Data & Privacy · Bermuda
Bermuda has a comprehensive, GDPR-style data-protection regime under the Personal Information Protection Act 2016 (PIPA). PIPA received Royal Assent in 2016 and came fully into force on 1 January 2025, by which date all in-scope organisations using personal information were required to be compliant. It is enforced by an independent Privacy Commissioner.
PIPA 2016 reached full operative effect on 1 January 2025 after a staged commencement; the Government announced this date on 16 June 2023, giving organisations roughly an 18-month preparation window.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is the independent regulator. The Commissioner is appointed by the Governor and exercises functions free from direction or control by any other person or authority.
Part 2 (sections 5-16) sets out the principles governing use of personal information, including fairness/lawfulness, proportionality, purpose limitation, accuracy/integrity, and limited retention.
In-scope organisations must appoint a Privacy Officer responsible for managing personal information and liaising with the Commissioner, implement safeguards, provide privacy notices, and handle individual access requests.
Individuals have rights including access to their personal information; under section 21 those who suffer damage or emotional distress may bring a private legal action and seek court-determined compensation.
PrivCom has issued the official Guide to PIPA and supporting materials explaining the principles, definitions and obligations, primarily aimed at Privacy Officers and those responsible for day-to-day data protection.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.