Friday, October 11, 2024
HomeUncategorizedThe Data Protection DPA Enters into Force in the BVI

The Data Protection DPA Enters into Force in the BVI

In April 2021, the British Virgin Islands (BVI) government passed the Data Protection Act (DPA). The DPA became effective 9 July 2021. (Though BVI is a United Kingdom territory, it is not subject to Europe’s General Data Protection Regulation [GDPR]).
The DPA’s main goals:

protect the personal data that public and private bodies process.
boost personal data processing transparency and accountability.

Essentially, the DPA applies to any person or entity that processes, authorises, or administers personal data regarding eir behalf, regardless of whether such is for their business’ purposes.

located outside the BVI, but uses BVI devices for processing personal data (other than for transit through BVI).

DPA Main Definitions and Provisions

The DPA’s main definitions and provisions are as follows:

A data controller is a person who directly processes and maintains or engages others to process or maintain control over the processing of personal data.
A data processor is a person who processes data for a data controller, but is not the data controller’s employee.
A data controller may process “adequate but not excessive” quantities of personal data, only when such relates to a data controller’s activities and when such is for a lawful purpose, and only with the individual’s direct consent.
If processing is required to prepare a performance contract, to carry out legal duties, for the administration of justice, or to protect an individual’s essential interests, express consent is not required.
Data controllers must take “practical steps” to validate the accuracy of the personal data they process, make sure it is current, retain it, and protect it. And, when the personal data is no longer necessary, they must then delete the personal data.
Data controllers may only process personal data outside BVI when sufficient safeguards exist or if the individual consents.
Unless an individual provides consent or a law requires disclosure, a data controller shall not process “sensitive personal data.” Such includes an individual’s mental and physical health, political beliefs, religious views, and sexual orientation.
Individuals may gain access to and correct their personal information, revoke their permission to process their data, and refuse direct marketing contacts.
The Office of the Information Commissioner can fine business DPA violators up to $500,000 and also imprison individual offenders.

Steps for BVI Individuals and Entities

BVI individuals and entities that are not data controllers or data processors need not take any further steps. Those that are should:

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments