Bermuda Personal Information Protection Act 2016 (PIPA)

Bermuda

v2016 (effective 2025)

6 domains

24 controls

Bermuda's Personal Information Protection Act 2016 (PIPA, substantially in force January 1, 2025) establishes a comprehensive privacy framework. The Privacy Commissioner for Bermuda oversees compliance. PIPA establishes processing principles, individual rights, mandatory breach notification, and provisions for cross-border transfers. Designed to support Bermuda's EU adequacy application for the insurance/reinsurance sector.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (6)

Bermuda PIPA Part 1: Preliminary

2 controls

Controls in the Bermuda PIPA Part 1: Preliminary domain of Bermuda Personal Information Protection Act 2016 (PIPA) — 2 controls
Code	Title	Description
BM-PIPA-3	Application	Application. Section 3 sets out the organisations and processing to which the Act applies (organisations that use person...
BM-PIPA-4	Exclusions	Exclusions. Section 4 sets out the matters excluded from the Act (for example personal or domestic use, and certain othe...

Bermuda PIPA Part 2: General Principles and Rules

12 controls

Controls in the Bermuda PIPA Part 2: General Principles and Rules domain of Bermuda Personal Information Protection Act 2016 (PIPA) — 12 controls
Code	Title	Description
BM-PIPA-10	Purpose limitation	Purpose limitation. Section 10 requires that personal information only be used for the purposes for which it was collect...
BM-PIPA-11	Proportionality	Proportionality. Section 11 requires that the personal information used be adequate, relevant and not excessive in relat...
BM-PIPA-12	Integrity of personal information	Integrity of personal information. Section 12 requires personal information to be accurate and, where necessary, kept up...
BM-PIPA-13	Security safeguards	Security safeguards. Section 13 requires organisations to protect personal information with appropriate safeguards again...
BM-PIPA-14	Breach of security	Breach of security. Section 14 requires organisations to notify the Commissioner (and affected individuals where require...
BM-PIPA-15	Transfer of personal information to an overseas third party	Overseas transfers. Section 15 requires that, before transferring personal information to an overseas third party, the o...
BM-PIPA-16	Personal information about children in the information society	Children's information. Section 16 imposes specific requirements on the use of personal information about children in th...
BM-PIPA-5	Responsibility and compliance	Responsibility and compliance. Section 5 requires every organisation to adopt suitable measures and policies to give eff...
BM-PIPA-6	Conditions for using personal information	Conditions for using personal information. Section 6 sets out the lawful conditions (including consent and other permitt...
BM-PIPA-7	Sensitive personal information	Sensitive personal information. Section 7 imposes additional conditions on the use of sensitive personal information (in...
BM-PIPA-8	Fairness	Fairness. Section 8 requires that personal information be used in a manner that a reasonable person would consider fair...
BM-PIPA-9	Privacy notices	Privacy notices. Section 9 requires organisations to provide a clear and accessible privacy notice describing their prac...

Bermuda PIPA Part 3: Rights of Individuals

5 controls

Controls in the Bermuda PIPA Part 3: Rights of Individuals domain of Bermuda Personal Information Protection Act 2016 (PIPA) — 5 controls
Code	Title	Description
BM-PIPA-17	Access to personal information	Right of access. Section 17 gives individuals the right to request access to their personal information held by an organ...
BM-PIPA-18	Access to medical records	Access to medical records. Section 18 sets out the specific procedure and safeguards for requests for access to medical...
BM-PIPA-19	Rectification, blocking, erasure and destruction	Rectification, blocking, erasure and destruction. Section 19 gives individuals the right to request rectification, block...
BM-PIPA-20	Procedure for making a request	Procedure for requests. Section 20 sets out the procedure for making a request under sections 17, 18 or 19, including ti...
BM-PIPA-21	Compensation for financial loss or distress	Compensation. Section 21 provides individuals a right to compensation for financial loss or distress caused by a contrav...

Bermuda PIPA Part 4: Exemptions

1 controls

Controls in the Bermuda PIPA Part 4: Exemptions domain of Bermuda Personal Information Protection Act 2016 (PIPA) — 1 controls
Code	Title	Description
BM-PIPA-22	Exemptions	Exemptions. Sections 22 to 25 set out exemptions from the Act, including national security (s22), communication provider...

Bermuda PIPA Part 5: The Commissioner

2 controls

Controls in the Bermuda PIPA Part 5: The Commissioner domain of Bermuda Personal Information Protection Act 2016 (PIPA) — 2 controls
Code	Title	Description
BM-PIPA-26	The Privacy Commissioner: establishment and powers	The Commissioner. Sections 26 to 37 establish the office of the Privacy Commissioner and set out the Commissioner's appo...
BM-PIPA-32	Codes of practice	Codes of practice. Section 32 empowers the Commissioner to issue codes of practice; organisations should align their pra...

Bermuda PIPA Part 6: Reviews, Complaints and Enforcement

2 controls

Controls in the Bermuda PIPA Part 6: Reviews, Complaints and Enforcement domain of Bermuda Personal Information Protection Act 2016 (PIPA) — 2 controls
Code	Title	Description
BM-PIPA-38	Reviews and complaints	Reviews and complaints. Sections 38 to 43 give individuals the right to ask for a review or initiate a complaint to the...
BM-PIPA-44	Commissioner's orders and judicial review	Orders and enforcement. Sections 44 to 45 set out the Commissioner's power to make orders and the availability of judici...

Your Compliance Coverage

If you comply with Bermuda Personal Information Protection Act 2016 (PIPA), you already cover:

GDPR

38%

9 controls mapped

Compare →

ISO/IEC TR 24028:2020

1 controls mapped

Compare →

ISO 27002:2022

1 controls mapped

Compare →

See all 3 mapped frameworks ↓

Maps to 3 other frameworks

24 total controls

GDPR

9 source controls mapped|9 target controls covered

38%

ISO/IEC TR 24028:2020

1 source controls mapped|1 target controls covered

ISO 27002:2022

1 source controls mapped|1 target controls covered

Compare Bermuda Personal Information Protection Act 2016 (PIPA) with GDPR

Frequently Asked Questions

What is Bermuda Personal Information Protection Act 2016 (PIPA)?

Bermuda Personal Information Protection Act 2016 (PIPA) is a compliance framework from Bermuda with 6 domains and 24 controls. Bermuda's Personal Information Protection Act 2016 (PIPA, substantially in force January 1, 2025) establishes a comprehensive privacy framework. The Privacy Commissioner for Bermuda oversees compliance. PIPA establishes processing principles, individual rights, mandatory breach notification, and provisions for cross-border transfers. Designed to support Bermuda's EU adequacy application for the insurance/reinsurance sector. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Bermuda Personal Information Protection Act 2016 (PIPA) have?

Bermuda Personal Information Protection Act 2016 (PIPA) has 24 controls organised across 6 domains. The largest domains are Bermuda PIPA Part 2: General Principles and Rules (12 controls), Bermuda PIPA Part 3: Rights of Individuals (5 controls), Bermuda PIPA Part 1: Preliminary (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Bermuda Personal Information Protection Act 2016 (PIPA) map to?

Bermuda Personal Information Protection Act 2016 (PIPA) maps to 3 other compliance frameworks. The top mapping partners are GDPR (38% coverage), ISO/IEC TR 24028:2020 (4% coverage), ISO 27002:2022 (4% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with Bermuda Personal Information Protection Act 2016 (PIPA) compliance?

Start your Bermuda Personal Information Protection Act 2016 (PIPA) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Bermuda Personal Information Protection Act 2016 (PIPA) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 24 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required