National Ordinance Personal Data Protection
Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data.
GDPR
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).
- National ordinance personal data protection (Landsverordening bescherming persoonsgegevens, National Gazette 2010, Consolidated text no. 84) “(National Ordinance Personal Data Protection”);
- General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on May 25, 2018 – may have implications for a data controller / data processor as the extra-territorial reach of the GDPR is not only relevant to businesses established in the European Union but also to international businesses established in Curaçao which offer goods or services to individuals in the European Union or monitor their behaviour in the European Union.
Definition of Personal Data
National Ordinance Personal Data Protection
According to the Explanatory Memorandum on the National Ordinance Personal Data Protection the term personal data has a broad meaning. This does not only concern data that can identify a person, but concerns any data that can be associated with a particular person; it is foreseeable that under certain circumstances data can be traced to one person through systematic comparison and lengthy investigations. Personal identifiable confidential data is therefore not only limited to home address, email address, telephone number, membership number and/or identity number.
GDPR
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Definition of Sensitive Personal Data
National Ordinance Personal Data Protection
A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade union.
GDPR
Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
National Ordinance Personal Data Protection
The Personal Data Protection Committee as referred to in article 42 of the National Ordinance Personal Data Protection.
GDPR
An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.
National Ordinance Personal Data Protection
No registration required.
GDPR
Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data processing activities carried out by the company.
National Ordinance Personal Data Protection
Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data.
Besides the measures above, the National Ordinance Personal Data Protection does not contain any clauses on any type of registration, filings of documents to any public agency or having a mandatory data protection officer in place.
GDPR
The appointment of a data protection officer under the GDPR is only mandatory in three situations:
- When the organisation is a public authority or body;
- If the core activities require regular and systematic monitoring of data subjects on a large scale; or
- If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.
National Ordinance Personal Data Protection
Collection: a natural or legal person, public authority, agency or other body which who has control over a person registration.
Processor: a natural or legal person, public authority, agency or other body which who owns all or part of the has equipment in his possession, with which a personal registration of which he is not the holder.
GDPR
Collection: a natural or legal person, public authority, agency or other body that collect personal data and use it for certain purposes, like a website that markets to users based on their online behaviour.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.
National Ordinance Personal Data Protection
Contains no clauses.
GDPR
The GDPR restricts transfers of personal data outside the European Economic Area, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data is protected in another way, or one of a limited number of exceptions applies.
National Ordinance Personal Data Protection
Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data.
GDPR
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).
National Ordinance Personal Data Protection
Contains no specific clauses.
GDPR
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
National Ordinance Personal Data Protection
Pursuant to article 54 the responsible party who acts in contravention of the provisions of or pursuant to Article 4(3) may be penalized by the Curaçao committee of data protection with a financial penalty in the maximum amount of Naf. 10,000.00 (USD. 5,714.29. 2).
GDPR
The GDPR holds a variety of potential penalties for businesses.
For example, article 77 of GDPR states that:
“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating him or her infringes this Regulation.”
Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.”
Penalties
Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve suffered.
Fines
Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover).
Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”
National Ordinance Personal Data Protection
N/A.
GDPR
Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.
Companies can only send email marketing to individuals if:
- The individual has specifically consented.
- They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.
National Ordinance Personal Data Protection
Contains no specific clauses.
GDPR
Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.
Location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.
If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc. are not known.