Mobile Menu

Data Protection Act Enters Into Force in the BVI

On 9 July 2021, the Data Protection Act, 2021 (the DPA) came into force in the British Virgin Islands (the BVI). The DPA applies to all BVI companies, limited partnerships and other entities that process, have control over or authorise, the processing of, personal data anywhere in the world (such an entity, a “data controller”). It also applies to non-BVI entities that use equipment in the BVI for processing personal data otherwise than for the purposes of transit of data through the BVI.

1. Practical impact

  • BVI entities that are not data controllers do not need to take any action.
  • BVI entities that are data controllers need to take certain limited steps – such as preparing a privacy notice, obtaining consents and getting third party data processor confirmations.
  • As the DPA is similar to the GDPR, the practical implications should be minimal for groups that are already familiar with GDPR compliance.

2. Data protection principles

Data controllers must now comply with the data protection principles set out in the DPA including:

  • not processing personal data except with the express consent of the data subject (being the natural person, whether living or deceased, whose data is being processed) or where it is necessary for certain specified reasons, such as the performance of a contract to which the data subject is a party. Additional conditions apply in respect of “sensitive personal data” (examples of which include political opinions, religious beliefs, health, sexual orientation and offences). However, processing will be permitted if it is for a lawful purpose directly related to an activity of the data controller, the processing is necessary for, or directly related to that purpose and the personal data are adequate but not excessive in relation to that purpose. Personal data must not be transferred outside the BVI unless there is proof of adequate protection safeguards or consent from the data subject;
  • informing a data subject of the purposes for processing, the source of the personal data, the rights to request access to and correction of personal data, the class of third parties to whom the personal data will be disclosed, whether the data subject is obliged to supply the personal data and the consequences of non-compliance;
  • taking practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction; and
  • giving data subjects the right to request access to their personal data and correction of that data where they are inaccurate, incomplete, misleading or not up-to-date.

For the purposes of the DPA, “personal data” means any information in respect of commercial transactions1 that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.


To continue reading full articles in PDF format:
Data Protection Act Enters Into Force in the BVI


Robert J.D. Briant
Partner, Head of BVI Corporate

British Virgin Islands   +1 284 852 1100

Anton Goldstein

British Virgin Islands   +1 284 852 1119

Audrey M. Robertson

British Virgin Islands   +1 284 852 1111

1 These are defined as “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance”.


"I enjoy working with them - they are very dependable, reliable and responsive."
- Chambers Global