This article offers a concise summary of the data protection framework in the Cayman Islands, outlining the requirements for entities within its scope to achieve compliance.
Understanding the Data Protection Landscape
The Data Protection Act (DP Act) in the Cayman Islands is the primary legislation governing the processing, usage, and storage of personal data. It defines the role and responsibilities of a "data controller" and mandates adherence to eight fundamental data protection principles. Additionally, when a data controller employs a third-party data processor, it must ensure the processor's compliance with these principles.
The DP Act mirrors the General Data Protection Regulation (GDPR) in many respects, providing familiar territory for international clients.
The Eight Data Protection Principles
The eight principles are:
1. Fairness and legality in data handling.
2. Limiting the purposes of data collection.
3. Minimizing the data collected.
4. Ensuring data accuracy.
5. Limiting data storage duration.
6. Upholding accountability and the rights of data subjects.
7. Ensuring data integrity and confidentiality (security).
8. Regulating international data transfers.
Who Needs to Comply?
Compliance with the DP Act is mandatory for:
- Cayman Islands companies or partnerships.
- Foreign companies registered in the Cayman Islands.
- Businesses operating within the Cayman Islands that process personal data.
These regulations apply irrespective of the data subject's location or citizenship.
Defining Data Controllers and Processors
A "data controller" is defined as an entity that decides how and why personal data is processed. Conversely, a "data processor" acts on behalf of a data controller, processing data without owning the decision-making process.
Understanding Personal Data
Personal data encompasses any information that can identify an individual, including names, identification numbers, location data, or online identifiers. Sensitive personal data includes details like racial or ethnic origin, political opinions, and health-related information.
Compliance Requirements for Data Controllers
Data controllers must adhere to the eight principles and ensure lawful data processing, which can be based on consent, contractual necessity, legal obligations, vital interests of the data subject, public function exercise, or legitimate interests of the data controller.
Handling Sensitive Personal Data
For sensitive personal data, additional conditions apply, such as explicit consent, public availability, legal authorization, or processing for specific reasons like employment or legal proceedings.
Consent Management
Consent for data processing must be explicit, opt-in, and verifiable. Data subjects have the right to withdraw consent at any time.
International Data Transfer Rules
Transferring personal data outside the Cayman Islands is subject to the eighth principle, which requires adequate protection in the receiving country, unless exemptions apply.
Exemptions and Data Subject Rights
Certain exemptions from the DP Act exist, such as for national security or legal professional privilege. Data subjects have rights to access, correct, and restrict the use of their data, and can lodge complaints with the Office of the Ombudsman.
Enforcement and Penalties
The Information Commissioner has enforcement powers, including ordering compliance and imposing penalties. Breaches of the DP Act can result in substantial fines and, in some cases, imprisonment.
Guidance and Compliance Steps
The Office of the Ombudsman provides guidance for data controllers. Entities within the DP Act's scope should prepare privacy notices, review data processing procedures, possibly develop data protection policies, and ensure contractual compliance if engaging third-party data processors. For investment funds, this includes sending privacy notices to investors and updating subscription documents.
By understanding and adhering to these regulations, entities can ensure they meet the Cayman Islands' data protection standards, maintaining the privacy and security of personal data they handle.
This article is only intended to give a general overview and summary of the subject matter. It is not, nor is it intended to be, comprehensive and it does not constitute, and should not be taken to be, legal advice. If you would like legal advice or further information on any issue of any kind raised by this guide, please get in touch with one of your usual contacts.
Sign up to our newsletter and get tips and tricks inbox
We promise. No spam. Only high quality content, exciting news and useful tips and tricks from the team.
Privacy Notice
Privacy Statement
Milliard Law, an international law firm with a presence in multiple countries, is dedicated to maintaining the privacy of individuals who utilize our services, including clients and online service subscribers, job applicants and website visitors. This Privacy Statement explains how Milliard Law collects, uses, discloses, transfers, and stores your personal data. This statement is applicable to personal information about you that we handle in the context of your relationship with Milliard Law.
Controller of Personal Information
Operating globally through various interconnected legal entities, Milliard Law processes personal information as dictated by a “data controller” (as defined by applicable data protection laws). For personal data gathered through the website and each of our offices, the specific data controller is listed on our Data Controller page at this statement’s conclusion. As mentioned in this statement, different Milliard Law entities may share your personal data as joint data controllers.
For queries about this Privacy Statement, contact us at privacy@milliard.law
Please note, “website” throughout this statement refers to pages hosted under the milliard.law domain.
Collection and Use of Personal Information
IP Addresses and Technical Information
Visiting our website logs your IP address, visit date, time, and duration. This IP address, like a phone number, allows your computer to connect over the internet. Additional collected technical data includes login details, browser type, and version, time zone, browser plug-ins, operating system, platform, visit specifics including URLs, clickstream data, viewed pages, download errors, and interaction and navigation information. This information is used by Milliard Law to compile statistical data and improve website navigation, reflecting our legitimate interest.
Information Collected via Our Website
Public areas of our website do not require personal data. Personal data, like names, addresses, emails, phone numbers, birth dates, and service-related details, is collected only from voluntary submissions by website users.Using our “Contact” form to contact us for any matter, including the provision of articles and resources on our Articles page and other pages on our website may lead to inclusion in our contact database, depending on the nature of your inquiry or request.
Contact Database
We may add information about you to Milliard Law’s database, using public information or data you’ve provided. Our database typically contains contact details, job titles, organization names, areas of legal or business interest, and more. Being in our database also includes records of mailings, list subscriptions, hyperlink interactions, meetings, event responses, and attendance. We periodically request database contact updates via email to ensure accuracy and relevancy of the information we send.
Interaction with Milliard Law
We keep personal data from interactions with service users, clients, job applicants, employees, contacts, and business partners, relevant to the services provided. This retention adheres to this Privacy Statement’s purposes.
Use of Personal Information
Milliard Law processes personal data legally, including for contract fulfilment, legal compliance, consent, legitimate interest, or public interest. All processing aligns with data privacy laws and our security requirements. We use this data for customer service, product and service improvement, communication, service fulfilment, legal compliance, content provision, administrative purposes, system testing, fraud prevention, and marketing, subject to legal bases and preferences. Sensitive personal data is handled only with explicit consent or as permitted by law, particularly in legal advice or proceedings, and public interest contexts. Optional data collection will be clear, but some data is essential for legal compliance or service performance. Non-provision of such data may impact our serviceability.
Marketing
We use collected personal data for relevant marketing, including tailored emails, analysis, research, advisories, event invitations, and partnership updates, based on legitimate interests or consent. Marketing communications depend on Milliard Law’s legitimate interests or your consent, with the option to unsubscribe in each communication.
Change of Ownership
Business changes may lead to data transfers, including personal information, to new entities or third parties. We commit to notifying such changes through our website or email.
Information Sharing
Milliard Law shares data globally for outlined purposes, ensuring compliance with data protection laws. Third-party disclosures are contractually controlled for data protection compliance. Suppliers and service providers are bound to our processing and security standards. Other disclosures occur only with consent or legal obligations, and in legal proceedings or rights defense.
Information Transfer to Milliard Law Offices and Third Parties
Milliard Law facilitates data exchange among its offices as necessary, following the guidelines of this Privacy Statement. A data-sharing agreement among Milliard Law’s legal entities ensures that personal information is circulated in compliance with applicable data protection laws, safeguarding your personal data and rights. Milliard Law engages with third parties for business purposes. In certain cases, we might share your personal information with these third parties to deliver services you have requested from Milliard Law or for data processing and outsourcing arrangements. In such situations, Milliard Law guarantees that these third parties are contractually obligated to process personal information strictly in line with applicable data protection laws and under Milliard Law’s specific instructions, thus safeguarding your rights under these laws. Our service providers and suppliers are held to our standards of information processing and security. The data shared with them, including yours, is strictly for performing their assigned roles and not for any other purposes as detailed in this Privacy Statement. Regarding other third parties, Milliard Law will only share or transfer your information with your consent or as required by law, regulatory codes, or practices, or when necessary for legal proceedings or to exercise or defend legal rights.
International Information Transfer
Under Clause 8, transferring personal data internationally may involve countries with different levels of personal data protection compared to your country. This is especially relevant if you are in the European Economic Area (EEA), as your information may be transferred outside the EEA. Milliard Law ensures that such cross-border transfers adhere to all pertinent laws and regulations. We maintain the highest standards of privacy and data management across our offices through Milliard’s Data Protection Policy. You can obtain a copy of this policy by contacting Milliard at privacy@milliard.law. Unless: (a) you explicitly consent to the data transfer; (b) the transfer is necessary for service performance or contractual obligations in your interest; or (c) the transfer is sanctioned by applicable data protection laws, Milliard Law will only transfer your personal data to countries recognized as having adequate protection under the relevant data protection laws or where adequate safeguards are in place to protect your information. Specifically, when transferring information from the EEA, Milliard Law only does so where the recipient adheres to: (a) binding corporate rules; (b) standard data protection clauses recognized by law; (c) an approved code of conduct; or (d) an approved certification mechanism. Further information on the safeguards used by Milliard Law can be obtained by contacting us at privacy@milliard.law.
Data Retention
Milliard retains personal information as long as it is reasonably necessary for the purposes outlined in this Privacy Statement. More information on Milliard Law policy regarding retention periods is available in our Record Retention Policy, a copy of which can be requested at privacy@milliard.law.
Security
Milliard Law is dedicated to securing your personal information. We employ various security technologies and procedures to protect your personal information from unauthorized access, use, or disclosure.
Links
Milliard Law website or marketing email messages may include links to external sites not under our control. Once you leave our website or marketing message, we are not responsible for the content or the privacy and protection of information on other sites. Caution is advised, and the privacy statement of each website should be reviewed.
Your Rights
You have several rights regarding the personal information we collect, use, disclose, and transfer about you. These rights include:
– Right of Access: Obtain details about the processing of your personal information.
– Right to Rectification: Correct any incomplete or inaccurate information.
– Right to Erasure (“be forgotten”): Request erasure of personal information in certain circumstances.
– Right to Restrict Processing: Limit how we process your personal information.
– Right to Data Portability: Receive your data in a machine-readable format and transfer it to another controller.
– Right to Object: Object to our processing of your personal information.
– Right to Withdraw Consent: Withdraw consent for using your personal information.
– Right to Complain: Lodge a complaint with a supervisory authority if you have concerns about our handling of your personal information. To exercise these rights, contact us at privacy@milliard.law. Further details about these rights are outlined in the sections above.
Cookies
Cookies are small text files downloaded to your device when visiting a website. They are used to recognize a user’s device and improve the user experience. For details on the cookies used on Milliard Law’s website, refer to our Cookie Policy.
Updates
This Privacy Statement is subject to updates. The current version will be displayed on this page of the Milliard Law website or can be requested at privacy@milliard.law. For access to previous versions, contact us at the same email.
Contact Information
For any questions regarding this Privacy Statement, contact us at privacy@milliard.law.
Disclaimer and Notices
Disclaimer
This website’s content is only meant to be used for informational purposes; it is not meant to be comprehensive or to be used in place of legal or other professional advice. Seeking advice from appropriate experts on certain matters is advised. Milliard Law makes an attempt to confirm that all publications and articles on this website are correct as of the dates of publication. Milliard Law, however, explicitly disclaims all liability for any consequences that arise from using this website or from trusting its contents.
No Liability
Additionally, Milliard Law disclaims all liability for the information on any other website that may be accessed through links on this website. Any past results set forth on this website do not guarantee a similar outcome. The description of any matter, deal or transaction does not in no way suggest that Milliard Law regularly represents a certain client or even that Milliard Law has represented a client. We strongly urge you to speak directly with one of our attorneys before sending any sensitive or confidential material to any of our legal professionals through the firm email addresses or any contact form on our website. Please verify that you have the required authorization to share any information with us before doing so. We cannot agree to act for you in relation to any matter until we have cleared all conflicts of interest and whether we act for you or not will be a matter which we will determine in our sole discretion both prior to any engagement and after said engagement.
It’s crucial to realize that using our email addresses doesn’t automatically mean that an attorney-client relationship has been formed. Moreover, it places no responsibility on Milliard Law or any of its connected companies to act as your legal counsel or to not act for other individuals or entities should we happen to have a conflict of interest.
Regulatory Notices
Copyright
The material on this website is under copyright protection. All copyrights or other intellectual property rights connected with the contents of this site are the property of Milliard Law. Unauthorized use or duplication of the contents is strictly forbidden unless Milliard Law has explicitly granted written permission for such use. However, you are permitted to read the content and create copies for your personal use. You may also distribute reasonable excerpts to your contacts without charge for their personal use, as long as the content remains unmodified, Milliard Law is credited as the source, and the recipients are informed about this copyright notice. Linking to this site or framing it is not allowed without Milliard Laws’s specific consent, which can be requested by reaching out to info@milliard.law.
Data Protection
The designated Data Protection Officer for Milliard Law is Owen Jones, who is reachable at bradley.mindrup@milliard.law.
Cookies Policy
Cookie Policy
We might collect information by sending “cookies” to your web browser, which may include personal data. In order to improve your surfing experience, certain cookies are kept on your computer or mobile device. A cookie is a small data file that is sent to your web browser by our web server and allows you to access our website. It makes it possible for our web server to get data from your web browser. When a user visits our website, a clear notification in the form of a banner appears, requesting their authorization to use cookies on our behalf. Users are given the option to approve cookie usage by clicking on this banner. Furthermore, we offer the ability to reject non-essential cookies by using the options displayed on the banner of our website. The following types of cookies are used by us: 1. Essential cookies: Users need certain cookies in order for websites to function as intended. 2. Analytics cookies: These help us improve the functionality of the website by gathering statistical data about how users interact with it. Strong security features are built into every server and computer system at Milliard Law to thwart outside attacks. All user information gathered by cookies needs to be protected from unwanted access. Your device’s acquired data via cookies is only kept for as long as is required to achieve the aforementioned goals. To limit the amount of data that is gathered when you navigate websites, you can modify the cookie settings in your browser to prevent cookies from being stored on your hard drive. We advise contacting your software supplier or your Internet browser software for guidance on how to block cookies as the process may differ in different software packages. For the best way to use the website, we advise against disabling cookies on your device, but please be aware that doing so may affect some website functionality.