Data protection & privacy laws in Isle of Man (2026)
The Isle of Man operates a comprehensive GDPR-equivalent data protection regime. The Data Protection Act 2018 is a short framework statute that enables adoption of the EU General Data Protection Regulation (EU 2016/679) and the Law Enforcement Directive (EU 2016/680) as domestic law via secondary legislation. The Isle of Man Information Commissioner is the independent supervisory authority, and the island holds a long-standing EU adequacy decision (since 2004, reaffirmed 2024) permitting free personal-data flows from the EEA.
Key points
The Data Protection Act 2018 (IOM) is the enabling framework; substantive obligations derive from the GDPR and LED Implementing Regulations 2018, which apply the EU GDPR and LED as modified Manx law. This replaced the Data Protection Act 2002.
The Isle of Man Information Commissioner (inforights.im) is the independent supervisory authority established under Regulation 79 of the GDPR and LED Implementing Regulations 2018. Dr Alexandra Delaney-Bhattacharya took up the post in September 2024. The office also oversees the Freedom of Information Act 2015 and Unsolicited Communications Regulations 2005.
The European Commission granted the Isle of Man an adequacy decision in 2004, allowing personal data to flow freely from the EEA without additional safeguards. The Commission confirmed in January 2024 that the decision continues to operate satisfactorily, subject to close ongoing monitoring.
The Data Protection (Law Enforcement) (Adequacy) (Isle of Man) Regulations 2025 (SI 2025/89) came into force on 20 February 2025, enabling UK competent authorities to transfer personal data to Isle of Man authorities for law-enforcement purposes without specific case-by-case authorisation.
Controllers and processors must register with the Information Commissioner. Data subjects hold rights to access, rectification, erasure, restriction, portability, and objection. Personal data breaches posing any risk to individuals must be notified to the Commissioner within 72 hours.
Maximum administrative fines are capped at GBP 1,000,000 — lower than the EU GDPR ceiling of EUR 20,000,000 or 4% of global annual turnover. Since April 2024 the Commissioner has issued three Enforcement Notices, including urgent notices to secondary schools over unlawful CCTV inside toilet facilities.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.