Guide to Data Protection Act for Data Controllers

What is a data controller?

When does the DPA apply to me as a data controller? 1

The DPA applies to you as a data controller if you are:

  • established in the Cayman Islands, and the personal data is processed in the context of that establishment; or,
  • not established in the Cayman Islands but the data is being processed in the Cayman Islands (otherwise than for transit purposes).

“Established” in the Cayman Islands means:

  • you are ordinarily resident in the Islands;
  • you are a body incorporated or registered as a foreign company in the Cayman Islands;
  • you are a partnership or other unincorporated association formed under Cayman Islands Act;
  • you maintain an office, branch or agency, or regular practice in the Cayman Islands.

An example of where a data controller is not established in the Cayman Islands but where personal data is being processed in the Cayman Islands other than for transit purposes would be where an overseas entity targets and collects personal data of Cayman residents. The applicability of the DPA will not be triggered simply because a foreign-based service is accessible or available to Cayman residents; there must be an indication that the data controller is seeking out Cayman residents for its service. 

Example 

An online social network based in a third country solicits Cayman residents as users. The personal data is processed in the Cayman Islands because the personal data of residents is collected locally. The DPA is triggered because the social network actively targets Cayman residents. 

Another example of where a data controller is not established in the Cayman Islands but where personal data is being processed in the Cayman Islands is where a data processor within the Cayman Islands processes personal data on behalf of a foreign data controller.

Previous Next