This Q&A does not cover notification, registration, or authorization requirements for data processors or arising under sectoral laws. For an overview of the data protection law in Bermuda, see Data Protection in Bermuda: Overview.

Data Protection Authority

1.What is the name and contact information of Bermuda’s data protection authority or supervisory authority responsible for data protection?

The Office of the Privacy Commissioner for Bermuda was established as an independent public office in accordance with the Personal Information Protection Act 2016 (PIPA).

Notification or Registration

2. Does the country’s comprehensive data protection law require private-sector data controllers to notify or register with the data protection authority before processing personal data?

No. PIPA, which is not fully implemented, does not require data controllers to notify or register with the Privacy Commissioner before processing personal data. For more on the country’s PIPA implementation, see Data Protection in Bermuda: Overview.

Authorization

3. Does the country’s comprehensive data protection law require private-sector data controllers to seek authorization from the data protection authority before processing personal data?

General Authorization Requirements

No. PIPA, which is not fully implemented, does not require data controllers to obtain authorization from the Privacy Commissioner before processing personal data.

Cross-Border Data Transfers

PIPA does not require the Privacy Commissioner to authorize cross-border data transfers. Before transferring data outside of Bermuda, organizations should determine whether the third party provides a comparable level of protection as required by PIPA. The Privacy Commissioner can designate any jurisdiction as providing a comparable level of protection for these purposes and can also recognize a certification mechanism that, if adopted by the overseas third party, can be relied on as providing adequate protection, but has not made any of these decisions as of the date of this Q&A. If the organization  cannot rely on the overseas third party’s level of protection it must employ contractual mechanisms, corporate codes of conduct, or other means to ensure a comparable level of protection as required by PIPA. (Section 15(2), (3), (4), and (5), PIPA.) The Privacy Commissioner can approve binding corporate rules for these purposes, but has not done so as of the date of this Q&A.

The Privacy Commissioner has discretion to allow a cross-border transfer that does not comply with PIPA’s requirements if, both:

  • The organization reasonably demonstrates that is cannot complay.
  • The transfer does not undermine the individual’s rights.

(Section 29(1(I), PIPA.)

Data Protection Officers

4. Does the country’s comprehensive data protection law require private-sector data controllers to appoint a data protection officer?

Yes. Once it is fully implemented, PIPA requires organizations to appoint a data protection officer (DPO). A group of organizations under common ownership or control may appoint on DPO, if that DPO is accessible from each organization. This applies regardless of whether the organization has a presence in Bermuda. A DPO may delegate its duties to one or more individuals. (Section 5(4) to (6), PIPA)

5. If the comprehensive data protection law requires private-sector data controllers to appoint a data protection officer (DPO), do data controllers have any obligations to notify or communicate the DPO’s contact details to the data protection authority or register with the data protection authority?

PIPA, which is not fully implemented, does not require data controllers to notify or communicate the data protection officer’s contact details to the Privacy Commissioner.

First Published in Practical Law – Thomson Reuters, August 2020

Locations

Bermuda

Services

Intellectual Property, Corporate, Regulatory Advice, Technology & Innovation

Sectors

Privacy & Data Protection

Type

Insight

Share
Twitter LinkedIn Email Save as PDF
More Publications
22 Sep 2023

Reinsurance Strategies in a Hard Market

The extent to which improved market conditions for reinsurers will endure and the importance of main...

Brad Adderley
Brad Adderley
22 Sep 2023

Bermuda’s Catastrophe Bond Market Is Enjoying A Record Year

Bermuda’s catastrophe bond market is enjoying a record year, but Bermuda Managing Partner Brad Add...

Brad Adderley
Brad Adderley
7 Sep 2023

Bermuda Captives: Reps and Warranties Coverage

The Bermuda captive market is seeing increasing interest in representations and warranty coverage.

Matthew Carr
Matthew Carr
16 Aug 2023

In The Spotlight: Bermuda’s Vanessa Schrum

Francesca Ffiske of Private Client Global Elite sat down with Vanessa Schrum from Appleby in Bermuda...

Vanessa Schrum
Vanessa Schrum
27 Jul 2023

Tech Innovation Financing Alternative

Creators of technology, whether financial services software, biotechnology, data analytics solutions...

Duncan Card
Duncan Card
12 Jul 2023

Thought Leaders – Commercial Litigation 2023 Q&A

Read John's Q&A with Who's Who Legal.

John Wasty
John Wasty
10 Jul 2023

A Bird’s-eye View of Some Key Restructuring Options and Processes in Bermuda, the British Virgin Islands and the Cayman Islands

This article focuses on restructuring options and processes only, and will merely touch on formal in...

Lorinda Peasland
Ida Nylund
Denise Tse
Lorinda Peasland, Ida Nylund, Denise Tse
6 Jul 2023

Employers, employees and PIPA

Now that a date has been set for the coming into force of the Personal Information Protection Act 20...

Theodora Hand
Theodora Hand
3 Jul 2023

Pricing Still Not Where It Needs To Be

In spite of climate impacts and some large insurers pulling out of certain markets, there’s been s...

Brad Adderley
Brad Adderley
29 Jun 2023

Bermuda’s Pragmatic Regulations

Increasingly, onshore and offshore jurisdictions alike seek to ensure that international business is...

Duncan Card
Duncan Card