The personal data landscape in the Dutch Caribbean has changed recently, due to the new General Data Protection Regulation (GDPR), a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU. It also addresses the export of personal data outside the EU. The GDPR aims to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The GDPR, which is applicable as of May 25th, affects the different jurisdictions in the Dutch Caribbean, such as Curaçao. The GDPR does not have direct effect in Curaçao. However, it may have consequences for organizations in Curaçao. Firstly, the GDPR sets conditions for the transfer of personal data from the EU to countries outside the EU, such as Curaçao. Structural transfer of personal data is permitted if the organizations established in Curaçao can offer “appropriate guarantees”, or if “binding company regulations” are used. These are, respectively, contractual rules and internal guidelines that basically enforce the rights of those involved and the duties of those responsible and of processors (similar to the GDPR).

Incidental transfer of personal data is possible, but requires the express consent of the parties involved. In addition, they must have been informed about the risks associated with the transfer. The second category of data processing to which the GDPR applies is data processing by organizations located in Curaçao that is related to (i) the provision of goods and services to those in the EU or (ii) the monitoring of their behavior, insofar as this behavior takes place in the EU. In this category, the GDPR applies in principle in full.

Curaçao also has its own regulation in place, in the form of the Privacy Ordinance, which deals with personal data protection. There are differences, however, between the ordinance and the GDPR, for example with respect to the consequences of noncompliance, for which the GDPR provides severe (financial) penalties.