
Understanding the Bermuda Personal Information Protection Act (PIPA)

Updated: Feb 11

Bermuda’s Personal Information Protection Act 2016 (PIPA) is a comprehensive data protection act designed to protect the personal information of individuals while allowing data controllers and data processors to use personal information responsibly. Enacted in 2016, PIPA officially came into effect on January 1, 2025. The Act establishes data protection principles of fairness, transparency, and accountability for data controllers and data processors that use personal information.



PIPA Data Protection Principles: PIPA establishes twelve key principles and rules:

  • Responsibility and Compliance

  • Conditions for using Personal Information

  • Sensitive Personal Information

  • Fairness

  • Privacy Notices

  • Purpose Limitation

  • Proportionality

  • Integrity of Personal Information

  • Security Safeguards

  • Breach of Security

  • Transfer of Personal Information to an Overseas Third Party

  • Personal Information about Children in the Information Society


Applicability and Scope: PIPA applies to any organization that uses personal information in Bermuda, including businesses, non-profits, and government agencies. It covers personal information processed wholly or partly by automated means, and non-automated records that form part of a structured filing system.


Additional Applicability Requirements: PIPA's application is further limited as follows:

  • PIPA applies to the use of personal information that is:

    • Used wholly or partly by automated means; and

    • Used by means other than automated means, where the personal information forms, or is intended to form, part of a structured filing system.

  • Personal information only includes information relating to natural persons who:

    • Can be identified or who are identifiable from the information in question; or

    • Can be identified from that information used in conjunction with other available information.

  • Personal information may also include sensitive personal information, which may only be used in more limited circumstances.

  • Information about data controllers and data processors themselves (i.e., companies and public authorities) is not personal information.

  • PIPA does not apply to the use of business contact information for the purpose of contacting an individual in their capacity as an employee or official of an organization.

  • However, information about individuals acting as sole traders, employees, partners, and company directors, where they are individually identifiable and the information relates to them as individuals, may constitute personal information.

  • PIPA does not apply to personal information that has been in existence for at least 150 years.

  • PIPA does not apply to personal information about an individual who has been dead for at least 20 years.


Exemptions from PIPA: PIPA's exemptions include:

  • Personal or domestic use of personal information.

  • Journalistic, artistic, or literary purposes in the public interest.

  • Information about individuals who have been dead for at least 20 years.

  • Court records used in judicial proceedings.


Privacy Program Compliance Levels: PIPA identifies three privacy program compliance levels.

  • Full Compliance: PIPA applies fully to how an organization uses personal information.

  • Partial Exemption: Uses of personal information that are exempt under Section 22 (National Security), Section 24 (Regulatory Activity and Honors), and Section 25 (General).

  • No Compliance: Uses of personal information that are excluded from the Act under the Section 4 exclusions.


Key Definitions under PIPA:

  • Data Breach (Breach of Security): A security incident leading to unauthorized access to, or loss, disclosure, or alteration of, personal information.

  • Data Controller: An individual or organization that determines the purposes and means of processing personal information.

  • Data Processor: An individual or entity that processes personal information on behalf of a data controller.

  • Data Protection Officer (DPO): A designated individual within an organization responsible for monitoring compliance with PIPA, advising on data protection obligations, and liaising with the Privacy Commissioner. PIPA itself uses the term "privacy officer" for this role.

  • Individual: A natural person (i.e., a living human being) to whom personal information relates.

  • Note: PIPA does not apply to legal persons (i.e., corporations, etc.).

  • Minimum Requirements: The requirements of Section 5 (Responsibility and Compliance), Section 8 (Fairness), Section 11 (Proportionality), and Section 13 (Security Safeguards).

  • Personal Information: Any information about an identified or identifiable individual.

  • Processing (Use) of Personal Information: Any operation performed on personal information, such as collection, recording, storage, retrieval, use, disclosure, alteration, and destruction.

  • Sensitive Personal Information: Any personal information relating to an individual that includes:

    • Place of origin

    • Race

    • Color

    • National or ethnic origin

    • Sex, sexual orientation, or sex life

    • Marital status

    • Physical or mental disability

    • Physical or mental health

    • Family status

    • Religious beliefs

    • Political opinions

    • Trade union membership

    • Biometric information, or

    • Genetic information


Supervisory Authority: PIPA establishes the Office of the Privacy Commissioner, an independent regulatory body responsible for ensuring compliance with the Act.


Responsibilities of the Privacy Commissioner: The Privacy Commissioner's responsibilities include:

  • Enforcing compliance with PIPA.

  • Conducting investigations into complaints and violations.

  • Providing guidance and issuing directives to data controllers and data processors.

  • Promoting public awareness of data privacy rights.

  • Advising government bodies on data protection matters.


Role of the Data Protection Officer (DPO): A DPO is responsible for:

  • Ensuring compliance with PIPA.

  • Conducting data protection impact assessments.

  • Acting as a liaison between the organization and the Privacy Commissioner.

  • Providing employee training on data protection.


Legal Representative Provisions: Data controllers and data processors without a physical presence in Bermuda, but processing the personal information of Bermuda residents, may be required to appoint a local representative to ensure compliance with PIPA.


Legal Bases for Processing Personal Information: Data controllers and data processors can use personal information under PIPA if:

  • The individual has given consent.

  • The use is necessary for the performance of a contract.

  • The use is required or authorized by law.

  • The information is publicly available.

  • The use is required in an emergency or for public safety.

  • The use is in the public interest or required by an official authority.


Individual Rights and Freedoms under PIPA: PIPA requires data controllers and data processors to respond to individual rights requests within 45 days of receiving a complete written request. If necessary, this period may be extended by up to 30 additional days under specific circumstances, such as:

  • Large volumes of personal information being involved.

  • Meeting the original deadline interfering with the organization's operations.

  • The organization needing to consult third parties before determining whether to grant access.

Handling of Requests:

  • If an extension is required, the organization must inform the individual of the delay and provide an estimated response time.

  • Data controllers and data processors are not obligated to comply with requests that are deemed "manifestly unreasonable." This determination must be justifiable and may require consultation with the Privacy Commissioner.

  • Data controllers and data processors may charge a fee for processing rights requests, but no fee can be charged for correcting inaccurate information.

Individual Rights: PIPA grants individuals the following rights regarding their personal information:

  • Right to Access: Request details about their personal information held by an organization.

  • Right to Correction: Request correction of inaccurate or incomplete personal information.

  • Right to Blocking: Request that an organization stop using their personal information.

  • Right to Erasure: Request deletion of personal information that is no longer needed.

  • Right to Object: Object to processing under certain conditions.


Personal Information about Children in the Information Society: Where an organization uses personal information about a child under the age of fourteen in the provision of an information society service, relies on consent as its basis for doing so, and either:

  • The service is targeted at children, or

  • The organization has actual knowledge that it is using personal information about children,

the organization must obtain consent from the child's parent or guardian before the personal information is collected or otherwise used.

  • An organization must:

    • Be satisfied that the consent obtained is verifiable, so that it can only have been given by the child's parent or guardian, and

    • Establish procedures to verify whether an individual is a child when it is likely that the organization will use personal information about a child.

  • Note:

    • When providing an information society service to a child, an organization shall not seek to obtain information from the child about other individuals.

    • The organization must not ask the child questions about the professional activity of parents or guardians, financial information, or sociological information.

    • Personal information about the identity and address of the child's parent or guardian may be used for the sole purpose of obtaining consent.


Obligations of Data Controllers and Processors: Data controllers and data processors using personal information must:

  • Appoint a Privacy Officer (referred to in this article as the DPO) responsible for compliance with PIPA.

  • Provide privacy notices explaining personal information collection and use.

  • Ensure accuracy and update personal information when necessary.

  • Implement security measures to protect personal information.

  • Limit retention of personal information to only as long as needed.

  • Enter into contracts with data processors: Data controllers must have a legally binding agreement with processors to ensure compliance with PIPA.


Contractual Requirements for Data Controllers and Processors: Data controllers must enter into contracts with data processors that include:

  • Processing on Instructions: Data processors must only process personal information according to the data controller's instructions.

  • Confidentiality Obligations: Data processors must ensure that authorized personnel processing personal information maintain confidentiality.

  • Security Measures: Data processors must implement technical and organizational safeguards to protect personal information.

  • Sub-Processing Conditions: Data processors must not engage sub-processors without prior authorization from the data controller.

  • Personal Information Breach Notification: Data processors must inform data controllers immediately upon discovering a personal information breach.

  • Assistance with Individual Rights: Data processors must help data controllers comply with requests related to data subject rights.

  • Data Deletion or Return: Upon termination of services, data processors must either delete or return personal information as directed by the data controller.

  • Audit Rights: Data controllers must have the right to audit and inspect data processor compliance with PIPA.


Duty to Inform Individuals (Privacy Notice): Data controllers and data processors must provide individuals with a clear and easily accessible statement about their practices and policies with respect to personal information that includes:

  • The fact that personal information is being used.

  • The purposes for which personal information is or might be used.

  • The identity and types of individuals or data controllers and data processors to whom personal information might be disclosed.

  • The identity and location of the organization, including information on how to contact it about its handling of personal information.

  • The contact information of the DPO.

  • The choices and means the organization provides an individual for limiting the use of, and for accessing, correcting, blocking, erasing, and destroying, his or her personal information.

Timing, Exceptions, and Changes:

  • Data controllers and data processors must take all reasonably practicable steps to ensure that the privacy notice is provided to individuals before or at the time of collection, or where that is not possible, as soon thereafter as is reasonably practicable.

  • Data controllers and data processors are not obligated to provide a privacy notice if:

    • All personal information held by them is publicly available information, or

    • The organization can determine that all uses made, or to be made, of the personal information are within the reasonable expectations of the individual to whom the personal information relates.

  • Clarity and Accessibility: The notice must be clear, easily accessible, and understandable to individuals.

  • Changes to Data Use: If a data controller or a data processor decides to modify how it uses an individual's personal information, it must provide a new privacy notice and, where required, obtain fresh consent from the individual.

  • Exceptions to Notice Requirements: Data controllers and data processors may not need to provide notice if:

    • The individual already knows the information.

    • Legal, national security, or regulatory requirements prevent disclosure.


Consent Requirements: PIPA's consent requirements include:

  • Data controllers and data processors must provide clear, prominent, easily understandable, and accessible mechanisms for an individual to give consent in relation to the use of their personal information.

  • A clear and specific statement of consent is needed for an individual to consent knowingly.

  • Consent means offering individuals real choice and control. Consent should put individuals in charge, build trust and engagement, and enhance an organization's reputation.

  • Data controllers and data processors must keep consent requests separate from other terms and conditions.

  • Data controllers and data processors must obtain separate consent for separate things. Vague or blanket consent is not enough.

  • Data controllers and data processors must name any overseas third party who will rely on the consent.

  • Data controllers and data processors must make it easy for individuals to withdraw consent and must tell them how to do so.

  • Data controllers and data processors should keep records of consent (e.g., who consented, when, how, and what the organization told individuals at the time).

  • Note: Save old copies of privacy notices.

  • Data controllers and data processors should avoid making consent to processing a precondition of a service.

  • Data controllers and data processors should avoid over-reliance on consent.


Processing of Sensitive Personal Information: Data controllers and data processors must obtain explicit consent from individuals before processing sensitive personal information. Additionally, such information must not be used to discriminate against any person in a manner contrary to the Human Rights Act 1981, unless authorized.

  • Consent must be informed, voluntary, and explicit.

  • Individuals must be aware of what information is collected, how it is used, and their rights.

  • Data controllers and data processors must provide opt-in and opt-out options where applicable.


Cross-Border Data Transfers: Data controllers and data processors may transfer personal information outside of Bermuda only if:

  • The destination ensures an adequate level of protection comparable to PIPA's standards.

  • Individuals consent to the transfer, provided they are fully informed.

  • There are contractual safeguards in place to ensure protection of the personal information.


Appropriate Safeguards for Cross-Border Data Transfers: PIPA requires data controllers and data processors to implement one or more of the following safeguards when transferring personal information internationally:

  • Adequacy Determinations: Transfers can take place if the receiving jurisdiction has laws or regulations that provide a level of protection comparable to PIPA. However, at the time of writing, the Office of the Privacy Commissioner for Bermuda has not published an official list of countries deemed to provide an adequate level of protection. Data controllers and data processors are therefore responsible for assessing the adequacy of protection in the destination country before transferring personal information. This assessment should consider factors such as the legal framework, data protection practices, and the ability to enforce an individual's rights in the recipient country.

  • Binding Corporate Rules (BCRs): Multinational data controllers and data processors can adopt legally enforceable rules that ensure compliance with PIPA for intra-group transfers.

  • Standard Contractual Clauses (SCCs): Agreements between data exporters and importers that establish legally binding obligations to protect transferred personal information.

  • Derogations: Transfers may be allowed in specific situations such as contractual necessity, vital interests of individuals, or important public interest grounds.

  • Codes of Conduct: Data controllers and data processors can adopt industry-recognized codes of conduct that demonstrate compliance with PIPA requirements for transfers.


Security Safeguards: PIPA requires data controllers and data processors to implement appropriate safeguards against risks to an individual's personal information:

  • An organization must protect the personal information that it holds with appropriate safeguards against risk, including:

    • Loss

    • Unauthorized access, destruction, use, modification, or disclosure; or

    • Any other misuse

  • Such safeguards must be proportional to:

    • The likelihood and severity of the harm threatened by the loss, access, or misuse of the personal information.

    • The sensitivity of the personal information (including whether it is sensitive personal information) and the context in which it is held.

  • The safeguards must be subject to periodic review and reassessment.

  • Note: PIPA does not prescribe which specific safeguards an organization should adopt. Encryption of personal information at rest and in transit is a widely recognized best practice and is highly recommended, but it is only effective alongside access control and sound key management, since an attacker who can reach the keys or an authorized account reads the data regardless.


Personal Information Breach Notification Requirements: Data controllers and data processors must comply with the following personal information breach notification requirements:

  • Notification to the Privacy Commissioner:

    • Data controllers and data processors must report a breach of security to the Privacy Commissioner without undue delay if the breach is likely to adversely affect an individual. Data controllers and data processors must:

      • Notify the Privacy Commissioner of the breach, and

      • Then notify any individual affected by the breach.

    • The notification to the Privacy Commissioner shall describe:

      • The nature of the breach.

      • Its likely consequences for the affected individuals, and

      • The measures taken and to be taken by the organization to address the breach, so that the Privacy Commissioner can determine whether to order the organization to take further steps, and can maintain a record of the personal information breach and of the measures taken to mitigate its impact.

  • Notification to Affected Individuals: The notification to affected individuals shall include:

    • The name and contact details of the DPO or other contact point where further information can be obtained.

    • A description of the likely consequences of the personal information breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects.

    • Note: The organization may also have to notify third parties such as law enforcement, insurers, etc.

  • Record-Keeping Obligations: Data controllers and data processors must maintain records of all personal information breaches, regardless of their severity, and be prepared to demonstrate compliance with reporting requirements.

  • Remediation Measures: Data controllers and data processors must take immediate action to contain the personal information breach, investigate its cause, and implement measures to prevent recurrence.

    • Data controllers and data processors must implement technical and organizational measures to protect personal information.

    • In the event of a breach, they must notify the Privacy Commissioner and the affected individuals if the breach is likely to adversely affect individuals.

  • Failure to Notify of a Notifiable Personal Information Breach:

    • A person who commits an offense is liable, on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment not exceeding two years, or to both.

    • On conviction on indictment, in the case of a person other than an individual, to a fine not exceeding $250,000.

  • Note:

    • It is important for data controllers and data processors to have a robust breach-reporting process in place so that personal information breaches are detected and notified on time.

    • The necessary details must be provided unless the breach is unlikely to have an adverse effect on individuals.

    • Data controllers and data processors must document and justify any decision not to report a personal information breach.


Administrative Penalties and Fines: Non-compliance with PIPA's provisions can result in:

  • For Individuals: Upon summary conviction, an individual may face a fine of up to BMD $25,000, imprisonment for up to two years, or both.

  • For Data Controllers and Data Processors: Upon conviction on indictment, entities other than individuals can be fined up to BMD $250,000.

  • If an offense is committed with the consent or connivance of, or is attributable to the neglect of, any director, manager, secretary, or similar officer of a corporate body, that individual, as well as the organization, may be held liable.

  • Orders from the Privacy Commissioner to cease using personal information or to implement corrective measures.

  • Reputational damage for data controllers and data processors failing to comply.


Key Questions for Businesses Preparing for PIPA Compliance: Before concluding,

businesses should consider the following key questions to ensure they are prepared for

PIPA compliance:

  • Do we have a designated Privacy Officer (DPO) with sufficient authority and expertise to oversee compliance with PIPA?

  • Have we conducted a Privacy Impact Assessment (PIA) to identify risks associated with our personal information processing activities?

  • Do we have legally binding contracts in place with data processors that meet PIPA’s requirements, including security measures and breach notification obligations?


Conclusion: Bermuda's PIPA is a robust framework designed to balance data protection rights and responsible personal information use. Data controllers and data processors must take proactive steps to comply, including appointing a DPO, safeguarding personal information, and providing transparent data protection policies. Now that PIPA is in force, data controllers and data processors must prioritize compliance to avoid administrative and/or criminal penalties, and must strive to protect individuals' personal information in compliance with PIPA at all times.


Appendix 1: Bermuda PIPA and European Union General Data Protection Regulation (EU GDPR) Comparative Analysis


Appendix 1 outlines the key differences and similarities between Bermuda's PIPA and the EU GDPR:

| Feature | Bermuda's PIPA | EU GDPR |
|---|---|---|
| Effective Date | January 1, 2025 | May 25, 2018 |
| Supervisory Authority | Office of the Privacy Commissioner | Member-State Data Protection Authorities / Supervisory Authorities |
| Legal Basis for Processing | Consent, Contract, Legal Obligation, Public Interest, Emergency Situations | Consent, Contract, Legal Obligation, Vital Interests, Public Interest, Legitimate Interest |
| Data Protection Officer (DPO) | Required for all data controllers and data processors | Required only for certain data controllers and data processors (public authorities, large-scale regular monitoring, or large-scale processing of special-category data) |
| Cross-Border Data Transfers | Requires adequate protection, contractual mechanisms, code-of-conduct mechanisms, or individual consent | Requires adequacy decisions, SCCs, BCRs, derogations, codes of conduct, or certification mechanisms |
| Individual Rights | Access, Correction, Blocking, Erasure, Objection | Access, Rectification, Erasure / Right to be Forgotten, Restriction, Objection, Data Portability |
| Penalties for Non-Compliance | Up to BMD $250,000 for data controllers and data processors; up to BMD $25,000 and/or two years' imprisonment for individuals | Up to €20 million or 4% of global annual turnover, whichever is higher |

