The Data Protection Law, 2017 (DPL) came into effect in the Cayman Islands on Sept. 30, 2019. The DPL introduces a legislative framework on data protection in the Cayman Islands and has been drafted around the European Union’s General Data Protection Regulation (GDPR).
The DPL governs and defines both personal data and sensitive personal data. Personal data is any information relating to a living individual who can be directly or indirectly identified. Sensitive personal data includes genetic and health data, as well as information on racial or ethnic origins, political opinions, religious or similar beliefs, sex life, and the commission or alleged commission of an offence. The DPL applies to personal data in any format, including in automated and manual filing systems.
The DPL stipulates that businesses cease processing personal data once the purpose for which that data has been collected has been achieved. The DPL provides the following rights to individuals with respect to the privacy of their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to stop/restrict processing
- The right to stop direct marketing
- The rights in relation to automated decision-making
- The right to seek compensation
- The right to complain