Data protection & privacy laws in Saint Lucia (2026)

The Data Protection Act Cap. 8.18 was enacted in 2011, amended by the Data Protection (Amendment) Act No. 2 of 2015, partially proclaimed in January 2023, and brought fully into force on 1 January 2025.

The Data Protection Commissioner is the independent supervisory authority, appointed by the Governor General on the advice of the Prime Minister after consultation with Cabinet and the Leader of the Opposition. The Commissioner oversees registration, compliance, investigations, and can impose administrative penalties.

Data controllers must register with the Data Protection Commissioner before processing personal data, declaring the categories of data, purposes, intended recipients, and any cross-border transfers. They must implement appropriate technical and organisational security measures (s. 42) and destroy personal data when the processing purpose lapses (s. 43).

The Act grants rights of access, rectification, erasure, and objection to processing (including an absolute right to object to direct-marketing use). Data subjects may also revoke consent at any time for compelling legitimate grounds.

Section 36 imposes heightened restrictions on processing special categories of data (e.g., health, racial or ethnic origin, political opinions, religious beliefs), generally requiring explicit consent or another specific statutory ground.

Section 45 prohibits transfer of personal data outside Saint Lucia unless the destination country or territory has comparable safeguards for data-subject rights, or the Commissioner has approved terms ensuring adequate safeguards.