Law: Data Protection (Jersey) Law, 2018 (the Law), and Data Protection Authority (Jersey) Law 2018 (the Authority Law)

Regulator: Jersey Office of the Information Commissioner (JOIC)

Summary: Data protection in Jersey is regulated by the Data Protection (Jersey) Law, 2018 (the Law) and the Data Protection Authority (Jersey) Law 2018 (the Authority Law). The Law and the Authority Law came into force on May 25, 2018. The Authority Law establishes the Data Protection Authority which can appoint a Board permitted to delegate most of its functions to the Jersey Office of the Information Commissioner (JOIC).

Controllers and processors established in Jersey are required by the Authority Law to register with the JOIC before commencing the processing of personal data. As of January 1, 2020, the Data Protection (Registration and Charges) (Amendment) (Jersey) Regulations 2019 have been effective which have introduced a new fees structure, with fees ranging from £70 to £1,600 depending on the size of the organization, its revenue, and the type of personal data processing.

The JOIC has issued guidance on various data protection issues, including Data Protection by Design and Default, Data Protection Impact Assessment (DPIA), and data subject rights. In addition, the JOIC has signed a memorandum of understanding (MoU) with the Guernsey Office of the Data Protection Authority (ODPA) in order to enhance the exchange of information and cooperation between the ODPA and the JOIC. The European Commission has recognized Jersey as providing adequate protection for the purpose of cross-border data transfers from the EU.