Global Data Privacy Guide

British Virgin Islands

(Caribbean) Firm O'Neal Webster Updated 08 Aug 2025
1. What is the key legislation?

Data Protection Act 2021 (the “Act”).

2. What are the key decisions applying that legislation?

Not applicable

1. How are “personal data” and “sensitive data” defined?

“personal data” means any information in respect of commercial transactions, which 

  1. is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
  2. is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
  3. is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.

“sensitive data” is not defined by the Act, but “sensitive personal data” means any personal data about a data subject’s

  1. physical or mental health;
  2. sexual orientation;
  3. political opinions;
  4. religious beliefs or other beliefs of a similar nature;
  5. criminal convictions, the commission or alleged commission, of any offence; or
  6. any other personal data that the Minister may by Order prescribe.
2. How is the defined data protected?

Data controllers must take practical steps to protect personal data from loss, misuse, modification, unauthorised access, disclosure, alteration or destruction (s.10). Personal data cannot be kept longer than necessary for its purpose (s.11). Controllers must ensure data is accurate, complete, not misleading and up-to-date (s.12). Data cannot be disclosed without consent except for specified purposes or to authorised third parties (s.9). The Information Commissioner monitors compliance (s.26(a)) and can serve enforcement notices for contraventions (s.33(1)).

3. Who is subject to privacy obligations?

Privacy obligations apply to private bodies that process or control personal data in commercial transactions, and to public bodies that process personal data (s.4(1)). Data controllers, meaning persons who alone or jointly process, control or authorise the processing of personal data, are the primary entities subject to these obligations; data processors who only process data on behalf of a controller fall outside that definition.

4. How is “data processing” defined?

The Act does not define “data processing”, but “processing”, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including the

  1. organisation, adaptation or alteration of personal data; 
  2. retrieval, consultation or use of personal data;
  3. disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
  4. alignment, combination, correction, erasure or destruction of personal data.
5. What are the principles applicable to personal data processing?

The seven applicable principles are:

  1. General – Express consent required for processing; lawful basis necessary; restriction on transfer of data out of the BVI.
  2. Notice and Choice – Inform subjects of purposes; allow consent withdrawal.
  3. Disclosure – No disclosure without consent except for specified purposes.
  4. Security – Protect data from loss, misuse and unauthorised access.
  5. Retention – Keep data only as long as necessary.
  6. Data Integrity – Ensure data is accurate, complete and up-to-date.
  7. Access – Give subjects access to their personal data and the ability to have it corrected.
6. How is the processing of personal data regulated?

Processing of personal data is regulated through privacy and data protection principles requiring data controllers to obtain express consent, process data lawfully for specific purposes, and ensure data is adequate but not excessive (s.7). The Information Commissioner monitors compliance, provides advice, and investigates complaints (s.26), with enforcement notices requiring corrective action when contraventions occur (s.33(1)-(2)).

7. How are storage, security and retention of personal data regulated?

Storage, security and retention are regulated through the Security Principle (s.10) requiring practical steps to protect data from loss, misuse or unauthorised access, and the Retention Principle (s.11) mandating data not be kept longer than necessary and be destroyed when no longer required.

8. What are the data subjects' rights under the data legislation?

Data subjects have the right of access to their personal data held by public or private bodies, including the right to know whether their data is being processed, receive descriptions of the data and processing purposes, learn about recipients, and obtain source information (s.14(1)). They can request rectification when personal data is incomplete, incorrect, misleading, excessive, or irrelevant (s.18(1)). Data subjects may prevent processing for direct marketing purposes by written notice (s.21(1)) and can withdraw consent for data processing at any time (s.8(2)). They also have the right to seek civil remedies through the courts for damages or distress caused by contraventions (s.35(1)).

9. What are the consent requirements for data subjects?

Data controllers must obtain express consent from data subjects before processing personal data (s.7(1)). Data subjects may withdraw their consent at any time (s.8(2)), and withdrawal does not affect the lawfulness of processing that occurred before withdrawal (s.8(3)). For sensitive personal data, explicit consent is required (s.20(1)(a)). Data controllers must inform subjects whether providing data is obligatory or voluntary, and the consequences of not providing it (s.8(1)(e) and (f)).

10. How is authorization for use of data handled?

Authorization for use of data is handled through express consent requirements, where data controllers cannot process personal data unless the data subject has given express consent, and for sensitive personal data, explicit consent is required (s.7(1)(a); s.20(1)(a)). However, processing may occur without consent when necessary for contract performance, legal compliance, vital interests protection, justice administration, or statutory functions (s.7(2)).

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Yes, cross-border data transfers are regulated under the Virgin Islands Data Protection Act 2021. Data controllers cannot transfer personal data outside the Virgin Islands unless there is proof of adequate data protection safeguards or consent from the data subject (s.7(1)(c)). Controllers must also take measures to ensure the secure transfer of personal data (s.10(1)(e)). Entities not established in the Virgin Islands but using equipment there for processing must nominate a local representative (s.4(2)(b); s.4(3)).

12. How are data "incidents" and "breaches" defined?

Neither of these terms is defined by the Act. The Act does, however, stipulate that a breach of the confidentiality obligation imposed on the Information Commissioner and on any person acting on his or her behalf (s.45) is an offence, punishable by fines of up to $100,000 and imprisonment of up to five years (s.39).

13. Are there any notification requirements for incidents and/or data breaches?

Not applicable.

14. Who is/are the privacy regulator(s)?

The Information Commissioner and any other appointed staff (s.25) monitor compliance, provide advice, receive and investigate complaints, carry out education and research, cooperate and exchange information with other bodies, and exercise such other functions as are conferred by the Act (s.26).

15. What are the consequences of a data breach?

As mentioned in response to question 12, breaches are not specifically defined. However:

  1. wilfully obstructing the Information Commissioner or authorised officer in conducting their duties, punishable by fine up to $5,000 or imprisonment up to 6 months, or both (s.37);
  2. wilfully disclosing personal information, or collecting, storing or disposing of personal information in contravention of the Act, punishable by fine up to $5,000 or imprisonment up to 6 months, or both (s.38(1));
  3. breaching confidentiality obligations, punishable by fine up to $50,000 or imprisonment up to 3 years (summary conviction) or fine up to $100,000 or imprisonment up to 5 years (indictment) (s.39); 
  4. contravening restrictions on processing sensitive personal data, punishable by fine up to $200,000 or imprisonment up to 2 years, or both (s.20(3)); and
  5. bodies corporate face fines up to $250,000 (summary) or $500,000 (indictment), with individual officers also liable if complicit (s.40).
16. How is electronic marketing regulated?

Electronic marketing is regulated through specific provisions that give individuals control over direct marketing communications. Data subjects have the right to require data controllers to stop processing their personal data for direct marketing purposes at any time by written notice (s.21(1)). Controllers must comply within three days of receiving such a request and notify the data subject accordingly (s.21(2)). Direct marketing is defined as communication of advertising or marketing material directed to particular individuals by any means (s.21(4)).

17. Are there sector-specific or industry-specific privacy requirements?

The Act does not create any distinct sector-specific or industry-specific regulatory frameworks. It applies broadly to private bodies processing personal data in commercial transactions and to public bodies (s.4(1)). Only limited sector-specific provisions exist: for healthcare, processing of sensitive personal data by healthcare professionals is permitted (s.20(1)(b)(iii)), and processing for journalistic, literary or artistic purposes is exempted under certain conditions (s.22(2)(f)). The Minister may also exempt specific data controllers from provisions of the Act upon the Information Commissioner's recommendation (s.23).

18. What are the requirements for appointing Data Protection Officers or similar roles?

The Act does not contain any requirement for an entity to appoint a data protection officer. It does, however, impose certain data protection obligations directly on the Chief Executive Officer of any private or public organisation.

19. What are the record-keeping and documentation obligations?

The Act’s record-keeping and documentation obligations require data controllers to provide access to personal data, information about, and documentation of, processing activities, and security-related information upon request from the Information Commissioner (s.31). Personal data must not be kept longer than necessary for its purpose, with controllers required to destroy or permanently delete data when no longer needed (s.11). Controllers must maintain accurate, complete, and up-to-date records (s.12).

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

The Act does not establish Data Protection Impact Assessment ("DPIA") requirements. The Act only provides for the Information Commissioner to conduct assessments of personal data processing to determine compliance, conducted in whatever manner appears appropriate to the Commissioner (s.34(1)-(2)). No specific DPIA obligations, procedures, or thresholds are defined in this legislation.

21. What are the requirements for third-party vendor management and data sharing?

The Act establishes limited third-party vendor management requirements. Data processors are defined as persons who process data on behalf of controllers, excluding employees. Controllers must ensure processors provide sufficient guarantees for technical and organisational security measures and take reasonable steps to ensure compliance (s.10(2)). Personal data disclosure requires consent unless for original purposes or to specified third-party classes (s.9). Cross-border transfers require adequate safeguards or consent (s.7(1)(c)).

22. What are the penalties and enforcement mechanisms for non-compliance?

The Act establishes the following penalties and enforcement mechanisms for non-compliance:

  • Criminal Penalties: Obstruction of the Information Commissioner carries fines up to $5,000 or imprisonment up to six months (s.37). Wilful disclosure or improper collection or storage of personal information results in fines up to $5,000 or imprisonment up to six months (s.38(1)). Breach of confidentiality carries the most severe penalties, with fines on summary conviction of up to $50,000 or three years' imprisonment, or on conviction on indictment fines of up to $100,000 or five years' imprisonment (s.39). Corporate offences result in fines up to $250,000 (summary) or $500,000 (indictment) (s.40(2)).
  • Enforcement Powers: The Information Commissioner can issue enforcement notices requiring corrective action within specified timeframes (s.33(1)). The Commissioner may conduct assessments of data processing compliance at their discretion or upon request (s.34(1)-(2)).
  • Civil Remedies: Data subjects may pursue civil proceedings for damages or other relief when suffering harm from Act contraventions (s.35(1),(3)).
23. What are the ongoing compliance and audit requirements?

The Act establishes limited ongoing compliance and audit requirements. The Information Commissioner monitors compliance by public and private bodies with the Act's requirements (s.26). The Commissioner may conduct assessments of personal data processing at their discretion or upon request to determine compliance, conducted in whatever manner appears appropriate (s.34(1)-(2)). The Information Commissioner must submit annual reports to the Minister within three months after the financial year (s.46(1)). However, the Act does not establish specific ongoing audit schedules or mandatory compliance reporting requirements for data controllers themselves.

24. Are there any recent developments or expected reforms?

Not applicable. 