Data Protection Policy

AUTISM CAYMAN

(Reg. No. 408296)

Data Protection Policy

(adopted by Board resolution of 2 January 2025)

  1. EXECUTIVE SUMMARY
    1. 1.1. This Data Protection Policy (“Policy”) regulates how Autism Cayman non-profit organisation (“NPO”) protects Personal Data in compliance with the Cayman Islands Data Protection Act (2021 Revision) (“DPA”) and the Data Protection Regulations (2018 Revision) (“Regulations”, and, together with the DPA, the “Data Protection Legislation”).
    2. 1.2. The Policy ensures that those volunteers and directors of the NPO who need to have access to Personal Data understand the rules governing the use of Personal Data. The Policy also ensures that members of the public who provide their Personal Data to the NPO understand how their Personal Data will be used.
    3. 1.3. Unless otherwise defined, capitalised terms in this Policy have the meaning given to them in the Data Protection Legislation and the NPO’s Memorandum & Articles of Association.
  2. INTRODUCTION
    1. 2.1. The objects of the NPO (“Objects”), as recorded in its Memorandum of Association, are:
      1. 2.1.1. to promote autism acceptance in the Cayman Islands; and
      2. 2.1.2. to provide community-based support, information and advocacy to autistic persons and their families (and/or carers) in allegiance with all autistic persons in the Cayman Islands. 
    2. 2.2. In pursuing these Objects, the NPO may need to collect, store, process, and use Personal Data.
    3. 2.3. The NPO recognises its responsibilities as a Data Controller under the Data Protection Legislation, including the Data Protection Principles.
  3. DATA PROTECTION PRINCIPLES
    1. 3.1. In accordance with the Data Protection Principles, Personal Data will be:
      1. 3.1.1. Processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
      2. 3.1.2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
      3. 3.1.3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are collected or further Processed;
      4. 3.1.4. accurate and, where necessary, kept up-to-date, with every reasonable step taken to ensure that Inaccurate Personal Data, having regard to the purpose for which they are Processed, are rectified, blocked, erased or destroyed without delay;
      5. 3.1.5. kept for only as long as it is needed and subsequently destroyed;
      6. 3.1.6. Processed in accordance with the rights of Data Subjects, including under the DPA;
      7. 3.1.7. Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and
      8. 3.1.8. transferred only to countries or territories which ensure there is an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
  4. CONSENT, PRIVACY NOTICES, AND PERSONAL DATA HANDLING
    1. 4.1. The NPO shall ensure that Personal Data is only processed where one of the “conditions” of processing provided for in the DPA applies. In general, express prior written Consent of a Data Subject is required to process their Personal Data.
    2. 4.2. The request for Consent must be in an intelligible and easily accessible form.
    3. 4.3. Consent need not always be in writing, but it always must be indicated by a clear statement or clear affirmative action that is separate from any statement or action that the Data Subject might be making or taking at the same time concerning another matter.
    4. 4.4. Consent must be informed, freely given, specific, and unambiguous.
    5. 4.5. The purposes for which the Data Subject has given Consent must be clearly documented. To this end, the NPO shall clearly identify and document the purposes for processing Personal Data by means of suitable Privacy Notices.
    6. 4.6. Privacy Notices shall be made accessible to each Data Subject before their Personal Data is collected. For example, a Privacy Notice may form part of a sign-up or registration form.
    7. 4.7. Privacy Notices must be concise, transparent, intelligible, easily accessible and communicated in clear and plain language.
    8. 4.8. Privacy Notices must contain at least:
      1. 4.8.1. the NPO’s identity;
      2. 4.8.2. the purposes of Processing of the Personal Data;
      3. 4.8.3. a link to or reference to this Policy;
      4. 4.8.4. a statement that the Data Subject is entitled to withdraw their Consent at any time; and
      5. 4.8.5. contact details to which such withdrawal of Consent (or any queries or complaints) may be communicated.
    9. 4.9. The Data Subject must be able to withdraw Consent at any time.
    10. 4.10. If Consent is withdrawn, the Processing of the relevant Personal Data must cease immediately.
    11. 4.11. A record must be kept of all Consents obtained and withdrawn (whether or not the Consent was given or withdrawn in writing).
    12. 4.12. The NPO shall ensure that all Personal Data is limited to what is necessary for the purposes for which it is being Processed.
    13. 4.13. The NPO shall ensure that if Personal Data is no longer needed for the purposes for which it was Processed, it will be destroyed, secured, archived, or anonymised in accordance with the Data Protection Legislation.
    14. 4.14. This Policy must be made publicly available by the NPO on its website and a copy provided to any member of the public upon request free of charge.
  5. DATA SUBJECT RIGHTS
    1. 5.1. The right to be informed: Every Data Subject has the right to be informed of the purposes for which their Personal Data is being Processed by the NPO.
    2. 5.2. The right of access: Every Data Subject has the right to request access to their Personal Data being Processed by the NPO.
    3. 5.3. The right to have inaccurate data corrected: Every Data Subject has the right to have their inaccurate Personal Data rectified, blocked, or destroyed.
    4. 5.4. The right to restrict or stop Processing: Every Data Subject has the right to request that the NPO stop or restrict the Processing of their Personal Data.
    5. 5.5. The right to stop direct marketing: Every Data Subject has the right to request that the NPO cease direct marketing using their Personal Data.
    6. 5.6. Rights in relation to automated decision-making: Every Data Subject has the right to receive information on and object to the Processing of their Personal Data by the NPO using automated decision-making where such processing significantly affects the Data Subject.
    7. 5.7. The right to complain: Every Data Subject has the right to complain to the NPO and the Ombudsman about any perceived violations of the DPA by the NPO.
    8. 5.8. The right to seek compensation: Every Data Subject has the right to seek compensation through the Court when a Data Subject suffers damage due to a contravention of the DPA by the NPO.
  6. DATA SUBJECT ACCESS REQUESTS
    1. 6.1. The NPO shall process any data subject access request (“DSAR”) in accordance with the applicable legislation.
    2. 6.2. All DSARs received by the NPO shall be forwarded to the NPO’s President and Controllers for appropriate handling.
    3. 6.3. Where the NPO receives a DSAR, the requesting Data Subject shall be informed of their right to complain to the Ombudsman.
  7. DATA SECURITY
    1. 7.1. The NPO shall adopt appropriate and proportionate measures to ensure that the confidentiality of Personal Data is maintained.
    2. 7.2. The NPO shall regularly review and adapt its data security measures in light of developments in legislation and practical considerations.
  8. INCIDENT REPORTING AND RESPONSE
    1. 8.1. The NPO shall ensure that any suspected theft or unauthorised Processing of Personal Data (“Breach”) shall be immediately investigated, contained, and mitigated.
    2. 8.2. If the President and the Controllers of the NPO determine that a suspected Breach has indeed occurred, the NPO shall, within 5 days of first becoming aware of the suspected Breach, notify both the affected Data Subject and the Ombudsman of the same.
    3. 8.3. The NPO’s Notifications to the Data Subject and the Ombudsman shall set out, at least:
      1. 8.3.1. the nature of the Breach;
      2. 8.3.2. the consequences of the Breach;
      3. 8.3.3. measures taken or proposed to be taken by the NPO to contain the Breach and/or mitigate its consequences; and
      4. 8.3.4. measures recommended by the NPO to the Data Subject to mitigate the consequences of the Breach.
    4. 8.4. The NPO will communicate its Notifications using the prescribed form found on https://oci-webform.workpro-online.com/Client/complaints. The form must only be completed and submitted by the NPO’s President after it has been determined that the Breach has indeed occurred.
    5. 8.5. The NPO shall maintain a record of all the Breaches.
  9. DATA RETENTION
    1. 9.1. Subject to any withdrawal of Consent, Data Subject deletion request, or other applicable rule of law, the NPO shall retain Personal Data for at least 5 years in compliance with paragraph 6.6 of the General Guidance and Best Practices for the Non-Profit Organisation Sector published by the Cayman Islands Registrar of Non-Profit Organisations (“Data Retention Period”).
    2. 9.2. At the end of the Data Retention Period, the NPO shall securely destroy the Personal Data to the maximum extent practicable.
  10. SHARING PERSONAL DATA WITH THIRD PARTIES
    1. 10.1. Personal Data may only be shared with third parties to the extent that this is consistent with the Consent obtained from the relevant Data Subject and the applicable Data Protection Principles.
    2. 10.2. Before any Personal Data is transmitted to any third party, the NPO shall assess whether such Personal Data transfer is compliant with the relevant Consent and the applicable Data Protection Principles and shall record in writing the outcome of this assessment.
  11. TRAINING
    1. 11.1. The NPO shall ensure that all its Directors, volunteers, and (if applicable) employees (together, “NPO Staff”), are made aware of this Policy and their responsibilities thereunder.
    2. 11.2. The NPO shall offer annual data protection training to the NPO Staff.

Autism Cayman is an ordinary resident non-profit company limited by guarantee incorporated with reg. no. 408296 on 29 February 2024 and is also registered as a non-profit organisation with reg. no. NP-694, with its registered office address at CO Services Cayman Limited, P.O. Box 10008, Willow House, Cricket Square, Grand Cayman, KY1-1001, Cayman Islands. 


Our Memorandum of Association records our objects as follows: (a) to promote autism acceptance in the Cayman Islands; and (b) to provide community-based support, information and advocacy to autistic persons and their families (and/or carers) in allegiance with all autistic persons in the Cayman Islands.


Copyright © 2025 Autism Cayman - All Rights Reserved. 
