The Data Protection Act 2019 of Barbados applies to data processing activities based on the establishment of the data controller or processor in Barbados. Article 3(2) provides a detailed definition of what constitutes being "established in Barbados" for the purposes of the Act.The law recognizes three categories of entities as being established in Barbados:

1. "an individual who is ordinarily resident in Barbados" - This covers natural persons who have their habitual residence in Barbados.
2. "a body, association or other entity incorporated, organised, registered or otherwise formed under any enactment" - This encompasses legal entities that have a formal legal presence in Barbados through incorporation, registration, or other forms of official recognition under Barbadian law.
3. "a person who does not fall within paragraph (a) or (b) but maintains in Barbados an office, branch or agency through which he carries on any activity related to the processing of personal data" - This provision extends the law's applicability to entities that, while not formally incorporated or resident in Barbados, maintain a physical presence in the country through which they conduct data processing activities.

The inclusion of this third category is particularly significant as it broadens the scope of the law to cover foreign entities that have established a presence in Barbados for data processing purposes.

Implications

The broad definition of "established in Barbados" has several implications for businesses:

1. Local individuals and entities: Barbadian residents and locally incorporated entities are clearly subject to the Act when processing personal data.
2. Foreign companies with local presence: International companies that set up offices, branches, or agencies in Barbados for data processing activities will fall under the Act's jurisdiction, even if they are not formally incorporated in Barbados.
3. Remote operations: The law does not appear to apply to entities that process data of Barbadian residents without any physical presence in Barbados, unless they are offering goods or services to data subjects in Barbados (as per Art.3(1)(b)).
4. Data processors: The law explicitly includes data processors in its scope, meaning that companies providing data processing services in Barbados are subject to the Act's requirements.
5. Scope of activities: For entities falling under category (c), the law applies specifically to activities related to the processing of personal data carried out through their Barbadian office, branch, or agency.

This approach ensures that the Data Protection Act 2019 covers a wide range of entities operating within Barbados, providing comprehensive protection for personal data processed in the country while also respecting jurisdictional boundaries by not extending to entities without a significant connection to Barbados.