Data protection regime now in force in British Virgin Islands

Monday, 19 July 2021
The British Virgin Island’s (BVI’s) Data Protection Act 2021 came into force on 9 July.
Files padlocked

The law aims to meet UK and EU standards of data protection, as established by the EU’s General Data Protection Regulation (GDPR). Until now, there has been no specific data protection legislation in the BVI, although the current Computer Misuse and Cybercrime Act 2014 does restrict the publication of illegally obtained confidential data. Common law duties of privacy and confidentiality also exist.

All BVI-incorporated companies and limited partnerships with legal personality are within scope of the law. Limited partnerships without legal personality may also be in scope ‘by virtue of being established in the BVI,’ says law firm Mourant.

As well as the usual constraints on holding, disclosing and processing data, data controllers must also undertake certain other duties. These include informing a data subject of the purposes for processing, the source of the personal data, the rights to request access to and correction of personal data, the class of third parties to whom the personal data will be disclosed, whether the data subject is obliged to supply the personal data and the consequences of non-compliance.

Data controllers must also take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. They must not transfer personal data outside of the BVI unless there are adequate safeguards in the destination jurisdiction or unless the data subject consents.

For regulated entities in the BVI that have to process personal data as part of their onboarding processes and anti-money laundering obligations, ‘this will capture the persons engaged to process such on-boarding,’ says law firm Ogier. It also notes that the law will apply ‘if the process of personal data is engaged on behalf of a person established in the BVI, or is not for a person established in the BVI but is processed in the BVI’.

Data subjects must be given access to their personal data on written request and be able to request corrections where the personal data is inaccurate, incomplete, misleading or not up-to-date.

There are potential exemptions for data controllers where personal data is processed for the assessment or collection of taxes, crime prevention, detection or investigation, compliance with a court order or judgment, or the discharge of regulatory functions.

Offences by bodies corporate under the new law can give rise to fine up to USD500,000 and the entity's directors and officers may also be liable to imprisonment if the offence was committed with their consent, or was due to their neglect.

'Persons who are private bodies and who process personal data, will need to make changes to their data processes and procedures to ensure compliance,' says Ogier. ‘Some of the necessary changes will depend on the nature of a person’s business, for example: a BVI investment fund will need to amend its offering documents and/or create new policies on data management.’

The BVI Trustee (Amendment) Act 2021 also took effect on 9 July, introducing a range of new provisions into the Trustee Act 1961. The principal changes include powers of the court to vary trusts without beneficiary consent, setting aside the flawed exercise of a fiduciary power, extending the firewall, reserving trust powers and introducing record-keeping obligations for trustees.


The content displayed here is subject to our disclaimer. Read more