Guide to Data Protection Act for Data Controllers
Who does the DPA apply to?
At a glance
- The DPA applies to personal data processed by ‘data controllers’ and ‘data processors’.
- A ‘data controller’ determines why and how personal data is processed.
- A ‘data processor’ processes personal data on behalf of a data controller and does not itself determine why personal data should be processed. A data processor may, to a certain extent, decide on how the personal data should be processed.
- A data controller who engages a data processor must ensure that the engagement is based on a written contract which contains certain prescribed assurances regarding the processing of personal data.
- The DPA applies to processing carried out by organisations established within the Cayman Islands, as well as to organisations established outside the Cayman Islands that process personal data within the Cayman Islands.
- The DPA does not apply to processing carried out by individuals purely for personal/household activities.