Fintech 2025

BERMUDA Law and Practice Contributed by: Steven Rees Davies, Kyle Masters, Charissa Ball and Alexandra Fox, Carey Olsen

• issue a public censure to name and shame the licensee;
• issue a prohibition order banning a person from performing certain functions for a Bermuda-regulated entity; or
• obtain an injunction from the court.

In the more extreme cases, the BMA may revoke a licence and subsequently petition the court for the winding-up of the entity whose licence it has revoked.

2.11 Implications of Additional, Non-Financial Services Regulations

Personal Information Protection Act
Bermuda's Personal Information Protection Act 2016 (PIPA) is the main piece of legislation in Bermuda that regulates the use of personal information. It has been implemented in phases and came into full force and effect on 1 January 2025.

Every organisation in Bermuda that uses personal information, where such information is used either wholly or partly by automated means, or where it forms, or is intended to form, part of a structured filing system, is caught under PIPA.

Under PIPA, an organisation can only use personal information where there is a lawful basis for that use. Such lawful bases include:
• when the organisation has the knowing consent of the individual to that use;
• where the individual would not reasonably be expected to object to that use (except in relation to sensitive personal information);
• where using that information is necessary for the performance of a contract to which the individual is a party;
• where the use is authorised or required by law; and
• where the use is necessary in the context of an individual's employment relationship with the organisation.

In order to comply with the provisions of PIPA, those organisations that are caught under it (including those in the fintech sector) will need to:
• adopt suitable measures and policies that take into account the nature, scope, context and purposes of the use of personal information, as well as the risk to individuals that results from the use of such information;
• ensure that any third party whose services are engaged (by contract or otherwise) in connection with the use of personal information complies with PIPA at all times;
• designate a privacy officer who will have primary responsibility for communicating with the privacy commissioner;
• ensure that all personal information they hold is accurate, up to date, adequate, relevant and proportionate to the purposes for which it is to be used, and ensure that all personal information is kept only for as long as is necessary for its use;
• implement safeguards (proportionate to the likelihood and severity of harm, the sensitivity of the personal information, and the context in which the information is held) to protect personal information against the risks of unauthorised access, destruction, use, modification or disclosure; and
• provide a privacy notice to each individual before or at the time their personal information is collected, which should be clear and easily accessible and which must provide the individual with details of the organisation's practices and policies in relation to personal information.
