Barbados’ Data Protection Act, 2019-29

National Regulations

The Data Protection Act, 2019-29, enacted by the Parliament of Barbados, aims to regulate the collection, processing, use, and dissemination of personal data, ensuring the protection of individual privacy. Its primary purpose is to safeguard individuals’ rights regarding their personal data, fostering transparency and accountability among data controllers and processors. The Act introduces robust principles and mechanisms to align data protection practices in Barbados with global standards.


Overview of the Act

Part I: Preliminary

  • Purpose: Introduces definitions and clarifies the Act’s scope. Key terms such as ‘data controller,’ ‘data subject,’ and ‘processing’ are defined.
  • Application: The Act applies to entities processing personal data within Barbados or targeting data subjects in Barbados.

Part II: Data protection principles

This section sets out six core principles:

  1. Lawful, fair, and transparent processing: Data must be processed ethically and with the subject’s awareness.
  2. Purpose limitation: Data must only be collected for specific, legitimate purposes.
  3. Data minimisation: Collection should be limited to what is strictly necessary.
  4. Accuracy: Data must be kept accurate and up-to-date.
  5. Storage limitation: Data should not be kept longer than necessary.
  6. Security: Adequate technical and organisational measures must safeguard data.

Part III: Rights of data subjects

This part empowers individuals to control their data:

  • Access and transparency: Individuals can request details of their data held by controllers.
  • Rectification and erasure: Data subjects can request correction or deletion of inaccurate or unnecessary data.
  • Restriction and objection: Allows individuals to limit data processing under certain conditions.
  • Data portability: Ensures data subjects can transfer their data between controllers in a usable format.
  • Automated decision-making and profiling: Individuals have the right to opt out of automated processes that significantly affect them.

Part IV: Transfers of personal data outside Barbados

  • General principle: Data transfers are allowed only if the recipient country ensures adequate protection.
  • Adequacy and safeguards: Safeguards like binding corporate rules or standard contractual clauses are mandatory.
  • Exceptions: Transfers are permitted in cases of public interest, legal claims, or with explicit consent.

Part V: Exemptions

This part specifies scenarios where certain provisions of the Act do not apply:

  • National security: Exempts data processing for safeguarding national security.
  • Law enforcement: Exemptions apply to crime prevention, taxation, and regulatory purposes.
  • Journalism and art: Allows limited exemptions to protect freedom of expression.
  • Research and statistics: Permits data retention for research purposes, provided individual identities are not disclosed.

Part VI: Data controller and data processor

  • Responsibilities:
    • Controllers and processors must register with the Data Protection Commissioner.
    • They must implement measures for data protection by design and default.
  • Incident management:
    • Notify breaches to the Commissioner and affected individuals.
  • Data Protection Officers (DPOs):
    • Organisations must designate a DPO to oversee compliance.

Part VII: Data Protection Commissioner

  • Establishes the Commissioner’s role as the primary authority for overseeing compliance.
  • Functions:
    • Monitor adherence to the Act.
    • Investigate complaints.
    • Issue guidance and enforcement notices.
  • Reporting:
    • Annual reports are submitted to Parliament to ensure transparency.

Part VIII: Enforcement

  • Enforcement notices: Issued to organisations to address non-compliance.
  • Penalties: Violations may result in fines of up to $500,000 or imprisonment for up to three years.
  • Warrants: The Commissioner may obtain warrants to investigate suspected breaches.

Part IX: Data Protection Tribunal

  • Purpose: Handles appeals against decisions made by the Data Protection Commissioner.
  • Scope:
    • Reviews enforcement notices.
    • Provides recourse for data subjects and organisations.

Part X: Miscellaneous

  • Crown binding: The Act applies to public entities.
  • Covers supplementary provisions, including:
    • Compensation: Individuals harmed by data breaches may claim damages.
    • Offences: Unauthorised data access or processing attracts severe penalties.