Law: Data Protection Act 2011 (the Act) and the Data Protection (Amendment) Act 2014 (the Amendment Act)

Regulator: The Data Protection Commissioner

Summary: The regulatory framework for data protection in Saint Lucia is established by the Data Protection Act 2011 (the Act) and the Data Protection (Amendment) Act 2014 (the Amendment Act).

The Act establishes data protection principles that provide a comprehensive basis for the collection, processing, and use of personal data. The Act provides for obligations for data controllers, such as data processing notifications and detailed rights of access processes. In addition, the Act established the Data Protection Commissioner (the Commissioner) and provides it with a wide range of powers, particularly in relation to investigations. The Amendment Act mostly implemented technical changes, however, it also introduced privacy impact assessments, the exercise of which may be requested from a government department by the Commissioner, and provided further protections for those who notify the Commissioner of possible violations of the Act.

In case of contraventions of the Act, the Commissioner may serve an enforcement notice to a data controller requiring to take steps to rectify the contravention within a timeframe of no less than 30 days. Failure to comply with an enforcement notice constitutes an offense that may lead to a fine of up to $25,000 and/or to a term of imprisonment not exceeding six months.