1. Who We Are
1.1 The Central Bank of Barbados (“the Bank”, “we”, “us”, or “our”) is responsible for collecting and using your personal data.
1.2 For the purposes of the Data Protection Act, 2019-29 of the Laws of Barbados (the “Act”), the Bank is the data controller.
1.3 Our contact details are:
Address: Tom Adams Financial Centre, Spry Street, Bridgetown, St. Michael, Barbados
Telephone: +1 246 436 6870
1.4 You may contact our Data Protection Officer using the details set out at paragraph 12 below.
2. What This Notice Covers
2.1 This notice explains how we collect, use, store, and share personal data when carrying out our functions.
2.2 It applies to all personal data we collect:
• directly from you; or
• indirectly from third parties, such as financial institutions, public authorities, or other persons who provide information to us where the law allows.
2.3 If we need to use your personal data for a new purpose, we will tell you before doing so unless the law allows us not to.
3. Our Legal Basis for Processing Personal Data
3.1 We only process personal data where we have a lawful basis under the Act. The main legal bases we rely on are:
• Legal obligation: where we must comply with the law.
• Public interest or official authority: where processing is necessary for our statutory functions as a central bank and regulator.
• Contractual necessity: where processing is required to enter or perform a contract.
• Legitimate interests: in limited cases outside our statutory functions, where this basis is appropriate and does not override your rights.
• Consent: where you have given clear permission (which you may withdraw at any time).
3.2 The legal basis we use depends on the service, activity, or function involved.
3.3 Where we process sensitive personal data, such as information relating to financial investigations and criminal activity, we do so only under strict legal safeguards, where the law explicitly allows it, and to protect the public financial system.
Biometric login in the BiMPay app is verified on your own device; the Bank does not collect, receive, or store your biometric data.
4. How We Use Personal Data
4.1 The Bank processes personal data to perform its statutory functions under applicable legislation, including the Central Bank of Barbados Act 2020-30 and other financial services laws.
4.2 These functions include managing monetary policy, regulating financial institutions, maintaining financial stability, managing foreign reserves, issuing currency, and providing financial advice to the Government.
5. Types of Processing Activities
5.1 Payment Services (BiMPay). We process personal data to operate the BiMPay system and app safely. This may include your name, contact details, identification numbers, and financial data. Access to the app may be protected by device-level security features, such as biometric login, which operate on your device.
5.2 Regulation and Supervision of Financial Institutions. We process personal data relating to directors, staff, shareholders, and customers of financial institutions, payment providers, and credit bureaus. This allows us to authorise, supervise, and regulate these entities and investigate unauthorised activity.
5.3 Investigations and Enforcement. We may process personal data when investigating potential breaches of financial legislation. This may include sensitive data and information relating to criminal activity. This processing is carried out under our legal powers and may include data relating to individuals who are not the direct subject of the investigation.
5.4 Government Investment Services. When issuing and redeeming government investment instruments, we collect information such as your name, contact details, date of birth, identification numbers, and banking details.
5.5 Exchange Control Applications. We process personal data submitted with applications to utilise foreign currency. This includes names, contact details, and financial information, which we use to assess and decide on applications.
5.6 Public Enquiries and Feedback. If you contact us with queries or feedback, we use your personal data to respond and, where necessary, investigate your concerns. This may involve sharing information with relevant third parties.
5.7 Recruitment and Human Resources Administration. We process personal data from job applicants to assess suitability for employment. This includes contact details, qualifications, employment history, and, where required, background checks and references. For permanent and temporary staff, we process data that is necessary for the maintenance of employment records, payment of compensation, employee benefits, performance appraisals, and disciplinary matters.
5.8 Visitors to Our Premises. Visitors to our offices may be asked to provide their name for security purposes.
5.9 CCTV Monitoring. We use CCTV at our premises for safety, security, and crime prevention. Footage is only used for these purposes and may be shared with law enforcement where necessary.
5.10 Procurement and Suppliers. We process personal data from suppliers and tenderers to evaluate bids, award contracts, and manage supplier relationships, including payments.
5.11 Website Use and Cookies. We only collect personal data through our website where you provide it voluntarily (for example, by email or through cookies where you consent). Cookies are used to improve website functionality and user experience. You may control or disable cookies through your browser settings.
6. How Long We Keep Your Data
6.1 We keep personal data only for as long as we need it for the purpose for which it was collected, or for as long as the law requires.
6.2 Retention periods are determined based on:
• legal and regulatory requirements;
• operational needs; and
• the nature of the data and processing activity.
6.3 In many cases, we are required by law to keep data for specific periods, especially for our regulatory, supervisory, and employment-related functions. When personal data is no longer needed, we will securely delete it, destroy it, or anonymise it, as appropriate.
6.4 Where specific retention periods apply, we follow them. For example, BiMPay transaction and dispute records are retained in line with the seven-year period set out in the BiMPay Dispute Management Rules and applicable regulatory requirements.
6.5 Where there is a criminal investigation or court proceeding pending, we are permitted by the Act to retain data beyond the ordinary retention periods.
7. Sharing Your Personal Data
7.1 We do not sell your data. We may share personal data where necessary and lawful with:
• Public authorities and regulators, where sharing is necessary for our functions or required by law;
• Service providers acting as data processors on our behalf. We bind these providers to contracts that require them to protect your data as safely as we do;
• Law enforcement or other bodies where we are required or permitted to do so by law; and
• Other parties where sharing is necessary and lawful.
7.2 Where third parties process personal data on our behalf, they must only do so on our instructions and in line with applicable data protection laws.
8. International Transfers of Data
8.1 In some cases, we may transfer personal data outside Barbados, for example to supervisory authorities, service providers, or technology providers.
8.2 Where this happens, we will take steps to make sure your personal data stays protected and that appropriate safeguards are in place, ensuring that data is only transferred to:
• Countries with strong, officially recognised data protection standards such as Canada and the United States of America; or
• providers bound by strict contractual safeguards and technical protections (including encryption).
9. Your Rights
9.1 Under the Act, you have several rights in relation to your personal data, subject to certain legal limits.
• Right of access: to obtain a copy of your personal data.
• Right to rectification: to correct inaccurate or incomplete data.
• Right to erasure: to request deletion of your data where appropriate.
• Right to restrict processing: to limit how your data is used in certain circumstances.
• Right to object: to object to processing that may cause harm or distress.
• Right to object to direct marketing: although we do not use personal data for marketing.
• Right to data portability: to receive your data in a transferable format where applicable.
• Rights related to automated decision making: we do not make decisions producing legal or similarly significant effects about you solely by automated means, except where this is necessary for fraud prevention, security, or compliance with our legal obligations. Where we do, appropriate safeguards apply, including your right to request human review.
• Right to withdraw consent: where processing is based on consent.
• Right to complain: to the Data Protection Commissioner.
9.2 Since we are a regulatory authority, some of these rights are limited and cannot be used to stop an active financial investigation, block our official central banking duties, or delete records that banking laws force us to preserve.
9.3 To exercise your rights, please contact us using the details at paragraph 12 below. We will ask for proof of identity before responding to your request to protect your privacy. We will respond to valid requests within the period required under the Act, and in any event without undue delay. Where the Act permits, we may extend this period and will tell you if we do.
10. Security of Your Data
10.1 We take appropriate technical and organisational measures to protect your personal data, including safeguards such as encryption, access controls, and secure storage.
11. Changes to This Notice
11.1 We may update this privacy notice from time to time to reflect changes in law or our operations.
11.2 The latest version, together with its effective date, will always be available from the Central Bank.
12. Contact Us
12.1 If you have questions about this notice or how your data is used, please contact:
