GDPR extends to data controllers and data processors located outside the EU, where data is processed in connection with the offer of goods and services to individuals in the EU or who monitor their behaviour. Of particular note, insurance and reinsur­ance companies located outside of the EU (and, therefore, operating outside of scope of the existing EU data protection regime) may find themselves to be subject to GDPR if they insure/reinsure EU customers.

While the ever-increasing scope of inter­national regulation may be lamented in some quarters, it is welcomed by those who wish to live and work in a modern, sophis­ticated and protected environment. But, in the case of laws that have an extraterritorial impact, it is sometimes difficult for compa­nies to gauge whether or not their activities fall within the accepted parameters of such laws. The good news for Bermuda entities is that the Personal Information Protection Act 2016 (PIPA) is due to come into full effect by December 2018.

PIPA will apply to every organisation that uses personal information by automated means and personal information used other than by automated means that forms part of a structured filing system. It will also regulate the use of personal information by organisations in a manner which recognises the need to protect the rights of individuals In relation to their personal information and the need for organisations to use personal information for legitimate purposes.

PIPA was prepared with the specific aim of achieving adequacy in the EU, thereby enabling the free flow of personal data between EU member states and Bermuda. As a result, there are similar themes underpinning GDPR and PIPA, such as:

organisations are to provide a significant amount of information to individuals at the time of collection of their data

data subjects have the right to obtain confirmation that their data is being pro­cessed and to access that personal data to respond to a subject access request (one month with GDPR and 45 days with PIPA)

personal data should not be kept for longer than is necessary to fulfil the purpose for which it was collected (pre­scribed data retention periods are not set out in either law but an analysis will need to be undertaken to determine how long different types of data should be retained)

if data subjects wish to have their data removed, and the data is no longer required for the reasons for which it was collected, then it must be erased

international transfer of data is permit­ted, provided certain criteria have been satisfied.

As a result, by complying with one regime, Bermuda companies will ensure they are well placed to comply with the other.

Compliance with these new regimes will become an important part of the day-to-day operations of most companies, and Ber­muda companies would do well to ensure they satisfy their obligations under PIPA and GDPR because the consequences for breach are considerable and include:

GDPR: a maximum fine of €20m or 4% of annual worldwide turnover

PIPA: corporations may be fined up to BM$250,000, while individuals may be fined up to BM$25,000 and/or impris­oned for a term of two years.

GDPR will extend to the operations of Bermuda companies in the EU, and PIPA will apply to all Bermuda companies. Bermuda insurers, in particular, will be affected by these regulatory regimes due to the nature of their business. With GDPR now in effect, and PIPA following close behind, the importance of compliance can­not be underestimated.

Locations

Bermuda

Services

Corporate

Sectors

Privacy & Data Protection

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Technology and Innovation
31 Jan 2025

Bermuda Monetary Authority’s 2025 Tech Commitment

A focus on the crucial and enabling role that technology plays across all financial service sectors ...

Duncan Card
Duncan Card
Fund Finance
29 Jan 2025

Fund Finance Laws and Regulations 2025 – Bermuda

The Bermuda fund industry sees investment predominantly from North America and Europe, and therefore...

Matthew Ebbs-Brewer
Arielle DeSilva
Matthew Ebbs-Brewer, Arielle DeSilva
Employment-and-Immigration
23 Jan 2025

Fostering Respect: the Importance of Bullying and Sexual Harassment Policies in Bermuda (Part 1)

Under the Employment Act 2000 (EA), it is a requirement for an employer to not only have a compliant...

Theodora Hand
Theodora Hand
Appleby-Website-Insurance-and-Reinsurance
21 Jan 2025

Bermuda: Chambers Insurance & Reinsurance Guide 2025

This guide provides the latest information on sources of insurance and reinsurance law, overseas-bas...

Brad Adderley
Matthew Carr
Max Tetlow
Cathryn Minors
Josephine Noddings
Brad Adderley, Matthew Carr, Max Tetlow, Cathryn Minors, Josephine Noddings
Technology and Innovation
20 Jan 2025

Bermuda: Insurance industry is going through a ‘profound’ tech transformation

One of the most pressing demands on insurers, and their leadership, is coping with the accelerating ...

Duncan Card
Duncan Card
Technology and Innovation
17 Jan 2025

Augmented Advocacy Series (Bermuda): AI and Legal Privilege

The dramatic rise in the use of artificial intelligence in the legal sector raises issues around leg...

Ligaya Sanchez-Wilson
Ligaya Sanchez-Wilson
Appleby-Website-Insurance-and-Reinsurance
2 Jan 2025

Bermuda: Expect a Crazy Start to 2025 After Another Record Year

Brad Adderley
Brad Adderley
Website-Code-Bermuda
13 Dec 2024

Gifting a home in Bermuda: a review of your options

A home can be gifted to a spouse, or the next generation either during an owner’s life, or as an i...

Neil Molyneux
Neil Molyneux
050-Insolvency-Restructuring-Grid-Image
10 Dec 2024

Bermuda: Americas Restructuring Review 2025

This article discusses the defining features of Bermuda’s insolvency landscape and the primary ins...

John Wasty
John Riihiluoma
James Batten
John Wasty, John Riihiluoma, James Batten
Appleby-Website-Privacy-and-Data-Protection
5 Dec 2024

Digital identity services in Bermuda

There is steep demand for the ability to authenticate a person’s identity through the use of a tru...

Duncan Card
Duncan Card