On 30 September 2019, the Data Protection Law, 2017 (“DPL”) – the Cayman Islands’ answer to the EU’s General Data Protection Regulation (the “GDPR”) – came into force.
The DPL is modelled on and has many similarities with the GDPR; it regulates the processing of personal data, transfers of personal data out of the Cayman Islands, and establishes the Cayman Islands Information Commissioner which has extensive investigatory and enforcement powers.
The DPL will apply if any personal data is processed in the Cayman Islands, regardless of whether the data controller is established there or not.
Transfers of personal data outside of the Cayman Islands must meet one of the grounds as set out in the DPL. The Cayman Islands will permit transfers of personal data to countries within the EEA and those deemed adequate by the EU Commission for data protection purposes. Nonetheless, the Cayman Islands’ application to the EU Commission for reciprocal treatment under the GDPR is yet to be made.
The DPL is a step towards seamless data flow between the EU and Cayman Islands. It will have important consequences for the processing and transfer of personal data between Cayman Islands investment funds, their service providers, investors and operators in light of the potentially significant penalties that may be imposed for non-compliance.
If you would like further advice, or need to review existing or proposed arrangements, please contact your usual MJ Hudson contact or firstname.lastname@example.org
Copyright © 2019. All rights reserved.