Revised Laws of Saint Lucia (2022)

34.   Consent for processing of personal data

  1.  

    (1)   Subject to subsection (2), a data controller shall not process personal data unless the data controller has obtained the express consent of the data subject.

  1.  

    (2)   Notwithstanding subsection (1), a data controller may process personal data without obtaining the express consent of the data subject where the processing is necessary —

    1.  

      (a)     for the performance of a contract to which the data subject is a party;

    1.  

      (b)     in order to take steps required by the data subject prior to entering into a contract;

    1.  

      (c)     in order to protect the vital interests of the data subject;

    1.  

      (d)     for compliance with any legal obligation to which the data controller is subject;

    1.  

      (e)     for the administration of justice;

    1.  

      (f)     for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the data controller or in a third party to whom the personal data is disclosed;

    1.  

      (g)     for a purpose that concerns a legitimate interest of the data controller or of such a third party to whom personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular the right to privacy.

  1.  

    (3)   Where the data controller processes personal data under subsection (2)(f) and (g), the data subject shall, except where otherwise provided in any other law in force in Saint Lucia, be entitled to object at any time to the data controller on compelling legitimate grounds to the processing of the personal data.

  1.  

    (4)   Where the data controller processes personal data with the consent of the data subject, the data subject may at any time revoke his or her consent for compelling legitimate grounds relating to his or her particular situation.

  1.  

    (5)   A data controller who contravenes this section commits an offence and is liable on summary conviction to a fine not exceeding $25,000. (Amended by Act 2 of 2015)