Data Protection Authority Registration and Data Protection Officer Requirements for Data Controllers: Bermuda

Published: 5 Nov 2020
Type: Insight

This Q&A discusses the obligations for private-sector data controllers in Bermuda to notify, register with, or obtain authorization from the data protection authority under Bermuda’s comprehensive data protection law before processing personal data. It also discusses any requirements for data controllers to appoint a data protection officer (DPO) and any applicable notification or registration obligations relating to DPO appointments.

This Q&A does not cover notification, registration, or authorization requirements for data processors or arising under sectoral laws. For an overview of the data protection law in Bermuda, see Data Protection in Bermuda: Overview.

Data Protection Authority

1.What is the name and contact information of Bermuda’s data protection authority or supervisory authority responsible for data protection?

The Office of the Privacy Commissioner for Bermuda was established as an independent public office in accordance with the Personal Information Protection Act 2016 (PIPA).

Notification or Registration

2. Does the country’s comprehensive data protection law require private-sector data controllers to notify or register with the data protection authority before processing personal data?

No. PIPA, which is not fully implemented, does not require data controllers to notify or register with the Privacy Commissioner before processing personal data. For more on the country’s PIPA implementation, see Data Protection in Bermuda: Overview.

Authorization

3. Does the country’s comprehensive data protection law require private-sector data controllers to seek authorization from the data protection authority before processing personal data?

General Authorization Requirements

No. PIPA, which is not fully implemented, does not require data controllers to obtain authorization from the Privacy Commissioner before processing personal data.

Cross-Border Data Transfers

PIPA does not require the Privacy Commissioner to authorize cross-border data transfers. Before transferring data outside of Bermuda, organizations should determine whether the third party provides a comparable level of protection as required by PIPA. The Privacy Commissioner can designate any jurisdiction as providing a comparable level of protection for these purposes and can also recognize a certification mechanism that, if adopted by the overseas third party, can be relied on as providing adequate protection, but has not made any of these decisions as of the date of this Q&A. If the organization  cannot rely on the overseas third party’s level of protection it must employ contractual mechanisms, corporate codes of conduct, or other means to ensure a comparable level of protection as required by PIPA. (Section 15(2), (3), (4), and (5), PIPA.) The Privacy Commissioner can approve binding corporate rules for these purposes, but has not done so as of the date of this Q&A.

The Privacy Commissioner has discretion to allow a cross-border transfer that does not comply with PIPA’s requirements if, both:

  • The organization reasonably demonstrates that is cannot complay.
  • The transfer does not undermine the individual’s rights.

(Section 29(1(I), PIPA.)

Data Protection Officers

4. Does the country’s comprehensive data protection law require private-sector data controllers to appoint a data protection officer?

Yes. Once it is fully implemented, PIPA requires organizations to appoint a data protection officer (DPO). A group of organizations under common ownership or control may appoint on DPO, if that DPO is accessible from each organization. This applies regardless of whether the organization has a presence in Bermuda. A DPO may delegate its duties to one or more individuals. (Section 5(4) to (6), PIPA)

5. If the comprehensive data protection law requires private-sector data controllers to appoint a data protection officer (DPO), do data controllers have any obligations to notify or communicate the DPO’s contact details to the data protection authority or register with the data protection authority?

PIPA, which is not fully implemented, does not require data controllers to notify or communicate the data protection officer’s contact details to the Privacy Commissioner.

First Published in Practical Law – Thomson Reuters, August 2020

locations

Bermuda

services

Data Protection Authority Registration and Data Protection Officer Requirements for Data Controllers: Bermuda, Corporate, Data Protection Authority Registration and Data Protection Officer Requirements for Data Controllers: Bermuda, Data Protection Authority Registration and Data Protection Officer Requirements for Data Controllers: Bermuda

Sector

Privacy & Data Protection

types

Data Protection Authority Registration and Data Protection Officer Requirements for Data Controllers: Bermuda

Insight

Share
More publications
Appleby-Website-Private-Client-and-Trusts-Practice-1905px-x-1400px
13 Mar 2026

A will trust can keep a home in the family

In Bermuda, a family homestead represents more than financial value; it embodies ancestral heritage and housing security.

Neil Molyneux
Dalia Sainsbury
Neil Molyneux, Dalia Sainsbury
Appleby-Website-Employment-and-Immigration
12 Mar 2026

Privacy at Work: What PIPA Means for Bermuda Employers

The Personal Information Protection Act 2016 (PIPA), which came into force on 1 January 2025, represents Bermuda’s first comprehensive date protection regime. The legislation regulates the collection, use, disclosure and storage of personal information with the objective of protecting individuals’ privacy while allowing organisations to use data in a responsible and transparent manner. PIPA applies broadly to organisations operating in Bermuda, including employers. As a result, the employment relationship is one of the contexts in which the practical impact of PIPA is the most significant. Employers routinely process large volumes of personal information relating to employees and job applicants, and PIPA imposes obligations that affect recruitment, workplace monitoring, record-keeping, and disciplinary processes.

Anna Markiewicz
Anna Markiewicz
IWD website preview
9 Mar 2026

International Women’s Day 2026 Roundtable: Rights. Justice. Action. For all women and girls.

As we recognise International Women’s Day 2025, we are reminded that gender equality is not just a vision – it’s a call to action.

Dispute Resolution
4 Mar 2026

Bermuda: An Overview of Insurance: Contentious

There has been a recent increase in policyholder disputes involving coverage challenges by (re)insurers in the context of Bermuda high-value, excess-of-loss policies. This is, in part, due to Bermuda’s commercial (re)insurers facing a marked and sustained rise in the volume of claims, incurring claims costs globally of BMD1.1 trillion from 2016 through 2024. The massive volume and quantum of claims can be attributed in part to the significance of the Bermuda (re)insurance market in the global economy, as well as Bermuda’s exposure to catastrophic losses caused by natural disasters over this period. Bermuda’s increased exposure to global (re)insurance risks has naturally resulted in an increase in complex claims and coverage disputes.

John Wasty
Khiyara Krige
Ryan Taylor
John Wasty, Khiyara Krige, Ryan Taylor
Employment-and-Immigration
27 Feb 2026

Pay transparency heading Bermuda’s way?

The culture of secrecy with respect to pay traditionally found in workplaces may soon experience a shift, as global lawmakers and governments have enacted or moved toward enacting legislation to mandate greater pay transparency.

Anna Markiewicz
Anna Markiewicz
Appleby-Website-Insurance-and-Reinsurance
27 Feb 2026

Bermuda Monetary Authority: Modern, Thoughtful and Competitive

The Bermuda Monetary Authority (BMA) has signaled a clear direction for the future of insurance supervision in Bermuda by the release of its latest Notice on Regulatory Burden Reduction for Better Policyholder Outcomes (Notice).

Brad Adderley
Cathryn Minors
Brad Adderley, Cathryn Minors
Appleby-Website-Banking-and-Asset-Finance-1905px-x-1400px
19 Feb 2026

Bermuda Monetary Authority 2026 Business Plan: Overview & Expertise – Banking

Bermuda is not considered an international banking center and only banks licensed by the Bermuda Monetary Authority (BMA) under the Banks and Deposit Companies Act 1999 (BDCA) are entitled to undertake banking businesses in or from Bermuda. As banking is defined as deposit taking (as opposed to lending), international banks are generally able to lend to Bermuda-based borrowers subject to applicable restrictions relating to carrying on business in Bermuda.

David Clark
David Clark
Appleby-Website-Insurance-and-Reinsurance
19 Feb 2026

Bermuda Monetary Authority 2026 Business Plan: Overview & Expertise – Insurance (Captives)

Bermuda is one of the leading captive insurance markets in the world with over 600 registered captive insurers writing an impressive ~$30 billion of annual gross written premiums.

Brad Adderley
Matthew Carr
Brad Adderley, Matthew Carr
Appleby-Website-Corporate-Practice
19 Feb 2026

Bermuda Monetary Authority 2026 Business Plan: Overview & Expertise – General Corporate

The Bermuda Monetary Authority (BMA), an independent body that has been in existence since 1969, is an integrated regulator and supervisor responsible for the licensing, supervision and regulation of financial institutions in Bermuda. The BMA’s mandate includes entities conducting insurance, deposit taking, investment and trust business. The BMA conducts risk-based supervision and enforcement, including enforcing anti-money laundering and counter-terrorist financing standards. The BMA sets prudential rules, issues codes of conduct and devises industry guidance to ensure the jurisdiction adheres to international standards.

Matthew Ebbs-Brewer
Sally Penrose
Matthew Ebbs-Brewer, Sally Penrose
Appleby-Website-Insurance-and-Reinsurance
19 Feb 2026

Bermuda Monetary Authority 2026 Business Plan: Overview & Expertise – Insurance (Commercial)

The Bermuda Monetary Authority’s (BMA) 2026 Business Plan (Plan) outlines continued strengthening of Bermuda’s position as a leading global insurance and reinsurance jurisdiction.

Brad Adderley
Cathryn Minors
Brad Adderley, Cathryn Minors