DATA PROTECTION Regulation

Legislation

1. What national laws regulate the collection, use, and disclosure of personal data?

General Laws

The Personal Information Protection Act 2016 (PIPA) is the principal piece of Bermuda legislation regulating the right to personal informational privacy. PIPA Sections 1, 2, 26 to 29, 35, 36, 51, and 52 relating generally to the establishment, staffing, funding, and general powers of the Privacy Commissioner came into force on December 2, 2016. The remaining provisions were set to come into force when the Governor of Bermuda (Governor) appointed a Privacy Commissioner (Commissioner). The Governor appointed a Commissioner on December 11, 2019. The Commissioner assumed its post on January 20, 2020. However, PIPA’s remaining provisions have not been fully implemented as of the date of this Q&A. The remaining provisions will become operative on publication of a Commencement Day Notice in Bermuda’s Official Gazette.

All data protection laws are and will continue to be subject to:

  • The Bermuda Constitution Order 1968, which overrides:
    • domestic legislation, including PIPA; and
    • common law principles.
  • The Human Rights Act 1981 (HRA), from which organisations cannot derogate unless the HRA specifically authorises it.

PIPA prevails over inconsistent legislation unless PIPA is inconsistent with or in conflict with the HRA. In that case, the HRA prevails. (Section 4(4), PIPA.)

Sectoral Laws

Several Bermuda sectoral laws also regulate data protection activities, including:

  • The Banks and Deposit Companies Act 1999.
  • The Electronic Transactions Act 1999.
  • The Public Access to Information Act 2010.

The details of these sectoral laws are outside the scope of this Q&A, which focuses on PIPA.

Scope of Legislation

2. To whom do the laws apply?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) applies to:

  • Natural persons (individuals).
  • Every individual, entity, or public authority (organisation), whether or not domiciled in Bermuda, that uses personal information in Bermuda:
    • wholly or partly by automated means; or
    • by non-automated means if it forms or is intended to form part of a structured filing system.

(Sections 2 and 3, PIPA.)

For more on:

  • The status of PIPA’s implementation, see Question 1.
  • How PIPA defines personal information, see Question 3.
  • PIPA’s regulated acts, see Question 4.
  • Organisations’ main obligations, see Question 8.
  • How PIPA impacts third-party processors, see Question 17.

3. What personal data does the law regulate?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) regulates:

  • Personal information, which is any information about an identified or identifiable individual.
  • Sensitive personal information. For more on the definition of, and special rules for processing, sensitive personal information, see Question 11.

(Sections 2 and 7(1), PIPA.)

For information on:

  • The status of PIPA’s implementation, see Question 1.
  • PIPA’s regulated acts, see Question 4.
  • PIPA’s exemptions, see Question 6.

4. What acts are regulated?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) regulates the use of personal information, which is any operation on personal information, including the following:

  • Collecting, obtaining, or recording.
  • Holding, storing, or organising.
  • Adapting or altering.
  • Retrieving, transferring, consulting, disclosing, disseminating, or otherwise making available.
  • Combining, blocking, erasing, or destroying.

(Section 2, PIPA.)

For more on the status of PIPA’s implementation, see Question 1.

5. What is the jurisdictional scope of the rules?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) applies to every individual, entity, or public authority (organisation) that uses personal information in Bermuda (Sections 2 and 3, PIPA). PIPA currently does not distinguish between organisations incorporated under Bermuda law and overseas entities that have a business presence, such as an office in Bermuda.

For more on the status of PIPA’s implementation, see Question 1.

6. What are the main exemptions (if any)?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) does not apply to:

  • Personal information used for:
    • personal or domestic purposes; or
    • journalistic, literary, and artistic purposes with a view to publication in the public interest as necessary to protect the right to freedom of expression.
  • The use of business contact information to contact an individual in their capacity as an organisation’s employee or official.
  • Personal information:
    • about an individual who has been dead for at least 20 years; or
    • in existence for at least 150 years.
  • Personal information:
    • transferred to an archival institution where access to the personal information was unrestricted or governed by an agreement between the archival institution and the donor of the personal information before PIPA came into operation;
    • in a court file used by a Bermuda court judge, as part of judicial administration, or in relation to judicial support services if necessary for judicial purposes;
    • in a personal note, communication, or draft decision created by or for an individual acting in a judicial, quasi-judicial, or adjudicative capacity; or
    • used by a member of the House of Assembly or the Senate in the exercise of their political function if parliamentary privilege covers the personal information.

(Section 4, PIPA.)

  • Communication providers or their directors, officers, or authorised agents while acting as a communication provider. A communication provider is an internet service provider, telecommunications provider, or other organisation that:
    • acts as a conduit for personal information that a third party transmits; and
    • does not determine the personal information’s use purpose.

(Section 23, PIPA.)

PIPA also does not:

  • Affect any legal privilege.
  • Limit the information legally available to a party in any legal proceeding.
  • Limit or affect the use of information under trust conditions or undertakings to which a lawyer is subject.

(Section 4(3), PIPA.)

Except for the minimum requirements set out in PIPA Sections 5, 8, 11, 12, and 13, PIPA Part 2 (General Principles and Rules) and Part 3 (Rights of Individuals) do not apply to the use of personal information:

  • To safeguard national security, provided any exempted organisation obtains a certificate certifying that it requires an exemption (Section 22, PIPA).
  • For specified regulatory activities, such as protecting the public against financial loss, dishonesty, malpractice, and professional misconduct (Section 24, PIPA).
  • To:
    • prevent or detect crime and comply with related international obligations;
    • apprehend or prosecute offenders;
    • assess or collect any tax or duty;
    • prevent, investigate, detect, and prosecute ethical breaches by regulated professionals; and
    • protect Bermuda’s economic or financial interests.

(Section 25, PIPA.)

For more on the status of PIPA’s implementation, see Question 1.

Notification

7. Is notification or registration with a supervisory authority required before processing data?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) does not require notification or registration with a supervisory authority before processing data.

Main Data Protection Rules and Principles

Main Obligations and Processing Requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) requires individuals, entities, and public authorities (organisations) to, among other things:

  • Adopt suitable measures and policies to give effect to their obligations and honor individuals’ rights under PIPA, considering:
    • the personal information’s nature, scope, context, and use purpose; and
    • the risk to individuals of using the personal information.

(Section 5(1), (2), PIPA.)

  • Ensure that:
    • any third parties they engage in connection with the use of personal information comply with PIPA; and
    • any overseas third parties to which they transfer personal information comply with, and offer a level of protection of personal information comparable to, PIPA.

(Sections 5(3) and 15, PIPA; see Question 17.)

  • Designate a privacy officer. A group of organisations under common ownership or control may appoint one privacy officer, if that officer is accessible from each organisation. This applies regardless of whether the organisation has a presence in Bermuda. A privacy officer may delegate its duties to one or more individuals. (Section 5(4) to (6), PIPA.)
  • Act reasonably in complying with its responsibilities under PIPA (Section 5(7), PIPA).
  • Only use personal information if they meet one or more specific lawful conditions (Section 6(1), PIPA; see Question 9 and Question 10).
  • Comply with PIPA’s requirements for the use of sensitive personal information (Section 7, PIPA; see Question 11).
  • Use personal information:
    • lawfully and fairly (Section 8, PIPA); and
    • for the specific purposes set out in their privacy notices or for purposes related to those specific purposes unless an exception applies (Sections 9(1)(b) and 10(1), PIPA; see Purpose Limitation).
  • Provide individuals with a clear and easily accessible privacy notice (Section 9, PIPA; see Question 9).
  • Ensure that personal information is adequate, relevant, and not excessive in relation to the purpose or purposes for which it is used (Section 11, PIPA).
  • Ensure that any personal information they use is:
    • accurate and current for its use purpose; and
    • not kept for longer than is necessary for that use.

(Section 12, PIPA.)

  • Protect personal information they hold with appropriate safeguards against risk (Section 13, PIPA; see Question 15).
  • Notify individuals and the Privacy Commissioner of certain personal information breaches (Section 14, PIPA; see Question 16).
  • Use personal information about a child to provide information society services only in accordance with specific conditions of use, including conditions relating to consent. An information society service means a service that is delivered by means of digital or electronic communications. (Section 16, PIPA; see Child Consent for Online Services.)

Purpose Limitation

Organisations must only use personal information for the specific purposes set out in their privacy notices or for purposes related to the stated purposes unless:

  • The individual consents to that use of their personal information.
  • The secondary purpose is:
    • necessary to provide a service or product required by the individual;
    • required by law or court order;
    • to detect or monitor fraud or fraudulent misuse of personal information; or
    • for scientific, statistical, or historical research subject to appropriate safeguards for the individual’s rights.

(Section 10, PIPA.)

For more on the status of PIPA’s implementation, see Question 1. For more on how PIPA impacts third-party processors, see Question 17.

9. Is the consent of data subjects required before processing personal data?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) sets out eight lawful bases for processing personal information. One of those bases is obtaining the individual’s consent, where the organisation can reasonably demonstrate that the individual has knowingly consented (Section 6(1)(a), PIPA). For more on the conditions for processing personal information and sensitive personal information without individuals’ consent, see Question 10 and Question 11.

Organisations seeking consent must provide clear, prominent, easily understandable, and accessible mechanisms for an individual to consent to the use of their personal information unless it can be reasonably implied from the individual’s conduct that they consent for all intended purposes communicated to them, including in the organisation’s privacy notice. This exception for implied consent by conduct does not apply to the use of an individual’s sensitive personal information. (Section 6(2)(a), (b), PIPA.)

When individuals consent to the disclosure of their personal information by an intermediary for a specified purpose, they are deemed to have consented to the use of that personal information by the receiving organisation for the specified purpose (Section 6(2)(c), PIPA).

An individual will also be deemed to have consented to an organisation’s use of their personal information either:

  • For coverage or enrollment under an insurance, trust, benefit, or similar plan if the individual has an interest in or derives a benefit from that plan (Section 6(2)(d), PIPA).
  • If the organisation had that information under its control before PIPA came into force, in which case the organisation can use the information for the collection purpose (Section 4(2), PIPA).

PIPA does not define consent or specify mechanisms for providing or withdrawing consent.

Child Consent for Online Services

Special consent requirements apply to organisations that use personal information about a child under 14 to provide an online service by means of digital or electronic communications (information society services) if either:

  • The organisation targets the service at children.
  • The organisation has actual knowledge that it uses personal information about children.

(Section 16(1), (6), PIPA.)

An online service provider relying on consent as the legal basis for processing must:

  • Obtain consent from a child’s parent or guardian before collecting or using their personal information.
  • Be reasonably satisfied that consent obtained from a child’s parent or guardian is verifiable as coming only from the child’s parent or guardian.
  • Establish procedures to verify whether the individual is a child when it is reasonably likely that the provider will use a child’s personal information.
  • Provide a privacy notice that is easily understandable and appropriate to the child’s age (see Question 12).

(Section 16(1), (2), and (4), PIPA.)

10. If consent is not given, on what other grounds (if any) can processing be justified?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) sets out eight legal bases for processing personal information. One of those bases is obtaining the individual’s consent (see Question 9). PIPA permits personal information processing without individuals’ consent if at least one of the following applies:

  • For non-sensitive personal information, a reasonable person giving due weight to the information’s sensitivity would consider that:
    • the individual would not reasonably be expected to request that the use of their personal information should not begin or cease; and
    • the use does not prejudice the individual’s rights.
  • The personal information is publicly available and the organisation will use it for a purpose consistent with its public availability.
  • The use of the personal information is:
    • necessary to perform a contract with the individual or to take steps at the individual’s request to enter into a contract;
    • legally authorised;
    • necessary to respond to an emergency that threatens the life, health, or security of an individual or the public;
    • necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the organisation or in a third party to whom the personal information is disclosed; or
    • necessary in the context of an individual’s present, past, or potential employment relationship with the organisation.

(Section 6(1)(b) to (h), PIPA.)

An organisation that cannot obtain consent or meet any of the above conditions may use personal information only if:

  • Applicable law authorises or requires a public authority to disclose the information to the organisation.
  • The organisation uses the information:
    • to comply with an order by a court, individual, or body that has jurisdiction over the organisation;
    • to contact the next of kin or a friend of an injured, ill, or deceased individual;
    • to collect or repay debt;
    • in connection with disclosure to a deceased individual’s surviving spouse or relative if appropriate in the organisation’s reasonable opinion; or
    • reasonably to protect or defend the organisation in any legal proceedings.

(Section 6(3), PIPA.)

For more on the conditions for processing sensitive personal information without individuals’ consent, see Question 11.

Special Rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) defines sensitive personal information as any personal information relating to an individual’s:

  • Place of origin, race, or color.
  • National or ethnic origin.
  • Sex, sexual orientation, or sexual life.
  • Marital status.
  • Physical or mental disability or health.
  • Family status.
  • Religious beliefs.
  • Political opinions.
  • Trade union membership.
  • Biometric information, which is information that uniquely identifies an individual’s physical, physiological, or behavioral characteristics, such as facial images or fingerprint information.
  • Genetic information, which is personal information relating to an individual’s inherited or acquired genetic characteristics that gives unique information about the individual’s physiology or health, resulting from, for example, analysis of a biological sample.

(Sections 2 and 7(1), PIPA.)

PIPA prohibits organisations from using sensitive personal information to illegally discriminate against any person in violation of Part II of the Human Rights Act 1981 (Section 7(2), PIPA). Organisations using sensitive personal information under PIPA Section 7(2) may use the information only if, and only to the extent that, they use it:

  • With the consent of any individual to whom the information relates.
  • According to an order by the court or the Privacy Commissioner.
  • For any criminal or civil proceeding.
  • For recruitment or employment if the nature of the role justifies the use.

(Section 7(3), PIPA.)

For more on processing non-sensitive personal information, see Question 9 and Question 10.

Rights of Individuals

12. What information rights do data subjects have?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) requires organisations using individuals’ personal information to provide a clear and easily accessible statement (privacy notice) about its personal information practices and policies that includes:

  • The fact that the organisation is using personal information.
  • The purposes for which the personal information is or may be used.
  • The identity and types of individuals or organisations to whom personal information may be disclosed.
  • The organisation’s identity and location, including information on how to contact it about its handling of personal information.
  • The privacy officer’s name.
  • The choices and means the organisation provides to an individual for limiting the use of, and for accessing, rectifying, blocking, erasing, and destroying, their personal information.

(Section 9(1), PIPA.)

Organisations must take all reasonably practicable steps to ensure that they provide the privacy notice before or at the time of collecting personal information, or, where that is not possible, as soon as reasonably practical thereafter (Section 9(2), PIPA).

PIPA does not require an organisation to provide a privacy notice if either:

  • The personal information it holds is publicly available.
  • It can reasonably determine that all current or future uses of the personal information are within the reasonable expectations of the individual to whom the personal information relates.

(Section 9(3), PIPA.)

For more on:

  • The status of PIPA’s implementation, see Question 1.
  • Other individual rights, see Question 13.

13. Other than information rights, what other specific rights are granted to data subjects?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) grants individuals the right:

  • To have access, if reasonable and subject to certain exemptions, to:
    • their personal information in the organisation’s custody or control;
    • the purposes for which the organisation uses the personal information; and
    • the name of any personal data recipients and the circumstances of the disclosure.

(Section 17(1) to (4), PIPA.)

  • To access their medical records, subject to the organisation’s legal right to refuse an access request in certain circumstances (Section 18, PIPA).
  • To request that an organisation refrain from or cease using their personal information:
    • for advertising, marketing, or public relations purposes; or
    • when using the personal information causes or is likely to cause substantial damage or substantial distress to the individual or another person.

(Section 19(6), (8), PIPA.)

  • To request rectification of any error or omission in their personal information (Section 19(1), PIPA).
  • To request erasure or destruction of their personal information that is no longer relevant for the purposes of its use (Section 19(10), PIPA).

PIPA Section 20 sets out the procedural requirements for controllers to respond to data subject requests.

Individuals may also engage the Privacy Commissioner’s (Commissioner’s) supervisory powers:

  • To request a review of an organisation’s decision, action, or failure to act regarding the individual’s personal information.
  • To initiate a complaint to the Commissioner to investigate whether an organisation:
    • failed to perform an obligation imposed by the PIPA;
    • failed to observe a right granted by the PIPA;
    • used personal information contrary to the PIPA; and
    • is not in compliance with the PIPA.

(Sections 29(2) and 38(1), (2), PIPA.)

For more on:

  • The status of PIPA’s implementation, see Question 1.
  • PIPA’s regulated acts, see Question 4.
  • Processing sensitive information, see Question 11.
  • Data subject information rights, see Question 12.

14. Do data subjects have a right to request the deletion of their data?

See Question 13.

Security Requirements

15. What security requirements are imposed in relation to personal data?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) requires organisations to safeguard all personal information they hold against risk, including the risk of:

  • Loss.
  • Unauthorised access, destruction, use, modification, or disclosure.

(Section 13(1), PIPA.)

These safeguards must be subject to periodic review and reassessment and be proportional to:

  • The likelihood and severity of the harm threatened by the personal information’s loss, access, or misuse.
  • The sensitivity of the personal information, especially whether it is sensitive personal information.
  • The context in which the personal information is held.

(Section 13(2), PIPA.)

For more on the status of PIPA’s implementation, see Question 1.

16. Is there a requirement to notify data subjects or the supervisory authority about personal data security breaches?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) requires organisations to provide notice of any security breach leading to loss, unlawful destruction, or unauthorised disclosure of or unauthorised access to personal information that is likely to adversely affect an individual, without undue delay, to:

  • The Privacy Commissioner (Commissioner).
  • Any individual affected by the breach.

(Section 14(1), PIPA.)

The notification to the Commissioner:

  • Must describe:
    • the nature of the breach;
    • the breach’s likely consequences for the affected individual; and
    • current or future measures to address the breach.
  • Allows the Commissioner:
    • to determine whether it should order the organisation to take further steps; and
    • to maintain a record of the breach and the remedial measures taken.

(Section 14(2), PIPA.)

For more on the status of PIPA’s implementation, see Question 1.

Processing by Third Parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Under the Personal Information Protection Act 2016 (PIPA) (not fully implemented), organisations that engage a third party’s services, by contract or otherwise, in connection with the use of personal information, are responsible for ensuring that the third party complies with PIPA at all times (Section 5(3), PIPA). PIPA does not place any obligations on a third-party processor.

Organisations transferring personal information to a third-party processor must have the individual’s consent or another legal basis for the transfer, as the transfer is considered a use of that information (Sections 2 and 6, PIPA; see Question 9 and Question 10). However, they are not required to have a data processing agreement.

For more information on:

  • The status of PIPA’s implementation, see Question 1.
  • Organisations’ main obligations, see Question 8.
  • Data transfers to overseas third parties, see Question 20.

Electronic Communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject’s terminal equipment?

The Personal Information Protection Act 2016 does not specifically address the storage of cookies or equivalent devices on an individual’s terminal equipment. However, organisations collecting or using personal information must comply with PIPA’s requirements relating to that use.

The Standard for Electronic Transactions (E-Transaction Standards), established under the Electronic Transactions Act 1999, also does not specifically address cookie use. However, the E-Transaction Standards regulate the use and disclosure of personal information by e-commerce intermediaries and e-commerce service providers (Paragraph 4(A)(iv), 7(D), E-Transaction Standards).

19. What rules regulate sending commercial or direct marketing communications?

Under the Personal Information Protection Act 2016 (PIPA) (not fully implemented), individuals may request that organisations refrain from or cease using their personal information for marketing, advertising, or public relations purposes (Section 19(6), PIPA). For more on the status of PIPA’s implementation, see Question 1.

The Standard for Electronic Transactions (E-Transactions Standard), established under the Electronic Transactions Act 1999, provides that intermediaries and e-commerce service providers should:

  • Refrain from sending bulk, unsolicited electronic records to individuals:
    • with whom they do not have a contractual or personal relationship; or
    • that have not given consent.
  • Establish reasonable practices to prevent the use of their services to send bulk, unsolicited electronic records.
  • Stop providing services to senders who engage in this conduct.

(Section 7(E), E-Transactions Standard.)

International Transfer of Data

Transfer of Data Outside the Jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) requires organisations to assess the level of protection that an overseas third party provides before transferring any personal information for use either on the organisation’s behalf or for the third party’s own business purposes. If the organisation reasonably believes that the overseas third party provides a level of protection comparable to that required by PIPA, it may rely on that comparable level of protection while the overseas third party is using the transferred information. If the organisation cannot rely on the overseas third party’s level of protection, it must employ contractual mechanisms, corporate codes of conduct, or other means to ensure a level of protection comparable to that required by PIPA. (Section 15(2), (4), and (5), PIPA.) The Privacy Commissioner can approve binding corporate rules for these purposes, but has not done so as of the date of this Q&A.

The transferring organisation is responsible for ensuring that the overseas third party complies with PIPA in relation to the personal information transferred (Section 15(1), PIPA). PIPA does not expressly place any obligations on the third party.

An organisation need not comply with these rules if the transfer of personal information to an overseas third party:

  • Is necessary to establish, exercise, or defend legal rights.
  • Occurs after the organisation’s assessment that the transfer is reasonably considered to be small-scale, occasional, and unlikely to prejudice the individual’s rights.

(Section 15(6), PIPA.)

Organisations transferring personal information to an overseas third party must have the individual’s consent or another legal basis for the transfer (Section 6(4), PIPA; see Question 9 and Question 10). However, they are not required to have a data processing agreement.

The Privacy Commissioner has discretion to allow a cross-border transfer that does not comply with PIPA’s requirements if:

  • The organisation reasonably demonstrates that it is unable to comply.
  • The transfer does not undermine the individual’s rights.

(Section 29(1)(l), PIPA.)

For more on the status of PIPA’s implementation, see Question 1.

21. Is there a requirement to store any type of personal data inside the jurisdiction?

There is no requirement to store any type of personal information inside Bermuda.

Data Transfer Agreements

22. Are data transfer agreements contemplated or in use? Has the supervisory authority approved any standard forms or precedents for cross-border transfers?

Data transfer agreements are not currently used in Bermuda, and the Privacy Commissioner has not approved any standard forms or precedents.

23. For cross-border transfers, is a data transfer agreement sufficient, by itself, to legitimise transfer?

See Question 20 and Question 22.

24. Must the relevant supervisory authority approve the data transfer agreement for cross-border transfers?

See Question 22.

Enforcement and Sanctions

25. What are the enforcement powers of the supervisory authority?

Section 29 of the Personal Information Protection Act 2016 (PIPA), which specifies the general powers of the Privacy Commissioner (Commissioner), is fully implemented. The Commissioner may, among other things:

  • Conduct investigations concerning PIPA compliance.
  • Order an organisation to commence or cease the performance of an activity (Section 44, PIPA).
  • Issue formal warnings, admonish an organisation, and bring to the organisation’s attention any failure to comply with PIPA.
  • Provide guidance and recommendations on the application of an organisation’s rights and obligations under PIPA.
  • Attempt to resolve any matter under application for review or after a complaint by negotiation, conciliation, mediation, or other methods.
  • Liaise and cooperate with domestic and foreign law enforcement agencies and regulators to ensure PIPA compliance.

(Section 29, PIPA.)

For more on sanctions and remedies for non-compliance with PIPA, see Question 26.

26. What are the sanctions and remedies for non-compliance with data protection laws?

The Personal Information Protection Act 2016 (PIPA) (not fully implemented) establishes the following sanctions for non-compliance:

  • For summary convictions of individuals:
    • a fine not exceeding BD25,000;
    • imprisonment not exceeding two years; or
    • both.
  • For convictions on indictment of persons other than individuals, a fine not exceeding BD250,000.

(Section 47(3), PIPA.)

For certain offenses, it is a defense for both individuals and organisations if they can prove to the court’s satisfaction that they acted reasonably in the circumstances that gave rise to the offense (Section 47(2) and (4), PIPA).

A director, manager, secretary, similar officer, or person acting in a similar capacity may also be liable and punished if the Privacy Commissioner proves that the organisation’s offense was committed with that person’s consent or connivance, or is attributable to their neglect (Section 47(6), PIPA).

For more on the status of PIPA’s implementation, see Question 1.

First Published in Practical Law – Thomson Reuters, June 2020
