
Data Protection Law for Insolvency Practitioners (“IPs”)

This article considers what an IP’s role is in respect of the recently enacted Data Protection Law, 2017 (“DPL”) and some practical considerations for IPs in the Cayman Islands when faced with managing personal data.

The DPL came into effect as of 30 September 2019. The Office of the Ombudsman is Cayman’s supervisory authority for data protection. The DPL applies to personal data processed by “data controllers” and “data processors”. Cayman financial sector entities established in the Cayman Islands will generally be considered “data controllers”, “data processors” or both. The DPL also applies to “processing” carried out by data controllers established within the Cayman Islands and to data controllers outside of the Cayman Islands that process personal data within the Cayman Islands. The DPL does not carve out or exempt companies facing financial difficulties or in formal insolvency proceedings. As a result, the DPL applies to insolvent companies and to any appointment taker, such as an IP, in formal insolvency proceedings.

Definitions under the DPL

The first step in ascertaining whether or not the DPL is applicable to an IP is to establish if the IP is a data controller or a data processor.

  • A “data controller” is the person who alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be processed.
  • A “person” includes any corporation, either aggregate or sole, and any club, society, association, public authority or other body, of one or more persons.
  • A “data processor” is any person which processes personal data on behalf of a data controller but does not include an employee of the data controller.
  • The term “personal data” means data relating to an identifiable living individual referred to as a “data subject”. The data subject does not need to be in the Cayman Islands.
  • The term “processing”, in relation to data, means obtaining, recording or holding data or carrying out any operation or set of operations on personal data.
  • The term “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.

Under the DPL, the data controller is responsible for ensuring that the eight data protection principles are complied with.




Paul Smith
Partner and Commercial Litigation Advocate

Bermuda   +1 345 925 1881

Róisín Liddy-Murphy

Cayman Islands   +1 345 814 7371
