Data Protection Act, 2021

KEY POINTS

• Introduction of Data Protection legislation in the BVI.
• Rights of access, correction and deletion of personal data.
• Creation of the office of Information Commissioner to monitor compliance with the Data Protection legislation.
• Right to lodge complaints.
• Security and retention of personal data.

‍

The BVI introduced data protection legislation, the Data Protection Act, 2021 (“the DPA”), which came into force on 9 July 2021.

‍

OBJECTIVES OF THE DPA

The objectives of the DPA are to

(a) safeguard personal data processed by public bodies and private bodies; and
(b) to promote transparency and accountability in the processing of personal data.

‍

WHO DOES THE DPA APPLY TO?

The DPA applies to:

• Public bodies such as Government ministries, local authorities and statutory bodies.
• the Crown and the BVI Government
• Private bodies that carry on trade, business or a profession but only in that capacity or has legal personality.
• Persons not established in the BVI, but who use equipment in the BVI for processing personal data.

the DPA will apply to you if you are a public or private body and processes personal data of a data subject in respect of commercial transactions.

‍

EXEMPTIONS UNDER THE DPA

The DPA does not apply to personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes. Other exemptions apply in respect of personal data processed for the prevention or detection of crime or for the purpose of investigation.

‍

A data controller may process personal data without the express consent of a data subject where such processing is necessary:

• for the performance of a contract to which the data subject is a party;
• for compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by a contract;
• for the exercise of any functions conferred on a person by or under any law;
  or
• for a lawful purpose directly related to an activity of the data controller.

‍

RIGHTS OF DATA SUBJECTS

A data subject has the following rights:

• Right of access to personal data upon written request
• Right to prevent processing for the purposes of direct marketing
• Right to withdraw consent previously given in respect of the collection, use or disclosure of his/her personal data
• Right to request correction, deletion or amendment of personal data
• Right to lodge a complaint with the Information Commissioner in relation to the denial of access/correction to/of personal data.
• Right to institute civil proceedings

‍

No personal data shall be disclosed without the consent of the data subject and shall not be used for any other purpose other than the original purpose for which the personal data was disclosed.

However, personal data may be disclosed in the following circumstances:

• for the purpose of preventing, investigating or detecting a crime;
• by or under any law or by the order of a court;
• where Portcullis reasonably believes that it has in law the right to disclose the personal data;
• where Portcullis reasonably believes that it has the consent of the data subject; or
• the disclosure was justified as being in the public interest in circumstances as determined by the Minister.

‍

SECURITY OF DATA

Portcullis has taken robust steps to protect all personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Portcullis will continue to review and monitor its security systems to ensure optimum protection of personal data at all times.

Personal data shall not be kept longer than is necessary for the original purpose for which the personal data was provided.

Portcullis shall take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was obtained.

‍

KEY DEFINITIONS UNDER THE DPA

“Data subject” is a natural person (whether living or deceased).

“Personal data” means any information in respect of commercial transactions, such as matters relating to the supply or exchange of goods or services, investments and banking which:

(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or|
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject.

“Process or processing” means, in relation to personal data, collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including:

(a) the organisation, adaption or alteration of personal data;
(b) the retrieval, consultation or use of personal data;
(c) disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
(d) alignment, combination, correction, erasure or destruction of personal data.

“Sensitive personal data” means any personal data about a data subject’s physical or mental health, sexual orientation, political opinions, religious beliefs or other similar nature, criminal convictions, the commission or alleged commission of any offence or any other personal data prescribed by the Government.

“Information Commissioner” means the person appointed as the data protection regulator.

Please contact your Portcullis Relationship Manager or one of our representatives for assistance or further information should you have any questions or difficulty in meeting these regulatory requirements.

‍

‍

Portcullis Group
www.portcullis.co

‍

‍

2021年資料保護法

‍

KEY POINTS

• 說明英屬維京群島的資料保護法。
• 得以存取、更正、刪除個人資料的權利。
• 設立資訊管理局，監督資料保護法的遵守情形。
• 提出申訴的權利。
• 個人資料的安全及留存。

英屬維京群島已制定資料保護法，亦即「2021年資料保護法」（以下稱「2021資保法」），自2021年7月9日起施行。

‍

2021資保法宗旨

2021資保法宗旨如下：

(1) 保護公家及私人機構經手處理的個人資料。
(2) 提高個人資料處理的透明度及問責度。

‍

誰是2021資保法的適用對象?

2021資保法適用於：

• 政府部會、地方政府及法定機構等公家機關。
• 王室及英屬維京群島政府。
• 從事貿易、商業或專業業務的私人機構，但僅限其從事該等業務或具有法人資格時始適用。
• 非設立於英屬維京群島但使用英屬維京群島境內設備處理個人資料的人。

在商業交易上處理資料當事人的個人資料者，無論公家或私人機構，皆屬2021 資保法的適用對象。

‍

2021資保法的豁免規定

2021資保法不適用於個人純因其私人、家族或居家事務（包括娛樂目的）而予處理的個人資料。因防止或偵查犯罪或為調查目的而處理的個人資料，則適用其他豁免規定。

‍

若資料控制者因下列事由而必須處理個人資料，則未經資料當事人的明確同意，亦得為之：

• 為履行資料當事人身為簽約人的契約。
• 為遵守資料控制者必須遵守契約義務以外的任何法律義務。
• 為行使法律賦予人的任何職能。
• 為與資料控制者活動直接相關的合法目的。

‍

資料當事人的權利

資料當事人擁有下列權利：

• 以書面要求存取個人資料的權利。
• 阻止為直銷目的而予處理的權利。
• 撤銷先前就蒐集、使用或揭露其個人資料所給予同意的權利。
• 要求更正、刪除或修改個人資料的權利。
• 就存取/更正個人資料遭拒情事，向資訊管理局提出申訴的權利。
• 提出民事訴訟的權利。

‍

未經資料當事人同意，不得擅自揭露任何個人資料，個人資料不得使用於其最初揭露用途以外的任何其他用途。

在下列情況下，個人資料得予揭露：

• 基於防止、調查或偵查犯罪行為的目的。
• 依據任何法律或法院命令。
• 保得利合理認為其依法有權揭露個人資料。
• 保得利合理認為其已獲得資料當事人同意。
• 經內閣官員認定，在該情況下揭露乃符合公眾利益。

‍

資料安全性

保得利已採取強健措施保護所有個人資料，使其免遭丟失、濫用、更改、擅自或意外存取或揭露、竄改或破壞。保得利將持續檢測及監控其安全系統，以確保個人資料隨時受到最好的保護。

個人資料的留存期限，不得超過其最初提供用途所必要的期限。

保得利應採取一切合理措施，確保已不再符合原取得用途需要的所有個人資料，皆已銷毀或永久刪除。

‍

2021資保法重要用詞定義

「資料當事人」係指自然人（無論在世或已故）。

「個人資料」係指關於商業交易的任何資訊，例如：涉及貨物或服務供應或交換、投資及金融業務等事項的資訊，而且：

1. 該資訊乃全部或部分由回應相關用途指令而自動運作的設備所處理。
2. 該資訊的記錄，具有資訊應全部或部分由上述設備予以處理的意圖。
3. 該資訊被記錄為相關檔案系統的一部分，或有意使其成為相關檔案系統的一部分，而記錄內容直接或間接與資料當事人有關。

‍

「處理」就個人資料而言，係指蒐集、記錄、持有或儲存個人資料，或對個人資料進行單一操作或一系列操作，包括：

1. 整理、改寫或變更個人資料。
2. 調閱、諮詢或使用個人資料。
3. 以傳輸、調用、傳播或其他方式揭露個人資料。
4. 校準、併用、改正、刪除或銷毀個人資料。

‍

「機密性個人資料」係指有關資料當事人個人身心健康、性取向、政治觀點、宗教信仰或其它類似性質、刑事記錄、觸犯或涉嫌觸犯任何罪行的任何個人資料，或經政府規定的任何其他個人資料。

‍

「資訊局長」係指經任命的資料保護主管人。

倘 貴公司在遵守上述規定上有任何問題或困難，請洽詢 貴公司的關係經理或業務代表提供協助或進一步資訊。

‍

‍

保得利集團
www.portcullis.co