter. 3. The data subject shall have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 4. 
Where there is a significant imbalance between the position of the data subject and the data controller, consent shall not provide a legal basis for the processing. Publication in consolidated and revised form authorised by the Cabinet this 6th day of April, 2021. Kim Bullings Clerk of the Cabinet ENDNOTES Table of Legislation history: SL # Law # Legislation Commencement Gazette 56\/2020 Citation of Acts of Parliament Act, 2020 3-Dec-2020 LG89\/2020\/s1 16\/2019 Data Protection Law, 2017 (Commencement) Order, 2019 2-Apr-2019 LG9\/2019\/s1 33\/2017 Data Protection Law, 2017 30-Sep-2019 G12\/2017\/s1 (Price: $11.20)\", \"element\": \"section\", \"heading\": null}], \"meta\": {\"notes\": null, \"workflow\": null, \"lifecycle\": {\"source\": \"#cilegis\", \"eventRef\": [{\"eId\": \"e_commence_2021_04_30\", \"date\": \"2021-04-30\", \"type\": \"generation\", \"source\": \"#cilegis\"}]}, \"references\": {\"source\": \"#canary\", \"TLCRole\": [], \"TLCEvent\": [{\"eId\": \"ev_commencement\", \"href\": \"\/akn\/ontology\/canary\/event\/commencement\", \"showAs\": \"commencement\"}], \"TLCPerson\": [], \"TLCConcept\": [{\"eId\": \"inForce\", \"href\": \"\/akn\/ontology\/canary\/concept\/temporal\/in-force\", \"showAs\": \"in force\"}], \"TLCProcess\": [], \"TLCLocation\": [], \"TLCOrganization\": [{\"eId\": \"cilegis\", \"href\": \"\/akn\/ontology\/canary\/organization\/editor\/cilegis\", \"showAs\": \"Cayman Islands legislation mirror (kyleg)\"}]}, \"temporalData\": {\"source\": \"#cilegis\", \"temporalGroup\": [{\"eId\": \"tg_inforce_2021_04_30\", \"timeInterval\": [{\"end\": null, \"start\": \"#e_commence_2021_04_30\", \"duration\": null, \"refersTo\": \"#inForce\"}]}]}, \"classification\": null, \"identification\": {\"source\": \"#cilegis\", 
\"FRBRWork\": {\"FRBRuri\": \"\/akn\/ky\/act\/2017\/33\", \"FRBRdate\": [{\"date\": \"2021-04-30\", \"name\": \"generation\"}], \"FRBRthis\": \"\/akn\/ky\/act\/2017\/33\/!main\", \"FRBRalias\": [{\"name\": \"cmsId\", \"value\": \"2017-0033\"}], \"FRBRauthor\": [{\"as\": \"#editor\", \"href\": \"\/akn\/ontology\/canary\/organization\/editor\/cilegis\"}], \"FRBRnumber\": \"33 of 2017\", \"FRBRcountry\": \"ky\", \"FRBRsubtype\": \"principal\"}, \"FRBRExpression\": {\"FRBRuri\": \"\/akn\/ky\/act\/2017\/33\/eng@2021-04-30\", \"FRBRdate\": [{\"date\": \"2021-04-30\", \"name\": \"generation\"}], \"FRBRthis\": \"\/akn\/ky\/act\/2017\/33\/eng@2021-04-30\/!main\", \"FRBRauthor\": [{\"as\": \"#editor\", \"href\": \"\/akn\/ontology\/canary\/organization\/editor\/cilegis\"}], \"FRBRlanguage\": \"eng\"}, \"FRBRManifestation\": {\"FRBRuri\": \"\/akn\/ky\/act\/2017\/33\/eng@2021-04-30.xml\", \"FRBRdate\": [{\"date\": \"2026-06-22\", \"name\": \"generation\"}], \"FRBRthis\": \"\/akn\/ky\/act\/2017\/33\/eng@2021-04-30.xml\", \"FRBRauthor\": [{\"as\": \"#editor\", \"href\": \"\/akn\/ontology\/canary\/organization\/editor\/cilegis\"}], \"FRBRformat\": \"application\/xml\"}}}, \"name\": \"act\", \"header\": {\"title\": \"Data Protection Act\", \"actNumber\": \"33 of 2017\", \"longTitle\": null}}, \"doc\": null, \"bill\": null, \"judgment\": null}}","akn_full_text":"CAYMAN ISLANDS\n\nDATA PROTECTION ACT\n(2021 Revision)\nSupplement No. 1 published with Legislation Gazette No. 
29 dated 30th April, 2021.\n\nRevised as at 31st March, 2021\n\nPUBLISHING DETAILS\nLaw 33 of 2017 consolidated with Law 56 of 2021.\n\nRevised under the authority of the Law Revision Act (2020 Revision).\n\nOriginally enacted \u2014\nLaw 23 of 2017-27th March, 2017\nLaw 56 of 2020-7th December, 2020.\n\nConsolidated and revised this 31st day of March, 2021.\n\nArrangement of Sections\nSection\nPART 1 - INTERPRETATION, PRINCIPLES, APPLICATION,\nOBLIGATIONS AND OFFICE\n1. Short title and commencement\n2. Interpretation\n3. Sensitive personal data\n4. Special purposes\n5. The data protection principles: content, consent and duty to comply\n6. Application of Act; duty to nominate a Cayman Islands representative\n7. Ombudsman\nPART 2 - RIGHTS AND RESPONSIBILITIES OF DATA\nSUBJECTS AND OTHERS\n8. Fundamental rights of access to personal data\n9. Treatment of requests under section 8\n10. Right to stop processing\n11. Right to stop processing for direct marketing\n12. Rights in relation to automated decision-making\n13. Compensation for failure to comply\n14. Rectification, blocking, erasure or destruction\nPART 3 - RESTRICTED PROCESSING AND PERSONAL\nDATA BREACHES\n15. Preliminary determination by Ombudsman as to restricted processing\n16. Personal data breaches\nPART 4 - EXEMPTIONS\n17. Effect of this Part\n18. National security\n19. Crime, government fees and duties\n20. Health, education or social work\n21. Monitoring, inspection or regulatory function\n22. Journalism, literature or art\n23. Research, history or statistics\n24. Information available to public by or under enactments\n25. Disclosures required by law or made in connection with legal proceedings\n26. Personal, family or household affairs\n27. Honours\n28. Corporate finance\n29. Negotiations\n30. Legal professional privilege and trusts\n31. Exemptions by regulations\nPART 5 - FUNCTIONS OF THE OMBUDSMAN\n32. Independence and powers\n33. Ombudsman to be subject to Public Service Management Act\n34. Functions of Ombudsman\n35. Documents signed by Ombudsman\n36. Reports to Cayman Islands Parliament and budget\n37. International cooperation\n38. Protection of Ombudsman\n39. Defamation\n40. Consultation of Ombudsman\n41. Promotion of this Act by Ombudsman\n42. Codes of practice\nPART 6 - ENFORCEMENT\n43. Complaints\n44. Information orders\n45. Enforcement orders\n46. Failure to comply with order\n47. Right to seek judicial review\n48. Ombudsman to certify\n49.\nDisclosure of information ........................................................................................................... 
33\n50.\nConfidentiality of information ...................................................................................................... 34\n51.\nEntry and search of premises .................................................................................................... 34\n52.\nWarrant not exercisable ............................................................................................................. 35\n\nData Protection Act (2021 Revision)\nArrangement of Sections\n\nc\nRevised as at 31st March, 2021\nPage 7\n\n53.\nOffences in respect of warrants .................................................................................................. 35\n54.\nUnlawful obtaining etc. of personal data..................................................................................... 36\n55.\nPower of the Ombudsman to impose monetary penalty............................................................. 36\n56.\nGuidance about monetary penalty orders .................................................................................. 37\n57.\nGeneral provisions relating to offences ...................................................................................... 37\n58.\nLiability for offences .................................................................................................................... 38\nPART 7 - GENERAL\n59.\nAct binds Crown ......................................................................................................................... 38\n60.\nService of orders, etc. ................................................................................................................. 38\n61.\nRegulations ................................................................................................................................. 
39\nSCHEDULE 1\n41\nTHE DATA PROTECTION PRINCIPLES AND THEIR INTERPRETATION\n41\nSCHEDULE 2\n44\nFIRST PRINCIPLE - CONDITIONS FOR PROCESSING OF PERSONAL DATA\n44\nSCHEDULE 3\n45\nFIRST PRINCIPLE - CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA\n45\nSCHEDULE 4\n47\nTRANSFERS TO WHICH EIGHTH PRINCIPLE DOES NOT APPLY\n47\nSCHEDULE 5\n49\nCONDITIONS OF CONSENT\n49\nENDNOTES\n53\nTable of Legislation history: ................................................................................................................. 53\n\nData Protection Act (2021 Revision)\nSection 1\n\nc\nRevised as at 31st March, 2021\nPage 9\n\nCAYMAN ISLANDS\n\nDATA PROTECTION ACT\n(2021 Revision)\n\nPART 1 - INTERPRETATION, PRINCIPLES, APPLICATION,\nOBLIGATIONS AND OFFICE\n1.\nShort title and commencement\n1.\nThis Act may be cited as the Data Protection Act (2021 Revision).\n2.\nInterpretation\n2.\nIn this Act \u2014\n\u201cbusiness\u201d includes any trade or profession;\n \u201cOmbudsman\u201d means the Ombudsman appointed under section 3 of the\nOmbudsman Act (2021 Revision);\n\u201cconsent\u201d in relation to a data subject means any freely given, specific,\ninformed and unambiguous indication of the data subject\u2019s wishes by which the\ndata subject, by a statement or by a clear affirmative action, signifies agreement\nto the processing of personal data relating to the said data subject;\n\u201cdata controller\u201d means the person who, alone or jointly with others\ndetermines the purposes, conditions and manner in which any personal data are,\nor are to be, processed and includes a local representative referred to in\nsection 6(2);\n\nSection 2\nData Protection Act (2021 Revision)\n\nPage 10\nRevised as at 31st March, 2021\nc\n\n\u201cdata processor\u201d means any person who processes personal data on behalf of\na data controller but, for the avoidance of doubt, does not include an employee\nof the data controller;\n\u201cdata protection principles\u201d has the meaning 
referred to in section 5;\n\u201cdata subject\u201d means \u2014\n(a) an identified living individual; or\n(b) a living individual who can be identified directly or indirectly by means\nreasonably likely to be used by the data controller or by any other person;\n\u201cenforcement order\u201d means an order under section 45;\n\u201chealth professional\u201d means an individual registered to practise under any of\nthe professions specified in the Health Practice Act (2021 Revision) or any other\nLaw relating to health;\n\u201chealth record\u201d means a record that \u2014\n(a) consists of information relating to the physical health, mental health or\ncondition of a data subject; and\n(b) has been made by or on behalf of a health professional in connection with\nthe care of that data subject;\n\u201cinaccurate\u201d, in relation to personal data, includes data that are misleading,\nincomplete or out of date;\n\u201cnon-disclosure provisions\u201d means the following provisions to the extent that\nthey are inconsistent with the disclosure in question \u2014\n(a) the first data protection principle, except to the extent to which it requires\ncompliance with the conditions in Schedules 2 and 3;\n(b) the second and third data protection principles; and\n(c) sections 10 and 14;\n\u201cperson\u201d includes any corporation, either aggregate or sole, and any club,\nsociety, association, public authority or other body, of one or more persons;\n\u201cpersonal data\u201d means data relating to a living individual who can be identified\nand includes data such as \u2014\n(a) the living individual\u2019s location data, online identifier or one or more\nfactors specific to the physical, physiological, genetic, mental, economic,\ncultural or social identity of the living individual;\n(b) an expression of opinion about the living individual; or\n(c) any indication of the intentions of the data controller or any other person\nin respect of the living individual;\n\u201cpersonal data breach\u201d means a breach of security leading to the accidental\nor unlawful destruction, loss, alteration, unauthorised disclosure of or, access to,\npersonal data transmitted, stored or otherwise processed;\n\u201cprocessing\u201d, in relation to data, means obtaining, recording or holding data, or\ncarrying out any operation or set of operations on personal data, including \u2014\n(a) organising, adapting or altering the personal data;\n(b) retrieving, consulting or using the personal data;\n(c) disclosing the personal data by transmission, dissemination or otherwise\nmaking it available; or\n(d) aligning, combining, blocking, erasing or destroying the personal data;\n\u201cpublic authority\u201d means \u2014\n(a) a ministry, portfolio or department;\n(b) a statutory body or authority, whether incorporated or not;\n(c) a company which \u2014\n(i) is wholly owned by the Government or in which the Government has\na direct or indirect controlling interest; or\n(ii) is specified in an Order made by the Cabinet; and\n(d) any other body or organisation specified by the Cabinet by Order as a\npublic authority on account of providing services of a public nature which\nare essential to the welfare of Caymanian society;\n\u201cpublic register\u201d means any register that, pursuant to a requirement imposed\nby Law or in pursuance of an international agreement, is open to public\ninspection or open to inspection by any person having a legitimate interest in\nthe subject matter of the register;\n\u201cpublish\u201d, in relation to journalistic, literary or artistic material, means to make\navailable to the public or any section of the public;\n\u201crecipient\u201d, in relation to personal data, includes a person to whom the data are\ndisclosed, as well as any person (such as an employee or agent of the relevant\ndata controller, a relevant data processor, or an employee
or agent of a data\nprocessor) to whom they are disclosed in the course of processing the data for\nthe data controller, but does not include a person to whom disclosure is or may\nbe made as a result of, or with a view to, a particular inquiry by or on behalf of\nthat person made in the exercise of any power conferred by law;\n\u201cregistered company\u201d means a company within the meaning of section 2 of the\nCompanies Act (2021 Revision);\n\u201cregulations\u201d means regulations made under this Act;\n\u201csensitive personal data\u201d has the meaning assigned in section 3;\n\u201cspecial purposes\u201d has the meaning assigned in section 4;\n\u201cstaff\u201d, in relation to the Ombudsman, includes any individual employed in the\noffice of the Ombudsman;\n\u201csubject information provisions\u201d means \u2014\n(a) the first data protection principle to the extent to which it requires\ncompliance with paragraph 2 of Part 2 of Schedule 1; and\n(b) section 8; and\n\u201cthird party\u201d, in relation to personal data, means any person other than \u2014\n(a) the data subject;\n(b) the data controller; or\n(c) any data processor or other person authorised to process data for the data\ncontroller or data processor.\n3. Sensitive personal data\n3. In this Act, \u201csensitive personal data\u201d means, in relation to a data subject, personal\ndata consisting of \u2014\n(a) the racial or ethnic origin of the data subject;\n(b) the political opinions of the data subject;\n(c) the data subject\u2019s religious beliefs or other beliefs of a similar nature;\n(d) whether the data subject is a member of a trade union;\n(e) genetic data of the data subject;\n(f) the data subject\u2019s physical or mental health or condition;\n(g) medical data;\n(h) the data subject\u2019s sex life;\n(i) the data subject\u2019s commission, or alleged commission, of an offence; 
or\n(j) any proceedings for any offence committed, or alleged to have been\ncommitted, by the data subject, the disposal of any such proceedings or\nany sentence of a court in the Islands or elsewhere.\n4. Special purposes\n4. In this Act, \u201cspecial purposes\u201d means any one or more of the following \u2014\n(a) the purposes of journalism;\n(b) artistic purposes; and\n(c) literary purposes.\n5. The data protection principles: content, consent and duty to comply\n5. (1) References in this Act to the data protection principles are to the principles set\nout in Part 1 of Schedule 1.\n(2) The data protection principles shall be interpreted in accordance with Part 2 of\nSchedule 1.\n(3) Schedules 2 and 3 set out conditions that apply for the purposes of the first\nprinciple and Schedule 4 sets out transfers to which the eighth principle does\nnot apply.\n(4) Subject to section 17, a data controller shall comply with the data protection\nprinciples that relate to the personal data that the data controller processes, and\nshall ensure that the data protection principles are complied with in relation to\nthe personal data that are processed on the data controller\u2019s behalf.\n(5) In determining consent under this Act, the provisions of Schedule 5 shall apply.\n6. Application of Act; duty to nominate a Cayman Islands representative\n6. (1) This Act applies to a data controller in respect of any personal data only if \u2014\n(a) the data controller is established in the Islands and the personal data are\nprocessed in the context of that establishment; or\n(b) the data controller is not established in the Islands but the personal data are\nprocessed in the Islands otherwise than for the purposes of transit of the\ndata through the Islands.\n(2) A data controller referred to in subsection (1)(b) shall nominate, for the purposes\nof this Act, a local representative 
established in the Islands who shall, for all\npurposes within the Islands, be the data controller and, without limiting the\ngenerality of this provision, bear all obligations under this Act as if the\nrepresentative were the data controller.\n(3) For the purposes of subsections (1) and (2), each of the following is to be treated\nas established in the Islands \u2014\n(a) an individual who is ordinarily resident in the Islands;\n(b) a body incorporated or registered as a foreign company under the law of\nthe Islands;\n(c) a partnership or other unincorporated association formed under the law of\nthe Islands; or\n(d) any person who does not fall within paragraph (a), (b) or (c) but maintains\nin the Islands \u2014\n(i) an office, branch or agency through which the person carries on any\nactivity; or\n(ii) a regular practice.\n7. Ombudsman\n7. The provisions of the Freedom of Information Act (2021 Revision) relating to the\noffice of the Ombudsman shall have effect with respect to the Ombudsman referred\nto in this Act.\nPART 2 - RIGHTS AND RESPONSIBILITIES OF DATA SUBJECTS AND OTHERS\n8. Fundamental rights of access to personal data\n8. (1) A person is entitled to be informed by a data controller whether the personal\ndata of which the person is the data subject are being processed by or on behalf\nof that data controller, and, if that is the case, to be given by that data controller\na description of \u2014\n(a) the data subject\u2019s personal data;\n(b) the purposes for which they are being or are to be processed by or on behalf\nof that data controller;\n(c) the recipients or classes of recipients to whom the data are or may be\ndisclosed by or on behalf of that data controller;\n(d) any countries or territories outside the Islands to which the data controller,\nwhether directly or indirectly, transfers, intends to transfer or wishes to\ntransfer the 
data;\n(e) general measures to be taken for the purpose of complying with the seventh\ndata protection principle; and\n(f) such other information as the Ombudsman may require the data controller\nto provide.\n(2) A data subject is entitled to communication in an intelligible form, by the\nrelevant data controller, of \u2014\n(a) the data subject\u2019s personal data; and\n(b) any information available to the relevant data controller as to the source of\nthose personal data.\n(3) If the processing by automatic means of the data subject\u2019s personal data for the\npurpose of evaluating matters relating to the data subject, including the data\nsubject\u2019s performance at work, creditworthiness, reliability or conduct, has\nconstituted or is likely to constitute the sole basis for any decision significantly\naffecting the data subject, the data subject is entitled to be informed by the\nrelevant data controller of the reasons for that decision.\n(4) A data controller shall not be obliged under subsection (1), (2) or (3) to supply\nany personal data unless the data controller has received \u2014\n(a) a request in writing; and\n(b) the fee that the data controller may require, such fee, being within the\nlimits prescribed by regulations.\n(5) If a data controller reasonably requires further information in order to be\nsatisfied as to the identity of the data subject making the request or to locate the\ninformation that the data subject seeks, and has informed the data subject in\nwriting of the requirement, the data controller is not obliged to comply with the\nrequest unless supplied with that information, during which period the time\nspecified in subsection (6) shall automatically stand suspended.\n(6) A data controller shall comply with a request under this section within thirty\ndays (or such other period as may be prescribed by regulations) of the date on\nwhich 
the data controller receives both the request and fee referred to in\nsubsection (4), but where the data controller has requested further information\nunder subsection (5), the period shall not resume until the information has been\nsupplied.\n(7) If a data controller cannot comply with the request without disclosing personal\ndata relating to another data subject who can be identified from that personal\ndata, the data controller is not obliged to comply with the request unless \u2014\n(a) the other data subject has consented to the disclosure of the personal data\nto the person making the request; or\n(b) it is reasonable in all the circumstances to comply with the request without\nthe consent of the other data subject.\n(8) In subsection (7), the reference to personal data relating to another data subject\nincludes a reference to personal data identifying that other data subject as the\nsource of the personal data sought in the request.\n(9) Subsection (7) shall not be construed as excusing a data controller from\ncommunicating so much of the personal data sought in the request as can be\ncommunicated without disclosing the identity of the other data subject\nconcerned, whether by the omission of names or other identifying particulars or\notherwise.\n(10) In determining for the purposes of subsection (7)(b) whether it is reasonable in\nall the circumstances to comply with the request without the consent of the other\ndata subject concerned, the data controller shall have regard to, in particular \u2014\n(a) any duty of confidentiality owed to the other data subject;\n(b) any steps taken by the data controller to seek the consent of the other data\nsubject;\n(c) whether the other data subject is capable of giving consent; and\n(d) any express refusal of consent by the other data subject.\n(11) If the Ombudsman is satisfied on the application of a data subject who has 
made\na request under this section that a data controller has contravened this section in\nfailing to comply with the request, the Ombudsman shall issue an enforcement\norder under section 45 ordering the data controller to comply with the request.\n(12) If personal data are being processed by or on behalf of a data controller who\nreceives a request under this section from the data subject, the obligation to\nsupply the personal data under this section includes an obligation to give the\ndata subject a statement of the data subject\u2019s rights under this Act in such form,\nand to such extent, as may be prescribed by regulations.\n9. Treatment of requests under section 8\n9. (1) The obligation imposed by section 8(2)(a) shall be complied with by supplying\nthe data subject with a copy of the personal data in the format requested\nunless \u2014\n(a) the supply of such a copy is not possible or would involve disproportionate\neffort; or\n(b) the data subject agrees otherwise.\n(2) If any of the personal data referred to in section 8(2)(a) are expressed in terms\nthat are not intelligible without explanation the copy shall be accompanied by\nan adequate explanation.\n(3) If a data controller has previously complied with a request under section 8 by\nthe data subject referred to therein, the data controller is not obliged to comply\nwith a subsequent identical or similar request under that section by the data\nsubject unless the interval between compliance with the previous request and\nthe making of the current request is reasonable.\n(4) In determining whether the interval referred to in subsection (3) is reasonable,\nregard shall be had to the nature of the personal data, the purpose for which the\npersonal data are processed and the frequency with which the personal data are\naltered.\n(5) Section 8(3) shall not be regarded as requiring the provision of information as\nto the logic of any decision-making where the information constitutes a trade\nsecret.\n(6) 
Personal data and other information supplied under section 8 shall be supplied\nby reference to the data in question at the time when the request for the personal\ndata is received, except that account may be taken of any amendment or deletion\nmade between that time and the time when the information is supplied, the\namendment or deletion being such that would have been made regardless of the\nreceipt of the request.\n10. Right to stop processing\n10. (1) A data subject is entitled at any time, by notice in writing to a data controller, to\nrequire the data controller to cease processing, or not to begin processing, or to\ncease processing for a specified purpose or in a specified manner, the data\nsubject\u2019s personal data.\n(2) The data controller shall, as soon as practicable, but in any case within twenty-one days of receiving a notice under subsection (1), comply with that notice\nunless \u2014\n(a) the processing is necessary for the performance of a contract to which the\ndata subject is a party or the taking of steps at the request of the data subject\nwith a view to entering into a contract;\n(b) the processing is necessary for compliance with any legal obligation to\nwhich the data controller is subject, other than an obligation imposed by\ncontract;\n(c) the processing is necessary in order to protect the vital interests of the data\nsubject; or\n(d) the processing is necessary in such other circumstances as may be\nprescribed by regulations,\nand the data controller shall state to the data subject the reasons for the non-compliance with the notice.\n(3) If, on the application of a data subject who has given notice under subsection (1),\nthe Ombudsman is satisfied that the data controller in question has failed to\ncomply with the notice, the Ombudsman may issue an enforcement order under\nsection 45.\n(4) The failure by a data subject to exercise the 
right conferred by subsection (1)\ndoes not affect any other right conferred on the data subject by this Act.\n11. Right to stop processing for direct marketing\n11. (1) In this section, \u201cdirect marketing\u201d means the communication, by whatever\nmeans, of any advertising, marketing, promotional or similar material, that is\ndirected to particular individuals.\n(2) A data subject is entitled at any time, by notice in writing to a data controller, to\nrequire the data controller at the end of such period as is reasonable in the\ncircumstances, to cease, or not to begin, processing for the purposes of direct\nmarketing personal data relating to the data subject.\n(3) If, on the application of a data subject who has given notice under subsection (1),\nthe Ombudsman is satisfied that the data controller in question has failed to\ncomply with the notice, the Ombudsman may issue an enforcement order under\nsection 45.\n(4) The failure by a data subject to exercise the right conferred by subsection (2)\ndoes not affect any other right conferred on the data subject by this Act.\n12. Rights in relation to automated decision-making\n12. 
(1) A data subject is entitled at any time, by notice in writing to a data controller, to\nrequire the data controller to ensure that no decision taken by or on behalf of the\ndata controller that significantly affects the data subject is based solely on the\nprocessing by automatic means of the data subject\u2019s personal data for the\npurpose of evaluating the data subject\u2019s performance at work, creditworthiness,\nreliability, conduct or any other matters relating to the data subject.\n(2) If no notice has been given under subsection (1) and a decision that significantly\naffects a data subject is based solely on processing specified in that\nsubsection \u2014\n(a) the data controller shall as soon as reasonably practicable notify the data\nsubject that the decision was taken on that basis; and\n(b) the data subject is entitled, within twenty-one days of receiving that\nnotification from the data controller, by notice in writing, to require the\ndata controller to reconsider the decision or to take a new decision\notherwise than on that basis.\n(3) The data controller shall, within twenty-one days of receiving a notice under\nsubsection (2)(b), give the data subject a written notice specifying the steps that\nthe data controller intends to take to comply with the notice.\n(4) A notice under subsection (1) does not have effect in relation to, and nothing in\nsubsection (2) applies to, a decision \u2014\n(a) in respect of which one condition in each of subsections (5) and (6) is\nsatisfied; or\n(b) that is made in such other circumstances as may be prescribed by\nregulations.\n(5) The first condition is that the decision \u2014\n(a) is taken in the course of steps taken \u2014\n(i) for the purpose of considering whether to enter into a contract with\nthe data subject;\n(ii) with a view to entering into such a contract; or\n(iii) in the course of performing such a contract; or\n(b) is authorised or required by or under any enactment.\n(6) The second condition 
is that \u2014\n(a) the effect of the decision is to grant a request of the data subject; or\n(b) steps have been taken to safeguard the legitimate interests of the data\nsubject including by allowing the data subject to make representations.\n(7) If the Ombudsman is satisfied on the application of a data subject that a person\ntaking a decision in respect of the data subject has failed to comply with a notice\nunder subsection (1) or (2)(b), the Ombudsman may, among other things, issue\nan enforcement order directing the data controller to reconsider the decision\nwhere that decision is not based solely on the processing mentioned in\nsubsection (1).\n13. Compensation for failure to comply\n13. A person who suffers damage by reason of a contravention by a data controller of any\nrequirement of this Act has a cause of action for compensation from the data\ncontroller for that damage.\n14. Rectification, blocking, erasure or destruction\n14. 
(1) If the Ombudsman is satisfied on a complaint made under section 43 that\npersonal data are inaccurate, the Ombudsman may order the data controller to\nrectify, block, erase or destroy \u2014\n(a) those data; and\n(b) any other personal data in respect of which the person is the data controller\nand that contain an expression of opinion that appears to the Ombudsman\nto be based on the inaccurate data.\n(2) Subsection (1) applies whether or not the personal data accurately record\ninformation received or obtained by the data controller from the data subject or\na third party, but, if the data accurately record such information, then the\nOmbudsman may instead of making an order under subsection (1) \u2014\n(a) make an order requiring the personal data to be supplemented by a\nstatement of the facts relating to the matters dealt with by the data as the\nOmbudsman may approve;\n(b) make such order as the Ombudsman thinks fit to ensure the accuracy of\nthe data, having regard to the purpose or purposes for which the data were\nobtained and further processed, with or without a further order requiring\nthe data to be supplemented by a statement of the facts relating to the\nmatters dealt with by the data as the Ombudsman may approve; or\n(c) make an order requiring the data controller to ensure that the data indicate\nthat, in the data subject\u2019s view, the data are inaccurate.\n(3) If the Ombudsman \u2014\n(a) makes an order under subsection (1); or\n(b) is satisfied on a complaint made under section 43 that personal data that\nhave been rectified, blocked, erased or destroyed were inaccurate,\nthe Ombudsman may, if it is considered reasonably practicable, order the data\ncontroller to notify third parties to whom the data have been disclosed of the\nrectification, blocking, erasure or destruction.\nPART 3 - RESTRICTED PROCESSING AND PERSONAL 
DATA BREACHES\n15. Preliminary determination by Ombudsman as to restricted processing\n15. The Cabinet may, after consultation with the Ombudsman and such other persons that\nthe Cabinet may consider appropriate, make regulations prescribing the types of\nprocessing that require the prior approval of the Ombudsman, being processing that\nis considered particularly likely to \u2014\n(a) cause substantial damage or substantial distress to data subjects; or\n(b) otherwise significantly prejudice the rights and freedoms of data subjects.\n16. Personal data breaches\n16. (1) In the case of a personal data breach, the data controller shall, without undue\ndelay, but no longer than five days after the data controller should, with the\nexercise of reasonable diligence, have been aware of that breach, notify the data\nsubject of the data in question and the Ombudsman of that personal data breach,\ndescribing \u2014\n(a) the nature of the breach;\n(b) the consequences of the breach;\n(c) the measures proposed or taken by the data controller to address the\nbreach; and\n(d) the measures recommended by the data controller to the data subject of the\npersonal data in question to mitigate the possible adverse effects of the\nbreach.\n(2) A data controller who contravenes subsection (1) commits an offence and is\nliable on conviction to a fine of one hundred thousand dollars.\nPART 4 - EXEMPTIONS\n17. Effect of this Part\n17. Except as provided by this Part, the subject information provisions shall have effect\nnotwithstanding any law prohibiting or restricting the disclosure, or authorising the\nwithholding, of information.\n18. National security\n18. 
(1) Personal data are exempt from any of the provisions of \u2014\n(a) the data protection principles; and\n(b) Parts 2, 3 and 6,\nif the exemption from any or all of the provisions is required for the purpose of\nsafeguarding national security.\n(2) The Governor may, for the purpose mentioned in subsection (1), issue a\ncertificate with respect to any personal data exempting that data from all or any\nof the provisions referred to in that subsection and that certificate shall be\nsufficient evidence of that fact.\n(3) In the exercise of the discretion to issue a certificate under subsection (2), the\nGovernor may consult with the National Security Council.\n(4) The certificate issued under subsection (2) shall identify the personal data to\nwhich it applies.\n(5) If in any consideration of a matter by the Ombudsman it is claimed by a data\ncontroller that a certificate under this section applies to any personal data, any\nparty, that is, the Governor, the data controller or the data subject, may make an\napplication to the Ombudsman contending that the certificate does not apply to\nthe personal data with respect to which the complaint is made.\n(6) Notwithstanding subsection (5), unless the Ombudsman makes a determination\nunder subsection (7), the certificate shall be conclusively presumed so to apply.\n(7) On an application under subsection (5), the Ombudsman may determine that the\ncertificate does not apply to the personal data with respect to which the\ncomplaint is made.\n(8) A document purporting to be a certificate under this section and signed by the\nGovernor shall be received in evidence and taken to be such a certificate unless\nthe contrary is proved.\n19.\nCrime, government fees and duties\n19. 
(1) Personal data processed for any of the following purposes \u2014\n(a) the prevention, detection or investigation of crime;\n(b) the apprehension or prosecution of persons who are suspected to have\ncommitted an offence anywhere; or\n(c) the assessment or collection of any fees or duty, or of any imposition of a\nsimilar nature, in the Islands,\nare exempt from the first data protection principle (except to the extent to which\nit requires compliance with the conditions in Schedules 2 and 3), the non-disclosure provisions and section 8, to the extent to which the application of\nthose provisions to the data would be likely to prejudice any of the matters\nreferred to in paragraphs (a) to (c).\n(2) Personal data that \u2014\n(a) are processed for the purpose of discharging functions under any Law; and\n(b) consist of information obtained for such a purpose from a person who had\npossession of it for any of the purposes referred to in subsections (1)(a)\nto (c),\nare exempt from the subject information provisions to the same extent as\npersonal data processed for any of the purposes referred to in subsections (1)(a)\nto (c).\n20.\nHealth, education or social work\n20. 
(1) The Cabinet may, by regulations, exempt from the subject information\nprovisions, or modify those provisions in relation to, personal data consisting of\ninformation as to the physical or mental health or condition of the data subject.\n(2) The Cabinet may, by regulations, exempt from the subject information\nprovisions, or modify those provisions, in relation to personal data in respect of\nwhich the data controller is the proprietor, governor, governing body, director\nor manager of, or a principal or teacher at a school, and the personal data consist\nof information relating to persons who are or have been pupils at the school.\n(3) The Cabinet may, by regulations, exempt from the subject information\nprovisions, (or modify those provisions in relation to,) personal data of such\nother descriptions as may be specified in the regulations, being information \u2014\n(a) processed by a public authority; and\n(b) appearing to the Cabinet to be processed in the course of, or for the\npurposes of, carrying out social work in relation to the data subject or other\nindividuals,\nto the extent that the Cabinet consider that the application to the data of those\nprovisions, (or of those provisions without modification), would be likely to\nprejudice the carrying out of social work.\n21.\nMonitoring, inspection or regulatory function\n21. 
(1) Personal data which are processed for the purposes of any monitoring,\ninspection or regulatory function connected with the exercise of a public\nfunction in cases of \u2014\n(a) public safety;\n(b) the prevention, investigation, detection and prosecution of criminal\noffences, or of breaches of ethics for regulated professions; or\n(c) an important economic or financial interest of the Islands, including \u2014\n(i) compliance with international tax treaties or international cooperation purposes;\n(ii) any monitoring, inspection or regulatory function exercised by\nofficial authorities (including regulation of the financial services\nindustry); and\n(iii) any monetary, budgetary and taxation purposes in the Islands,\nare exempt from the subject information provisions to the extent to which the\napplication of those provisions to the data would be likely to prejudice the\nproper discharge of the function.\n(2) Subsection (1) applies to \u2014\n(a) a public function conferred on any person by or under any Law or\nregulations;\n(b) a function of the Crown, the Governor in Cabinet or a public authority; or\n(c) any other function of a public nature.\n22.\nJournalism, literature or art\n22. 
(1) Personal data which are processed only for the special purposes are exempt from\nany provision to which this section relates if \u2014\n(a) the processing is undertaken with a view to the publication by a person of\nany journalistic, literary or artistic material;\n(b) the data controller reasonably believes that, having regard in particular to\nthe special importance of the public interest in freedom of expression,\npublication would be in the public interest; and\n(c) the data controller reasonably believes that, in all the circumstances,\ncompliance with that provision is incompatible with the special purposes.\n(2) This section relates to the following provisions \u2014\n(a) the data protection principles except the seventh data protection principle;\nand\n(b) section 10.\n(3) In considering, for the purposes of subsection (1)(b), whether the belief of a data\ncontroller that publication would be in the public interest was or is a reasonable\none, regard may be had to the data controller\u2019s compliance with any code of\npractice that is relevant to the publication in question.\n23.\nResearch, history or statistics\n23. 
(1) In this section, \u201crelevant conditions\u201d means \u2014\n(a) the condition that the personal data are not processed to support a measure\nor decision with respect to a particular data subject; and\n(b) the condition that the personal data are not processed in such a way that\nsubstantial damage or substantial distress is likely to be caused to any data\nsubject.\n(2) Personal data processed for statistical purposes or for the purposes of historical\nor scientific research in compliance with the relevant conditions are exempt\nfrom the first data protection principle to the extent to which it requires\ncompliance with paragraph 2(b) of Part 2 of Schedule 1.\n(3) Subsection (2) applies if \u2014\n(a) the provision of such information proves impossible or would involve a\ndisproportionate effort; or\n(b) processing is required by or under an enactment.\n(4) For the purposes of the second data protection principle, the further processing\nof personal data for the purpose of research, history or statistics in compliance\nwith the relevant conditions is not to be regarded as incompatible with the\npurposes for which they were obtained.\n(5) Personal data processed solely for the purposes of scientific research or kept in\na form that identifies a data subject for a period which does not exceed the period\nnecessary for the sole purpose of creating statistics are exempt from section 8.\n(6) Subsection (5) applies if \u2014\n(a) the data are processed in compliance with the relevant conditions;\n(b) there is no risk of breaching the rights and freedoms of the data\nsubject; and\n(c) the results of the research or any resulting statistics are not made available\nin a form that identifies one or more of the data subjects.\n(7) Personal data processed for historical, statistical or scientific purposes in\ncompliance with the relevant conditions are exempt from the 
fifth data\nprotection principle to the extent to which compliance would be likely to\nprejudice those purposes.\n24.\nInformation available to public by or under enactments\n24. Personal data are exempt from \u2014\n(a) the subject information provisions;\n(b) the fourth data protection principle and section 14(1) to (3); and\n(c) the non-disclosure provisions,\nif the data consist of information that the data controller is obliged by or under\nany enactment to make available to the public, including by inspection,\ngratuitously or on payment of a fee.\n25.\nDisclosures required by law or made in connection with legal proceedings\n25. (1) Personal data are exempt from the non-disclosure provisions if the disclosure is\nrequired by or under any enactment, by any law or by the order of a court.\n(2) Personal data are exempt from the non-disclosure provisions if their disclosure\nis necessary \u2014\n(a) for the purpose of, in connection with, or in contemplation of, any quasi-judicial or legal proceedings;\n(b) for the purpose of obtaining legal advice; or\n(c) otherwise for the purposes of establishing, exercising or defending a legal\nright.\n26.\nPersonal, family or household affairs\n26. Personal data processed by an individual only for the purposes of that individual\u2019s\npersonal, family or household affairs are exempt from the data protection principles\nand Parts 2 and 3.\n27.\nHonours\n27. Personal data are exempt from the subject information provisions if processed for the\npurposes of the conferring by the Crown or the Premier of any honour or dignity.\n28.\nCorporate finance\n28. 
(1) If personal data are processed for the purposes of, or in connection with, a\ncorporate finance service provided by a relevant person \u2014\n(a) the data are exempt from the subject information provisions to the extent\nto which either \u2014\n(i) the application of those provisions to the data could affect the price\nof any instrument already in existence or that is to be or may be\ncreated; or\n(ii) the data controller reasonably believes that the application of those\nprovisions to the data could affect the price of any such\ninstrument; and\n(b) to the extent that the data are not exempt from the subject information\nprovisions by virtue of paragraph (a), they are exempt from those\nprovisions if the exemption is required for the purpose of safeguarding an\nimportant economic or financial interest of the Islands.\n(2) For the purposes of subsection (1)(b) the Cabinet may by regulations specify \u2014\n(a) matters to be taken into account in determining whether exemption from\nthe subject information provisions is required for the purpose of\nsafeguarding an important economic or financial interest of the Islands; or\n(b) circumstances in which exemption from those provisions is, or is not, to\nbe taken to be required for that purpose.\n(3) In this section \u2014\n\u201ccorporate finance service\u201d means a service consisting of \u2014\n(a) underwriting in respect of issues of, or the placing of issues of, any\ninstrument;\n(b) advice to undertakings on capital structure, industrial strategy and related\nmatters and advice and service relating to mergers and the purchase of\nundertakings; or\n(c) services relating to such underwriting as mentioned in paragraph (a);\n\u201cinstrument\u201d means an instrument representing investment within the meaning\nof any Law in the Islands;\n\u201cprice\u201d includes value;\n\u201crelevant person\u201d means 
\u2014\n(a) a registered person within the meaning of any Law providing for\ninvestment business or a person who is exempted by the respective Law\nfrom the obligation to be registered in respect of an investment business;\n(b) a person who is an authorised person under any Law providing for\ninvestment business, or is an exempt person under that Law, in respect of\nthe investment business;\n(c) a person who may be prescribed by regulations for the purposes of this\nsection;\n(d) a person who, in the course of the person\u2019s employment, provides to the\nemployer a service falling within paragraph (b) or (c) of the definition of\n\u201ccorporate finance service\u201d; or\n(e) a partner who provides to other partners in a partnership a service falling\nwithin the provisions of either paragraph (b) or (c) of the definition of\n\u201ccorporate finance service\u201d.\n29.\nNegotiations\n29. Personal data which consist of records of the intentions of the data controller in\nrelation to any negotiations with the data subject are exempt from the subject\ninformation provisions in any case to the extent to which the application of those\nprovisions would be likely to prejudice those negotiations.\n30.\nLegal professional privilege and trusts\n30. Personal data are exempt from the subject information provisions if the data consist\nof information \u2014\n(a) in respect of which legal professional privilege applies;\n(b) in relation to \u2014\n(i) any structure or arrangement that is an ordinary trust;\n(ii) any structure or arrangement that is a trust established pursuant to the\nTrusts Act (2021 Revision); or\n(iii) any will made pursuant to the Wills Act (2021 Revision).\n31.\nExemptions by regulations\n31. 
(1) Subject to subsection (2), the Cabinet may, after consultation with the\nOmbudsman, by regulations \u2014\n(a) exempt from subject information provisions personal data consisting of\ninformation, the disclosure of which is prohibited or restricted by or under\nany enactment; or\n(b) exempt from the non-disclosure provisions personal data consisting of\ninformation, the disclosure of which is made in circumstances specified in\nthe regulations.\n(2) The Cabinet shall not grant an exemption under subsection (1) unless it\nconsiders the exemption to be necessary for the purpose of safeguarding the\ninterests of data subjects or the rights and freedoms of any other individual.\nPART 5 - FUNCTIONS OF THE OMBUDSMAN\n32.\nIndependence and powers\n32. (1) The Ombudsman shall have all powers, direct and incidental, as are necessary\nor convenient to undertake the Ombudsman\u2019s functions as provided for under\nthis Act and for purposes of this section, the word \u201cfunctions\u201d includes power,\nauthority and duty.\n(2) In the exercise of the Ombudsman\u2019s functions under this Act, the Ombudsman\nshall be independent and shall not be subject to the direction or control of any\nother person or authority.\n(3) The Ombudsman may appoint such officers and employees as are necessary to\nenable the performance of the Ombudsman\u2019s functions under this Act.\n(4) The Ombudsman shall, from moneys appropriated by the Cayman Islands\nParliament, meet operational expenses of the office and the provision of a\nreserve fund and, where there is any balance separate from the reserve fund, pay\nsuch balance into the general revenues of the Islands.\n(5) The Cabinet may, by regulations, provide for the operation of the reserve fund.\n33.\nOmbudsman to be subject to Public Service Management Act\n33. 
Except as otherwise stated in this Act or the Freedom of Information Act\n(2021 Revision), the Ombudsman shall be subject to the Public Service Management\nAct (2018 Revision).\n34.\nFunctions of Ombudsman\n34. The principal functions of the Ombudsman include \u2014\n(a) to hear, investigate and rule on complaints made under this Act;\n(b) to monitor, investigate and report on the compliance by data controllers\nwith their obligations under this Act;\n(c) to intervene and deliver opinions and orders related to processing\noperations;\n(d) to order the rectification, blocking, erasure or destruction of data;\n(e) to impose a temporary or permanent ban on processing;\n(f) to make recommendations for reform both of a general nature and directed\nat specific data controllers;\n(g) to engage in proceedings where the provisions of this Act have been\nviolated, or refer these violations to the appropriate authorities;\n(h) to co-operate with other data protection supervisory authorities;\n(i) to publicise and promote the requirements of this Act and the rights of data\nsubjects under it; and\n(j) to do anything which appears to the Ombudsman to be incidental or\nconducive to the carrying out of the Ombudsman\u2019s functions under this\nAct.\n35.\nDocuments signed by Ombudsman\n35. A document that appears to have been signed by or on behalf of the Ombudsman shall\nbe presumed to have been so signed and be admissible in any proceedings unless the\ncontrary is shown.\n36.\nReports to Cayman Islands Parliament and budget\n36. 
The Ombudsman shall, as soon as reasonably practicable after the end of each year,\nlay before the Cayman Islands Parliament \u2014\n(a) a report of the operation of this Act during the year and may from time to\ntime submit such other reports as the Ombudsman thinks appropriate; and\n(b) accounts audited in accordance with the Public Management and Finance\nAct (2020 Revision).\n37.\nInternational cooperation\n37. (1) The Ombudsman is the designated authority in the Islands for the purposes of\ninternational cooperation related to data protection.\n(2) The Ombudsman shall also carry out any data protection functions (that is,\nfunctions relating to the protection of individuals with respect to the processing\nof personal information) that may be prescribed by regulations for the purpose\nof enabling the Islands to give effect to any of its international obligations.\n38.\nProtection of Ombudsman\n38. Neither the Ombudsman nor any member of staff of the Ombudsman\u2019s office shall\nbe liable in damages for anything done or omitted in the discharge or purported\ndischarge of their respective functions under this Act unless it is shown that the act\nor omission was negligent or in bad faith.\n39.\nDefamation\n39. (1) It is a defence to any proceedings in libel or slander that information supplied\nto the Ombudsman was communicated to the Ombudsman pursuant to this Act.\n(2) It is a defence to any proceedings in libel or slander that information\ncommunicated by a data controller to any person under this Act was\ncommunicated to the data controller in the first instance by a third person, unless\nthe communication to or by the data controller was made maliciously.\n40.\nConsultation of Ombudsman\n40. 
A public authority that is drawing up administrative measures or rules relating to the\nprotection of data subjects\u2019 rights and freedoms with regard to data processing shall\nconsult the Ombudsman on the content of such measures or rules.\n41.\nPromotion of this Act by Ombudsman\n41. (1) The Ombudsman shall promote good practice and observance of this Act by\ndata controllers.\n(2) The Ombudsman may arrange for the dissemination of information about the\noperation of this Act, about good practice, and about other matters within the\nscope of the Ombudsman\u2019s functions under this Act, and may give advice to any\nperson as to any of those matters.\n42.\nCodes of practice\n42. (1) The Cabinet may, after consulting with the Ombudsman, make regulations for\nthe preparation and dissemination of codes of practice which may be specific to\na particular industry or processing operation.\n(2) Any guidance under subsection (3) shall describe the personal data or\nprocessing to which the code of practice shall relate, and may also describe the\npersons or classes of persons to whom it shall relate.\n(3) The Ombudsman shall also \u2014\n(a) if the Ombudsman considers it appropriate to do so, encourage trade\nassociations to prepare, and to disseminate to their members, codes of\npractice for guidance as to good practice; and\n(b) if a trade association submits a code of practice for the Ombudsman\u2019s\nconsideration, consider the code and, after such consultation with data\nsubjects or persons representing data subjects as appears to the\nOmbudsman to be appropriate, notify the trade association whether, in the\nOmbudsman\u2019s opinion, the code promotes good practice.\n(4) The Ombudsman may, with the consent of the relevant data controller, assess\nany processing of personal data for the adherence to good practice and shall\ninform the data controller of the results 
of the assessment.\n(5) The Ombudsman may charge such fees as may be considered fit for any services\nprovided by the Ombudsman under this Act.\n(6) In this section \u2014\n\u201cgood practice\u201d means such practice in the processing of personal data as\nappears to the Ombudsman to be desirable having regard to the interests of data\nsubjects and others, and includes compliance with the requirements of this Act;\nand\n\u201ctrade association\u201d includes any body representing data controllers.\n(7) The Ombudsman shall also provide the Cabinet with a copy of any code of\npractice prepared under subsection (1), unless the code is included in any report\nprovided to the Cabinet.\n(8) The Ombudsman shall cause to be laid a copy of a report, or of a code provided\nunder subsection (7) before the Cayman Islands Parliament as soon as\npracticable after the Cabinet receives the report or a copy of the code.\nPART 6 - ENFORCEMENT\n43.\nComplaints\n43. (1) A complaint may be made to the Ombudsman by or on behalf of any person\nabout the processing of personal data that has not been or is not being carried\nout in compliance with the provisions of this Act or anything required to be done\npursuant to this Act.\n(2) A person submitting a complaint on behalf of another under subsection (1) shall\nprovide written authorisation from the aggrieved person.\n(3) On receiving a complaint referred to in subsection (1), or on the Ombudsman\u2019s\nown motion, the Ombudsman may conduct an investigation.\n(4) The matters to which the Ombudsman may have regard in determining whether\nor not to conduct an investigation referred to in subsection (1) include \u2014\n(a) the extent to which the complaint appears to the Ombudsman to raise a\nmatter of substance;\n(b) any undue delay in making the complaint;\n(c) whether a complaint is frivolous or vexatious; and\n(d) whether or not the 
person making the complaint is entitled to make a\nrequest under section 8 in respect of the personal data in question.\n(5) The Ombudsman may consult with the Information and Communications\nTechnology Authority with regards to the enforcement functions under this Act\nwhere the matters before the Ombudsman relate to the operation of information\nand communications technology networks, the provision of related services or\non the application of the seventh data protection principle.\n(6) The Information and Communications Technology Authority shall comply with\nany reasonable request made by the Ombudsman, in accordance with the\nOmbudsman\u2019s enforcement functions, for advice on technical and similar\nmatters relating to the operation of information and communications technology\nnetworks, the provision of related services or on the application of the seventh\ndata protection principle.\n44.\nInformation orders\n44. (1) The Ombudsman may require any person to provide such information as the\nOmbudsman may reasonably consider appropriate for the purpose of carrying\nout the Ombudsman\u2019s functions under this Act including any information with\nrespect to which an exemption is claimed.\n(2) A person who is required to provide information under this section shall provide\nit in such a manner, form and within such reasonable period as the Ombudsman\nmay specify.\n(3) An information requirement under this section shall also contain particulars of\nthe right to seek judicial review conferred by section 47.\n(4) A person who refuses or, without reasonable excuse, fails to supply information\nrequired under subsection (1) commits an offence and is liable on conviction to\na fine of one hundred thousand dollars or to imprisonment for a term of five\nyears, or both.\n(5) A person who intentionally alters, suppresses or destroys information that is\nrequired to be produced under subsection (1) commits an offence and is liable\non conviction to a fine of one hundred 
thousand dollars or to imprisonment for\na term of five years or both.\n(6) A person commits an offence if, in purported compliance with a requirement\nmade under subsection (1), the person \u2014\n(a) makes a false statement that the person knows to be false in a material\nrespect; or\n(b) recklessly makes a statement that is false in a material respect,\nand is liable on conviction to a fine of one hundred thousand dollars or to\nimprisonment for a term of five years, or to both.\n45.\nEnforcement orders\n45. (1) If the Ombudsman is satisfied that there are reasonable grounds for believing\nthat a data controller has contravened, is contravening or is likely to contravene\nany provision of this Act, the Ombudsman may, with a view to effecting the\ndata controller\u2019s compliance with the provision, by way of an order served on\nthe data controller, require that data controller to \u2014\n(a) take specified steps within a specified time, or to refrain from taking\nspecified steps after a specified time;\n(b) refrain from processing any personal data, or any personal data of a\nspecified description;\n(c) refrain from processing data for a specified purpose or in a specified\nmanner, after a specified time; or\n(d) do anything which appears to the Ombudsman to be incidental or\nconducive to the carrying out of the Ombudsman\u2019s functions under this\nAct.\n(2) An enforcement order shall include \u2014\n(a) a statement of the provision which the Ombudsman is satisfied has been\nor is being contravened and the reasons for reaching that conclusion; and\n(b) particulars of the right to seek judicial review conferred by section 47.\n(3) If \u2014\n(a) an order requires a data controller to rectify, block, erase or destroy any\npersonal data; or\n(b) the Ombudsman is satisfied that personal data that have been rectified,\nblocked, erased or destroyed had been processed 
in contravention of any\nof the data protection principles,\nthat order may, if it is reasonably practicable, require the data controller to notify\nthird parties to whom the data have been disclosed of the rectification, blocking,\nerasure or destruction.\n(4) The Ombudsman shall, in determining whether it is reasonably practicable to\nrequire an enforcement order under subsection (3), have regard in particular to\nthe number of persons who would have to be notified.\n46.\nFailure to comply with order\n46. (1) Subject to sections 47 and 48, a person who fails to comply with an information\nrequirement, enforcement order or monetary penalty order under this Act\ncommits an offence and is liable on conviction to a fine of one hundred thousand\ndollars or to imprisonment for a term of five years, or both.\n(2) It is a defence for a person charged with an offence under subsection (1) to prove\nthat all due diligence has been exercised to comply with the information\nrequirement, enforcement order or monetary penalty order in question.\n47.\nRight to seek judicial review\n47. A person who has received an information requirement, enforcement order or\nmonetary penalty order under this Act may, within forty-five days of receipt and upon\nnotice to the Ombudsman, seek judicial review of the information requirement or the\norder in the Grand Court.\n48.\nOmbudsman to certify\n48. 
(1) Where the person concerned has not sought judicial review upon the expiry of\nthe forty-five day period referred to in section 47, the Ombudsman may certify\nin writing to the court any failure to comply with an information requirement,\nenforcement order or monetary penalty order made under sections 44, 45 or 55\nand the court may consider such failure under the rules relating to contempt of\ncourt.\n(2) The Rules Committee referred to in section 19 of the Grand Court Act (2015\nRevision) may make rules providing for \u2014\n(a) the effect on proceedings referred to in subsection (1) of a person obtaining\nleave to seek judicial proceedings out of the time referred to in section 47;\nand\n(b) any other matters relating to proceedings under this section.\n49.\nDisclosure of information\n49. (1) Except as provided in this Act, no enactment or law prohibiting or restricting\nthe disclosure of information shall preclude a person from furnishing the\nOmbudsman with any information required for the discharge of the\nOmbudsman\u2019s functions under this Act.\n(2) Subsection (1) shall not be read so as to compel an individual to utter anything\nthat tends to incriminate that individual.\n50.\nConfidentiality of information\n50. 
(1) A current or former Ombudsman, current or former member of the\nOmbudsman\u2019s staff, current or former agent of the Ombudsman, or current or\nformer consultant to the Ombudsman, shall not knowingly or wilfully disclose\nany information which \u2014\n(a) has been or was obtained by, or furnished to, the Ombudsman under or for\nthe purposes of this Act or the Freedom of Information Act (2021 Revision);\n(b) relates to an identified or identifiable person; and\n(c) is not at the time of the disclosure, and has not previously been, available\nto the public from other sources,\nunless the disclosure is made with lawful authority.\n(2) For the purposes of subsection (1) a disclosure of information is made with\nlawful authority if \u2014\n(a) the disclosure is made with the consent of the person to whom the\ninformation relates;\n(b) the information was provided for the purpose of it being made available to\nthe public, in whatever manner, under any provision of this Act;\n(c) the disclosure is made for the purposes of the discharge of \u2014\n(i) functions under this Act or the Freedom of Information Act (2021\nRevision); or\n(ii) any retained-European Union obligation of the United Kingdom that\nhas been extended to the Islands;1\n(d) the disclosure is made for the purposes of any proceedings, whether\ncriminal or civil and whether arising under, or by virtue of, this Act or\notherwise; or\n(e) having regard to the rights and freedoms or legitimate interests of any\nperson, the disclosure is necessary in the public interest.\n(3) A person who knowingly or recklessly discloses information in contravention\nof subsection (1) commits an offence.\n\n51.\nEntry and search of premises\n51. 
(1) In this Part \u2014\n\u201coccupier\u201d, in relation to premises, includes a person in charge of premises;\n\u201cpremises\u201d includes \u2014\n\n1 Note (not forming part of this Act): As of 31st December 2020, the United Kingdom (UK) ceased to be a\nMember of the European Union (EU).  The UK-EU Withdrawal Agreement provides, in Article 3(1)(e), that the\nCayman Islands falls within the territorial scope of the UK-EU Withdrawal Agreement. (see: https:\/\/eurlex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=OJ:C:2019:384I:FULL&from=EN)\n\n(a) any ship, aircraft, vessel or other vehicle; and\n(b) any hovercraft or other floating or airborne contrivance,\nregistered in the Islands.\n(2) If a judge is satisfied by information on oath supplied by the Ombudsman that\nthere are reasonable grounds for believing \u2014\n(a) that a data controller has contravened, is contravening or is likely to\ncontravene any of the data protection principles; or\n(b) that an offence under this Act has been or is being committed,\nand that there are reasonable grounds to believe that evidence of the\ncontravention or of the commission of the offence is to be found on any premises\nspecified in the information, the judge may grant a warrant to the Ombudsman.\n(3) A warrant granted under subsection (2) may authorise the Ombudsman or any\nof the Ombudsman\u2019s staff at any time \u2014\n(a) to enter the premises and search them;\n(b) to inspect, examine, operate and test any equipment found there which is\nused or intended to be used for the processing of personal data; and\n(c) to inspect, examine and seize any documents, equipment or other thing\nfound there which may be evidence of the contravention of subsection (2).\n52.\nWarrant not exercisable\n52. 
(1) The powers of inspection and seizure conferred by a warrant shall not be\nexercisable in respect of personal data that are exempt under section 18.\n(2) The powers of inspection and seizure conferred by a warrant shall not be\nexercisable in respect of information for which legal professional privilege is\nclaimed; in the event of such a claim, the relevant material shall be sealed, held\nby a neutral party, and the party claiming privilege shall bring the matter before\nthe Grand Court no later than five days following such claim, at which time the\nGrand Court shall determine the matter, and the costs of this procedure shall be\nin accordance with an order of the Grand Court.\n53.\nOffences in respect of warrants\n53. A person who \u2014\n(a) obstructs a person in the execution of a warrant granted under this Act;\n(b) fails, without reasonable excuse, to give a person executing such a warrant\nsuch assistance as may be reasonably required for the execution of the\nwarrant;\n(c) makes a statement in response to a requirement under this Act which the\nperson knows to be false in a material respect; or\n(d) recklessly makes a statement in response to such a requirement which is\nfalse in a material respect,\ncommits an offence and is liable \u2014\n(i) on summary conviction, to a fine of twenty thousand dollars; or\n(ii) on conviction on indictment, to a fine of one hundred thousand\ndollars or a term of imprisonment of four years, or to both.\n54.\nUnlawful obtaining etc. of personal data\n54. 
(1) A person shall not, knowingly or recklessly, without the consent of the data\ncontroller \u2014\n(a) obtain or disclose personal data; or\n(b) procure the disclosure to another person of the personal data.\n(2) Subsection (1) does not apply to a person who shows that the obtaining,\ndisclosing or procuring \u2014\n(a) was necessary for the purpose of preventing or detecting a crime; or\n(b) was required or authorised by or under any enactment, by any law or by\nthe order of the Grand Court.\n(3) A person who contravenes subsection (1) commits an offence and is liable, upon\nconviction, to a fine of one hundred thousand dollars.\n(4) A person who sells personal data commits an offence if the person has obtained\nthe data in contravention of subsection (1) and is liable, upon conviction, to a\nfine of one hundred thousand dollars.\n(5) A person who offers to sell personal data commits an offence if \u2014\n(a) the person has obtained the data in contravention of subsection (1); or\n(b) the person subsequently obtains the data in contravention of that\nsubsection.\n(6) For the purposes of subsection (5), an advertisement indicating that personal\ndata are or may be for sale is an offer to sell the data.\n55.\nPower of the Ombudsman to impose monetary penalty\n55. 
(1) The Ombudsman may serve a data controller with a monetary penalty order if\nthe Ombudsman is satisfied on a balance of probabilities that \u2014\n(a) there has been a serious contravention of this Act by the data\ncontroller; and\n(b) the contravention was of a kind likely to cause substantial damage or\nsubstantial distress to the data subject.\n(2) A monetary penalty order is an order requiring the data controller to pay a\nmonetary penalty of an amount determined by the Ombudsman and specified in\nthe order.\n(3) The amount of the monetary penalty determined by the Ombudsman shall not\nexceed two hundred and fifty thousand dollars.\n(4) The monetary penalty order shall be paid into the general revenues of the Islands\nwithin the period specified in the order.\n(5) The Ombudsman, before serving a monetary penalty order, shall serve the data\ncontroller with a notice of intent that the Ombudsman proposes to serve a\nmonetary penalty order.\n(6) A notice of intent shall state that the data controller may make written\nrepresentations in relation to the Ombudsman\u2019s proposal within a period of\ntwenty-one days and such other information as may be prescribed.\n(7) The Ombudsman may not serve a monetary penalty order until the period\nspecified in subsection (6) has expired.\n56.\nGuidance about monetary penalty orders\n56. (1) The Ombudsman shall prepare and issue guidance, after consultation with\nCabinet, on the exercise of the Ombudsman\u2019s functions under section 55.\n(2) The guidance shall, in particular, deal with \u2014\n(a) the circumstances in which the Ombudsman would consider it appropriate\nto issue a monetary penalty order; and\n(b) how the Ombudsman will determine the amount of the penalty.\n57.\nGeneral provisions relating to offences\n57. 
(1) A person who commits an offence under this Act is liable, except where this Act\notherwise provides \u2014\n(a) on summary conviction, to a fine of ten thousand dollars; or\n(b) on conviction on indictment, to a fine of twenty thousand dollars.\n(2) A fine ordered under this Act shall be in addition to any monetary penalty\nimposed by the Ombudsman under section 55.\n(3) The Grand Court by or before which a person is convicted of \u2014\n(a) an offence under section 16 or 54; or\n(b) an offence under section 46 relating to an enforcement order,\nmay order any document or other material used in connection with the\nprocessing of personal data and appearing to the court to be connected with the\ncommission of the offence to be forfeited, destroyed or erased.\n(4) The Grand Court shall not make an order under subsection (3) in relation to any\nmaterial if a person, (other than the offender), claiming to be the owner of, or\notherwise interested in, the material applies to be heard by the court, unless an\nopportunity is given to the person to show cause why the order should not be\nmade.\n58.\nLiability for offences\n58. 
(1) Where an offence under this Act has been committed by a body corporate and\nis proved to have been committed with the consent or connivance of, or to be\nattributable to, any neglect on the part of \u2014\n(a) any director, secretary or similar officer of the body corporate; or\n(b) any person who was purporting to act in any such capacity,\nthe director, secretary, similar officer of the body corporate or any person\npurporting to act in any such capacity, as well as the body corporate, commit\nthat offence and are liable to be proceeded against and punished accordingly.\n(2) Where the affairs of a body corporate are managed by its members,\nsubsection (1) applies, in relation to the acts and defaults of a member in\nconnection with the member\u2019s functions of management, as if the member were\na director of the body corporate.\nPART 7 - GENERAL\n59.\nAct binds Crown\n59. This Act binds the Crown.\n60.\nService of orders, etc.\n60. (1) A notice required by this Act to be given to the Ombudsman shall not be\nregarded as given until it is in fact received by the Ombudsman.\n(2) A notice or other document which is required or authorised under this Act to be\ngiven to the Ombudsman may be given by electronic or other means on the\ncondition that the Ombudsman is able to obtain or recreate the notice or\ndocument in intelligible form.\n(3) An order, notice, direction or other document required or authorised by or under\nthis Act to be given to or served on any person other than the Ombudsman may\nbe given or served \u2014\n(a) by delivering it to the person;\n(b) by leaving it at the person\u2019s address;\n(c) by sending it by registered post to the person at the person\u2019s address; or\n(d) by sending it to the person by electronic or other means to the person\u2019s\ngiven facsimile number or electronic mail address or such other given\naddress by which the 
order, notice, direction or document may be obtained\nor recreated in intelligible form.\n(4) Without limiting the generality of subsection (3), any such order, notice,\ndirection or other document may be given to or served on a partnership,\ncompany incorporated outside the Islands or unincorporated association by\nbeing given to or served \u2014\n(a) in any case, on a person who is, or purports, under whatever description,\nto act as, its secretary, clerk or other similar officer;\n(b) in the case of a partnership, on the person having the control or\nmanagement of the partnership business;\n(c) in the case of a partnership or company incorporated outside the Islands,\non the local representative referred to in section 6(2); or\n(d) by being delivered to the registered or administrative office of a person\nreferred to in paragraph (a), (b) or (c) if the person is a body corporate.\n(5) If the person to or on whom an order, notice, direction or other document\nreferred to in subsection (3) is to be given or served has notified the Ombudsman\nof an address within the Islands as the one at which the person or someone on\nthe person\u2019s behalf will accept documents of the same description as that order,\nnotice, direction or other document, that address shall also be treated for the\npurposes of this section as the person\u2019s address.\n(6) If the name or the address of an owner, lessee or occupier of premises on whom\nan order, notice, direction or other document referred to in subsection (3) is to\nbe served cannot, after reasonable enquiry, be ascertained it may be served by \u2014\n(a) addressing it to the person on whom it is to be served by the description of\n\u201cowner\u201d, \u201clessee\u201d or \u201coccupier\u201d of the premises;\n(b) specifying the premises on it; and\n(c) delivering it to a responsible person resident or appearing to be resident on\nthe premises or, if there is no person to whom it can be delivered, by\naffixing it, or a copy of 
it, to a conspicuous part of the premises.\n(7) Upon the service of a notice or other document under this section, the person\ncarrying out the service shall, where required, provide an affidavit of service in\naccordance with Order 65 Rule 8 of the Grand Court Rules, 1995 as proof of\nservice.\n61.\nRegulations\n61. (1) The Cabinet may make regulations prescribing all matters that are required or\npermitted by this Act to be prescribed, or are necessary or convenient to be\nprescribed for giving effect to the purposes of this Act.\n(2) Regulations made under this Act may \u2014\n(a) make different provisions in relation to different cases or circumstances;\n(b) apply in respect of particular persons or particular cases or particular\nclasses of persons or particular classes of cases, and define a class by\nreference to any circumstances whatsoever;\n(c) contain such transitional, consequential, incidental or supplementary\nprovisions as appear to the Cabinet to be necessary or expedient for the\npurposes of this Act; or\n(d) create an offence punishable by a fine of one hundred thousand dollars.\n\n SCHEDULE 1\n (Section 5(1) and (2))\nTHE DATA PROTECTION PRINCIPLES AND THEIR\nINTERPRETATION\nPART 1\nThe Data Protection Principles\nFirst principle\n1.\nPersonal data shall be processed fairly. 
In addition, personal data may be processed\nonly if \u2014\n(a) in every case, at least one of the conditions set out in paragraphs 1 to 6 of\nSchedule 2 is met; and\n(b) in the case of sensitive personal data, at least one of the conditions in\nparagraphs 1 to 10 of Schedule 3 is also met.\nSecond principle\n2.\nPersonal data shall be obtained only for one or more specified lawful purposes, and\nshall not be further processed in any manner incompatible with that purpose or those\npurposes.\nThird principle\n3.\nPersonal data shall be adequate, relevant and not excessive in relation to the purpose\nor purposes for which they are collected or processed.\nFourth principle\n4.\nPersonal data shall be accurate and, where necessary, kept up to date.\nFifth principle\n5.\nPersonal data processed for any purpose shall not be kept for longer than is necessary\nfor that purpose.\nSixth principle\n6.\nPersonal data shall be processed in accordance with the rights of data subjects under\nthis Act.\nSeventh principle\n7.\nAppropriate technical and organisational measures shall be taken against\nunauthorised or unlawful processing of personal data and against accidental loss or\ndestruction of, or damage to, personal data.\nEighth principle\n8.\nPersonal data shall not be transferred to a country or territory unless that country or\nterritory ensures an adequate level of protection for the rights and freedoms of data\nsubjects in relation to the processing of personal data.\n\nPART 2\nInterpretation of Data Protection Principles\nFirst principle: source\n1.\n(1) In determining for the purposes of the first principle whether personal data are\nprocessed fairly, regard is to be had to \u2014\n(a) the method by which they are obtained, including in particular whether any\nperson from whom they are obtained is deceived or misled as to the\npurpose or purposes for which they are to be 
processed; and\n(b) whether the information contained in the personal data has previously been\nmade public as a result of steps deliberately taken by the data subject.\n(2) Subject to paragraph 2, for the purposes of the first principle, personal data are\nprima facie to be treated as obtained fairly if they consist of information\nobtained from a person who is required to supply it by or under an enactment or\nby a convention or other instrument imposing an international obligation on the\nIslands.\nFirst principle: specified information at relevant time\n2.\nFor the purposes of the first principle personal data shall not be treated as processed\nfairly unless the data subject has, as soon as reasonably practicable, been provided\nwith, at a minimum \u2014\n(a) the identity of the data controller; and\n(b) the purpose for which the data are to be processed.\nSeventh principle: processing contract to ensure reliability\n3.\nIf processing of personal data is carried out by a data processor on behalf of a data\ncontroller, the data controller shall not be regarded as complying with the seventh\nprinciple unless the processing is carried out under a contract \u2014\n(a) that is made or evidenced in writing;\n(b) under which the data processor is to act only on instructions from the data\ncontroller; and\n(c) that requires the data processor to comply with obligations equivalent to\nthose imposed on a data controller by the seventh principle.\nEighth principle: what is adequate protection in foreign country\n4.\nFor the purposes of the eighth principle, an adequate level of protection is one that is\nadequate in all the circumstances of the case, having regard, among other things, to \u2014\n(a) the nature of the personal data;\n(b) the country or territory of origin of the information contained in the data;\n(c) the country or territory of final destination of that 
information;\n(d) the purposes for which and period during which the personal data are\nintended to be processed;\n(e) the law in force in the country or territory in question;\n(f) the international obligations of that country or territory;\n(g) any relevant codes of conduct or other rules that are enforceable in that\ncountry or territory, whether generally or by arrangement in particular\ncases; and\n(h) any security measures taken in respect of the data in that country or\nterritory.\nExceptions to Eighth principle\n5.\nThe eighth principle does not apply to a transfer falling within Schedule 4, except in\nsuch circumstances and to such extent as may be prescribed by regulations.\nEighth principle: European Union finding decisive\n6.\n(1) If in any proceedings under this Act a question arises as to whether the\nrequirement of the eighth principle as to an adequate level of protection is met\nin relation to the transfer of any personal data to a country or territory outside\nthe Islands which is a member state of the European Union or with respect to\nwhich a European Union finding has been made in relation to transfers of the\nkind in question, that question shall be determined in accordance with that\nfinding.\n(2) In this paragraph \u201cEuropean Union finding\u201d means a finding of the European\nCommission, under the procedure provided for in Article 93 of Directive\n2016\/679\/EC or such other provision or instrument as may for the time being be\nin force on the protection of data subjects with regard to the processing of\npersonal data and on the free movement of such data, that a country or territory\noutside the European Economic Area does, or does not, ensure an adequate level\nof protection within the meaning of Article 45 of Regulation (EU) 2016\/679 or\nsuch other provision or instrument as may for the time being be in force for that\npurpose.\n\n
SCHEDULE 2\n(Section 5(3))\nFIRST PRINCIPLE - CONDITIONS FOR PROCESSING OF PERSONAL\nDATA\nConsent\n1.\nThe data subject has given consent to the processing.\nProcessing necessary for contract\n2.\nThe processing is necessary for \u2014\n(a) the performance of a contract to which the data subject is a party; or\n(b) the taking of steps at the request of the data subject with a view to entering\ninto a contract.\nProcessing under legal obligation\n3.\nThe processing is necessary for compliance with any legal obligation to which the\ndata controller is subject, other than an obligation imposed by contract.\nProcessing to protect vital interests\n4.\nThe processing is necessary in order to protect the vital interests of the data subject.\nProcessing necessary for exercise of public functions\n5.\nThe processing is necessary for \u2014\n(a) the administration of justice;\n(b) the exercise of any functions conferred on any person by or under any\nenactment;\n(c) the exercise of any functions of the Crown or any public authority; or\n(d) the exercise of any other functions of a public nature exercised in the\npublic interest by any person.\nProcessing for legitimate interests\n6.\nThe processing is necessary for the purposes of legitimate interests pursued by the\ndata controller or by the third party or parties to whom the data are disclosed, except\nif the processing is unwarranted in any particular case by reason of prejudice to the\nrights and freedoms or legitimate interests of the data subject.\nRegulations about legitimate interests\n7.\nThe Cabinet may, by regulations, specify particular circumstances in which the\ncondition set out in paragraph 6 shall, or shall not, be taken to be satisfied.\n\nSCHEDULE 3\n(Section 5(3))\nFIRST PRINCIPLE - CONDITIONS FOR PROCESSING OF SENSITIVE\nPERSONAL DATA\nConsent\n1.\nThe data subject has given consent to the 
processing of the personal data.\nEmployment\n2.\nThe processing is necessary for the purposes of exercising or performing a right, or\nobligation, conferred or imposed by law on the data controller in connection with the\ndata subject\u2019s employment.\nVital interests\n3.\nThe processing is necessary \u2014\n(a) in order to protect the vital interests of the data subject or another person,\nin a case where consent cannot be given by or on behalf of the data subject,\nor the data controller cannot reasonably be expected to obtain the consent\nof the data subject; or\n(b) in order to protect the vital interests of another person, in a case where\nconsent by or on behalf of the data subject has been unreasonably withheld.\nNon-profit associations\n4.\nThe processing \u2014\n(a) is carried out in the course of its legitimate activities by a body, or\nassociation, that is not established or conducted for profit, and exists for\npolitical, philosophical, religious or trade union purposes;\n(b) is carried out with appropriate safeguards for the rights and freedoms of\ndata subjects;\n(c) relates only to data subjects who are members of the body or association\nor have regular contact with it in connection with its purposes; and\n(d) does not involve disclosure of the personal data to a third party without the\nconsent of the data subject.\nInformation made public by data subject\n5.\nThe information contained in the personal data has been made public as a result of\nsteps taken by the data subject.\nLegal proceedings, etc.\n6.\nThe processing \u2014\n(a) is necessary for the purpose of, or in connection with, any legal\nproceedings;\n(b) is necessary for the purpose of obtaining legal advice; or\n(c) is otherwise necessary for the purposes of establishing, exercising or\ndefending legal rights.\nPublic functions\n7.\nThe processing is necessary for \u2014\n(a) the 
administration of justice;\n(b) the exercise of any functions conferred on any person by or under an\nenactment; or\n(c) the exercise of any functions of the Crown or any public authority.\nMedical purposes\n8.\n(1) The processing is necessary for medical purposes and is undertaken by \u2014\n(a) a health professional; or\n(b) a person who, in the circumstances, owes a duty of confidentiality\nequivalent to that which would arise if that person were a health\nprofessional.\n(2) In this paragraph, \u201cmedical purposes\u201d includes the purposes of preventative\nmedicine, medical diagnosis, the provision of care and treatment and the\nmanagement of healthcare services.\nCircumstances prescribed by regulations\n9.\nThe personal data are processed in such circumstances as may be prescribed by\nregulations.\nRegulations relating to paragraph 2 or 7\n10. The Cabinet may by regulations \u2014\n(a) exclude the application of paragraph 2 or 7 in such cases as may be\nspecified; or\n(b) provide that, in such cases as may be specified, the conditions in paragraph\n2 or 7 shall not be regarded as satisfied unless such further conditions, as\nmay be specified in the regulations, are also satisfied.\n\nSCHEDULE 4\n(Section 5(3))\nTRANSFERS TO WHICH EIGHTH PRINCIPLE DOES NOT APPLY\nConsent\n1.\nThe data subject has consented to the transfer.\nContract between data subject and data controller\n2.\nThe transfer is necessary for \u2014\n(a) the performance of a contract between the data subject and the data controller; or\n(b) the taking of steps at the request of the data subject with a view to the data subject\u2019s\nentering into a contract with the data controller.\nThird-party contract in interest of data subject\n3.\nThe transfer is necessary for \u2014\n(a) the conclusion of a contract between the data controller and a person other than the\ndata subject, being a contract that 
is entered into at the request of the data subject, or\nis in the interests of the data subject; or\n(b) the performance of such a contract.\nPublic interest\n4.\nThe transfer is necessary for reasons of substantial public interest.\nLegal proceedings, etc.\n5.\nThe transfer \u2014\n(a) is necessary for the purpose of, or in connection with, any legal proceedings;\n(b) is necessary for the purpose of obtaining legal advice; or\n(c) is otherwise necessary for the purposes of establishing, exercising or defending legal\nrights.\nVital interests\n6.\nThe transfer is necessary in order to protect the vital interests of the data subject.\nPublic register\n7.\nThe transfer is part of the personal data on a public register and any conditions subject\nto which the register is open to inspection are complied with by a person to whom the\ndata are or may be disclosed after the transfer.\nTransfer made on terms approved by Ombudsman\n8.\nThe transfer is made on terms of a kind approved by the Ombudsman as ensuring\nadequate safeguards for the rights and freedoms of data subjects.\nOmbudsman has authorised transfer\n9.\nThe transfer has been authorised by the Ombudsman as being made in such a manner\nas to ensure adequate safeguards for the rights and freedoms of data subjects.\nInternational cooperation between intelligence agencies or regulatory agencies\n10. The transfer is required under international cooperation arrangements between\nintelligence agencies or between regulatory agencies to combat organised crime,\nterrorism or drug trafficking or to carry out other cooperative functions.\nRegulations concerning the public interest\n11. 
The Cabinet may, by regulations, specify in broad, non-exhaustive terms \u2014\n(a) circumstances in which a transfer shall be taken for the purposes of paragraph 4 to be\nnecessary for reasons of substantial public interest; and\n(b) circumstances in which a transfer not required by or under an enactment shall not be\ntaken, for the purposes of paragraph 4, to be necessary for reasons of substantial\npublic interest.\n\nSCHEDULE 5\n(Section 5 (5))\nCONDITIONS OF CONSENT\n1.\nThe data controller shall bear the burden of proving the data subject\u2019s consent to the\nprocessing of the data subject\u2019s personal data for the specified purposes.\n2.\nIf the data subject\u2019s consent is to be given in the form of a written declaration which\nalso concerns another matter, the requirement to give consent shall be presented in an\nappearance that is distinguishable from the other matter.\n3.\nThe data subject shall have the right to withdraw consent at any time. 
The withdrawal\nof consent shall not affect the lawfulness of processing based on consent before its\nwithdrawal.\n4.\nWhere there is a significant imbalance between the position of the data subject and\nthe data controller, consent shall not provide a legal basis for the processing.\nPublication in consolidated and revised form authorised by the Cabinet this 6th day\nof April, 2021.\nKim Bullings\nClerk of the Cabinet\n\nENDNOTES\nTable of Legislation history:\nSL # | Law # | Legislation | Commencement | Gazette\n | 56\/2020 | Citation of Acts of Parliament Act, 2020 | 3-Dec-2020 | LG89\/2020\/s1\n16\/2019 | | Data Protection Law, 2017 (Commencement) Order, 2019 | 2-Apr-2019 | LG9\/2019\/s1\n | 33\/2017 | Data Protection Law, 2017 | 30-Sep-2019 | G12\/2017\/s1\n\n(Price: $11.20)","akn_extracted_at":"2026-06-22 15:32:21.029231+00","cms_id":"2017-0033","law_type":"principal","year":"2017","number":"33","title":"Data Protection Act","status":"in_force"},"provenance":{"files":[{"file_id":"5443","expr_id":"464","kind":"akn_xml","filename":"2017-0033_2021 Revision.akn.xml","source_url":null,"storage_path":"\/Users\/q\/kyleg-data\/working\/PRINCIPAL\/2017\/2017-0033\/2017-0033_2021 Revision.akn.xml","content_md5":"45d4794bdaabca307f0d068ffabca704","byte_size":"94215","http_last_modified":null,"fetched_at":"2026-06-22 15:32:22.272873+00"},{"file_id":"927","expr_id":"464","kind":"pristine_pdf","filename":"2017-0033_2021 Revision.pdf","source_url":"\/cms\/images\/LEGISLATION\/PRINCIPAL\/2017\/2017-0033\/2017-0033_2021 
Revision.pdf","storage_path":"\/Users\/q\/kyleg-data\/pristine\/PRINCIPAL\/2017\/2017-0033\/2017-0033_2021 Revision.pdf","content_md5":"54a477d13c0e40d48067f510dd4bc8a5","byte_size":"1077288","http_last_modified":null,"fetched_at":"2026-06-21 23:09:34.732319+00"},{"file_id":"928","expr_id":"464","kind":"working_pdf","filename":"2017-0033_2021 Revision.pdf","source_url":"\/cms\/images\/LEGISLATION\/PRINCIPAL\/2017\/2017-0033\/2017-0033_2021 Revision.pdf","storage_path":"\/Users\/q\/kyleg-data\/working\/PRINCIPAL\/2017\/2017-0033\/2017-0033_2021 Revision.pdf","content_md5":"54a477d13c0e40d48067f510dd4bc8a5","byte_size":"1077288","http_last_modified":null,"fetched_at":"2026-06-21 23:09:34.732319+00"}],"paragraph_count":53,"latest_history":null},"quality":{"expr_id":"464","doc_id":"464","quality_state":"needs_review","quality_score":"84","needs_human_review":"t","deterministic_categories":"{duplicate_text,page_header_footer_noise}","llm_categories":"{other,page_header_footer_noise}","repair_actions":"{collapse_duplicate_text,manual_review,strip_page_furniture}","finding_severity_counts":"{\"low\": 1, \"medium\": 1}","finding_summary":"Sample ends abruptly with a partial clause; likely truncation after omitted characters marker. Non\u2011legal headers\/footers present.","assessed_at":"2026-06-22 15:29:44.980248+00","updated_at":"2026-06-22 15:29:44.980248+00"}}