The General Data Protection Regulation 2016/679, or “GDPR”, is a set of EU regulations aimed at the protection of personal data and privacy of natural persons (not corporations) based within the EU. The GDPR has extraterritorial effect in that it applies to the processing of personal data of persons who are situated in the EU by a controller or processor (such as a captive or insurance manager) not established in the EU where the processing activities are related to the offering of goods or services, or the monitoring of the data subject’s behavior within the EU.
Does the GDPR apply to Cayman captives and insurance managers?
Yes, possibly. However, it’s not very common to find Cayman captives and insurance managers who are in scope for GDPR purposes because, firstly, the vast majority of Cayman’s captive insurance business originates from the USA. As a result, it’s not often that a Cayman captive or insurance manager will find themselves controlling or processing the personal data of any natural person situated within the EU. Secondly, it’s not often that a Cayman captive or insurance manager could be said to be processing the personal data of a natural person situated within the EU in relation to the offering of goods or services or the monitoring of that person’s behaviour, though this may occur from time to time. An example of which might be where personal data of an EU based insured is processed by the captive or the manager in relation to certain travel, health or life insurance policies.
What is the Cayman Islands’ position on the protection of personal data and privacy?
Cayman has sensibly decided to follow suit with the EU and numerous other jurisdictions around the world by enacting its own data protection regime, largely in line with the data protection principles set out in the GDPR. The Cayman Islands Data Protection Law (DPL), 2017 came into force on 30 September, 2019 and serves to address the genuine need for protection of personal data within the Cayman Islands, and also to meet international standards on data protection in an effort not to impede the transfer of personal data between Cayman and other jurisdictions for legitimate purposes. The DPL will affect any individual or organisation established in Cayman which processes personal data, even where that data is being processed outside of Cayman.