Global Data Privacy Guide
Curaçao (Caribbean)
Firm: VANEPS | Updated 26 Aug 2025
| 1. What is the key legislation? | National Ordinance of September 4, 2010, containing rules on the protection of personal data (“Personal Data Protection Ordinance”). |
| 2. What are the key decisions applying that legislation? | Currently, we are not aware of local key decisions applying this legislation. |
| 1. How are “personal data” and “sensitive data” defined? | “Personal data” is defined as any data related to an identified or identifiable natural person. |
| 2. How is the defined data protected? | The data are protected by the rights and obligations provided by the Ordinance. Under the Ordinance, organizations that want to process data need a valid reason and basis, and sometimes explicit consent; they are required to store the data safely and implement (technical) measures to protect the data from being copied or hacked by third parties; and they need to delete such information as soon as it is no longer required for the purpose for which the data was originally collected. |
| 3. Who is subject to privacy obligations? | The Personal Data Protection Ordinance applies to the processing of personal data in the context of activities of an establishment of a responsible party in Curaçao. |
| 4. How is “data processing” defined? | “Data processing” is defined as any act or set of acts concerning personal data, including in any event the collection, recording, organization, saving, updating, modification, retrieval, consultation, use, provision by means of transferring, distribution, or making available in any other form, merging, linking, as well as blocking, deletion, or destruction of data. |
| 5. What are the principles applicable to personal data processing? | Pursuant to the Personal Data Protection Ordinance, personal data must be processed properly, in compliance with the law, and with due care. In order for personal data to be processed in a lawful manner, personal data should be processed (i) for a predetermined, carefully considered, explicitly described and justified objective, (ii) on one of the grounds that justify data processing and (iii) the personal data should not qualify as special personal data that, in principle, may not be collected, processed and/or used unless this is on the basis of one of the exceptions provided in the Personal Data Protection Ordinance. Further, when processing personal data, the responsible party must always adhere to the principles of proportionality and subsidiarity. |
| 6. How is the processing of personal data regulated? | The processing of personal data is regulated in the Ordinance. Basically, personal data may only be processed if there is a legal basis for doing so, such as consent, an agreement, a legal obligation, or a legitimate interest. Organizations must make the processing transparent, comply with rules for data exchange, and comply with specific rules for sensitive data. Organizations must comply with the following rules when processing personal data: |
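| 7. How are storage, security and retention of personal data regulated? | Personal data may not be saved in a form that makes it possible to identify the data subject longer than necessary for the realization of the purposes for which they are collected or subsequently processed. |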
| 8. What are the data subjects' rights under the data legislation? | The data subjects have the following rights under the Personal Data Protection Ordinance: |
| 9. What are the consent requirements for data subjects? | The Personal Data Protection Ordinance requires consent to be an unequivocal, voluntary, specific, and informed expression of will with which the data subject accepts that personal data related to him are processed. The term “unequivocal” excludes passive behavior: silence or inactivity cannot be interpreted as consent. The intention of the data subject must be made clear through an affirmative act. |
| 10. How is authorization for use of data handled? | An organization may only process personal data and subsequently use that information if at least one of the following conditions is met: |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | The Personal Data Protection Ordinance provides that personal data may be transferred to other countries only if the country in question guarantees an appropriate level of protection. The explanatory memorandum of the Personal Data Protection Ordinance provides the following reference points to assess whether there is an appropriate level of protection: |
| 12. How are data "incidents" and "breaches" defined? | The Personal Data Protection Ordinance does not include any definitions for these terms or similar terms. |
| 13. Are there any notification requirements for incidents and/or data breaches? | The Personal Data Protection Ordinance does not provide for any notification requirements for incidents and/or data breaches. However, it should be taken into account that a notification to the relevant data subject would be strongly suggested in order to mitigate the risk of civil liability. |
| 14. Who is/are the privacy regulator(s)? | The privacy regulator is the Data Protection Committee. |
| 15. What are the consequences of a data breach? | The Personal Data Protection Ordinance does not impose consequences specifically for a data breach. However, the Personal Data Protection Ordinance does provide that if a person suffers any harm by acts against him that are in conflict with the provisions laid down by the Personal Data Protection Ordinance, the aggrieved party is entitled to fair compensation. Please note that the responsible party can also be held liable in a civil procedure for damages incurred by the data subject due to a data breach. |
| 16. How is electronic marketing regulated? | The Personal Data Protection Ordinance does not make a distinction between marketing and electronic marketing. |
| 17. Are there sector-specific or industry-specific privacy requirements? | The Personal Data Protection Ordinance does not contain sector-specific or industry-specific privacy requirements. However, please take into account the category of special personal data mentioned above which can be relevant in certain sectors or industries. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | The Personal Data Protection Ordinance does not provide for Data Protection Officers or similar roles. |
| 19. What are the record-keeping and documentation obligations? | The responsible party is required to determine the purposes of the processing beforehand. In light of the burden of proof to be borne by the responsible party, it is strongly recommended that the determined purposes for processing are documented. In addition, if the responsible party is using a processor, the processing by the processor must be governed by a written agreement. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | The Personal Data Protection Ordinance does not provide for Data Protection Impact Assessments. |
| 21. What are the requirements for third-party vendor management and data sharing? | A responsible party who engages a third party to process personal data on its behalf must ensure that such processor processes the data in accordance with the Personal Data Protection Ordinance and that it provides adequate guarantees regarding technical and organizational security measures. Furthermore, the processing by the processor must be governed by a written agreement. In addition, the responsible party may only share the collected data with a third party for the previously determined purpose(s) for which the data has been collected. |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | The penalties for non-compliance range from administrative enforcement actions and an administrative fine of up to Cg 10,000.00 (approximately USD 6,000) to criminal sanctions of up to Cg 10,000.00 (approximately USD 6,000) or imprisonment not exceeding six months. |
| 23. What are the ongoing compliance and audit requirements? | The Personal Data Protection Ordinance does not provide for ongoing compliance and audit requirements. |
| 24. Are there any recent developments or expected reforms? | We are not aware of any recent developments or expected changes to legislation. |
National Ordinance of September 4, 2010, containing rules on the protection of personal data (“Personal Data Protection Ordinance”).
Currently, we are not aware of local key decisions applying this legislation.
“Personal data” is defined as any data related to an identified or identifiable natural person.
“Sensitive data” is not defined in the Personal Data Protection Ordinance. Instead, the Ordinance defines “special personal data”, which means personal data concerning a person’s religion or personal beliefs, race, political persuasion, health, sexual life, and personal data concerning the membership of a labor union, criminal data and personal data regarding unlawful or objectionable conduct.
The data are protected by the rights and obligations provided by the Ordinance. Under the Ordinance, organizations that want to process data need a valid reason and basis, and sometimes explicit consent; they are required to store the data safely and implement (technical) measures to protect the data from being copied or hacked by third parties; and they need to delete such information as soon as it is no longer required for the purpose for which the data was originally collected.
The Personal Data Protection Ordinance applies to the processing of personal data in the context of activities of an establishment of a responsible party in Curaçao.
“Data processing” is defined as any act or set of acts concerning personal data, including in any event the collection, recording, organization, saving, updating, modification, retrieval, consultation, use, provision by means of transferring, distribution, or making available in any other form, merging, linking, as well as blocking, deletion, or destruction of data.
Pursuant to the Personal Data Protection Ordinance, personal data must be processed properly, in compliance with the law, and with due care. In order for personal data to be processed in a lawful manner, personal data should be processed (i) for a predetermined, carefully considered, explicitly described and justified objective, (ii) on one of the grounds that justify data processing and (iii) the personal data should not qualify as special personal data that, in principle, may not be collected, processed and/or used unless this is on the basis of one of the exceptions provided in the Personal Data Protection Ordinance. Further, when processing personal data, the responsible party must always adhere to the principles of proportionality and subsidiarity.
The processing of personal data is regulated in the Ordinance. Basically, personal data may only be processed if there is a legal basis for doing so, such as consent, an agreement, a legal obligation, or a legitimate interest. Organizations must make the processing transparent, comply with rules for data exchange, and comply with specific rules for sensitive data. Organizations must comply with the following rules when processing personal data:
Transparency: Communicate how and why personal data is processed so that those involved are informed in an open and clear manner.
Propriety: Data processing must be carried out properly.
Limited scope: Data is only processed for specific and legitimate purposes.
Limited storage: Data is not stored for longer than necessary.
Security: Take adequate measures to prevent unauthorized access.
When a third party is engaged to actually process the personal data on behalf of the responsible party (the party requesting the collection and processing of the relevant personal data), the responsible party needs to enter into a processing agreement with the processing party, which provides for the terms and conditions applicable to the processing of data and the data itself in accordance with the Ordinance: purpose of the processing, the confidentiality obligation, the security measures to be taken, the handling of sub-processors, the deletion of data, and participation in audits.
Personal data may not be saved in a form that makes it possible to identify the data subject longer than necessary for the realization of the purposes for which they are collected or subsequently processed. Personal data can be saved longer than stipulated in the aforementioned sentence if they are saved for historical, statistical, or scientific purposes, and the responsible party has taken the necessary measures to ensure that the relevant data are exclusively used for these specific purposes.
With respect to security, the responsible party is required to implement appropriate technical and organizational measures to safeguard the personal data against loss, damage or any form of unlawful processing. These measures must be proportionate to the nature of the data and the risks associated with its processing, considering the current state of technology and the cost of implementation.
The data subjects have the following rights under the Personal Data Protection Ordinance:
the data subject has the right to request the responsible party to inform him whether his personal data is being processed;
if personal data is being processed, the data subject has the right to receive a complete, clear summary thereof, a description of the purpose or the purposes of the processing, the data categories the processing relates to, and the recipient or categories of recipients, as well as the available information on the origin of the data;
the data subject who has been informed that personal data related to him is being processed can request the responsible parties to correct, supplement, delete, or block these data if they are actually inaccurate, incomplete, or irrelevant for the purpose or purposes of the processing, or are being processed in conflict with a statutory provision in any other way;
the data subject has the right to object at all times to the processing of his personal data for the purpose of creating or maintaining a direct relationship between the responsible party or a third party and the data subject with a view to recruitment for commercial or charitable purposes.
The Personal Data Protection Ordinance requires consent to be an unequivocal, voluntary, specific, and informed expression of will with which the data subject accepts that personal data related to him are processed. The term “unequivocal” excludes passive behavior: silence or inactivity cannot be interpreted as consent. The intention of the data subject must be made clear through an affirmative act.
An organization may only process personal data and subsequently use that information if at least one of the following conditions is met:
Consent: The data subject has given consent for the published purpose and use.
Contract: Processing or use is necessary for the performance of a contract.
Legal obligation: Processing or use is necessary to comply with a legal obligation.
Vital interests: The processing or use is necessary to protect a person's life or health.
Task carried out in the public interest: The processing or use is necessary for the performance of a task carried out in the public interest.
Legitimate interests: The processing or use is necessary for the purposes of the legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The Personal Data Protection Ordinance provides that personal data may be transferred to other countries only if the country in question guarantees an appropriate level of protection. The explanatory memorandum of the Personal Data Protection Ordinance provides the following reference points to assess whether there is an appropriate level of protection:
the nature of the data;
the purpose or purposes of the proposed processing;
the duration of the proposed processing;
the general and sectoral rules applying in the country concerned;
compliance with security measures observed in the country concerned.
In case the country in question does not provide for appropriate levels of protection, the personal data can only be transferred on the grounds mentioned in the Personal Data Protection Ordinance.
The Personal Data Protection Ordinance does not include any definitions for these terms or similar terms.
The Personal Data Protection Ordinance does not provide for any notification requirements for incidents and/or data breaches. However, it should be taken into account that a notification to the relevant data subject would be strongly suggested in order to mitigate the risk of civil liability.
The privacy regulator is the Data Protection Committee.
The Personal Data Protection Ordinance does not impose consequences specifically for a data breach. However, the Personal Data Protection Ordinance does provide that if a person suffers any harm by acts against him that are in conflict with the provisions laid down by the Personal Data Protection Ordinance, the aggrieved party is entitled to fair compensation. Please note that the responsible party can also be held liable in a civil procedure for damages incurred by the data subject due to a data breach.
The Personal Data Protection Ordinance does not make a distinction between marketing and electronic marketing.
The Personal Data Protection Ordinance does not contain sector-specific or industry-specific privacy requirements. However, please take into account the category of special personal data mentioned above which can be relevant in certain sectors or industries.
The Personal Data Protection Ordinance does not provide for Data Protection Officers or similar roles.
The responsible party is required to determine the purposes of the processing beforehand. In light of the burden of proof to be borne by the responsible party, it is strongly recommended that the determined purposes for processing are documented. In addition, if the responsible party is using a processor, the processing by the processor must be governed by a written agreement.
The Personal Data Protection Ordinance does not provide for Data Protection Impact Assessments.
A responsible party who engages a third party to process personal data on its behalf must ensure that such processor processes the data in accordance with the Personal Data Protection Ordinance and that it provides adequate guarantees regarding technical and organizational security measures. Furthermore, the processing by the processor must be governed by a written agreement. In addition, the responsible party may only share the collected data with a third party for the previously determined purpose(s) for which the data has been collected.
The penalties for non-compliance range from administrative enforcement actions and an administrative fine of up to Cg 10,000.00 (approximately USD 6,000) to criminal sanctions of up to Cg 10,000.00 (approximately USD 6,000) or imprisonment not exceeding six months.
The Personal Data Protection Ordinance does not provide for ongoing compliance and audit requirements.
We are not aware of any recent developments or expected changes to legislation.