Data Protection Authority

1.What is the name and contact information of the country’s data protection authority or supervisory authority responsible for data protection?

Name

Bermuda Privacy Commissioner.

DPA Contract Information

W: privacy.bm

Notification or Registration

2. Does the country’s comprehensive data protection law require private-sector data controllers to notify or register with the data protection authority before processing personal data?

No. Bermuda’s Personal Information Protection Act 2016 (PIPA), which is not fully implemented, does not require data controllers to notify or register with the Privacy Commissioner before processing personal data. For more information on Bermuda’s authorization requirements, see Question3; for more on the country’s PIPA implementation, see Data Protection in Bermuda: Overview.

Authorization

3. Does the country’s comprehensive data protection law require private-sector data controllers to seek authorization from the data protection authority before processing personal data?

General Authorization Requirements

No, Bermuda’s Personal Information Protection Act 2016 (PIPA), which is not fully implemented, does not require data controllers to obtain authorization from the Privacy Commissioner before processing personal data. For more information on the country’s PIPA implementation, see Data Protection in Bermuda: Overview.

Cross-Border Data Transfers

PIPA does not require the Privacy Commissioner to authorize cross-border data transfers. Before transferring data outside of Bermuda, organizations should determine whether the third party provides a comparable level of protection as required by PIPA. The Privacy Commissioner can designate any jurisdiction as providing a comparable level of protection for these purposes and can also recognize a certification mechanism that, if adopted by the overseas third party, can be relied on as providing adequate protection, but has not made any of these decisions as of the date of this Q&A. If the organization  cannot rely on the overseas third party’s level of protection it must employ contractual mechanisms, corporate codes of conduct, or other means to ensure a comparable level of protection as required by PIPA. (Section 15(2), (3), (4), and (5), PIPA.) The Privacy Commissioner can approve binding corporate rules for these purposes, but has not done so as of the date of this Q&A.

The Privacy Commissioner has discretion to allow a cross-border transfer that does not comply with PIPA’s requirements if, both:

  • The organization reasonably demonstrates that is cannot complay.
  • The transfer does not undermine the individual’s rights.

(Section 29(1(I), PIPA.)

Data Protection Officers

4. Does the country’s comprehensive data protection law require private-sector data controllers to appoint a data protection officer?

Yes, Once it is fully implemented, Bermuda’s Personal Information Protection Act 2016 (PIPA) requires organizations to appoint a data protection officer (DPO). A group of organizations under common ownership or control may appoint on DPO, if that DPO is accessible from each organization. This applies regardless of whether the organization has a presence in Bermuda. A DPO may delegate its duties to one or more individuals. (Section 5(4) to (6), PIPA; for more on the country’s PIPA implementation, see Data Protection in Bermuda: Overview.

5. If the comprehensive data protection law requires private-sector data controllers to appoint a data protection officer (DPO), do data controllers have any obligations to notify or communicate the DPO’s contact details to the data protection authority or register with the data protection authority?

Bermuda’s Personal Information Protection Act 2016 (PIPA), which is not fully implemented, does not require data controllers to notify or communicate the data protection officer’s contact details to the Privacy Commissioner. For more on the country’s PIPA implementation, see Data Protection in Bermuda: Overview.

For the Privacy Commissioner’s contact information, see Question 1.

Type

Insight

Locations

Bermuda

Share
Twitter LinkedIn Email Save as PDF
More Publications
28 Jun 2022

Bermuda: a restructuring destination

Bermuda has an outsized, first-class insurance and financial sector, attracting complex, multination...

Contributors: James Batten
27 Jun 2022

Insurtech ILS and the New Normal

As Bermuda and the global markets with which the Island transacts move towards the so-called  ‘ne...

Contributors: Josephine Noddings
23 Jun 2022

Digital Assets in a Crypto Winter

In 2013, IT engineer James Howells was cleaning out his house. He had two identical hard drives: one...

Contributors: James Batten
22 Jun 2022

Bloomberg Tax Country Guide: Bermuda

Bloomberg Tax Country Guides provide overviews of the tax regimes of more than 200 jurisdictions. Th...

Contributors: Ashley Bento
9 Jun 2022

Bermuda’s long-term re/insurance landscape

Bermuda’s long-term re/insurance market has grown considerably in recent years. The island now has...

2 Jun 2022

Provisional Liquidation In Bermuda

Provisional liquidation in Bermuda is a distinctive, flexible regime that operates to support compan...

Contributors: James Batten
23 May 2022

The good life: Bermuda’s new economic pillar

The life sector has moved swiftly from being a new ‘nice-to-have’ in the Bermuda marketplace, to...

5 May 2022

Restructuring of (Re) Insurers during Covid-19

Restructuring involves changing the financial, operational, legal or other structures of a business ...

28 Apr 2022

Assignment, novation or sub-participation of loans             

Transfers of loan portfolios between lending institutions have always been commonplace in the financ...

21 Apr 2022

Defining digital assets in insolvency proceedings

It has been more than a decade since the creation of the first cryptocurrency, bitcoin, yet digital ...

Contributors: James Batten