<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

    Jamaica Data Protection Act 2020

    Jamaica's data privacy law.

    Book a Demo
    Back to regulations

    What is the Jamaica Data Protection Act 2020?

    The Jamaica Data Protection Act (DPA) 2020 is Jamaica’s data privacy law, passed in June 2020, and effective as of December 1, 2021. 

    It bears many similarities to other privacy laws, notable among them the GDPR, establishing compliance standards for  the collection, processing, storage, and sharing of personal data to ensure that Jamaican individuals' information is handled lawfully and securely.

     

    How does the Jamaica Data Protection Act 2020 define Personal Information and what are other key definitions?

    Under Jamaica’s DPA 2020 “personal data” is defined as “information relating to

    • a living individual; or
    • an individual who has been deceased for less than thirty years,"

    who can be identified from that information alone or from that information and other information that is either already in the possession of the data controller or is likely to come into the possession of the data controller. Personal data includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual.”

     

    ‘Sensitive personal data’ is here understood to mean “personal data consisting of any of the following information in respect of a data subject: genetic data or biometric data; filiation, or racial or ethnic origin; political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature; membership in any trade union; physical or mental health or condition; sex life; the alleged commission of any offense by the data subject or any proceedings for any offense alleged to have been committed by the data subject.”

    When referring to ‘biometric data’ Jamaica’s privacy law defines this as “any information relating to the physical, physiological or behavioral characteristics of that individual, which allows for the unique identification of the individual, and includes physical characteristics such as the photograph or other facial image, finger print, palm print, toe print, foot print, iris scan, retina scan, blood type, height, vein pattern, or eye color, of the individual, or such other biological attribute of the individual as may be prescribed; and behavioral characteristics such as a person’s gait, signature, keystrokes or voice.” There are no exclusions listed in the text of the law as regards biometric data.

    Same as with the GDPR, an individual is here called a ‘data subject’ and defined as “a named or otherwise identifiable individual who is the subject of personal data, and in determining whether an individual is identifiable account shall be taken of all means used or reasonably likely to be used by the data controller or any other person to identify the individual, such as reference to an identification number or other identifying characteristics (whether physical, social or otherwise) which are reasonably likely to lead to the identification of the individual.”

    Rather than defining what a ‘child’ is, Jamaica’s DPA offers a definition for ‘minor,’ namely “an individual under the age of eighteen years,” and a rather lengthy definition for ‘data controller,’ understood to mean “any person; or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data are processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for the purposes of this Act a data controller.”

    Last but not least, a ‘data processor’ is “any person, other than an employee of the data controller,who processes the data on behalf of the data controller.”

    There is no definition in the text of the law for the sale of personal data. 

     

    Who does the Jamaica Data Protection Act 2020 apply to?

    The Jamaica Data Protection Act 2020 applies to any data controller who

    • is established in Jamaica or in any place where Jamaican law applies by virtue of international public law, and the personal data are processed in the context of that establishment;
    • is not established in Jamaica but uses equipment over there for processing personal data other than for transit through the country, in which case the data controller is required to appoint a representative established in Jamaica;
    • processes the personal data of data subjects located in Jamaica, and the personal data processing relates to the offering of products or services to Jamaican residents, regardless of whether data subjects pay for services and products, or to the monitoring of data subjects behavior within Jamaica.

    Talk to one of our experts today about your compliance needs! Speak to an Expert →

    Who does the Jamaica Data Protection Act 2020 exempt?

    Part V of DPA 2020 lists out the exemptions of the DPA as follows: 

    • Personal data processed for purposes of national security;
    • Personal data processed for any of the following purposes
      • the prevention, detection, or investigation of crime;
      • the apprehension or prosecution of offenders; or
      • the assessment or collection of any tax or duty or of any imposition of a similar nature.
    • Personal data processed for purposes of regulatory activity;
    • Personal data processed for journalism, literature, and art;
    • Personal data processed for research, history, and statistics
    • Personal data made publicly available under the law;
    • Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) 
    • Personal data for which an exemption is required in order to avoid the infringement of the privileges of either House of Parliament.
    • Miscellaneous exemptions as set out in the Second Schedule.

    The Complete Guide to DSRs

    Get Yours Today
    6-things-to-know-about-data-subject-access-requests
    What are the requirements for businesses under the Jamaica Data Protection Act 2020?

    Jamaica’s privacy act mandates the same processor obligations as other laws, namely assisting the data controller with meeting its obligations under Jamaican law and having in place a contract that governs any data processing done on behalf of the controller. 

    As regards controller obligations, the DPA 2020 mandates the following: 

    • Data controllers must not use personal data for direct marketing unless the individual has given their consent or is already a customer of the controller;
    • Data controllers have to register with the Information Commissioner, providing the following information:
      • Contact Details: The name, address, and contact information of the data controller.
      • Representative Information: If there is a data controller representative, their name, address, and contact details.
      • Data Protection Officer: The name, address, and contact details of the appointed data protection officer.
      • Data Description: A description of the personal data being processed and the types of individuals (data subjects) to whom the data relates.
      • Processing Purpose: The reasons why the personal data is being processed.
      • Recipients: Information about any recipients to whom the data may be disclosed.
      • International Transfers: Names of any countries outside Jamaica to which the data may be transferred.
      • Public Authority Statement: A statement if the data controller is a public authority.
      • Additional Information: Any other information required by the Commissioner.
      • Fees: Payment of any registration fees.
    • Data controllers have to appoint a Data Protection Officer (DPO) if they are a public authority, if they process sensitive data or criminal conviction data, if they handle personal data on a large scale, or if they fall into a category specified by the Commissioner. The DPO  is responsible for independently monitoring compliance with the Jamaica DPA 2020.
    • Data controllers have to respect the eight data protection standards set by Jamaica’s privacy law: 
      • Fair and Lawful Processing: Personal data must be processed fairly and lawfully.
      • Specified Purposes: Data should be collected only for specified and lawful purposes and not processed in ways incompatible with those purposes.
      • Adequate and Relevant Data: Data should be adequate, relevant, and limited to what is necessary for its purposes.
      • Accuracy: Data should be accurate and kept up to date.
      • Retention: Data should not be kept longer than necessary.
      • Rights of Data Subjects: Data processing should respect the rights of data subjects.
      • Security Measures: Appropriate technical and organizational measures should be taken to protect data from unauthorized processing, loss, or damage. Any security breaches must be reported to the Commissioner without undue delay.
      • International Transfers: Data should not be transferred to a country outside Jamaica unless that country ensures adequate protection for the data subjects' rights.
    • Data controllers have an obligation to conduct and submit a Data Protection Impact Assessment (DPIA) each calendar year, within ninety days after the end of the calendar year, in the prescribed form. The assessment should include the following details:
      • A detailed description of the data processing activities and purposes.
      • An evaluation of the necessity and proportionality of the processing.
      • An assessment of risks to data subjects’ rights and freedoms.
      • Measures to address risks, including safeguards and security measures to protect personal data and ensure compliance with the Act.
    • In the event of a data breach, data controllers have to notify the Information Commissioner no later than 72 hours. 

    Jamaica Data Protection Act 2020 compliance: 

    See how Clym can help you

    Book a Demo

    What are the consumer rights under the Jamaica Data Protection Act 2020?

    The Jamaica Data Protection Act 2020 gives data subjects the following rights: 

    • The right to access their personal data.
    • The right to object to processing: “an individual is entitled at any time, by notice in writing to the data controller, to require the data controller within a period which is reasonable in the circumstances, to cease; or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which the individual is the data subject, if the following apply: 
      • the processing of the personal data, or the processing of the personal data for that purpose or in that manner, is causing or is likely to cause, substantial damage or substantial distress to the data subject or to another, and that the damage or distress caused or likely to be caused (as the case may be) is unwarranted;
      • the personal data is incomplete, or irrelevant, having regard to the purpose of the processing;
      • the processing of the personal data, or the processing of the personal data for that purpose or in that manner, is prohibited under any law; or
      • the personal data has been retained by the data controller for longer than the period of time for which it may be retained by the data controller under any law.”
    • The right to object to automatic decision making: “An individual is entitled at any time, by notice in writing to the data controller, to require the data controller to ensure that no decision to which this section applies is based solely on the processing, by automatic means, of personal data in respect of the data subject for the purpose of evaluating matters relating to the data subject (for example, the individual’s performance at work, creditworthiness, reliability, or conduct).”
    • The right to correct personal data.
    • The right to delete personal data.

     

    How to respond to consumer requests under the Jamaica Data Protection Act 2020?

    Data controllers have to respond to data subject requests no later than 30 days after receiving the request and there is no possibility of an extension mentioned by the text of the law. Information provided in response to a data subject request has to be provided free of charge, in an intelligible form, and if requested, data can be transmitted to another controller in a structured, commonly used, and machine-readable format. In such cases controllers may charge a prescribed fee for this service.

    Before responding to a data subject request, controllers have to verify the identity of the requester. If further information is needed to verify the identity of the requester or to locate the data, the controller is not obliged to comply with the request until this information is provided. If complying with a request would involve disclosing data about another individual, the controller must either obtain consent from the other individual or ensure it is reasonable to comply without their consent.

    In cases where a data subject is not satisfied with the response received to a data subject request, they can appeal this with the Information Commissioner. 

    Manage Your DSARs Easily!

    Here's How
    data subject access request clym

    Jamaica Data Protection Act 2020 enforcement and penalties

    The Jamaica Data Protection Act 2020 is enforced by the Office of the Information Commissioner, who can issue notices for compliance, can conduct assessments and inspections, and impose penalties for non-compliance which may consist of fines or imprisonment. 

    Penalties range between 2 million JMD (approx. 12,800 $) and 5 million JMD (approx. 32,000$) and imprisonment between 6 months and 10 years for individuals. In the case of corporate bodies or directors, violations of the DPA 2020 can result in “a fine not exceeding four percent of the annual gross worldwide turnover of that body corporate for the preceding year of assessment in accordance with the Income Tax Act.”

     

    Data Subject Rights - GDPR vs. Jamaica Data Protection Act 2020

     

    How can Clym help?

    Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

    • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
    • Seamless integration into your website;
    • Adaptability to your users’ location and applicable regulation;
    • Customizable branding;
    • ReadyCompliance™: Covering 50+ data privacy regulations;
    • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

    You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

     

    See Clym in action today!

    Book a free demo

    FAQs about the Jamaica Data Protection Act 2020

    What does the Jamaica Data Protection Act 2020 apply to?

    The Jamaica Data Protection Act 2020 applies to any data controller who

    • is established in Jamaica or in any place where Jamaican law applies by virtue of international public law, and the personal data are processed in the context of that establishment;
    • is not established in Jamaica but uses equipment over there for processing personal data other than for transit through the country, in which case the data controller is required to appoint a representative established in Jamaica;
    • processes the personal data of data subjects located in Jamaica, and the personal data processing relates to the offering of products or services to Jamaican residents, regardless of whether data subjects pay for services and products, or to the monitoring of data subjects behavior within Jamaica.
    What is exempt under Jamaica's Data Protection Act?

    Jamaica's Data Protection Act exempts the following:

    • Personal data processed for purposes of national security;
    • Personal data processed for any of the following purposes
      • the prevention, detection, or investigation of crime;
      • the apprehension or prosecution of offenders; or
      • the assessment or collection of any tax or duty or of any imposition of a similar nature.
    • Personal data processed for purposes of regulatory activity;
    • Personal data processed for journalism, literature, and art;
    • Personal data processed for research, history, and statistics
    • Personal data made publicly available under the law;
    • Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) 
    • Personal data for which an exemption is required in order to avoid the infringement of the privileges of either House of Parliament.
    • Miscellaneous exemptions as set out in the Second Schedule.
    What data subject rights does the Jamaica Data Protection Act 2020 grant?

    The Data Protection Act of Jamaica gives data subjects the following rights: 

    • The right to access;
    • The right to object to processing; 
    • The right to object to automatic decision making;
    • The right to correct personal data;
    • The right to delete personal data.



    •  
    What are the penalties for non-compliance with Jamaica's Data Protection Act?

    Violations of the Data Protec tion Act 2020 of Jamaica  range between 2 million JMD (approx. 12,800 $) and 5 million JMD (approx. 32,000$) and imprisonment between 6 months and 10 years for individuals. In the case of corporate bodies or directors, violations of the DPA 2020 can result in “a fine not exceeding four percent of the annual gross worldwide turnover of that body corporate for the preceding year of assessment in accordance with the Income Tax Act.”




    Table of contents
    illustration of means of contact

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596