The Data Protection (Bailiwick of Guernsey) Law, 2017 (the "DPL") came into force on 25 May 2018 to coincide with the date from which the EU's General Data Protection Regulation (EU) 2016/679 (the "GDPR") applied. The European Commission has granted Guernsey "adequacy" status and recognises the legal standards applicable in Guernsey as covering all the principles necessary for an adequate level of protection for natural persons. This allows EU organisations to transfer personal data to Guernsey without additional safeguards. The Office of the Data Protection Authority (the "ODPA") is the independent supervisory authority for the purposes of the DPL and associated legislation.

In this briefing we explore the object of the DPL, some of the key concepts used in the DPL, what the data protection principles are and the rights of data subjects.

Object of the DPL

The object of the DPL is to protect the rights of individuals in relation to their personal data, and provide for the free movement of personal data, in a manner equivalent to the GDPR and associated legislation. According to the ODPA the aim of data protection is to ensure people are treated fairly and lawfully, protecting them from harms that can arise from their personal data being mis-used.

Key terms

Although the DPL is drafted in an accessible way, it is not free from legal jargon. Some of the key legal concepts used in the DPL and associated legislation are:

  • controller – the entity that determines why and how personal data is processed.
  • data subject – the person who is identified (or identifiable) by personal data.
  • data subject rights – the legal rights a data subject has under the DPL.
  • data subject access request – a request in which an individual asks a controller for details of what personal data it holds about them and what it is doing with that data.
  • personal data – any information relating to an identified or identifiable individual. This includes both factual information about people and opinions expressed about them.
  • personal data breach – a breach of security leading to the accidental or unlawful destruction, loss or alteration of, or the unauthorised disclosure of or access to, personal data.
  • processor – the entity that processes personal data on behalf of the controller. A processor does not determine why and how personal data is processed.
  • processing – any operation or set of operations performed on personal data, or on sets of personal data, whether or not by automated means.
  • special category data – personal data revealing an individual's racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership, genetic data, biometric data, health data, data concerning an individual's sex life or sexual orientation, and criminal data.

Data Protection principles

At the core of the DPL are the seven data protection principles. They set out how personal data must be handled so that an individual's rights are respected. Under the DPL, both controllers and processors must comply with the data protection principles, which are as follows:

Lawfulness, fairness and transparency

Personal data must be processed in a lawful, fair and transparent manner in relation to the data subject.

Purpose limitation

Personal data must be collected only for specific, explicit and legitimate purposes and, once collected, must not be processed in a manner incompatible with those purposes.

Minimisation

Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.

Accuracy

Personal data must be accurate and, where necessary, kept up to date; inaccurate data should be corrected or erased without delay.

Storage limitation

Personal data must not be kept in a form that permits identification of the data subject for longer than is necessary for the purpose for which it is processed.

Integrity and confidentiality

Personal data must be processed in a manner that ensures its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.

Data Subject Rights

The DPL gives individuals 10 specific rights around how information about them must be treated, and it places obligations on organisations and businesses to ensure that they use people's data properly. Data subjects have the following rights under the DPL:

1. The right to information for personal data collected from data subjects

Where personal data is collected from the data subject, the data subject has a right to be given specific information (ordinarily set out in the controller's privacy notice) before or at the time the personal data is collected. That information includes a statement as to:

  • whether the collection of the data is a statutory or contractual requirement, or a requirement that must be met in order to enter into a contract; and
  • whether the data subject is obliged to provide the personal data and what the consequences might be if it is not provided.

2. Right to data portability

This right allows a data subject to have their personal data transmitted from one organisation that acts as controller of their data to another organisation to which the data subject wishes the data to be transferred. All local organisations should assess how they could easily extract or copy all data relating to a specific person from their systems and provide it to that person in a structured, commonly used, machine-readable format that can be loaded into another organisation's system. This could be as simple as exporting the data in a standard file format.

3. Right of access

This right allows a data subject to ask what personal data an organisation holds about them and why. It is exercised by way of a data subject access request ("DSAR"): a request in which a data subject asks what personal data a controller holds about them and what the organisation is doing with that personal data. An organisation must respond to a DSAR within one month, although the DPL allows this period to be extended where the request is complex.

4. Right to object to processing for direct marketing purposes

If an organisation is processing personal data for direct marketing purposes, a data subject has the right to require it to stop by writing directly to the organisation concerned. Once such a request is made, the organisation must stop sending the data subject any marketing material. A data subject must be explicitly informed, before or at the time of the controller's first communication, of their right to object to processing for marketing purposes. That notice must be presented separately from any other matters notified to the data subject.

5. Right to object to processing on grounds of public interest

This right operates only where the lawfulness of the processing is based exclusively on legitimate interests, or where the processing is necessary for the performance of a public function or task by a public authority. In these circumstances, the data subject has a right to require the controller to cease the processing by written request. The controller must give the data subject notice of the processing and must explicitly inform the data subject, before or at the time of the controller's first communication, of their right to object to it.

6. Right to object to processing for historical or scientific purposes

If an organisation is processing personal data on the basis that it is necessary for historical or scientific purposes, the data subject has a right to require it to stop the processing. The data subject must write directly to the organisation concerned to make such a request.

7. Right to rectification

This right can be exercised where a data subject disputes the accuracy or completeness of their personal data. The data subject has a right to require the controller to rectify or complete the personal data, and may do so by written request to the controller stating the inaccuracy or explaining why the personal data is incomplete. If the controller is a public authority, it is required to have a data protection officer whom the data subject can contact.

8. Right to erasure

A data subject has the right to require a controller to erase their personal data where, for example, the personal data is no longer necessary for the purpose for which it was collected, the data subject withdraws the consent on which the processing is based, or the data subject objects to the processing. This right is sometimes referred to as the "right to be forgotten".

A data subject makes such a request by writing directly to the organisation concerned. If the controller is a public authority, it is required to have a data protection officer whom the data subject can contact.

9. Right to restriction of processing

A data subject can obtain a restriction on processing where the accuracy or completeness of the personal data held by the controller is disputed, where the processing is unlawful, or where the personal data is no longer necessary for the purposes for which it was collected. A restriction on processing can also be obtained where the data subject has objected to processing carried out for historical or scientific purposes or on public interest grounds, pending a decision on that objection.

10. Right not to be subject to decisions based on automated processing

"Automated decision making" generally means that no human is involved in the processing of personal data or in the decision that results from it. The DPL recognises that individuals should be protected against unfair and harmful practices and gives a data subject a right not to be subjected to a decision based solely on automated processing. A data subject should be made aware of any such processing when the organisation first asks them to provide their data (ordinarily in the controller's privacy notice).

Walkers' comments

Under the DPL, both controllers and processors must comply with the data protection principles and ensure that a data subject's individual rights can be exercised and are complied with. Controllers and processors cannot delegate their responsibilities under the DPL.

The ODPA is focused on organisations that do not process data in accordance with the DPL, and we anticipate the ODPA increasing its efforts to ensure compliance by commencing inquiries and/or investigations. An organisation that does not comply with the DPL is at risk of receiving a reprimand, a warning or an enforcement order requiring it to do one or more things. Where there has been material non-compliance with the DPL, the ODPA may also impose an administrative fine on an organisation of up to £5,000,000 or £10,000,000, depending on the provision breached.

About Walkers' Guernsey regulatory team

Walkers' Guernsey regulatory team can advise on all aspects of Guernsey data protection, including data protection policies, procedures, privacy notices, data subject access requests and data protection audits.

We have a team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, tax, economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.