North America

The Personal Data Protection Act 2016 entered into force on 1 December 2016. Some of the key features of the law are:

  • Applicability: The Act applies to the processing of personal data which is carried out in whole or in part by means of electronic data processing, and to non-electronic processing of personal data which is or will be contained in a register. The Act also applies to other non-electronic systematic processing which is carried out for private individuals and which includes information about individuals’ private or financial circumstances or other information about personal matters which can reasonably be demanded to be withheld from the public.
  • Rights of data subject: The data subject has the following rights under the law:
    • Right to access
    • Right to object
    • Right to rectify
  • Legal Basis:
    • Consent
    • Contract with data subject
    • Legal obligations
    • Interests of data subjects
    • Public interests
    • Legitimate interests of data controller
  • Obligations of data controller:
    • Notification of Data Processing: The permission of Datatilsynet must be obtained where the processing of personal data is carried out for a private data controller and when the processing.
    • Data Protection Impact Assessment: In cases of high-risk processing, data controller shall, prior to the processing, carry out a data protection impact assessment of the impact of the envisaged processing operations on the protection of personal data.
    • Appointment of Data Protection Officer
    • Data Retention: Data must be kept by the processors only for as long as it is necessary to store it.
    • Children’s Data: The processing of data of children aged 13 and under is lawful to the extent that consent is given or approved by the holder of parental responsibility for the child. When assessing if a child under the age of 18 can provide consent, the data controller must take the maturity of the child into consideration. According to the guidelines on consent from Datatilsynet, a child aged 15 will generally be sufficiently mature to provide consent on their own.
    • Sensitive Data Processing: As it relates to sensitive personal data, including race, ethnic origin, sex life, and criminal conviction data, the Act stipulates that such data must not be processed unless certain conditions are met that are stipulated in the Act.
    • Contract between controller and processor: The Act provides that where the processing of personal data is carried out by a data processor on behalf of a data controller, the processing shall take place under a written contract stipulating certain specific conditions as laid out in the Act.
  • Penalties: Basic amount of the fine: 75/150 million DKK or 2/4% of the worldwide annual turnover (adjusted, however, for company size).

Jamaica’s Data Protection Act, passed in 2020, established the Office of the Information Commissioner to enforce data privacy rights outlined in the legislation. Some of the key features of the law are:

  • Applicability: The Act applies to the processing of personal data where the data controller:
    • is established in Jamaica, or in any place where Jamaican law applies by virtue of international public law, and the personal data are processed in the context of that establishment; or
    • though not established in Jamaica, uses equipment in Jamaica for processing the personal data otherwise than for the purpose of transit through Jamaica; or
    • processes personal data of a data subject who is in Jamaica.
  • Rights of the data subject: The following rights are available to the data subject under the law:
    • Right to access
    • Right to prevent processing
    • Rights in relation to automated decision making
    • Right to rectification of inaccuracies
  • Legal Basis:
    • the data subject consents to the processing and has not withdrawn that consent
    • processing is necessary for the performance of a contract or for legitimate interests
    • processing is necessary for any legal compliance
    • processing is vital to protect the interests of the data subject
  • Obligations of data controller:
    • Registration: All data controllers under the Act are required to register certain ‘registration particulars’ with the Commissioner prior to processing personal data.
    • Limit on Third-Party Data Transfer: The Act imposes a general obligation on data controllers to obtain consent before transferring personal data to third parties. Such third parties must have a data security system in place and must be bound by data protection obligations.
    • Data Protection Impact Assessment (DPIA): Data controllers are required to submit a DPIA annually to the Commissioner in respect of all personal data in their custody or control, subject to certain rules and requirements.
    • Data Protection Officer: Every data processor must appoint a DPO, except data controllers who process personal data only for the purpose of a public register and those that are non-profit organisations established for political, philosophical, religious, or trade union purposes.
    • Notify Data Breach: A data controller is required to report any security breach in respect of the data controller’s operations which affects or may affect personal data to the Commissioner within 72 hours after becoming aware of the breach.
    • Data Retention: Data must be kept by the processors only for as long as it is necessary to store it.
    • Children’s Data: Rights granted to a data subject may be exercised by the parent or guardian of a child whose data is being processed. Consent for such processing must also be obtained from the parent or guardian of the child.
    • Sensitive Data Processing: As it relates to sensitive personal data, including race, ethnic origin, sex life, and criminal conviction data, the Act stipulates that such data must not be processed unless certain conditions are met that are stipulated in the Act.
    • Contract between controller and processor: The Act provides that where the processing of personal data is carried out by a data processor on behalf of a data controller, the processing shall take place under a written contract stipulating certain specific conditions as laid out in the Act.
  • Penalties: The fines under the data protection law can range from 1 million to 5 million dollars.

Costa Rica enacted Law No. 8968, Protection in the Handling of the Personal Data of Individuals, in September 2011. Some features of the law are:

  • Applicability: This law will be applicable to personal data that appears in automated or manual databases, of public or private organizations, and to all forms of subsequent use of these data. The personal data protection regime established in this law shall not apply to databases maintained by natural or legal persons for exclusively internal, personal or domestic purposes, as long as these are not sold or in any way otherwise marketed.
  • Rights of data subject: The data subject has the following rights under the law:
    • Right to Access accurate report of Personal Data
    • Right to modify inaccurate, incomplete or ambiguous data
    • Right to Deletion of personal data
  • Legal Basis:
    • the express consent of the data subject to the processing of personal data has been obtained
    • there is a substantiated order issued by a competent judicial authority, or an agreement adopted by a special investigation commission of the Legislative Assembly in the exercise of its functions
    • the data is obtained from sources of general public access
    • the data must be delivered under a constitutional or legal provision
  • Obligations of data controller:
    • Consent: It is mandatory to obtain the informed and express consent from data subjects in order to process their personal data. The consent must be unequivocal, freely given, specific, and delivered by written or digital means.
    • Data Security: There must be technical and organisational safeguards in order to keep the data confidential and secure.
    • Registration: All databases, public or private, which are managed for distribution, dissemination, or marketing purposes must be registered with the Costa Rican data protection authority (PRODHAB).
    • Third-Party Data Transfer: It is mandatory to obtain express consent of the data subject for transfer of data to another country.
    • Data Breach Notification: The data controller must notify the data subjects and PRODHAB within five business days following the discovery of the breach.
    • Data Retention: Personal data cannot be processed for more than ten years after the conclusion of the purpose for which the data was initially collected, and any retention beyond this can happen only as specified by the law.
    • Sensitive Data: Sensitive data cannot be processed without the express consent of the data subject, who may refrain from providing such information.
  • Penalties:
    • For minor offenses, a fine of up to five base salaries for the position of judicial assistant I, according to the Budget Law of the Republic
    • For serious offenses, a fine of five to twenty base salaries for the position of judicial assistant I, according to the Budget Law of the Republic
    • For very serious offenses, a fine of fifteen to thirty base salaries for the position of judicial assistant I, according to the Budget Law of the Republic, and the suspension of the operation of the file for one to six months.

The Belize Data Protection Act 2021 was enacted in November 2021. Some of the key features of the law are:

  • Applicability: This Act applies to the processing of personal data in the context of the activities of a data controller or a data processor established in Belize; and the processing of personal data of data subjects in Belize by a data controller or a data processor not established in Belize, where the processing activities are related to the offering of goods or services to data subjects in Belize.
  • Rights of data subject:
    • Right of access
    • Right to rectification
    • Right to erasure
    • Right to restriction of processing
    • Right to data portability
    • Right to prevent processing likely to cause damage or distress
    • Right to prevent processing for purposes of direct marketing
    • Rights in relation to automated individual decision-making, including profiling
  • Legal Basis:
    • consent has been given for a specific purpose
    • processing is necessary for the performance of a contract
    • processing is necessary for compliance with a legal obligation
    • protection of the data subject’s interests
    • for the purposes of legitimate interests
  • Obligations of data controller:
    • Data Security: To implement appropriate technical and organisational measures designed to integrate the necessary safeguards into the processing to protect the rights of data subjects.
    • Data Retention: To ensure that only personal data which are necessary for each specific purpose of the processing are processed.
    • Contract between data controller and processor: Processing by a data processor shall be governed by a written contract between the data processor and the data controller with requirements as set out in the Act.
    • Data Breach Notification: Where a personal data breach is likely to result in a high risk to the rights of individuals, a data controller shall notify the data subject of the personal data breach, where feasible, not later than seventy hours after having become aware of it.
    • Appointment of Data Privacy Officer: A data controller and data processor shall designate a data privacy officer in certain cases as prescribed in the Act.
    • Data Protection Impact Assessment: In cases of high-risk processing, data controller shall, prior to the processing, carry out a data protection impact assessment of the impact of the envisaged processing operations on the protection of personal data.
    • Data Transfer: Appropriate safeguards and an adequate level of protection must be ensured when transferring data to another country.
  • Penalties: The fines under the act for different violations can range from 5000 dollars to 500 thousand dollars.

Barbados enacted the Data Protection Act 2019 in August 2019. The key features of the law are:

  • Applicability: This Act applies to the processing of personal data in the context of the activities of a data controller or a data processor established in Barbados; and to the processing of personal data of data subjects in Barbados by a data controller or a data processor not established in Barbados, where the processing activities are related to the offering of goods or services to data subjects in Barbados.
  • Rights of data subject:
    • Right of access
    • Right to rectification
    • Right to erasure
    • Right to restriction of processing
    • Right to data portability
    • Right to prevent processing likely to cause damage or distress
    • Right to prevent processing for purposes of direct marketing
    • Rights in relation to automated individual decision-making, including profiling
  • Legal Basis:
    • consent has been given for a specific purpose
    • processing is necessary for the performance of a contract
    • processing is necessary for compliance with a legal obligation
    • protection of the data subject’s interests
    • for the purposes of legitimate interests
  • Obligations of data controller:
    • Data Transfer: Cross-border data transfer shall take place only after ensuring proper levels of safety and protection in the country to which the data is transferred.
    • Registration: The Act requires data controllers and processors to be registered in the Register of Data Controllers and the Register of Data Processors respectively.
    • Contract between Controller and Processor: Processing by a data processor shall be governed by a written contract between the data processor and the data controller with requirements as set out in the Act.
    • Notification of Data Breach: The Act requires data controllers to notify the Data Protection Commissioner of any personal data breach within 72 hours.
    • Data Processing Records: Data controllers are required to maintain a record of their processing activities which must contain all specifications mentioned in the Act.
    • Data Protection Impact Assessment: In cases of high-risk processing, data controller shall, prior to the processing, carry out a data protection impact assessment of the impact of the envisaged processing operations on the protection of personal data.
    • Data Protection Officer: A data controller and data processor shall designate a data privacy officer in certain cases as prescribed in the Act.
    • Data Retention: The data processor is required to delete or return all personal data to the data controller after the end of the provision of services relating to processing, and to delete existing copies.
    • Children’s Data: Rights granted to a data subject may be exercised by the parent or guardian of a child whose data is being processed. Consent for such processing must also be obtained from the parent or guardian of the child.
  • Penalties: The fines under the act for different violations can range from 5000 dollars to 500 thousand dollars.

The Bahamas enacted the Data Protection (Privacy of Personal Information) Act in 2003. The key features of the law are:

  • Applicability: This Act applies to a data controller in respect of any data only if —
    • the data controller is established in The Bahamas and the data are processed in the context of that establishment; or
    • the data controller is not established in The Bahamas but uses equipment in The Bahamas for processing the data otherwise than for the purpose of transit through The Bahamas.
  • Rights of data subject:
    • Right of access
    • Right to rectification or erasure
    • Right to prohibit processing for purposes of direct marketing
  • Legal Basis:
    • to prevent injury or other damage to the health of a data subject
    • to prevent serious loss or damage to property of the data subject
    • to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged
    • for the administration of justice
    • for the performance of a function conferred on a person by or under an enactment
    • for the performance of a function of the Minister or the Minister of National Security
    • for the performance of any other function of a public nature performed in the public interest by a person
    • for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject
  • Obligations of data controller:
    • the data is collected lawfully and fairly in the circumstances of the case;
    • the data is kept accurate (and up-to-date if necessary);
    • the data is kept only for one or more specified and lawful purposes;
    • the data is not used or disclosed in any manner incompatible with such purposes;
    • the data is adequate, relevant, and not excessive in relation to the purpose the data was initially collected;
    • the data is not kept for longer than is necessary for the purpose for which it was collected; and
    • appropriate security measures are taken against unauthorised access to, or alteration, disclosure, or destruction of the data and against its accidental loss or destruction (in practice, appropriate security measures will vary in accordance with standards of data security across various industries, factoring in the volume and sensitivity of the data collected).
    • it is mandatory to obtain the consent of the data subject for transfer of data to another country.
  • Penalties: The fines under the act for different violations are:
    • on summary conviction, to a fine not exceeding two thousand dollars or
    • on conviction on information, to a fine not exceeding one hundred thousand dollars

Saint Lucia enacted the Privacy and Data Protection Act 2009. The key features of the law are:

  • Applicability: This Act applies where the data controller is established in Saint Lucia and the data is processed in the context of the business of that establishment, or where the data controller is not established in Saint Lucia but uses equipment in Saint Lucia for processing data otherwise than for the purpose of transit through Saint Lucia.
  • Rights of data subject:
    • Right of access
    • Right to rectification of inaccurate data
    • Right to prohibit inaccurate data
    • Right to prohibit processing
  • Legal Basis:
    • consent
    • where the data has been published
    • health and hospital care purposes
    • Processing is necessary:
      • for the performance of a contract
      • to take steps required by the data subject prior to entering into a contract
      • to protect the vital interests of the data subject or another person
      • for compliance with any legal obligation
      • for the administration of justice
      • for the performance of an activity that is carried out in the public interest for a purpose that concerns a legitimate interest of the data controller or of such a third party to whom personal data is provided
  • Obligations of data controller:
    • Inform Data Subjects: Where a data controller collects personal data directly from a data subject, the data controller shall at the time of collecting personal data ensure that the data subject concerned is informed of the fact and purpose of collection of data.
    • Consent: A data controller shall not process personal data unless the data controller has obtained the express consent of the data subject.
    • Accuracy: A data controller shall take all reasonable steps to ensure that personal data within the data controller’s possession is accurate and kept up to date where such data requires regular updating.
    • Data Protection Impact Assessment: In cases of high-risk processing, the data controller shall, prior to the processing, carry out a data protection impact assessment of the impact of the envisaged processing operations on the protection of personal data.
    • Data Retention: Ensure that data is kept only for one or more specified and lawful purposes for which the personal data has been collected and processed, and is not kept for longer than necessary.
    • Data Security: Data Controller must take appropriate security and organizational measures for the prevention of unauthorized access to, alteration of, disclosure of, accidental loss, and destruction of the personal data in the data controller’s control.
    • Data Transfer: A data controller shall not transfer personal data to a country or territory outside Saint Lucia unless:
      • the written consent of the Commissioner has been obtained; and
      • that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  • Penalties: Any person who commits an offence under this Act for which no specific penalty is provided shall, on conviction, be liable to a fine not exceeding ten thousand dollars or to imprisonment for a term not exceeding six months, or to both.

The Data Protection Act (2021 Revision) was enacted in April 2021. The key features of the law are:

  • Applicability: The Act applies to a data controller established in the Islands that processes personal data, and to a controller not established in the Islands whose personal data is processed in the Islands.
  • Rights of data subject:
    • Right to stop processing
    • Right to stop processing for direct marketing
    • Right in relation to automated decision making
    • Right to rectification, blocking, erasure or destruction
  • Legal Basis:
    • consent
    • Processing necessary for contract
    • Processing under legal obligation
    • Processing to protect vital interests
    • Processing necessary for exercise of public functions
    • Processing for legitimate interests
  • Obligations of data controller:
    • Notification of Breach: Where personal data is accidentally or unlawfully accessed, disclosed, altered, lost or destroyed, the data controller must notify the data subject and the Information Commissioner of the breach within five days.
    • Data Transfer: personal data must not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
    • Data Security: Data Controller must take appropriate security and organizational measures for the prevention of unauthorized access to, alteration of, disclosure of, accidental loss, and destruction of the personal data in the data controller’s control.
    • Data Retention: Personal Data shall not be kept for longer than is necessary for the purpose it was collected.
    • Privacy Notice: The source of any Personal Data should provide a data protection notice containing the information required by the Data Protection Law.
  • Penalties: The penalties under the act for violations are determined by the Ombudsman and shall not exceed two hundred and fifty thousand dollars.

Antigua and Barbuda has enacted The Data Protection Act of 2013. Key features of the law are:

  • Applicability: The Act applies to personal data processed by public bodies and private bodies.
  • Rights of data subject:
    • Right to access personal data
    • Right to rectification of personal data
  • Legal Basis:
    • consent
    • Processing necessary for contract
    • Processing under legal obligation
    • Processing to protect vital interests
    • Processing is necessary for administration of justice
    • Processing is necessary for the exercise of any functions conferred on a person by or under any law
  • Obligations of data controller:
    • Data Retention: Personal Data shall not be kept for longer than is necessary for the purpose it was collected.
    • Data Security: Data Controller must take appropriate security and organizational measures for the prevention of unauthorized access to, alteration of, disclosure of, accidental loss, and destruction of the personal data in the data controller’s control.
    • Sensitive Data: A data controller shall not process any sensitive personal data of a data subject other than as specified in the Act.
    • Privacy Notice: A data user shall inform a data subject, upon a request for personal data, of the purposes for which the personal data is being or is to be collected and further processed.
  • Penalties: A person or body corporate who commits an offence under this Act for which a penalty is not specifically provided is liable on:
    • summary conviction, to a fine of not more than fifty thousand dollars (two hundred thousand dollars for body corporates) or to imprisonment for a term of three years; or
    • conviction on indictment, to a fine of not more than one hundred thousand dollars (five hundred thousand dollars for body corporate) or to imprisonment for a term of not more than five years.

The British Virgin Islands enacted the Data Protection Act 2021. The key features of the law are:

  • Applicability: This Act applies to a person who processes, or who has control over or authorises the processing of, any personal data in respect of commercial transactions, where that person:
    • is established in the Virgin Islands and processes personal data, or employs or engages any other person to process personal data on his or her behalf, whether or not in the context of that establishment; or
    • is not established in the Virgin Islands, but uses equipment in the Virgin Islands for processing personal data otherwise than for the purposes of transit through the Virgin Islands.
  • Rights of data subject:
    • Right to access personal data
    • Right to rectification of personal data
    • Right to prevent processing for the purposes of direct marketing
  • Legal Basis:
    • consent
    • Processing necessary for contract
    • Processing under legal obligation
    • Processing to protect vital interests
    • Processing is necessary for administration of justice
    • Processing is necessary for the exercise of any functions conferred on a person by or under any law
  • Obligations of data controller:
    • Consent: Controller shall not process personal data (other than sensitive personal data) without the express consent of the data subject.
    • Purpose Limitation: Personal Data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
    • Accuracy: Personal Data shall be accurate and, where relevant, kept up to date;
    • Data Retention: Personal Data processed for any purpose shall not be kept for longer than is necessary for that purpose;
    • Data Security: Appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to Personal Data.
    • Data Transfer: Personal Data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data.
    • Sensitive Data: A data controller shall not process any sensitive personal data of a data subject other than as specified in the Act.
  • Penalties: The minister has the authority to levy the following penalties against data controllers and processors who violate the rights of data subjects under the law:
    • A fine not exceeding five thousand dollars or imprisonment for a term not exceeding six months, or both.
    • A fine not exceeding fifty thousand dollars or imprisonment for a term not exceeding three years, or both.
    • A fine not exceeding one hundred thousand dollars or imprisonment for a term not exceeding five years, or both.