Personal Data

The Personal Data Protection Act BES(PDPA BES) states that “personal data” means any information relating to an identified or identifiable natural person. This means that information can either be about a person directly or be traceable to a person. That it should be a natural person means that data of deceased people or of organizations are not personal data.

Examples of Personal Data

There are many types of personal data. Obvious data include a person’s name, address, and place of residence, but also phone numbers and license-plate numbers. Sensitive data such as a person’s race, religion, or health are sometimes referred to as “special personal data.” These enjoy extra legal protection.

Personal Data Protection

Respect for private life is a fundamental right protected under:

• Article 10, paragraph 1, of the Constitution;
• Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR);
• Article 17 of the International Covenant on Civil and Political Rights (ICCPR).

These three articles provide that there must be a law for personal data protection so as to safeguard every person’s right to privacy. In the Caribbean Netherlands, this is currently the PDPA BES. Before the introduction of the PDPA BES, Bonaire, Sint Eustatius, and Saba had no general regulations on personal data processing, even though the right to privacy was protected under international treaties.

What exactly is personal data processing?

The term “processing” includes any operations an organization can carry out on personal data, from collecting them to destroying them.
Processing is, therefore, a very broad concept. According to the Personal Data Protection Act BES(PDPA BES), it includes, in any case, the following operations: collecting, recording, organizing, storing, updating, altering, retrieving, consulting, using, transmitting, disseminating, making available, combining, aligning, blocking, erasing, and destroying data.

What does the Personal Data Protection Act BES regulate?

The Personal Data Protection Act BES (PDPA BES) regulates what can and cannot be done with people’s personal data. It also provides what privacy rights people have when their data are processed by organizations, such as the right to information about the use of their data and the right to demand access to and correction of their data.

The PDPA BES provides that an organization may only process personal data if this is required for a specific purpose and that the organization cannot simply use those data for any other purpose. In addition, organizations have an obligation to properly secure personal data.

Whenever personal data are used, the invasion of a person’s privacy should be as limited as possible. On the other hand, not every instance of personal data processing has to constitute an invasion of privacy. Whether this is the case will depend on the type of data and how the organization uses them.

What special personal data are there?

Special personal data are data about a person’s:

• religious or philosophical beliefs;
• race;
• political opinions;
• health;
• sex life;
• trade-union membership;
• criminal record.

An organization may not use special personal data, unless the law provides an exception for such use.

Who is the data controller and who is the data subject in personal data processing?

The data controller is a person or organization that determines the purpose and means of personal data use. The data controller can do so either alone or together with others. This means that the data controller ultimately decides whether an organization will process personal data and, if so:

• What sort of processing will be applied;
• What personal data will be processed by the organization;
• For what purpose the organization will do so;
• How the organization will do so.

The data subject is the individual whose personal data are processed by an organization. In other words, it is the person whom the personal data relate to.

Who is the data processor in personal data processing?

A data processor is a person or organization that processes data on behalf of the data controller, such as an administrative office.

A data processor has no independent responsibility for processing the personal data. But a data processor does have a number of derived obligations, relating to, among other things, the security and confidentiality of the data.