Caribbean Credit Bureau

Highlights Privacy Acts

 

Highlights Curaçao and the BES Islands 

Whereas Privacy Acts are currently becoming part of the local laws in Curaçao and the BES Islands (Bonaire, Sint Eustatius en Saba), and are largely based on the principles in the laws of the Netherlands, such laws have already been adopted in the Netherlands many years ago and generally follow the principles established in the EU Privacy Directive of 1995 (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data). 

Personal data encompasses all information that (could) disclose information directly tied to a natural person (“consumer”, or “data subject”). Such as the person’s characteristics, opinions or (payment) behavior.  To evaluate whether data is “Personal Data”, the extent to which such data could be a factor in the way the person would be judged or treated in the community must be considered. Because the data that is stored by a credit bureau, such as CCB, could cause certain judgments about the consumer, they must adhere to the local Privacy Acts while storing and processing personal data that is submitted by its members, being then credit issuing institutions subscribing to the services of CCB. 

In accordance with the Privacy Acts, the confidentiality and specified and limited distribution of the personal data must ensured.

The local Privacy Acts in Curaçao and the BES islands form the legal framework in which CCB operates.  The Privacy Acts stipulate the boundaries within which the personal data which are submitted by the members are allowed to be stored, processed and shared.  In addition, as part of the registration process, security protocols, the general terms and conditions and the credit application procedures, as well as requirements of the local banking laws (for the bank members) must be complied with. 

Bonaire, Sint Eustatius en Saba (“BES”)

Since October 10, 2010, the constitution of the Netherlands applies directly to the BES Islands. Article 10 of the constitution states that every individual has the right of respect with regards to his/her privacy (sub 1) an that laws shall provide protection to safeguard such privacy in connection to the registration and distribution of personal data (sub 2). Such rules have come into effect in Bonaire, Sint Eustatius en Saba on October 10, 2010 by the adoption of the Privacy Act of Bonaire (Wet Bescherming Persoonsgegevens BES, Stb. 2010, 349).  The Privacy Act of Bonaire is nearly identical to the Dutch Privacy Act (Nederlandse Wet Bescherming Persoonsgegevens, 6 juli, 2000), which in turn closely follows the EU Privacy Directive of 1995 and the distribution of such information (PbEG L 281) 

Curaçao

Article 12 of the constitution of Curacao (Staatsregeling van het Land Curaçao, A.B. 2010, 86) describes the right of each individual that his/her privacy is to be respected. This principle is addressed in the Privacy Act of Curaçao (Landsverordening bescherming persoonsgegevens (AB 2010, 84). This Privacy Act is substantially the same as the Privacy Act of Bonaire and the Privacy Act of the Netherlands with the exception of certain articles that relate specifically to Europe have been omitted.  The Privacy Act of Curaçao entered into force on October 1, 2013.

The Privacy Acts require compliance with the following four principles with regards to personal data:  

1. OBJECTIVE

Any storage and use of personal data must be in accordance with a clearly stated and justified objective.  Personal data may not be stored and used for time  periods that exceed meeting those specified objectives.

2. ADEQUATE, PURPOSE ORIENTED, NOT EXESSIVE AND ACCURATE

Personal data is subject to the above requirements which shall be observed by the suppliers and the processors of the data.

3. TRANSPARENCY AND RIGHT TO CORRECTION

Personal data is subject to transparency towards the consumers (data subjects).  Consumers must be informed that their personal data is used with disclosure of the purpose.  The consumer has the right to, and must be given possibilities to, object to the way in which the data is collected if he/she is of the opinion that the collection and use of his/her personal data is not in accordance with applicable laws. (article 13 EVRM). The expenses involved for the consumer to have is objections heard shall not be excessive, and he/she must be able to direct him/herself to the Data Protection Board (College Bescherming Persoonsgegevens).

4. DUE CARE

Personal data shall be supplied, processed and used in accordance with the laws and shall at all time be subject to principles of fairness and due care (article 6 LvBP/ WBP BES).

 


Comparison of key aspects of the Privacy Acts of BES, Curaçao and the Netherlands:

 

Privacy Act
BES

Privacy Act
 Curaçao

Privacy Act
 The Netherlands (Europe)

  

Reporting obligation to the Data Protection Board  “CBP”

No

No

Yes (art 27. WBP)

Administrative fines by CPB for violations of reporting obligation

No

Yes art. 54

Yes

Supervision over storage and use of personal data

Data Protection Board (Commissie Toezicht Bescherming Persoonsgegevens) BES (not yet appointed)

Data Protection Board (College Bescherming Persoonsgegevens) Curaçao  (not yet appointed)

CBP

Legal requirement for Code of Conduct

No

No

Yes

Data protection officer requirement (internal supervisor) 

No

No

Yes

Sharing of personal data with other countries

Consent required in advance by the Data Protection Board (CPB BES)

Consent required in advance by the Data Protection Board (CPB Curaçao)

Consent required in advance by the Minister of Justice, after advice by CBP

 


Source: Mr. F. van der Jagt- Privacy Bescherming op de voormalig Nederlandse Antillen, de WBP BES (unofficial translation)

 

Supervision

Article 44 of the Privacy Act of Bonaire describes the purpose and responsibilities of the Data Protection Board (Commissie Toezicht Bescherming Persoonsgegevens BES). At the time of this writing such Data Protection Board has however not yet been appointed. This is also the situation in Curaçao, where the Data Protection Board, (College Bescherming Persoonsgegevens) as described in article 41, has not yet been appointed.

Data processing

The Privacy Acts describe all handling of data from the collection to the destruction thereof as data processing. Of significant importance is that the personal data can only be collected  for a specific, justified objective. 

Articles 8a u/i 8f describe the principles for processing personal data legitimately, of which at least one principle must be met.

  • Permission of the consumer. The consumer must have given unambiguous permission to the processing of his/her personal data. The consumer must be informed (for example by means of disclosure in the general terms and conditions where a transaction or interaction is subject to) 
  • As part of an agreement (such as a credit agreement) or legal obligation.
  • Justified cause. This requires a judgment between the interest of the company and the interest of the consumer that shall include the following considerations:
    1. Is there a true cause that justifies the processing of personal data? 
    2. Are there any infringements in the personal interest and/or fundamental rights of the consumer?
    3. Can the objective be met in any other way? 
    4. Are the objectives and the methods in proportions of each other?

The Principal (Verantwoordelijke), Consumer (Betrokkene) and Data Processor (Bewerker)

The Principal (Verantwoordelijke) as defined in article 1, sub d, LvBP/WBP BES, establishes the objective and methods of processing of the data supplied and owned them. With regards to CCB, the principals are the members of CCB. CCB as data processor has to comply with the objectives as established by the principals and which are agreed upon in the contracts between the principals and CCB.  The governing objective is that members share the personal data to enhance credit decisions, and to be able to exercise their duty of care to avoid over-crediting of consumers.  The members of CCB are provided useful overviews of the total credit exposure of consumers as well as their credit default history This information can only be used to assess the creditworthiness of consumers to minimize financial damages and to allow the members to exercise their duty of care responsibilities to protect the consumers from being over extended with credit-related financial obligations. 

The Consumer or Data Subject (betrokkene) as described in article 1, sub f, LvBP/WBP BES, is the natural person who’s personal data is being processed. 

The Data Processor (bewerker) as described in article 1, sub e, LvBP/WBP BES, is the organization that processes the personal data of and on behalf of the Principal.  The Data Processor is responsible to adhere to the agreements made with the Principal when collecting, processing and sharing Personal Data submitted by the Principal.

Obligations of the Principal (verantwoordelijke) being the members of CCB

The members of CCB being the Principals are required by law to inform the Consumer of the objective of processing their data and to disclose their identity. (articles 25 and 26 of the Privacy Act of Curaçao). Noncompliance with this information requirement can lead to unjustified data processing. 

In certain cases the Principal is also required to provide more information such as disclosure of the members who have access to the data and the rights of the consumer.

The Principal can inform the Consumer that his/her data will be processed at the time of collection.  Typically this is done by including the notice of processing in a brochure, general information, general terms and conditions,  an application form or as part of a contract provided to the Consumer.  It is not required that the consumer signs the brochure, general information or application.  The consumer is adequately informed at the time he/she has been provided the information. 

CCB has no responsibilities to inform consumers about its activities as a data processor and can rely on the fact the principal has duly informed the consumer in accordance with the contract between CCB and the Member.  Accordingly, CCB does not have a Legal responsibility to inform the consumers. 

The Principals (members) have the following additional responsibilities: 

-they shall appoint a data processor that has proper procedures and capabilities with respect to technological and organizational security; 

-the Principal shall enter into a formal agreement with the Data Processor or shall have other ways that establishes enforceable obligations between the principal and the Data Processor;

-the agreement shall stipulate tht the data processor can only process data in accordance with the contract between the Principal and CCB; 

- the Principal must stipulate that the data Processor meet security protocols as required by the Privacy Acts, and that the data processor documents such procedures in writing (art. 14 lid 5 Lv BP/ WBP BES)

-The principal shall have an on-going responsibility to see to it that the data processor is in compliance with activities performed on behalf of the Principal in accordance with the contract. The principal shall therefore safeguard its rights contractually to verify and confirm that the data processor performs its contractual obligations under the ultimate responsibility of the Principal.

The Data Processor (verwerker), being CCB

The Data processor (CCB) is the entity that processes the personal data on behalf of the Principal (members), without the Data Processor being a subordinate of the Data Processor.  

The Data Processor processes personal data on behalf of the Principal, in accordance with the agreements entered into with the Principal and under the ultimate responsibility of the principal. The Data Processor shall be an entity which is independent of the Principal. 

Mandatory agreement between the Principals (members) and Data Processor (CCB). 

The Privacy Act (article 24, sub 2) requires that a principal who appoints another entity as Data Processor to process Personal Data on his behalf but outside of his direct control, must enter into a contract with that Data Processor. The Data Processor does not have the authority to change the objectives of data processing such as the  dissemination of the data or changes in the retention period of the personal data.  If the Data Processor takes such decisions, the entity would be considered a Principal instead of a Data Processor in the view of the laws.

Rights and Obligations of the Data Processor (CCB)

The Privacy Acts states that the Data Processor is merely responsible to execute instructions by the Principals, but has an own responsibility and liable under the terms of the Privacy Acts to comply with the principals that apply to processing of personal data. (articles 1 an 2 of the Privacy Acts).  This liability is expressly stated in article 39, sub 2 of the Privacy Act.   Separately from the Principal’s liability, the Data Processor can be held liable to the extent any damages were suffered by consumers as a direct result from data processing activities by the Data Processor.  If the Data Processor can proof that the liability cannot be blamed on the Data Processor, he shall not be held liable. The Data Processor and Principals, as well as those who are involved with Personal Data under their responsibility are required by law to keep all personal data confidential. 

Right to request correction of data

The Privacy Acts provide that consumers have the right to request for correction of incorrect data.  Such a request can be made to CCB as Data Processor and/or the Member (as Principal) who registered the Data to which the correction request apples. If it appears that the Personal Data stored by the Data Processor (CCB) is incorrect, then the Principal (Member) is required to correct the Data accordingly. 

Data Exchange with other countries

In case of exchange of Personal Data with overseas entities, that have different laws (such as St. Maarten and Aruba) such exchange of personal data is not prohibited by the Privacy Act, provided that there is an adequate and comparable degree of protection surrounding the privacy of personal data that will apply to the data that is exchanged as described in article 42 of the Privacy Act of Curaçao.

With regards to sharing Personal Data between the BES Islands and The Netherlands (Europe) no additional formalities are required.  

Curaçao has opted not to consider any of the countries within the Kingdom of the Netherlands as an external country for Privacy Act purposes. Therefore, as far as the Privacy Act of Curaçao is concerned, there are no additional formalities that are required in order to exchange data between Curaçao and any of the other countries of the Kingdom of the Netherlands. (article 52 en 53 Privacy Act Curaçao).  However, the Privacy Act of Bonaire does consider Curaçao as another country for the exchange of personal data, but because the Privacy Acts of Bonaire and Curaçao are very similar, it is very likely that the Data Protection Board of Bonaire would rule that Curaçao has an adequate and comparable degree of protection of personal data.  

 

Caribbean Credit Bureau
October, 2013