The Personal Data Protection Act BES (PDPA BES) states that “personal data” means any information relating to an identified or identifiable natural person. This means that information can either be about a person directly or be traceable to a person. Because the definition requires a natural person, data about deceased people or about organizations are not personal data.
There are many types of personal data. Obvious data include a person’s name, address, and place of residence, but also phone numbers and license-plate numbers. Sensitive data such as a person’s race, religion, or health are sometimes referred to as “special personal data.” These enjoy extra legal protection.
Respect for private life is a fundamental right protected under:
These three articles provide that there must be a law for personal data protection so as to safeguard every person’s right to privacy. In the Caribbean Netherlands, this is currently the PDPA BES. Before the introduction of the PDPA BES, Bonaire, Sint Eustatius, and Saba had no general regulations on personal data processing, even though the right to privacy was protected under international treaties.
The term “processing” includes any operations an organization can carry out on personal data, from collecting them to destroying them.
Processing is, therefore, a very broad concept. According to the Personal Data Protection Act BES (PDPA BES), it includes, in any case, the following operations: collecting, recording, organizing, storing, updating, altering, retrieving, consulting, using, transmitting, disseminating, making available, combining, aligning, blocking, erasing, and destroying data.
The Personal Data Protection Act BES (PDPA BES) regulates what can and cannot be done with people’s personal data. It also provides what privacy rights people have when their data are processed by organizations, such as the right to information about the use of their data and the right to demand access to and correction of their data.
The PDPA BES provides that an organization may only process personal data if this is required for a specific purpose and that the organization cannot simply use those data for any other purpose. In addition, organizations have an obligation to properly secure personal data.
Whenever personal data are used, the invasion of a person’s privacy should be as limited as possible. On the other hand, not every instance of personal data processing has to constitute an invasion of privacy. Whether this is the case will depend on the type of data and how the organization uses them.
Special personal data are data about a person’s:
An organization may not use special personal data, unless the law provides an exception for such use.
The data controller is a person or organization that determines the purpose and means of personal data use. The data controller can do so either alone or together with others. This means that the data controller ultimately decides whether an organization will process personal data and, if so:
The data subject is the individual whose personal data are processed by an organization. In other words, it is the person whom the personal data relate to.
A data processor is a person or organization that processes data on behalf of the data controller, such as an administrative office.
A data processor has no independent responsibility for processing the personal data, but it does have a number of derived obligations relating to, among other things, the security and confidentiality of the data.