BVI joins the countries with enacted Personal Data Protection Regimes
The government of the British Virgin Islands (hereinafter “BVI”) passed the Data Protection Act (hereinafter referred to as the “DPA”) on the 6th of April 2021.

The DPA was published in the gazette of the BVI government on the 13th of April but has not yet come into force. The date of enactment of the newly passed Act will be announced by the Government soon.

The purpose of this new regime is for the BVI to reach a status equivalent to that of the United Kingdom and the European Union in this area, by providing for the protection of personal data processed by public and private bodies and for related matters.

The DPA applies to:
  1. A “Private Body” (an entity only in its capacity as it carries on any trade, business or profession or has legal personality), a person who processes, or a person who has control over or authorises the “processing” of, any personal data in respect of commercial transactions. A “commercial transaction” is defined by the DPA as any transaction of a commercial nature, whether contractual or not, including any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
  2. A person established in the BVI who processes personal data, or employs or engages any other person to process personal data on his or her behalf, regardless of whether the processing takes place within the context of that establishment.
  3. A person who is not established in the BVI but uses equipment in the BVI for processing personal data for purposes other than transit through the BVI. Such persons are required by the DPA to appoint a person established in the BVI for DPA purposes.

Supervisory Authority

The BVI supervisory authority for the DPA will be the Office of the Information Commissioner, responsible for investigating complaints relating to violations of the personal data protection rules under the Act.

Important definitions

Although data protection legislation in English-speaking common law jurisdictions tends to be similar and to use identical terms, it is important to clarify how certain terms are defined in the BVI under the DPA, since not all terms defined in the Act bear the same meaning as those used elsewhere.

The most pertinent terms defined under the DPA are set out below:

“Data processor” means a person who processes data on behalf of a data controller, but does not include an employee of the data controller.

“Data subject” means a natural person, whether living or deceased.

“Data controller” means a person who either alone or jointly or in common with other persons processes any personal data, or has control over, or authorises the processing of any personal data, but does not include a data processor.

“Process or processing” means, in relation to personal data: collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including the:

  • organisation, adaption or alteration of personal data;
  • retrieval, consultation or use of personal data;
  • disclosure of personal data by transmission, transfer, dissemination or otherwise making available;
  • alignment, combination, correction, erasure or destruction of personal data.

“Personal data” means any information in respect of commercial transactions which:

  • is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
  • is recorded with the intention that it should wholly or partly be processed by means of such equipment;
  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.

“Sensitive personal data” means any personal data about a data subject’s:

  • physical or mental health;
  • sexual orientation;
  • political opinions;
  • religious beliefs or other beliefs of a similar nature;
  • criminal convictions, or the commission or alleged commission of any offence;
  • any other personal data that the Minister for Information may by Order prescribe.

The information provided by A.G. Paphitis & Co. LLC is for general informational purposes only and should not be construed as professional or formal legal advice. You should not act or refrain from acting based on any information provided above without obtaining legal or other professional advice.
