September 24 2021

BVI Data Protection Act

Ogier | Tech, Data, Telecoms & Media - British Virgin Islands

Michael Killourhy, Rebecca Clark

The Data Protection Act 2021 (DPA) came into force on 9 July 2021.

Prior to the introduction of this new legislation, there was no specific data protection legislation in the British Virgin Islands. However, the Computer Misuse and Cybercrime Act 2014 restricts the publication of illegally obtained confidential data, and common law duties concerning privacy and confidentiality exist.

The DPA applies to persons who process or who have "control over, or authorise, the processing of any personal data in respect of commercial transactions". Therefore, the DPA applies to all BVI incorporated companies and limited partnerships (unless the limited partnership has elected to have no legal personality; however, these may still be caught under the definition of "established").

The DPA restricts:

  • the ability of a data controller to process personal data without the data subject's express consent (which can be withdrawn at any time);
  • the use of sensitive personal data; and
  • the transfer of personal data outside the British Virgin Islands, unless there are adequate safeguards.

There are exceptions to the restrictions, including in the context of performing a contract with the data subject or to comply with legal obligations. However, even within those exemptions, there are certain overriding principles, such as that personal data processed must not be excessive in relation to the allowed purpose.

Persons who are private bodies and who process personal data will need to make changes to their data processes and procedures to ensure their compliance with the DPA. Some of the necessary changes will depend on the nature of a person's business. For example, a BVI investment fund will need to amend its offering documents or create new policies on data management.

With regard to implementing the requirements of this legislation, a common-sense approach may be taken. For instance, with regard to historic data, it may be that the data subject's consent will not be necessary if the data has already been processed.(1)

For further information on this topic please contact Michael Killourhy or Rebecca Clark at Ogier's British Virgin Islands by telephone (+1 284 852 7300) or email ([email protected] or [email protected]). The Ogier website can be accessed at www.ogier.com.

Endnotes

(1) For more details, please see "Data Protection legislation has arrived in BVI".