Law: National Ordinance of May 19, 2011 Laying Down New Rules for the Protection of Privacy in Connection with the Recording and Dissemination of Personal Data (only available in Dutch here) (the Ordinance)

Regulator: There is no general data protection authority.

Summary: Aruba is yet to establish a general data protection law and there is no bespoke regulator for personal data protection. However, on May 19, 2011, the National Ordinance Laying Down New Rules for the Protection of Privacy in Connection with the Recording and Dissemination of Personal Data (only available in Dutch here) (the Ordinance) was introduced. The Ordinance establishes rules and procedures for data subject rights, and the Minister of Justice and Security is responsible for oversight of the Ordinance.

In addition, the Netherlands Antilles and the Aruba Civil Code (only available in Dutch here) outlines a duty of confidentiality for all contracts between a bank and its customers and requires that information about a customer cannot be disclosed without the customer's consent. Furthermore, the Financial Intelligence Unit of Aruba is responsible for overseeing compliance with Aruba's financial sector privacy related laws including State Ordinance for the Prevention and Combating of Money Laundering and Terrorist Financing (including AB 2019 no. 26).

Notably, there are no provisions concerning data breach notifications nor is there a requirement to register with an authority in Aruba. Although, any international business established in Aruba and processing personal data or monitoring individuals within the EU will be subject to the GDPR.