DLA Piper Intelligence

Data Protection
Laws of the World

Last modified 21 Dec 2021
Law
Curaçao
  • National ordinance personal data protection (Landsverordening bescherming persoonsgegevens, National Gazette 2010, Consolidated text no. 84) (“National Ordinance Personal Data Protection”);
  • General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on May 25, 2018 – may have implications for a data controller / data processor as the extra-territorial reach of the GDPR is not only relevant to businesses established in the European Union but also to international businesses established in Curaçao which offer goods or services to individuals in the European Union or monitor their behaviour in the European Union.
Definitions

Definition of Personal Data

National Ordinance Personal Data Protection 

According to the Explanatory Memorandum on the National Ordinance Personal Data Protection, the term personal data has a broad meaning. It covers not only data that can identify a person, but any data that can be associated with a particular person; it is foreseeable that under certain circumstances data can be traced to one person through systematic comparison and lengthy investigations. Personally identifiable confidential data is therefore not limited to home address, email address, telephone number, membership number and/or identity number.

GDPR 

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of Sensitive Personal Data

National Ordinance Personal Data Protection 

A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade union.

GDPR 

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

Authority

National Ordinance Personal Data Protection 

The Personal Data Protection Committee as referred to in article 42 of the National Ordinance Personal Data Protection. 

GDPR 

An independent public authority established by a Member State pursuant to article 51 of the GDPR (Article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.

Registration

National Ordinance Personal Data Protection 

No registration required. 

GDPR 

Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data processing activities carried out by the company.

Data Protection Officers

National Ordinance Personal Data Protection 

Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data. 

Besides the measures above, the National Ordinance Personal Data Protection does not contain any clauses on any type of registration, filings of documents to any public agency or having a mandatory data protection officer in place. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

  • When the organisation is a public authority or body;
  • If the core activities require regular and systematic monitoring of data subjects on a large scale; or
  • If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.
Collection & Processing

National Ordinance Personal Data Protection 

Collection: a natural or legal person, public authority, agency or other body which has control over a personal registration.

Processor: a natural or legal person, public authority, agency or other body which has in his possession all or part of the equipment used for a personal registration of which he is not the holder.

GDPR 

Collection: a natural or legal person, public authority, agency or other body that collects personal data and uses it for certain purposes, like a website that markets to users based on their online behaviour.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.

Transfer

National Ordinance Personal Data Protection 

Contains no clauses. 

GDPR 

The GDPR restricts transfers of personal data outside the European Economic Area, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.

Security

National Ordinance Personal Data Protection 

Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data. 

GDPR 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).

Breach Notification

National Ordinance Personal Data Protection 

Contains no specific clauses. 

GDPR 

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Enforcement

National Ordinance Personal Data Protection 

Pursuant to article 54, the responsible party who acts in contravention of the provisions of or pursuant to Article 4(3) may be penalized by the Curaçao committee of data protection with a financial penalty in the maximum amount of Naf. 10,000.00 (USD 5,714.29).

GDPR 

The GDPR holds a variety of potential penalties for businesses. 

For example, article 77 of GDPR states that: 

“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.”

Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.” 

Penalties 

Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve suffered. 

Fines 

Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover). 

Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”

Electronic Marketing

National Ordinance Personal Data Protection 

N/A. 

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

  • The individual has specifically consented.
  • They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.
Online Privacy

National Ordinance Personal Data Protection

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest. 

Location data: the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc. are not known. 

Contacts
Maarten Willems
Senior Associate
HBN Law & Tax
T +297 588 6060
Misha Bemer
Partner
HBN Law & Tax
T +297 588 6060