Guernsey - Data Protection Overview
October 2024
1. Governing Texts
Personal data is critical to the economy of Guernsey. As the Island and its Bailiwick benefits from a strong finance sector, ensuring that personal data can flow without restriction is a key part of the Bailiwick's continued success.
Historically, Guernsey has taken great care to ensure that its data protection regime provides standards of protection for personal data that are equivalent to those in force within the EU – and this was particularly important with the advent of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).
To date, the Bailiwick of Guernsey enjoys adequacy by virtue of a decision of the European Commission (Commission) which was, essentially, 'grandfathered' into the new regime under the GDPR. This decision is in the process of being reviewed.
1.1. Key acts, regulations, directives, bills
As the Bailiwick of Guernsey is not a member of the EU, it has implemented its own legislation to align with the GDPR. The processing of personal data in Guernsey is regulated by the Data Protection (Bailiwick of Guernsey) Law, 2017, as amended (Data Protection Law). There is also separate legislation governing the processing of personal data in the context of law enforcement known as the Data Protection (Law Enforcement and Related Matters) (Bailiwick of Guernsey) Ordinance, 2018.
Section 1 of the Data Protection Law states that, among others, the object of the Data Protection Law is the 'protection of the rights of individuals in relation to their personal data, and provide for the free movement of personal data, in a manner equivalent to the GDPR and the Law Enforcement Directive'.
Notwithstanding the Data Protection Law and its equivalence to the GDPR, the GDPR is also likely to apply to certain Guernsey businesses by virtue of its extraterritoriality provisions set out under Article 3 of the GDPR. This is relevant where a non-EU headquartered organization is 'established' within the EU (e.g. a company with a branch office in the EU), regardless of whether the organization chooses to process data about EU individuals inside or outside the EU. The extraterritoriality provisions might also apply to non-EU established organizations which are:
- offering goods or services to individuals in the EU, even if provided free of charge; or
- monitoring the behavior of individuals in the EU, where their behavior takes place in the EU.
The GDPR provides for a number of significant rights, obligations, and powers, which are mirrored in the Data Protection Law, including provisions relating to data breach notification, data subject rights, sanctions, children, processors, and accountability.
In addition, the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance, 2004 (as amended) (Ordinance) regulates, among other things, electronic communications services, nuisance calls, and direct marketing.
The Guernsey Financial Services Commission (GFSC), a body that regulates financial services businesses (FSBs), has, as of February 5, 2021, issued Cyber Security Rules and Guidance (Rules and Guidance) which impose additional obligations on FSBs to take into account cyber risk at board level. The Rules and Guidance focus on the following five core principles, outlined in a number of international cyber security frameworks:
- identify: take appropriate steps to identify material assets and carry out an assessment of significant associated cyber risks;
- protect: protect IT services;
- detect: detect any cyber security events;
- respond: have a plan in place to mitigate any disruption; and
- recover: be aware of the appropriate steps that need to be taken to restore business capabilities.
FSBs will also be subject to periodic reviews by the GFSC regarding their systems, policies, and procedures.
1.2. Guidelines
In July 2019, the Office of the Data Protection Authority (ODPA) issued and updated a series of guidelines to assist organizations active in Guernsey with specific areas of data protection law. Among such guidelines, the following should be highlighted:
- Guidance on Notification of Personal Data Breaches (Notification Guidance);
- Guidance on information to be given to a data subject about how their data is going to be handled;
- Guidance on Data Protection Impact Assessments (DPIAs);
- Guidance on Conditions for Lawful Processing;
- Guidance on Consent (Consent Guidance);
- Guidance on Data Portability;
- Guidance on Data Protection Measures by Design and Default;
- Guidance on Children (Children's Guidance);
- Guidelines on Data Protection Officers; and
- Guidelines on Special Category Data.
In 2021, the ODPA published updated information on data transfers, relating to the sending of data to another jurisdiction. This is likely to be of particular importance and is discussed in the section on data transfers.
The ODPA has introduced a new registration and levy collection regime which applies to all controllers and processors who are established within the Bailiwick, and accordingly has issued the Everything You Need to Know about the Registration and Levy Regime guidance.
In September 2023, the ODPA published FAQs relating to the Discrimination (Guernsey) Ordinance, 2022, which subsequently came into force on October 1, 2023. For employers, the legislation is likely to affect the way in which they are required to collect and use personal data about potential, new, and existing employees, and is likely to involve the processing of special category data, which is given a higher level of protection because of its sensitivity and potential for harm if misused. The ODPA also noted that, for employees, the discrimination legislation is likely to affect the way in which personal data about them is collected and used, and that this is likely to involve special category data, which is often more sensitive information. Data protection legislation recognizes the potential harm should such information be misused or mishandled and gives greater protection to it.
1.3. Case law
There have been no significant decisions in the Royal Court of Guernsey (Court) concerning data protection issues following the implementation of the Data Protection Law. In the event that issues arise, case law from Jersey and the UK would be considered to assist the Court. In addition, the ODPA, the guidance of the Information Commissioner's Office (ICO) in the UK, and the European Data Protection Board (EDPB) would also be considered persuasive by the Court.
2. Scope of Application
2.1. Personal scope
The Data Protection Law protects 'personal data'. The term 'personal data' is defined as any information which relates to an identified or identifiable living natural person. Therefore, the Data Protection Law does not protect information belonging to deceased persons or private or public organizations (whose information would be protected by other legal frameworks such as intellectual property law and confidentiality). An individual is identifiable from any information where the individual can be directly or indirectly identified from the information by reference to, for example, a name, identifier, factors such as a person's physical, physiological, genetic, mental, economic, cultural, or social identity, and any other objective factors.
The Data Protection Law contains a statutory exception that applies to individuals who process personal data solely for the purpose of their personal, family, or household affairs (including recreational purposes).
2.2. Territorial scope
The Data Protection Law applies to all controllers and processors who are established within the Bailiwick.
This term has a specific meaning under the Data Protection Law and includes situations where:
- the individual or entity is resident, incorporated, established, or registered within Guernsey or the neighboring islands of Alderney, Sark, and Herm (as applicable);
- the controller or processor maintains in the Bailiwick an office, branch, agency, or regular practice;
- the individual or entity causes or permits processing equipment to be used in the Bailiwick otherwise than for the purposes of transit through the Bailiwick; or
- the individual or entity is engaged in effective and real processing activities through stable arrangements in the Bailiwick.
A controller which satisfies Section 111(1)(b) to (d) of the Data Protection Law, under the definition of 'established in the Bailiwick', must also designate in writing a representative of the controller in the Bailiwick, notify the ODPA of the name and contact details of the representative, and authorize the representative to receive, on behalf of the controller, notices and other communications from the ODPA or other supervisory authorities.
2.3. Material scope
The Data Protection Law applies to all public and private sector entities insofar as they process personal data by automated means or as part of a relevant filing system. In practice, this captures virtually every private sector organization. The term 'processing' is broadly construed in line with the GDPR and includes (but is not limited to) any operation performed on personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, disclosing, combining, profiling, restricting, and erasing personal data.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The ODPA (formerly the Office of the Data Protection Commissioner) is an independent public official, appointed by the States of Guernsey (States), and is responsible for the enforcement of the Data Protection Law.
3.2. Main powers, duties and responsibilities
The ODPA's duty is to promote good practice and thereby encourage compliance with the Data Protection Law. This is to be achieved by issuing guidance, encouraging the drawing up of codes of conduct, and performing an advisory role for those who request it. The ODPA is also responsible for disseminating decisions, in particular, the Commission's decisions, to enable data controllers to remain updated as to the state of current laws and practices and may undertake assessments of the practices of data controllers to enable them to follow and maintain good practice.
In addition, the ODPA has the power to issue enforcement notices, undertake an assessment of a controller's practices, at the request of an affected data subject, and issue information and special information notices.
Failure to comply with an enforcement, information, or special information notice is a criminal offense.
4. Key Definitions
Data controller: A person who, either alone or jointly or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data processor: Any person, other than an employee of the data controller, who processes personal data on behalf of the data controller.
Personal data: Data that relates to a living individual who can be identified from that data or from that data and other information that is in the possession of, or is likely to come into the possession of, the data controller.
Sensitive data: Personal data revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, or health data, sex life, and criminal data. This is referred to as 'special category data'.
Health data: Health data means personal data relating to the health of an individual, including the provision of healthcare services, which reveals information about the individual's health status.
Biometric data: Means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or fingerprint data.
Pseudonymization: Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual, and 'pseudonymize' has a corresponding meaning.
5. Legal Bases
Unlike the GDPR, the Data Protection Law only requires a controller to satisfy (at least) one condition of processing in respect of personal and/or special category data.
Section 7 of the Data Protection Law states that the processing of personal data is lawful if at least one condition, as listed in Part I or II of Schedule 2 of the Data Protection Law, is satisfied, or, in the case of special category data, if at least one condition in Part II or III of Schedule 2 of the Data Protection Law is satisfied.
The conditions in Schedule 2 of the Data Protection Law include (but are not limited to):
5.1. Consent
The data subject has requested or given consent to the processing of the personal data for the purpose for which it is processed (Section 1, Part 1, Schedule 2 of the Data Protection Law).
5.2. Contract with the data subject
The processing is necessary for the conclusion or performance of a contract to which the data subject is party or is in the interest of the data subject, or the processing is necessary to take steps at the request of the data subject prior to entering into such a contract (Section 2, Part 1, Schedule 2 of the Data Protection Law).
5.3. Legal obligations
The processing is necessary for the controller to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by law, otherwise than by an enactment or an order or a judgment of a court or tribunal having the force of law in the Bailiwick (Section 6, Part 1, Schedule 2 of the Data Protection Law).
5.4. Interests of the data subject
The processing is necessary to protect the vital interests of the data subject or any other individual who is a third party (Section 3, Part 1, Schedule 2 of the Data Protection Law).
5.5. Public interest
The processing is necessary for the exercise or performance by a public authority of a function that is of a public nature or a task in the public interest (note that, unlike the GDPR, this condition only applies to public authorities) (Section 5, Part 1, Schedule 2 of the Data Protection Law).
5.6. Legitimate interests of the data controller
The processing is necessary for the purposes of the legitimate interests of the controller (other than a public authority) (Section 4, Part 1, Schedule 2 of the Data Protection Law).
5.7. Legal bases in other instances
According to Part II, Schedule 2 of the Data Protection Law, the processing is lawful:
- if the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject; and
- if it is necessary:
  - for the controller to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment;
  - in order to comply with a court order or judgment having force in the Bailiwick;
  - for social care purposes;
  - for reasons of public health;
  - for the administration of justice;
  - in limited circumstances, for the legitimate interests of a not-for-profit organization;
  - for historical or scientific purposes; or
  - for the purpose of or in connection with any legal proceedings, for the purpose of obtaining legal advice, or otherwise establishing or defending legal rights; and
- if it is authorized by regulations or enactment.
Part III, Schedule 2 of the Data Protection Law provides that processing is lawful if:
- the data subject has given their explicit consent to the processing; or
- the processing is necessary to protect the vital interests of the data subject and they are physically or legally incapable of giving consent or the controller cannot be reasonably expected to obtain explicit consent of the data subject.
In addition to the above, the States have authorized via the Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, 2018 (as amended) (Data Protection Regulations), a number of limited conditions that apply to a range of personal and special category data in the context of the processing of health data for insurance and pensions purposes, special category data for employment purposes, criminal data in the context of recruitment, and the provision of goods and services. These bases are subject to specific conditions and should be considered – as with all lawful bases – on a case-by-case basis.
Organizations can generally only send marketing texts or emails to individuals (including sole traders and some partnerships) if that person has provided specific and informed consent in accordance with the Data Protection Law. Indirect consent (e.g. consent originally given to a third party) is unlikely to be sufficient unless the 'soft opt in' exception applies in line with the Ordinance.
In relation to processing employee data, there is a presumption that consent will not be valid in an employment context due to the imbalance of power between the employer and the employee, as per the Consent Guidance. As mentioned above, specific limited conditions exist, where special category data is processed in an employment context.
6. Principles
Data controllers must comply with the data protection principles set out under Section 6(2) of the Data Protection Law (Principles).
The Principles comprise:
- lawfulness, fairness, and transparency: personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data (Section 6(2)(a) of the Data Protection Law);
- purpose limitation: personal data must be collected for specified, explicit, and legitimate purposes and, once collected, not further processed in a manner incompatible with those purposes (Section 6(2)(b) of the Data Protection Law);
- data minimization: personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Section 6(2)(c) of the Data Protection Law);
- accuracy: personal data must be accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data, that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay (Section 6(2)(d) of the Data Protection Law);
- storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed (Section 6(2)(e) of the Data Protection Law);
- integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (Section 6(2)(f) of the Data Protection Law); and
- accountability: the controller is responsible for, and must be able to demonstrate compliance with, the data protection principles described under paragraphs (a) to (f) of Section 6(2) of the Data Protection Law.
7. Controller and Processor Obligations
The Data Protection Law is principally addressed to data controllers and holds them responsible for compliance. Data controllers have various responsibilities under the Data Protection Law, including:
- compliance with the data protection principles;
- only processing personal data with the consent of the data subject, or as otherwise permitted or required by law;
- informing data subjects of their rights and granting access to data;
- having appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss or destruction, or damage to, personal data;
- compliance with data transfer requirements when transferring data internationally; and
- where processing is carried out on behalf of a data controller, choosing a data processor providing sufficient guarantees in respect of technical or organizational measures governing the processing being carried out and taking reasonable steps to ensure compliance with such measures.
Processors are also subject to certain specific obligations under the Data Protection Law. These include ensuring that appropriate processor clauses are in place with controllers in compliance with the Data Protection Law (see section on controller and processor contracts below). Failure to comply with these obligations could result in a processor being subject to regulatory enforcement by the ODPA and civil proceedings by data subjects. In practice, data controllers are also responsible for ensuring that any processors they appoint are compliant with the Data Protection Law.
Whilst not applicable in all cases, licensees of the GFSC are required to assess businesses to which they outsource certain functions against a published set of criteria. These cover issues such as security, robust compliance procedures, and suitability for the outsourced function. Data processors may fall within the scope of such criteria and, as such, this provides a further benchmark against which processors can be assessed.
In addition, Section 33 of the Data Protection Law requires two or more controllers who jointly determine the purposes and means of processing personal data (i.e. joint controllers) to explicitly agree on their respective responsibilities for compliance with the duties of controllers under the Data Protection Law. Any such agreement between the joint controllers may also designate a contact point for data subjects. The Data Protection Law does not require two or more controllers, who independently determine the purposes and means of processing personal data, to collaborate. However, if such a situation were to be investigated, the ODPA would likely consider the ICO's Code of Practice on Data Sharing.
7.1. Data processing notification
All controllers and processors established in the Bailiwick are required to register with the ODPA. The term 'established in the Bailiwick' is defined by virtue of Section 111(1) of the Data Protection Law.
A new regime for registration and levy collection was established on January 1, 2021. The new regime abolished the previous exemptions from registration and replaced them with a much narrower subset of exemptions. The effect of this is that the majority of controllers and processors established in the Bailiwick over a year ago now find themselves subject to the new regime and are required either to register directly with the ODPA via its website or to appoint a Levy Collection Agent (if applicable). The Levy Collection Agent is responsible, among other things, for collecting the levies of its administered entities (i.e. those entities which it is regulated under Guernsey law to administer), for issuing in turn a certificate of exemption to each such entity, and for keeping certain records stipulated under the Data Protection (General Provisions) (Bailiwick of Guernsey) (Amendment No. 2) Regulations, 2020.
In addition to being broader in scope, the new regime imposes a new fee structure. The new fee structure is based on headcount. In particular, the fee is based on the number of full-time equivalent (FTE) employees employed by the business.
There are two levels of fees:
- for organizations with 1 to 49 FTE employees: £50 per annum; or
- for organizations with 50 or more FTE employees: £2,000 per annum.
7.2. Data transfers
The starting point is that personal data must not be transferred to a country or territory outside of the Bailiwick unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects. In common with the GDPR, the Data Protection Law places restrictions on the extent to which personal data may be transferred to recipients outside the Bailiwick of Guernsey.
Guernsey has been recognized by the Commission as providing an adequate level of protection for personal data for the purpose of transferring data to countries outside the European Economic Area (EEA) (see Decision on the Adequate Protection of Personal Data in Guernsey (Decision 2003/821/EC)). Guernsey has been assessed by the Commission as providing adequate protection for personal data in Opinion 8/2007 on the Level of Protection of Personal Data in Jersey and Opinion 5/2003 on the Level of Protection of Personal Data in Guernsey. Guernsey has stated that continuing to be judged to be adequate is a strategic priority.
Under Article 45 of the GDPR, the adequacy bar has been significantly raised following the judgment of the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (Schrems II Case). The CJEU held that adequacy requires a regime 'essentially equivalent' to that guaranteed within the EU. Recital 104 of the GDPR tracks this language and requires that, for the Commission to adopt an adequacy decision, a third country must ensure 'an adequate level of protection essentially equivalent to that ensured within the EU'.
Under Article 45 of the GDPR, the Commission must consider an array of factors in assessing the adequacy of a third country, including, 'the rule of law, respect for human rights and fundamental freedoms, legislation relating to public security, defense, national security, and criminal law, the access of public authorities to personal data, rules for the onward transfer of personal data to other third countries or international organizations, case law, and the enforcement of data subject rights'. The existence and functioning of an independent regulator must also be considered, including their enforcement powers. Article 45 of the GDPR also provides for the ongoing monitoring and, if necessary, suspension and/or revocation of adequacy decisions.
This is, of course, also subject to the Commission assessing, for example, the adequacy of the security measures and the level of protection afforded by the controller or processor to whom the data is being transferred.
Following the implementation of the GDPR, Guernsey's adequacy findings have been 'grandfathered' into the new regime under Article 45(9) of the GDPR, subject, every four years, to a reassessment, which took place during 2020. Guernsey is awaiting the results of this reassessment.
In the absence of an adequacy decision by the Commission, transfers are permitted outside the EU/EEA under certain other specified circumstances, in particular where such transfers take place subject to 'appropriate safeguards'. The Data Protection Law replicates this regime for transfers outside Guernsey. Appropriate safeguards for such transfers include:
- Binding Corporate Rules (BCRs); and
- Standard Contractual Clauses (SCCs).
SCCs are generally the most commonly utilized mechanism for such transfers.
In June 2021, the Commission approved a new set of SCCs for international data transfers, with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679. The ODPA has now approved the new SCCs for international transfer as a valid transfer mechanism for data transfers from Guernsey.
The new SCCs for international transfers reflect the changes made to European data protection law by the GDPR and address some of the issues with the old version of SCCs (which include two controller-to-controller (C2C) sets (2001 and 2004) and a controller-to-processor (C2P) set (2010)). The new SCCs (unlike the old ones which only applied to C2C and C2P transfers), apply to a broader range of scenarios and include provisions for processor-to-processor (P2P) and processor-to-controller (P2C) agreements.
The new SCCs effectively combine all four sets of clauses into one document, allowing controllers and processors to 'build' the relevant agreement on a modular basis. The new SCCs also incorporate provisions to address the Schrems II Case, the effect of which was to invalidate the EU-U.S. Privacy Shield Framework and to place additional administrative conditions on the use of SCCs. While a transition period allowed businesses to incorporate the old SCCs into new contracts until September 27, 2021, as of that date, any Guernsey business looking to export personal data relying on SCCs is now required to use the new SCCs. All existing contracts were expected to have transitioned to the new SCCs by December 27, 2022.
Where controllers and processors are utilizing SCCs or BCRs, they will also need to take account of the Schrems II Case. The EDPB has published Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, in relation to supplementary measures to accompany international transfer tools. In summary, personal data exporters are required to follow a six-step process in relation to international transfers:
- know the transfers carried out, be aware of where the personal data is sent to ensure an essentially equivalent level of protection, and make sure the data transferred is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
- verify the transfer tool relied upon; using the SCCs or BCRs will be sufficient in this regard;
- assess if there is anything in the law and/or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools relied on, in the context of a specific transfer;
- identify and adopt the supplementary measures necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence; this step is only necessary if the assessment has revealed issues with the third country's safeguards. If no supplementary measure is suitable, exporters must avoid, suspend, or terminate the transfer;
- take any formal procedural steps the adoption of supplementary measures may require; and
- re-evaluate at appropriate intervals the level of protection afforded to the personal data transferred to third countries and monitor if there have been or there will be any developments that may affect it, on an ongoing basis.
In practice, the above requires a detailed and documented transfer impact assessment (TIA).
The Commission has recognized the UK as an adequate jurisdiction for the purposes of international data transfer, meaning that transfers between the UK and Guernsey may continue without restriction. Guernsey controllers and processors who are subject to the UK General Data Protection Regulation (Regulation (EU) 2016/679) (UK GDPR) by virtue of its extraterritoriality provisions will also need to consider whether they may need to use the UK's newly introduced International Data Transfer Agreement (IDTA) or Addendum, which came into force on March 21, 2022, and replaced the EU's SCCs.
7.3. Data processing records
Section 37 of the Data Protection Law imposes a duty on controllers and processors to keep records, make returns, and cooperate with the ODPA. The controller or processor must maintain any prescribed records for the prescribed periods of time, in the prescribed manner and form. These records must be made available to the ODPA on request.
Regulations 7 and 8 of the Data Protection Regulations require controllers and processors to maintain a written record of any processing carried out by or on behalf of the controller.
7.4. Data protection impact assessment
Under Section 44 of the Data Protection Law, a controller must not cause or permit any high-risk processing before carrying out a DPIA. The DPIA must be reviewed and revised where there is a change to the risks posed to the interests of data subjects or where the controller otherwise considers it necessary to do so.
Where a DPIA indicates that there is a high risk to the rights or freedoms of the data subject, the controller must consult the ODPA (Section 45 of the Data Protection Law).
The ODPA has not issued a list of processing activities that require a DPIA (i.e. a 'blacklist'). However, it has provided DPIA Screening Questions (Screening Questions) which can help data controllers assess whether a DPIA is needed. These are as follows:
- Will the project involve the collection of new information about individuals?
- Will the project compel individuals to provide information about themselves?
- Will information about individuals be disclosed to organizations or people who have not previously had routine access to the information?
- Are you, or will you be, using information about individuals for a purpose for which it is not currently used, or in a way it is not currently used?
- Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics, facial recognition, or profiling.
- Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them?
- Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records, other special category data, or other information that people would consider to be private; and
- Will the project require you to contact individuals in ways that they may find intrusive?
Method
The ODPA has published a DPIA template, which provides the following steps when conducting a DPIA, and after following the Screening Questions referred to above. These steps are as follows:
- identify the need for a DPIA;
- describe the information flows, e.g. describe the collection, use, and deletion of personal data, refer to a flow diagram or another way of explaining data flows where useful, and state how many people are likely to be affected by this project;
- explain what practical steps have been taken to ensure that data protection risks have been identified and addressed;
- identify the data protection and related risks (i.e. compliance and corporate risks);
- identify data protection solutions;
- determine who is responsible for approving the data protection risks involved in the project and what solutions need to be implemented; and
- determine who is responsible for integrating the DPIA outcomes into the project plan, and who will be the contact for future privacy concerns.
In addition, the Principles provide that when conducting a DPIA, the data protection principles should be taken into consideration, namely lawfulness, fairness and transparency, purpose limitation, minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
7.5. Data protection officer appointment
Section 47 of the Data Protection Law provides for the mandatory appointment of data protection officers (DPOs) in certain instances, including:
- where processing is carried out in the context of a public authority, other than a court or tribunal acting in its judicial capacity; or
- processing operations carried out as part of a core activity of a controller or processor where, by virtue of their nature, scope, or purpose, such operations require or involve large-scale and systematic monitoring of data subjects or large-scale processing of special category data.
Where the appointment of a DPO is mandatory, the controller or processor concerned must designate an individual as its DPO.
7.6. Data breach notification
As noted above, the Data Protection Law requires all controllers, upon becoming aware of a personal data breach, to provide written notice to the ODPA as soon as practicable and in any event no later than 72 hours after becoming aware of said breach. Section 42(5) of the Data Protection Law provides an exemption from the duty to notify the ODPA where the personal data breach is 'unlikely to result in any risk to the significant interests of the data subject'.
Businesses should, therefore, consider whether the type of personal data disclosed could, at the time of the breach and in the future, 'adversely affect the individual', taking into consideration such concerns as financial loss, reputational damage, or identity fraud. The bar is set quite low for reporting a breach to the ODPA, as there is usually at least some risk to the data subject, even if that risk is relatively minimal.
If the breach is reported to the ODPA, the information prescribed in Section 42(3) of the Data Protection Law will need to be provided, which includes:
- a description of the nature of the personal data breach;
- contact details of the DPO or contact point;
- a description of the likely consequences of such a breach;
- a description of the measures taken or proposed to be taken to address risks and mitigate against possible adverse effects; and
- an explanation of any delays where a breach has been notified after 72 hours.
Notification to data subjects
Pursuant to Section 43 of the Data Protection Law, where a data controller becomes aware of a personal data breach that is likely to pose a 'high risk' to the significant interests of a data subject, the controller must give the data subject written notice of the breach as soon as practicable. The Notification Guidance provides a non-exhaustive list of factors to consider when determining whether a breach poses a high risk to a data subject, including financial loss, reputational damage, and identity fraud. When assessing the risks, the ODPA expects all controllers to consider the nature, scope, context, and purpose of the compromised personal data, including whether special category data had been compromised.
In any event, businesses should document all considerations and reasoning for any decisions taken in respect of the breach and the reporting thereof.
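The 72-hour clock, the two notification decisions (ODPA under Section 42, data subjects under Section 43) and the documented reasoning recommended above, as an added example that is not from the page or from the ODPA: a small Python helper that records when the controller became aware of a breach, computes the deadline, decides who must be notified from the analyst's risk assessment, assembles the Section 42(3) content, and refuses to produce a late notice without the delay explanation the law requires. The risk tiers, the incident reference scheme and the sample breach are constructed assumptions, not anything prescribed by the Data Protection Law or the ODPA.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Section 42: written notice to the ODPA no later than 72 hours after becoming aware.
ODPA_NOTICE_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Analyst's assessment of the risk to data subjects' significant interests (assumed tiers)."""
    UNLIKELY = "unlikely to result in any risk"  # Section 42(5) exemption from notifying the ODPA
    SOME = "some risk"                           # notify the ODPA
    HIGH = "high risk"                           # notify the ODPA and the data subjects (Section 43)


@dataclass
class Breach:
    ref: str                  # internal incident reference (hypothetical scheme)
    aware_at: datetime        # timezone-aware moment the controller became aware
    nature: str               # Section 42(3): nature of the breach
    contact: str              # Section 42(3): DPO or contact point
    consequences: str         # Section 42(3): likely consequences
    measures: str             # Section 42(3): measures taken or proposed
    risk: Risk
    decision_log: list[str] = field(default_factory=list)  # considerations behind the risk call

    def __post_init__(self) -> None:
        # A naive timestamp makes the 72-hour deadline ambiguous; reject it up front.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def odpa_deadline(b: Breach) -> datetime:
    return b.aware_at + ODPA_NOTICE_WINDOW


def must_notify_odpa(b: Breach) -> bool:
    return b.risk is not Risk.UNLIKELY


def must_notify_data_subjects(b: Breach) -> bool:
    return b.risk is Risk.HIGH


def hours_overdue(b: Breach, now: datetime) -> float:
    """Hours past the 72-hour window; 0.0 while the window is still open."""
    return max(0.0, (now - odpa_deadline(b)).total_seconds() / 3600)


def odpa_notification(b: Breach, sent_at: datetime, delay_reason: str = "") -> dict[str, str]:
    """Assemble the Section 42(3) content; a late notice must carry an explanation of the delay."""
    if not must_notify_odpa(b):
        raise ValueError(f"{b.ref}: assessed as '{b.risk.value}'; document the reasoning, do not notify")
    overdue = hours_overdue(b, sent_at)
    if overdue > 0 and not delay_reason:
        raise ValueError(f"{b.ref}: notice is {overdue:.1f} h late and no delay explanation was given")
    notice = {
        "nature_of_breach": b.nature,
        "contact_point": b.contact,
        "likely_consequences": b.consequences,
        "measures": b.measures,
        "aware_at": b.aware_at.isoformat(),
        "sent_at": sent_at.isoformat(),
    }
    if overdue > 0:
        notice["delay_explanation"] = f"Notified {overdue:.1f} hours after the 72-hour window: {delay_reason}"
    return notice


def decision_record(b: Breach, now: datetime) -> dict[str, object]:
    """The record to keep for every breach, whether or not it is reported."""
    return {
        "ref": b.ref,
        "aware_at": b.aware_at.isoformat(),
        "odpa_deadline": odpa_deadline(b).isoformat(),
        "hours_overdue_now": hours_overdue(b, now),
        "risk": b.risk.value,
        "notify_odpa": must_notify_odpa(b),
        "notify_data_subjects": must_notify_data_subjects(b),
        "considerations": list(b.decision_log),
    }


def sample_breach(risk: Risk = Risk.HIGH) -> Breach:
    """Constructed sample incident used for the demonstration below."""
    return Breach(
        ref="INC-2024-0001",
        aware_at=utc(2024, 10, 1, 9),
        nature="Clinic letter containing health data emailed to the wrong patient",
        contact="dpo@example.invalid",  # placeholder address
        consequences="Disclosure of special category data to an unrelated third party",
        measures="Recipient asked to delete; sender retrained; address autocomplete disabled",
        risk=risk,
        decision_log=["Health data involved", "Recipient identity unknown", "Identity fraud plausible"],
    )


if __name__ == "__main__":
    b = sample_breach()
    print(decision_record(b, utc(2024, 10, 3, 9)))
    print(odpa_notification(b, utc(2024, 10, 4, 17), delay_reason="awaited recipient confirmation"))
```

The helper deliberately does not decide the risk level itself: that judgement depends on the nature, scope, context and purpose of the compromised data, which is why the record keeps the analyst's considerations alongside the mechanical deadline arithmetic.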
7.7. Data retention
Under the Data Protection Law, the overriding requirement with respect to data retention is that personal data is kept for 'no longer than is necessary'. Whilst there are exceptions, this is frequently viewed as being for a period equivalent to the limitation period or 'prescription period' as it is known in Guernsey. In other words, once the period within which an entity can potentially be sued has passed, the data should be destroyed. There are also certain periods prescribed by law and regulations for the retention of data. For example, certain company documentation must be retained as prescribed by the Companies (Guernsey) Law, 2008.
7.8. Children's data
Under the Data Protection Law, children are, for the first time, given express rights with regard to the processing of personal data. Children over the age of 13 years old may lawfully consent to the processing of their data in relation to the offer of information society services. Parental consent is required should information society service providers wish to process the data of children under the age of 13. The Children's Guidance issued by the ODPA provides further guidance in respect of children.
7.9. Special categories of personal data
Special category data is subject to additional restrictions on processing. Controllers must satisfy at least one of the Part II or III, Schedule 2 conditions in the Data Protection Law or a more limited condition authorized by the Data Protection Regulations. Many of these latter conditions are subject to public interest restrictions.
Criminal data falls within the class of special category data. It is not possible to rely on consent when processing criminal data unless certain conditions are met, including where the controller is authorized or required by any enactment to process the criminal data of any person at the application or request of, or otherwise with the consent of, the data subject or is authorized or required by enactment to apply to or request any person to process that criminal data (Section 10(7) of the Data Protection Law).
Finally, controllers must consider special category data in a number of circumstances including when appointing a DPO, conducting a DPIA, and when considering the application of the proportionality factors under paragraph 4, Schedule 9 of the Data Protection Law.
7.10. Controller and processor contracts
Agreements between controllers and processors
A controller must not appoint a processor to process personal data unless both of the following conditions are satisfied:
Condition A
The processor provides the controller with sufficient guarantees that reasonable technical and organizational measures will be carried out to ensure compliance with the Data Protection Law and safeguard data subjects (which include making information available to the controller regarding compliance with this provision).
Whilst the Data Protection Law does not define what 'sufficient guarantees' means in practice, controllers will be expected to undertake appropriate due diligence on all processors and ensure that appropriate guarantees are provided in the processor agreement.
Condition B
This condition requires the controller to put in place a legally binding agreement in writing with the processor setting out a number of requirements including the subject matter, duration, nature, scope, context and purpose of the processing, category of personal data, categories of data subjects affected, the duties and rights of the controller, and the duties imposed on the processor.
The data processing agreement must contain certain key provisions. These broadly align with the requirements under the GDPR and include:
- ensuring that personal data is processed only on the written instructions of the controller (including with regard to the transfer of personal data outside the Bailiwick);
- requiring the processor to inform the controller where it is required by law to process personal data contrary to the controller's written instructions;
- ensuring that any person authorized by the processor is legally bound to a duty of confidentiality;
- at the end of the services, and at the controller's discretion, delete, or return all personal data;
- requiring that reasonable technical and organizational measures are in place to assist the controller where a data subject is exercising their rights;
- taking reasonable steps to assist the controller to comply with its duties when complying with its security obligations and when conducting DPIAs;
- making available to the controller all information necessary to demonstrate compliance with its record-keeping responsibilities and facilitating any lawful audits or inspections; and
- a new requirement for the processor to inform the controller immediately if, in the processor's opinion, an instruction given by the controller to the processor breaches any applicable law.
A processor appointing a sub-processor is also subject to conditions. It must first obtain either the controller's specific consent or a general authorization (in which case the controller retains the right to object to any particular appointment). The controller should ensure that the duties imposed on the primary processor are flowed down to the sub-processor, notwithstanding that the primary processor remains fully liable under the Data Protection Law for any breach of a sub-processor's duties.
8. Data Subject Rights
8.1. Right to be informed
Data subjects have a right to be informed of who the data controller is and what will happen to the personal data they provide. This fair processing information is normally provided in the form of a privacy policy or notice. Sections 12 and 13 of the Data Protection Law set out the information to be provided to a data subject where the data has been collected from the data subject or from a third party respectively, and when it must be provided, i.e. at the time the data is collected.
The information provided in the privacy notice must be concise, transparent, intelligible, and easily accessible, written in clear and plain language, and free of charge.
8.2. Right to access
Data subjects have a right to be informed that their personal data is being processed by or on behalf of the data controller, the identity of the data controller, the nature of that personal data, the purposes for which they are being processed, and the recipients to whom it is or may be disclosed.
The right extends to being provided with a description of the personal data, its source and, where automated processing is involved, the logic involved in the decision-making, together with a notice confirming the identity of the data controller (and its representative, where applicable), the purposes for which the data are or will be processed, and any other information needed to make the processing fair and lawful. This notice must be given either at the time the data are first processed or, in certain circumstances, at a later time.
8.3. Right to rectification
Upon application by the data subject, the Court can order the erasure, rectification, or destruction of inaccurate personal data. If an order is made to that effect, the data controller can be forced to notify third parties to whom the data has been disclosed of the destruction, erasure, or rectification.
8.4. Right to erasure
Please see the section on the right to rectification above.
8.5. Right to object/opt-out
Data subjects have a right to prevent or to cease, the processing of their personal data where such processing causes, or is likely to cause, substantial unwarranted damage or distress to that individual.
8.6. Right to data portability
The Data Protection Law allows data subjects to obtain and reuse their personal data for their own purposes, meaning that data controllers must, upon request, provide the data subject with the relevant personal data in a structured, commonly used, and machine-readable format, suitable for transmission to another controller.
8.7. Right not to be subject to automated decision-making
Where automated decision-making is undertaken in relation to personal data, the data subject can require that no decisions are made solely using automated processing.
8.8. Other rights
Not applicable.
9. Penalties
Right to compensation
An individual who suffers damage or distress by reason of any contravention by a data controller of any requirement under the Data Protection Law is entitled to claim compensation from the data controller for such damage.
Under the previous regime, the ODPA did not possess the power to impose fines for non-compliance. There were criminal penalties available to the prosecuting authorities, but these were rarely invoked. The Data Protection Law introduces the power for the regulator to levy various levels of administrative fines for breaches of the Data Protection Law, as detailed further below. The ODPA also has the power under the Data Protection Law to make an order requiring a business to restrict or limit its processing operations, including requiring it to cease processing personal data altogether, which can have the effect of shutting down a business overnight.
Section 67 of the Data Protection Law provides that individuals can make a complaint to the ODPA if they consider that a controller or processor has breached, or is likely to breach, any 'operative provision'. The ODPA is obligated to investigate each complaint, save for in exceptional circumstances, for example, where the complaint is clearly unfounded or vexatious. The ODPA is also empowered to conduct inquiries on its own initiative, which may be conducted together with an investigation or separately. Upon completion of its investigations, the ODPA must determine whether or not the controller or processor concerned has breached or is likely to breach an operative provision and, if so, the appropriate sanction to be imposed.
There is a range of sanctions available to the ODPA under Sections 73 and 74 of the Data Protection Law, including a reprimand or warning, an order to take specified actions, or an order to pay a civil penalty by way of an administrative fine under Section 75 of the Data Protection Law (such sanctions are not mutually exclusive). Administrative fines under the Data Protection Law are generally lower than those available under the GDPR, with maximum amounts of £5 million or £10 million depending on the level of the breach, as detailed in Section 74 of the Data Protection Law.
9.1 Enforcement decisions
Enforcement activity has increased since the implementation of the Data Protection Law. On September 2, 2020, the ODPA issued its first administrative fine order against a Guernsey controller for £80,000 for lack of transparency in relation to the processing of personal data published in a public directory and breach of the accuracy principle.
This was followed on November 6, 2020, by a second administrative fine order against another Guernsey controller for £10,000, in respect of a personal data breach involving data of a 'highly sensitive and private' nature.
The ODPA has also taken other public enforcement action, including reprimands and enforcement orders, against (amongst others):
- the Guernsey Police, for breaching Section 6(2)(a) of the Data Protection Law (the principle of lawfulness, fairness, and transparency), highlighting a failure to obtain demonstrable consent for the processing of special category data;
- the Policy and Resources Committee (a public body), for failing to provide data subjects with information in accordance with Section 12(3) of the Data Protection Law;
- the States of Alderney, for requiring personal information of a sensitive nature without properly providing data subjects with information in accordance with Section 12 of the Data Protection Law;
- the Committee for Health and Social Care, for failing to respond in good time to a data subject access request (DSAR);
- the Guernsey Union D'Escrime LBG (GUE) (a Guernsey members' sports club), which was found to have breached Section 15 (right of access) of the Data Protection Law following a 237-day delay in responding to a family's DSAR regarding the GUE's involvement with a minor and related safeguarding concerns. The GUE was issued with an enforcement order requiring specific action to address shortcomings in its handling of DSARs and was given three months to demonstrate compliance;
- the Committee for Health and Social Care (HSC) (a division of Guernsey's government), which was issued with an enforcement order following an inappropriate response to a DSAR for an investigation report into alleged physical and emotional abuse of a vulnerable adult. The HSC disclosed a heavily redacted report and omitted its appendices. The ODPA found the redactions inappropriate, as they denied the family visibility of what had happened to the vulnerable adult, and held that the HSC had breached Sections 15 (right of access) and 25 (facilitating the exercise of data subject rights) of the Data Protection Law by unreasonably withholding information and resisting the family's attempts to obtain the full report. The HSC was ordered to release the full report, including the appendices, to the family with minimal redactions;
- six companies, which the ODPA successfully sued for non-payment of annual registration fees;
- the Policy and Resources Committee (P&R), which was issued with an enforcement order requiring it to disclose a redacted job reference to a jobseeker pursuant to a DSAR. P&R had initially withheld the reference, relying on the exception for personal data of other individuals and arguing that the reference could not be redacted without losing its context. The ODPA found that, in weighing the competing rights of the jobseeker and the other individuals, P&R had failed to give proper consideration to the jobseeker's significant interests in knowing what was said about them (particularly where it affected the recruitment decision), in challenging the validity of the reference and the decision, and in exercising any other rights available under the Data Protection Law. P&R was found to have breached Section 15 (right of access) and was ordered to provide the reference to the jobseeker with appropriate redactions of the other individuals' personal data; and
- the HSC, which was reprimanded for breaching Sections 42 and 43 (notification of personal data breaches) of the Data Protection Law when it failed to notify affected individuals of two data breaches until 50 and 62 days, respectively, after becoming aware of them. The HSC argued that it needed time to investigate the extent of the breaches and verify the contact details of the affected individuals. The ODPA accepted that an investigation was reasonable but found that the HSC had failed to carry it out in a timely manner.