Law: Data Protection (Privacy of Personal Information) Act 2003 (the Act)

Regulator: Office of the Data Protection Commissioner (the Commissioner)

Summary: The Data Protection (Privacy of Personal Information) Act 2003 (the Act) which entered into effect on April 2, 2007, addresses certain essential data protection elements, including data subject rights, restrictions on the transfers of personal data, direct marketing, as well as legal bases for processing.

The Act is based around eight principles, which cover data collection, accuracy, processing purposes, disclosure, retention, security measures, and the right of access and erasure. The Act also places a duty of care on data controllers to inform data subjects in regard to their personal data. The Office of the Data Protection Commissioner (the Commissioner), established under the Act, has various powers such as the capacity to prohibit the transfer of personal data outside the Bahamas under specific circumstances and the power to require information.

The Commissioner has published several informational brochures, the Guide for Data Controllers and other material to assist with compliance.