Transfer of personal data is unlawful unless certain conditions are satisfied. Where the data subject has given their consent to the transfer of their personal data, the restrictions on the transfer of the data do not apply. The Act also sets out various other exemptions for the restrictions where transfer of the personal data is necessary e.g. for the performance of a contract between the data subject and the data controller, reasons of substantial public interest, for the purpose of obtaining legal advice, etc. 

Personal data obtained must not be transferred to a country or territory outside Barbados unless that country or territory provides for (a) an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data and (b) appropriate safeguards on condition that the rights of the data subject are enforceable and there are available, effective legal remedies for data subjects. 

The circumstances for determining an adequate level of protection as well as methods for providing appropriate safeguards including the development of binding corporate rules must submitted to the Commissioner for authorisation. 

The "binding corporate rules" must specify (but not limited to) the following: 

• the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
• the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
• their legally binding nature, both in and outside of Barbados.