A “personal data breach” is defined by the Data Protection Authority as a security breach resulting in accidental or unlawful destruction, loss, alteration, disclosure or accidental or unlawful access to personal data transmitted, stored or otherwise processed (Section 2 of the DPA). Article 6(1) of the GDPR states: “This Law applies to a controller with regard to personal data only if: Personal data: data relating to a living person who can be identified and contains data such as (Section 2 of the DPA): the Ombudsman is also responsible for the performance of all data protection functions (relating to the protection of natural persons). with regard to the processing of personal data), those of the regulations enabling the Cayman Islands to fulfil their international obligations (§ 37 paragraph 2 DPA). Controller: The person who, alone or jointly with others, determines the purposes, conditions and manner in which personal data are or are to be processed, and to whom a local representative belongs (section 2 of the DPA). Appropriate technical and organisational measures must be taken against the unauthorised or unlawful processing of personal data and against the accidental loss, destruction or damage of personal data. Requests for consent must be clearly visible, concise, distinct from other terms and conditions, and easy to understand. The Data Controller`s Guide also recommends keeping records as evidence of consent and establishing mechanisms for data subjects to withdraw their consent at any time. The Electronic Communications Act defines a personal data breach as any breach of security that results in the unauthorised destruction, loss, alteration or dissemination, is accidental or illegal, or access to personal data transmitted, stored or processed in connection with the provision of a publicly available electronic communications service. Personal data must be processed in good faith and only on the basis of a legitimate purpose or in accordance with Annex 2 of the DPA under the following conditions: the information provided by the controller through the communication, with the exception of the general description of the measures taken to ensure the security of personal data, are published by the Office of the Commissioner in the electronic register of controllers, which is available to the public on the official website. In addition, other countries and territories may be considered appropriate based on a number of factors, including the data protection laws applicable in that country or territory and the international data protection obligations of those countries or territories. The controller shall be required to take these considerations into account when determining whether a country or territory complies with the eighth principle of data protection and shall be held responsible for that determination in this regard. In order to exercise the right of access, the data subject must submit a written request for access by the data subject to a controller, and a data controller is not obliged to respond to a request for access, unless the request is made in writing (Article 8(4) OF THE FADP). In certain circumstances, a controller is also entitled to charge a fee for the processing of a request for information from a data subject (Art.
8 para. 1 DSG). However, if the entrepreneur has proved to the AEPC that he has taken the necessary technical protection measures and that these measures have been applied to the relevant data, the entrepreneur is not obliged to inform the participant or the person of the personal data breach. These technological safeguards ensure that personal data becomes unreadable to anyone who does not have authorized access to the data. In addition, in the event of a personal data breach, the trader providing publicly available electronic communications services shall immediately inform the Electronic and Postal Communications Authority (“AEPC”). If the personal data breach may affect the personal data and privacy of the subscriber or person, the entrepreneur will also inform the designated subscriber or that person without undue delay. Personal data must be accurate and, if necessary, kept up to date. The circumstances that generally lead to such a legal basis exist when personal data (health data) are to be processed for medical purposes (emergency medical care), but the data subject (data subject) is unable to give consent to the processing.
In such cases, the processing consists of sensitive personal data and it is therefore necessary to identify a processing condition in accordance with Annex 3. Graham is an experienced and high-performing business lawyer with extensive experience as General Counsel, covering advising global and technology start-up companies on EU/EEA (GDPR), UK (DPA), US (State-specific Privacy Shield) data protection issues, Canada (PIPEDA) and overseas data protection.