The Data Protection DPA Enters into Force in the BVI

In April 2021, the British Virgin Islands (BVI) government passed the Data Protection Act (DPA).   The DPA became effective 9 July 2021.  (Though BVI is a United Kingdom territory, it is not subject to Europe’s General Data Protection Regulation [GDPR]).  
The DPA’s main goals:

•    protect the personal data that public and private bodies process.   

•    boost personal data processing transparency and accountability.  

Essentially, the DPA applies to any person or entity that processes, authorises, or administers personal data regarding commercial transactions, so long as that person is either:

•    situated in the BVI and processes personal data or employs or otherwise engages another individual to process personal data for them, on their behalf, regardless of whether such is for their business’ purposes.   

•    located outside the BVI, but uses BVI devices for processing personal data (other than for transit through BVI).

DPA Main Definitions and Provisions

The DPA’s main definitions and provisions are as follows:

•    A data controller is a person who directly processes and maintains or engages others to process or maintain control over the processing of personal data.  

•    A data processor is a person who processes data for a data controller, but is not the data controller’s employee.  

•    A data controller may process “adequate but not excessive” quantities of personal data, only when such relates to a data controller’s activities and when such is for a lawful purpose, and only with the individual’s direct consent.  

•    If processing is required to prepare a performance contract, to carry out legal duties, for the administration of justice, or to protect an individual’s essential interests, express consent is not required.


•    Data controllers must take “practical steps” to validate the accuracy of the personal data they process, make sure it is current, retain it, and protect it.  And, when the personal data is no longer necessary, they must then delete the personal data.  

•    Data controllers may only process personal data outside BVI when sufficient safeguards exist or if the individual consents.   

•    Unless an individual provides consent or a law requires disclosure, a data controller shall not process “sensitive personal data.” Such includes an individual’s mental and physical health, political beliefs, religious views, and sexual orientation.  

•    Individuals may gain access to and correct their personal information, revoke their permission to process their data, and refuse direct marketing contacts.

•    The Office of the Information Commissioner can fine business DPA violators up to $500,000 and also imprison individual offenders.   

Steps for BVI Individuals and Entities

BVI individuals and entities that are not data controllers or data processors need not take any further steps.  Those that are should:

•    Gather consents.
•    Draft privacy notices.
•    Obtain third-party  data processor approvals.

The DPA contains other important rules, regulations, and definitions.  If you are a BVI data controller or data processor, it is important that you seek expert advice in order to clearly understand and comply with the DPA.  


CCP Financial Consultants Limited


CCP Financial Consultants Limited (CCP) is a BVI based, multidisciplinary financial services firm dedicated to providing premium financial solutions to clients around the world.  It understands BVI’s rules and regulations and its government structure, so it can help your business navigate them when you do business in the BVI.   


CCP also offers Company Management, BVI Licenced Insolvency Services, BVI Voluntary Liquidation Services, Accounting Service in BVI, Bank Account Opening Service in BVI, Company Incorporation Service in BVI, Company Formation in BVI, BVI Registered Agent, BVI Offshore Company, Ship registration in BVI, and Economic Substance Services.  

Please visit the website and if required you can schedule a consultation for more information.