Global Data Privacy Guide

Cayman Islands

(Caribbean) Firm Walkers

Contributors Lucy Frew

Updated 07 Aug 2025

1. What is the key legislation?

The key legislation in the Cayman Islands is:

  • The Confidential Information Disclosure Act 2016 ("CIDA")
  • The Data Protection Act (2021 Revision) ("DPA").

CIDA governs the broad duty on persons not to disclose confidential information, while the DPA governs the processing of personal data and associated requirements.

Generally, CIDA is considered to codify the common law position, which recognizes a general equitable duty of confidentiality applicable to persons coming into possession of information in circumstances where it would be unconscionable to disclose it.

The CIDA operates on a model based on civil remedies for any breach of the duty of confidence owed by one party to another.

The DPA came into force on September 30, 2019.

The DPA requires a data controller to comply with eight data protection principles when processing personal data and to ensure that those principles are complied with in relation to personal data processed on the data controller’s behalf by means of a written contract. The DPA also deals with data security, data breaches and the rights of individual data subjects.

2. What are the key decisions applying that legislation?

The responsible authority, the Cayman Islands Ombudsman, has made various rulings and brought a number of enforcement actions under the DPA. Whilst these are not court rulings or key decisions as such, they illustrate how matters arising under the DPA are generally dealt with in the Cayman Islands.

1. How are “personal data” and “sensitive data” defined?

“personal data” means data relating to a living individual who can be identified and includes data such as —

  1. the living individual’s location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual;
  2. an expression of opinion about the living individual; or
  3. any indication of the intentions of the data controller or any other person in respect of the living individual;

“sensitive personal data” means, in relation to a data subject, personal data consisting of —

  1. the racial or ethnic origin of the data subject;
  2. the political opinions of the data subject;
  3. the data subject’s religious beliefs or other beliefs of a similar nature;
  4. whether the data subject is a member of a trade union;
  5. genetic data of the data subject;
  6. the data subject’s physical or mental health or condition;
  7. medical data;
  8. the data subject’s sex life;
  9. the data subject’s commission, or alleged commission, of an offence; or
  10. any proceedings for any offence committed, or alleged to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.

2. How is the defined data protected?

Generally, personal data is protected under the DPA by the placing of requirements on data controllers, in the form of eight data protection principles (please see answer 5 below). In particular, data controllers may only process personal data if they have a lawful condition for such processing. Under the other principles, data controllers are required to process data in accordance with requirements that ensure further protections, including that data is kept safe and secure, accurate and up to date, and is only transferred to another jurisdiction where adequate protection is provided. These protections are more particularly set out in the eight principles.

In the case of sensitive personal data, there are additional controls. Processing of sensitive personal data may only be undertaken where one of a set of conditions is met, including:

  • Where the data subject has given consent to such;
  • In the case of employment, processing is necessary for the purposes of performing a right, or an obligation, conferred or imposed by law on the data controller in connection with the data subject's employment;
  • In the case of vital interests, the processing is necessary in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject or in order to protect the vital interests of another person in a case where consent by the data subject has been unreasonably withheld; 
  • Where the information contained in the personal data has been made public as a result of the steps taken by the data subject;
  • In the case of legal proceedings, the processing is necessary for the purpose of or in connection with any legal proceedings, or is necessary for the purpose of obtaining legal advice or is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
  • In the case of public functions, the processing is necessary for the administration of justice, the exercise of any functions conferred on any person by or under an enactment, or the exercise of any functions of the Crown or any public authority;
  • In the case of medical purposes (including the purposes of preventative medicine, medical diagnosis, provision of care and treatment and the management of healthcare services), the processing is necessary for medical purposes and is undertaken by a health professional, or a person who in the circumstances owes a duty of confidentiality equivalent to that which would arise if that person were a health professional.

3. Who is subject to privacy obligations?

Application of CIDA:

The CIDA applies to any person in receipt of confidential information as defined in that Act.

Application of DPA:

  • The DPA applies to "data controllers," being the person who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data are, or are to be, processed and includes a local representative.
  • The term “processing”, in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on personal data.
  • The DPA only applies to data controllers in respect of personal data if:
    • The data controller is established in the Cayman Islands and the personal data are processed in the context of that establishment; or
    • The data controller is not established in the Cayman Islands but the personal data are processed in the Cayman Islands otherwise than for the purposes of the transit of the data through the Cayman Islands.

There are also obligations that data controllers must apply to data processors through a contract. "Data processor" means any person who processes personal data on behalf of a data controller, but, for the avoidance of doubt, does not include an employee of the data controller.

4. How is “data processing” defined?

“processing”, in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on personal data, including —

  1. organising, adapting or altering the personal data;
  2. retrieving, consulting or using the personal data;
  3. disclosing the personal data by transmission, dissemination or otherwise making it available; or
  4. aligning, combining, blocking, erasing or destroying the personal data.

5. What are the principles applicable to personal data processing?

The collection of personal data is regulated under the DPA. In particular, a data controller must comply with the following eight data protection principles, which are set out below and further expanded on in the DPA:

  • Lawfulness, fairness and transparency - Personal data shall be processed fairly. In addition, personal data may be processed only if at least one of a number of conditions, discussed below, for lawful processing is met. Data subjects also have the right to be informed, as also discussed below.
  • Purpose limitation - Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Data minimization - Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
  • Accuracy - Personal data shall be accurate and, where necessary, kept up to date.
  • Storage limitation - Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
  • Data subject rights - Personal data shall be processed in accordance with the rights of data subjects under the DPA.
  • Integrity, confidentiality and security - Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Cross-border transfer - Personal data shall not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

6. How is the processing of personal data regulated?

Use and disclosure under the CIDA:

The CIDA lists a number of categories under which the duty to keep the information confidential can be overridden. Disclosure of confidential information does not give rise to a civil action when made:

  • in compliance with the evidential directions of a court;
  • in the normal course of business or with the consent (express or implied) of a principal;
  • to constables of the rank of Inspector or above investigating offenses alleged to have been committed within the Cayman Islands;
  • in compliance with orders or search warrants;
  • in compliance with orders made pursuant to the Mutual Legal Assistance (United States of America) Law (2015 Revision);
  • in compliance with an order for evidence made by the Grand Court;
  • to the Cayman Islands Monetary Authority ("CIMA"), where the disclosure is made pursuant to the duty under the Monetary Authority Act (2020 Revision) or other local regulatory laws;
  • to the Financial Reporting Authority pursuant to a duty imposed by the Proceeds of Crime Act (2020 Revision) or Terrorism Act (2018 Revision);
  • to the Anti-Corruption Commission pursuant to a duty imposed by the Anti-Corruption Act (2019 Revision); and
  • in accordance with or pursuant to a right or duty created by any other local law or regulation.

Adding further background to the two most common methods of disclosure:

Ordinary course of business

Disclosures made in "the ordinary and necessary routine involved in the efficient carrying out of the instructions of a principal" will not be actionable. This exception is designed to ensure that service providers (and similar) are not prevented or delayed in carrying out routine operations by the need to deal with confidentiality issues or to seek specific consent.

Consent

Disclosure may always be made with the consent of the principal. The confidentiality that exists in the information belongs to the principal, and as such is theirs to waive.

Consent from a principal is specific and individual. For example, there is no authority to disclose confidential information relating to an entire class of persons on the basis that consent has been obtained from the majority.

Additionally, there is a statutory defense in the CIDA to claims for breach of confidence in cases where there is a serious threat to the life, health or safety of a person or where there is a serious threat to the environment. The party seeking to rely on the defense must have acted in good faith and reasonably believed that the information was true and disclosed such a serious threat. 

Use and disclosure under the DPA:

Personal data cannot be processed unless at least one of the following conditions under the DPA is met:

  • Consent - The data subject has given consent to the processing. In order to be valid, consent needs to meet a number of tests. Moreover, it can be withdrawn at any time;
  • Contract - The processing is necessary for the performance of a contract to which the individual data subject is a party or the taking of steps at the request of the data subject with a view to entering into a contract;
  • Legal obligation - The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
  • Vital interests - The processing is necessary in order to protect the vital interests (generally understood to mean matters of life and death) of the data subject;
  • Public functions - The processing is necessary for the exercise of public functions, namely the administration of justice; any functions conferred on any person by or under any enactment; any functions of the Crown or any public authority; or of any other functions of a public nature exercised in the public interest by any person; or 
  • Legitimate interests - The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

7. How are storage, security and retention of personal data regulated?

The DPA requires that appropriate technical and organizational measures be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. There are different aspects to this principle, including:

  • organizational measures, such as staff training and policy development;
  • technical measures, such as physical protection of data, pseudonymization, and encryption; and
  • securing ongoing availability, integrity, and accessibility, for example, by ensuring backups.

8. What are the data subjects' rights under the data legislation?

Under the DPA, data subjects have a number of rights:

  • The right to be informed: Individuals have the right to be informed about the collection and use of their personal data. They must be provided with information, including who the data controller is and the purposes for processing their personal data. 
  • The right of access: Individuals have the right to access their own personal data. Controllers must respond to such a subject access request within 30 days (subject to extension where further information is required from the requestor) and there must be no cost to the requestor other than in exceptional circumstances.
  • The right to rectification: Individuals may request to have inaccurate personal data rectified or completed if it is incomplete, as long as the data controller is convinced of the validity of the request. Whilst there is not an explicit legal obligation on the data controller to act on such a request for rectification from an individual, the interpretation of the first data protection principle (fair and lawful processing) and fourth data protection principle (data accuracy) means that data controllers should take steps to correct data without undue delay.
  • The right to stop or restrict processing: Individuals have the right to require that processing stop or not begin, or that it cease for a specified purpose or in a specified way. This is not an absolute right and does not apply in certain specified circumstances (including matters of national security, where disclosure is required by the DPA, or processing relating to personal, family and household affairs).
  • The right to stop direct marketing: Individuals have an absolute right to stop the processing of their personal data for direct marketing purposes.
  • Rights in relation to automated decision making: Individuals may at any time give notice in writing requiring that a decision which affects them significantly is not solely based on processing by automated means. If decisions that significantly affect individuals are made solely by automated means, individuals must be notified that the decision was taken on that basis.
  • The right to complain/seek compensation: Individuals have the right to complain to the Ombudsman about any perceived violation of the DPA. Individuals who suffer damage due to a contravention of the DPA by a data controller may seek compensation in the courts.

9. What are the consent requirements for data subjects?

Under the DPA, there are a number of consent requirements for data subjects. In particular:

  • The data controller bears the burden of proving the data subject's consent to the processing of the data subject's personal data;
  • If the consent of the data subject is to be given in a written declaration which also concerns another matter, the request for consent shall be presented in a manner that is clearly distinguishable from the other matter;
  • The data subject shall have the right to withdraw consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
  • Where there is a significant imbalance between the position of the data subject and the data controller, consent shall not provide a legal basis for the processing.

10. How is authorization for use of data handled?

Typically authorization for use of data is handled by way of privacy notices, delivered to persons who will provide personal data prior to the in-scope entity carrying on any data processing. 

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Under the DPA, the Eighth Data Protection Principle requires that personal data not be transferred outside the Cayman Islands to another country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. In practice, the Ombudsman will approve the following terms relating to safeguards for cross-border transfers:

  • data transfer agreements based on standard contractual clauses published by the Ombudsman (forthcoming); or
  • data transfer agreements which replicate the rights and obligations contained in the EU 'standard contractual clauses' pursuant to Article 46 paras (2)(c), (2)(d), or (5) GDPR.

However, there are certain transfers to which the eighth principle does not apply, provided the transfer is:

  1. made with the individual’s consent;
  2. necessary for the performance of a contract between the individual and the organisation, or for pre-contractual steps taken at the individual’s request;
  3. necessary for the performance of a contract made in the interests of the individual between the controller and another person;
  4. necessary for important reasons of substantial public interest;
  5. necessary for the establishment, exercise or defence of legal claims;
  6. necessary to protect the vital interests of the data subject;
  7. made in regard to public data on a public register, and any conditions subject to which the register is open to inspection are complied with;
  8. made on terms of a kind approved by the Ombudsman as ensuring adequate safeguards for the individual(s);
  9. authorised by the Ombudsman as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects; or
  10. required under international cooperation arrangements between intelligence agencies or regulatory agencies, if permitted or required under an enactment or an order issued by the Grand Court.

12. How are data "incidents" and "breaches" defined?

Under the DPA a "personal data breach" is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or, access to personal data transmitted, stored or otherwise processed. The term "incident" is not specifically defined under the DPA and therefore only the ordinary English meaning should be ascribed to it.

13. Are there any notification requirements for incidents and/or data breaches?

Entities licensed by CIMA should consider making a disclosure to CIMA. All CIMA licensees are under a general duty to "conduct [their] affairs with [CIMA] in a transparent, open and honest manner always sufficiently disclosing to [CIMA] anything that [CIMA] would reasonably expect notice of."

In addition, the DPA requires that a data controller notify the Ombudsman and the affected data subject(s) of a personal data breach without undue delay (and no later than five days after the data controller should, with the exercise of reasonable diligence, have become aware of that breach). The notification must include specified information, including but not limited to a description of the nature and consequences of the breach, the measures proposed or taken by the data controller to address it, and the measures recommended to mitigate the possible adverse effects of the breach.

14. Who is/are the privacy regulator(s)?

In respect of obligations under the DPA, the Ombudsman is the Cayman Islands regulator. The courts resolve civil disputes.

The DPA provides a detailed framework for complaints to the Ombudsman and the Ombudsman’s power to investigate and make information orders, enforcement orders and monetary penalty orders. The DPA also provides for a number of offenses and fines. Where an offense under the DPA has been committed by an entity, a director, member, secretary or similar officer of that entity may also be regarded as having committed that offense.

15. What are the consequences of a data breach?

The CIDA operates on a model based on civil remedies for any breach of the duty of confidence owed by one party to another.  There are no criminal penalties for breach of confidence.

The DPA provides that if the personal data breach processes are not adhered to, this is an offense liable on conviction to a fine of CI $100,000.

16. How is electronic marketing regulated?

Entities licensed by CIMA are subject to regulation regarding the use of the internet (including electronic marketing).

The DPA introduces an absolute right for individuals to demand that direct marketing cease or not begin. Direct marketing is defined as the communication, by whatever means, of any advertising, marketing, promotional or similar material that is directed to particular individuals.

Note: The relevant confidentiality requirement in CIMA's regulation of licensees' use of the internet is as follows:
"Licensees should take appropriate measures to preserve the confidentiality of key information gathered over the Internet.

Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases."

17. Are there sector-specific or industry-specific privacy requirements?

The DPA provides that the Cabinet may, after consulting with the Ombudsman, make regulations for the preparation and dissemination of codes of practice which could be specific to industries or processing operations. Currently, no such industry-specific measures are in existence.

CIMA has published its Rule & Statement of Guidance – Cybersecurity for Regulated Entities, which addresses data protection matters with reference to the DPA.

18. What are the requirements for appointing Data Protection Officers or similar roles?

There is no general requirement to appoint a data protection officer. However, a data controller who is not established in the Cayman Islands but processes data in the Cayman Islands shall nominate a local representative established in the Cayman Islands.

Where such a local representative is nominated, the local representative is treated as the data controller and bears all obligations under the DPA as if it were the data controller.

19. What are the record-keeping and documentation obligations?

The eight data protection principles in the DPA implicitly create requirements as to record-keeping and documentation. In particular:

  1. Fair and lawful processing – a controller should maintain records of the legal basis or bases under which it conducts each processing activity;
  2. Purpose limitation – a controller must document the purpose for which personal data is collected and processed;
  3. Data minimization – maintain logs of the data types collected and the justification for each;
  4. Accuracy – keep data up to date and maintain processes for data correction;
  5. Storage limitation – define and document retention schedules and keep deletion practices under review;
  6. Data subject rights – maintain logs of data subject access requests and how they were handled; and
  7. Integrity, confidentiality and security – record the technical and organizational measures taken.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

The Cayman Islands data protection regime does not specifically require Data Protection Impact Assessments.

However, in guidance, the Ombudsman refers to it being good practice for data controllers to carry out a privacy impact assessment, which sets out ways of mitigating risks of processing, where the controller thinks it is impossible to provide privacy information to affected individuals or where there is to be automated decision-making. The Ombudsman further refers to the UK Information Commissioner's Office in relation to DPIAs.

21. What are the requirements for third-party vendor management and data sharing?

Any data controller who engages a data processor must ensure that the engagement is based on a written contract which contains certain prescribed assurances regarding processing, noting that data controllers remain liable for compliance with the DPA even where processing is delegated. The contractual requirements are as follows:

  1. The data processor must only act on the written instructions of the data controller (unless required by law to act without such instructions); and
  2. The data processor must take appropriate measures to ensure the security of processing.

The following points should also be included:

  3. The contract should describe the subject matter and duration of the processing, specify the nature and purpose of the processing, the type of personal data and categories of data subject, and set out the obligations and rights of the controller;
  4. The data processor must ensure that people processing data are subject to a duty of confidence;
  5. The data processor must only engage any sub-processor with the prior consent of the data controller and subject to a written contract;
  6. The data processor must assist the data controller in providing subject access and allowing data subjects to exercise rights under the DPA;
  7. The data processor must assist the data controller in meeting its DPA obligations in relation to the security of processing, the notification of personal data breaches, and any impact assessments;
  8. The data processor must delete or return all personal data to the data controller as requested at the end of the contract; and
  9. The data processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their legal obligations, and tell the controller immediately if it is asked to do something that infringes the DPA.

As a matter of good practice, as per Ombudsman guidance, the following points should also be included in contracts:

  10. State that nothing within the contract relieves the data processor of its own direct responsibilities and liabilities under the DPA; and
  11. Reflect any indemnity agreed between the parties.

22. What are the penalties and enforcement mechanisms for non-compliance?

The DPA specifies that a breach of the DPA constitutes a criminal offence, punishable on conviction with a fine of up to approximately USD 125,000, imprisonment for a term of up to 5 years, or both.

Further, the Ombudsman is empowered to issue monetary penalty orders of up to approximately USD 300,000 where the Ombudsman is satisfied, on the balance of probabilities, that there has been a serious contravention of the DPA and that it is of a kind likely to cause substantial damage or substantial distress to the relevant data subject.

23. What are the ongoing compliance and audit requirements?

Generally, data controllers must comply with the DPA, in particular the 8 Principles, on an ongoing basis. Data controllers are required to implement appropriate technical and organizational measures to demonstrate compliance.

CIMA licensees are subject to specific requirements in relation to data, as specified in various rules and guidance, including CIMA's Rule and Statement of Guidance – Internal Controls for Regulated Entities, as well as its Rule – Cybersecurity for Regulated Entities.

24. Are there any recent developments or expected reforms?

The DPA and the related Data Protection Regulations, 2018, have been in effect since September 30, 2019. The Office of the Ombudsman has issued a Guide for Data Controllers which aims to explain how the Ombudsman interprets certain provisions of the DPA.
