
Global Data Privacy Guide

Barbados

(Caribbean) Firm Clarke Gittens Farmer

Contributors Kevin Boyce

Updated 17 Aug 2025

1. What is the key legislation?

The key legislation that governs data protection in Barbados is the Data Protection Act, 2019-29 (“the DPA”).

2. What are the key decisions applying that legislation?

There has not yet been any case law applying this legislation. However, since the DPA is modelled on the EU General Data Protection Regulation (“GDPR”), authorities and case law interpreting the GDPR may hold persuasive value in guiding the application of the DPA.

1. How are “personal data” and “sensitive data” defined?

Per section 2 of the DPA, “personal data” means “data which relates to an individual who can be (a) identified from that data; or (b) from that data together with other information which is in the possession of or is likely to come into the possession of the data controller”.

The DPA defines “sensitive personal data” as “personal data consisting of information on a data subject’s

  1. racial or ethnic origin;
  2. political opinions;
  3. religious beliefs or other beliefs of a similar nature;
  4. membership of a political body;
  5. membership of a trade union;
  6. genetic data;
  7. biometric data;
  8. sexual orientation or sexual life;
  9. financial record or position;
  10. criminal record; or
  11. proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court of competent jurisdiction in such proceedings;”

2. How is the defined data protected?

The defined data is protected through data protection principles and measures outlined in the DPA.

Data protection principles

According to section 4, personal data must be processed lawfully, fairly, and in a transparent manner. It must be collected for specified, explicit, and legitimate purposes and not further processed incompatibly with those purposes. The data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, and it must be accurate. Reasonable steps must be taken to ensure that inaccurate data is erased or rectified without delay.

Security measures

Data is to be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Data must also be kept in a form which permits identification of data subjects for only as long as is necessary for the purposes for which it is processed.

3. Who is subject to privacy obligations?

Pursuant to section 3(1) the DPA applies to (a) the processing of personal data in the context of the activities of a “data controller” or a “data processor” established in Barbados; or (b) the processing of personal data of data subjects in Barbados by a “data controller” or a “data processor” not established in Barbados, where the processing activities are related to the offering of goods or services to data subjects in Barbados.
 
“Data controller” means a person who alone, jointly or in common with others determines the purposes for which, and the manner in which, any personal data is or should be processed; or where personal data is processed only for the purpose for which the data is required by or under an enactment to be processed, the person on whom the obligation to process the data is imposed by or under an enactment.

“Data processor” means any person, other than an employee of a data controller, who processes personal data on behalf of the data controller, e.g. contracted third party service providers.

4. How is “data processing” defined?

According to section 2 of the DPA, data processing is obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including the:

  1. organization, adaptation or alteration of the information or data;
  2. retrieval, consultation or use of the information or data;
  3. disclosure of the information or data by transmission, dissemination or otherwise making available; or
  4. alignment, combination, blocking, erasure or destruction of the information or data.

5. What are the principles applicable to personal data processing?

Data controllers and data processors must comply with the following data protection principles set out in section 4(1) of the DPA:

  • Lawfulness, fairness and transparency - the personal data must be processed lawfully (i.e., on one of the legal bases set out in section 6(1) of the DPA) and fairly and transparently (e.g., by providing the data subject with certain information in relation to the data processing).
  • Purpose limitation - Personal data shall only be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes.
  • Data minimisation - Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which processed.
  • Accuracy - Personal data shall be accurate and kept up to date if necessary. Every reasonable step must be taken to ensure that inaccurate data is erased or rectified.
  • Storage limitation - Personal data is to be kept for no longer than is necessary for the purposes for which it is processed.
  • Appropriate security - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

6. How is the processing of personal data regulated?

Personal data cannot be processed lawfully unless any one of the conditions set out in section 6(1) of the DPA is satisfied:

  • Consent – The data subject has given consent to the processing of personal data for one or more specific purposes. Where the processing is based on consent, the data controller must be able to prove that the subject has given consent. If consent is in a written format and a part of a document that includes other matters, the consent must be clearly distinguishable and presented in an accessible, clear, plain language. Data subjects have the right to withdraw their consent at any time and must be informed of this right before giving consent. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal. In determining whether consent is freely given, it must be considered whether the consent was made a condition for performance of a contract or service, especially if the data processing is not necessary for the performance of that contract.
  • Contract – The processing is necessary for the performance of a contract to which the data subject is a party; or for the taking of steps at the request of the data subject with a view to entering a contract.
  • Legal obligation – The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
  • Vital interests – The processing is necessary in order to protect the vital interests of the data subject.
  • Public functions – The processing is necessary for the exercise of public functions, namely the administration of justice; any functions of either House of Parliament; any functions conferred on any person by or under any enactment; or for the exercise of functions of a public authority.
  • Legitimate interests – The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party to whom the data is disclosed, except if the processing is overridden or unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

7. How are storage, security and retention of personal data regulated?

Section 62 of the DPA requires that data controllers and data processors implement appropriate technical and organisational measures to ensure data security. A data controller or data processor should therefore take into account:

  • The state of the art
  • Implementation costs
  • Nature, scope, context and purposes of processing
  • The risk of varying likelihood and severity for the rights and freedoms of the data subject.

Organisational and technical measures should include:

  • Pseudonymisation (i.e., processing personal data so that it can no longer be linked to a specific person without the use of additional information) and encryption of personal data
  • Ensuring the ongoing confidentiality, integrity, availability, and resilience of systems and services
  • The ability to quickly restore data access after a physical or technical incident
  • Regular testing and evaluation of technical and organisational measures (e.g., staff training, policies)

8. What are the data subjects' rights under the data legislation?

  • Right of access – the data subject has the right to request from a data controller and be provided a copy of his or her personal data undergoing processing (section 10, DPA).
  • Right to rectification – the data subject has the right to have inaccurate personal data corrected without undue delay. They also have the right to have incomplete data completed (section 11, DPA).
  • Right to erasure – where certain circumstances arise (e.g. consent is withdrawn or processing is no longer necessary), a data subject has the right to obtain the erasure of personal data concerning him or her (section 12, DPA).
  • Right to restriction of processing – the data subject has the right to request restriction of processing in certain circumstances (e.g., where the accuracy of the data is disputed, pending verification, or where processing is unlawful but the data subject prefers restriction over erasure) (section 13, DPA).
  • Right to data portability – the data subject has the right to receive the personal data which he or she has provided to a data controller, in a structured, commonly used and machine-readable format and to have that data transmitted from one controller to another where feasible (section 15, DPA).
  • Right to prevent processing – data subjects can object to processing if it is causing or likely to cause substantial damage or distress that is unwarranted, or if the processing is for the purposes of direct marketing (sections 16 and 17, DPA).
  • Right to not be subject to automated decision-making – data subjects have the right not to be subject to decisions made solely by automated processing, including profiling, if such decisions have legal or significant effects on them. Exceptions apply where the processing is:
    • Necessary for entering into or performing a contract
    • Authorised by an enactment with suitable safeguards to the data subject’s rights, freedoms and legitimate interests; or
    • Based on the data subject’s consent

In the aforementioned cases, the controller must implement safeguards to protect the data subject’s rights, freedoms and legitimate interests.

Sensitive personal data is not included in these exceptions and cannot be processed this way unless it is in the public interest and suitable safeguards to the data subject’s rights, freedoms and legitimate interests are in place.

9. What are the consent requirements for data subjects?

Under section 2 of the DPA, “consent” in relation to a data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him.

The conditions for consent are outlined in section 7 of the DPA as follows:

  1. The data controller must show that the data subject consented to the processing of their personal data.
  2. Where a written declaration of consent was given which concerned other matters, the request for consent must be clearly distinguishable from other matters in an intelligible and easily accessible form using clear and plain language.
  3. A data subject has the right to withdraw consent at any time, which he should be informed of prior to consent being given for the data to be processed.
  4. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to withdrawal.

There are separate conditions applicable to a child’s consent per section 8 of the DPA. Consent must be given or authorized by the parent or guardian of the child and reasonable efforts by the data controller shall be made to verify such.

10. How is authorization for use of data handled?

Authorization for the use of personal data rests on the lawful-processing conditions in section 6(1) of the DPA, which are set out in full under question 6 above: consent, contract, legal obligation, vital interests, public functions and legitimate interests. Personal data cannot be processed lawfully unless at least one of those conditions is satisfied.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Cross-border data transfers are regulated under Part IV of the DPA. The DPA restricts the transfer of personal data to a country or territory outside of Barbados unless that country or territory provides for:

  1. an adequate level of protection for the rights and freedoms of data subjects; and
  2. appropriate safeguards on the condition that the rights of the data subject are enforceable and there are available, effective legal remedies for data subjects.

An adequate level of protection is one that is adequate in all the circumstances of the case, having regard to factors such as:

  • the nature of the personal data;
  • the country or territory of origin;
  • the country or territory of the final destination;
  • the purposes for which and period during which the data is intended to be processed;
  • the law in force in the country or territory in question;
  • the international obligations of that country or territory;
  • any relevant codes of conduct or other rules which are enforceable in that country or territory;
  • any security measures taken in respect of the data in that country or territory.

Appropriate safeguards may be provided by:

  • a legally binding and enforceable instrument between public authorities;
  • binding corporate rules (these are personal data protection policies which are adhered to by a data controller or data processor for transfers or a set of transfers of personal data to a data controller or a data processor in one or more countries within a group of undertakings, or group of enterprises engaged in a joint economic activity, and they must be submitted to the Data Protection Commissioner for authorisation);
  • standard data protection clauses prescribed by the Data Protection Commissioner with the approval of the Minister;
  • contractual clauses authorized by the Data Protection Commissioner between the data processor and the data controller, data processor or the recipient of the personal data; or
  • provisions which are authorized by the Data Protection Commissioner to be inserted into administrative arrangements between public authorities.

Section 26 of the DPA provides for specified instances where the restriction on the transfer of personal data outside of Barbados will not apply, such as where the data subject has given consent, or where the transfer is necessary for the performance of a contract or for the purpose of obtaining legal advice.

The Minister has the power to specify the circumstances in which a transfer of the personal data outside of Barbados is to be considered necessary for reasons of substantial public interest and the circumstances in which a transfer not required by or under an enactment is not to be considered necessary for reasons of substantial public interest.

12. How are data "incidents" and "breaches" defined?

A “personal data breach” is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Incidents” are not defined in the DPA.

13. Are there any notification requirements for incidents and/or data breaches?

Under section 63 of the DPA, where there is a personal data breach, the data controller must notify the Commissioner without delay and, where feasible, no later than 72 hours after awareness of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of an individual. Likewise, the data processor must notify the data controller without undue delay after becoming aware of a personal data breach.

Under section 64 of the DPA, where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller shall communicate a personal data breach to the data subject without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Communication to the data subject about a personal data breach is not required if:

  • The data controller implemented and applied appropriate technical and organizational measures;
  • The controller has taken steps to eliminate the high risk to individuals' rights and freedoms; or
  • Informing data subjects directly would require disproportionate effort, in which case a public notice or similar method must be used to inform them effectively.

14. Who is/are the privacy regulator(s)?

The Data Protection Commissioner is responsible for the general administration of the DPA.

15. What are the consequences of a data breach?

A person who processes personal data other than in accordance with the data protection principles is guilty of an offence and is liable on summary conviction to a fine of $500,000 or imprisonment for 3 years or both (section 83, DPA).

Where the Commissioner is satisfied that a data controller or a data processor has contravened or is contravening the DPA, the Commissioner may serve an “enforcement notice” requiring the data controller or the data processor to do either or both of the following:

  • to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified; or
  • to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing the personal data for a purpose so specified or in a manner so specified, after such time as may be so specified.

Failure to comply with an enforcement notice is an offence and the person is liable on summary conviction to a fine of $15 000 or to a term of imprisonment of 6 months (section 83, DPA).

Unlawfully obtaining personal data is an offence and a person is liable on summary conviction to a fine of $10 000 or to a term of imprisonment of 6 months or to both. A person who sells such data is liable on summary conviction to a fine of $100 000 or to a term of imprisonment of 3 years or to both (section 94, DPA).

An individual who suffers damage or distress due to any contravention of this Act by the data controller or the data processor is entitled to compensation from that data controller or the data processor for that damage (section 93, DPA).

16. How is electronic marketing regulated?

The DPA makes provision for the regulation of direct marketing, which is the communication, by whatever means, of any advertising or marketing material directed to particular individuals. This therefore includes electronic marketing.

A person is entitled at any time, by written notice to a data controller, to require the data controller to cease, at the end of a 21-day period, processing personal data for the purposes of direct marketing.

17. Are there sector-specific or industry-specific privacy requirements?

Under Part V of the DPA some sectors are exempt from the obligations typically required for data controllers. In some cases, data subjects may not be entitled to exercise rights such as access. These sectors include:

  • National security
  • Crime and taxation
  • Health, education and social work
  • Regulatory activity
  • Journalism, literature and art
  • Research, history and statistics
  • Armed forces
  • Corporate finance

18. What are the requirements for appointing Data Protection Officers or similar roles?

According to section 67 of the DPA, data controllers and data processors must designate a data privacy officer where:

  1. The processing is carried out by a public authority or body, except for a court of competent jurisdiction acting in its judicial capacity;
  2. The core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. The core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal data.

19. What are the record-keeping and documentation obligations?

Data controllers must maintain a record of processing activities as outlined in section 60 of the DPA. The record of processing shall contain:

  • the name and contact details of the data controller and, where applicable, the joint data controller, the data controller's representative and the data privacy officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data has been or will be disclosed including recipients in other countries or international organisations;
  • where applicable, transfers of personal data to another country or an international organisation, including the identification of that country or international organisation and, in the case of transfers which are not prohibited by the DPA, the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

DPIAs must be carried out where a type of processing, particularly one involving new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of an individual.

Under section 65(4) a DPIA is required in the following cases:

  1. a systematic and extensive evaluation of personal aspects relating to individuals, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning an individual or similarly significantly affect the individual;
  2. processing on a large scale of sensitive personal data; or
  3. a systematic monitoring of a publicly accessible area on a large scale.

Additionally, the Data Protection Commissioner is obligated to establish and make a public list of the kind of processing operations that need a data protection impact assessment, as well as those that do not require data protection impact assessments. These lists are to be published in the Official Gazette.

21. What are the requirements for third-party vendor management and data sharing?

The DPA sets out several obligations regarding third-party vendor relationships and the sharing of personal data. These parties will be subject to the obligations set out in sections 58 and 59 of the DPA.
 
Use of third parties by a data controller

A data controller may only engage a third party who implements appropriate technical and organizational measures to ensure that processing is in accordance with the requirements of the DPA and will ensure the protection of the data subject’s rights.

Sub-processing (third-party data processor engaging a data processor)

A third party cannot engage another data processor without the data controller’s prior (specific or general) written authorisation. In instances of general authorisation, the third party must notify the controller of any intended changes (e.g., new or replacement sub-processors) and give the data controller an opportunity to object.

Written Contract Required

Processing by third parties must be governed by a written contract between the controller and the third party, specifying:

  • The subject and duration of processing
  • The nature and purpose of processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the data controller

Mandatory Contractual Obligations

The written contract referenced above must require the third party to:

  • Process data only on documented instructions from the data controller
  • Maintain confidentiality
  • Implement all necessary security measures pursuant to the DPA
  • Respect the conditions for engaging sub-processors pursuant to the DPA
  • Assist the data controller in fulfilling data subject rights by implementing the appropriate technical and organisational measures
  • Assist the data controller with compliance of its obligations (e.g., data breach responses, security, DPIAs)
  • Delete or return personal data to the data controller at the end of service (unless otherwise required by law)
  • Make available to the data controller all information necessary to demonstrate compliance with obligations and facilitate audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

The Data Protection Commissioner (with the approval of the Minister) may prescribe standard contractual clauses governing these relationships.

Joint Responsibility with Sub-Processors

  • If a third party hires a sub-processor for carrying out specific processing activities on behalf of the data controller, the same obligations must be imposed on that sub-processor via contract.
  • If the sub-processor fails to meet those obligations, the original third party remains fully liable to the data controller.
  • If a third party determines the purposes or means of processing (instead of the data controller), they will be considered a data controller for the purposes of the DPA and will be held liable accordingly.

22. What are the penalties and enforcement mechanisms for non-compliance?

Enforcement notices

The Data Protection Commissioner is empowered to issue an enforcement notice when a data controller or processor is found to be contravening the DPA. Such an enforcement notice may require the controller or processor to:

  • Take or stop taking specific actions within a specified time; and/or
  • Stop processing certain personal data either entirely, for specific purposes, or in a specified manner, within a specified timeframe

Warrants

A High Court Judge may issue a warrant if the Data Protection Commissioner provides sworn evidence that there are reasonable grounds to suspect that a data controller or processor has contravened the DPA or committed an offence under the DPA. The warrant is valid for 7 days and authorises a police officer, along with the Data Protection Commissioner, staff, or such other person skilled in information technology as the police officer may deem necessary for the purpose, to:

  • Enter and search the premises
  • Inspect and test data processing equipment
  • Seize documents or materials
  • Question individuals on the premises for explanations or relevant information as may reasonably be required for the purpose of determining whether the data controller or processor has contravened or is contravening the DPA.

Financial Penalties

Contraventions of the DPA can result in fines ranging from BDS$10,000 up to BDS$500,000.00. These penalties can be imposed for breaches of data protection principles, unauthorized cross-border data transfers, failure to register as a data controller or processor, unlawfully obtaining personal data, or when a processor acts outside the controller’s instructions.

Imprisonment

Contraventions of the DPA may also lead to a term of imprisonment, carrying possible terms from 2 months up to 3 years.

23. What are the ongoing compliance and audit requirements?

The DPA sets out ongoing compliance and audit obligations for data controllers, processors, and the Data Protection Commissioner.

Data Controllers and Processors

A data processor must provide the data controller with all necessary information to demonstrate compliance with the Act. The processor must also permit and cooperate with audits, including inspections carried out by the controller or an auditor appointed by the controller.

Data Privacy Officer

The Data Privacy Officer is responsible for monitoring ongoing compliance with the DPA. This includes:

  • Advising the data controller, processor, and staff on their obligations under the DPA
  • Monitoring compliance with the Act and internal data protection policies, including staff training and audits
  • Providing guidance on data protection impact assessments and overseeing their performance
  • Cooperating with the Data Protection Commissioner
  • Serving as the main contact for the Data Protection Commissioner on processing matters, including prior consultations.

Data Protection Commissioner

The Data Protection Commissioner may, either on their own initiative or upon request, conduct audits of personal data processing activities.

In addition to audits and oversight by the Data Privacy Officer and the Commissioner, the DPA requires data controllers and processors to maintain up-to-date records of processing activities (Section 60), conduct regular data protection impact assessments where required (Sections 65–66), and implement appropriate technical and organizational security measures (Section 62). They must also fully cooperate with the Commissioner during any investigations or audits (Section 67).

24. Are there any recent developments or expected reforms?

At present, the existing DPA framework remains in effect, with no pending amendments publicly confirmed.
