Matt Sanders
Managing Partner
Guernsey
KEY TAKEAWAYS:
The Data Protection (Bailiwick of Guernsey) Law, 2017 (the "DPL") came into force on 25 May 2018 to coincide with the enforcement of the EU's General Data Protection Regulation (EU) 2016/679 (the "GDPR"). The European Commission has granted Guernsey "adequacy" status and recognises the legal standards applicable in Guernsey as covering all the principles necessary for an adequate level of protection for natural persons. This allows EU organisations to transfer personal data to Guernsey without additional safeguards. The Office of the Data Protection Authority (the "ODPA") is the independent supervisory authority for the purposes of the DPL and associated legislation.
In this briefing we will explore the object of the DPL, some of the key concepts used in the DPL, what the data principles are and the rights of data subjects.
Object of the DPL
The object of the DPL is to protect the rights of individuals in relation to their personal data, and to provide for the free movement of personal data, in a manner equivalent to the GDPR and associated legislation. According to the ODPA, the aim of data protection is to ensure people are treated fairly and lawfully, protecting them from the harms that can arise from their personal data being misused.
Key terms
Although the DPL is drafted in an accessible way, it is not free from legal jargon. Some of the key legal concepts used in the DPL and associated legislation are:
Data Protection principles
At the core of the DPL are the seven data protection principles. They set out how personal data must be handled, ensuring that an individual's rights are respected. Under the DPL, both controllers and processors must comply with the "data protection principles", which are as follows:
Lawfulness, fairness and transparency
Processing of personal data must be carried out in a lawful, fair and transparent manner in relation to the data subject.
Purpose limitation
Personal data must only be collected for a specific, explicit and legitimate purpose and, once collected, cannot be processed in a manner incompatible with that purpose.
Minimisation
Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purpose.
Accuracy
Personal data processed must be accurate and, where necessary, kept up to date.
Storage limitation
Personal data should not be kept for longer than is necessary for the purpose for which it is processed.
Integrity and confidentiality
Personal data must be processed in a manner that ensures its security, using appropriate technical or organisational measures.
Accountability
The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
Data Subject Rights
The DPL gives individuals 10 specific rights around how information about them should be treated, and it places obligations on organisations/businesses to ensure that they use people's data properly. Data subjects have the following rights under the DPL:
1. The right to information for personal data collected from data subjects
The data subject has a right to be given specific information (which is ordinarily set out in the controller's privacy notice), including a statement as to:
2. Right to data portability
This element of the DPL allows a data subject to have their personal data transmitted from one organisation that acts as a "controller" of their data to another organisation that the data subject wishes to have control of their data. All local organisations should assess how they could transfer or copy all data relating to a specific person from their systems and provide it to that person in a structured, "machine readable" format that can be imported into another organisation's system. This could be as simple as using specific types of software files.
3. Right of access
This right allows a data subject to ask what personal data an organisation holds about them and why. This right is exercised by way of a Data Subject Access Request ("DSAR"). In summary, a DSAR is when a data subject asks what personal data a controller holds about them and what the organisation is doing with that personal data. An organisation must respond to a DSAR within one month, although the DPL allows for this period to be extended where the DSAR is complex.
4. Right to object to processing for direct marketing purposes
If an organisation is processing personal data for direct marketing purposes, a data subject has the right to require it to stop, by writing directly to the organisation concerned and making such a request. At that point the organisation must stop sending the data subject any such material. A data subject must be informed explicitly, before or at the time of the controller's first communication, of their right to object to processing for marketing purposes. This notice must be presented separately from any other matters notified to the data subject.
5. Right to object to processing on grounds of public interest
This right only operates where the lawfulness of the processing of personal data is based exclusively on legitimate interests, or where the processing is necessary for the performance of a public function or task by a public authority. In these circumstances, the data subject has a right to require the controller to cease the processing (by written request). The controller must give the data subject notice of the processing and must explicitly inform the data subject, before or at the time of the controller's first communication, of their right to object to the processing.
6. Right to object to processing for historical or scientific purposes
If an organisation is processing personal data on the basis that it is necessary for historical or scientific purposes, the data subject has a right to request that it stops the processing. The data subject needs to write directly to the organisation concerned to make any such request.
7. Right to rectification
This right can be exercised where a data subject disputes the accuracy or completeness of their personal data. The data subject has a right to require the controller to rectify or change the personal data, and may make a written request to the controller to do so, stating the inaccuracy or explaining why the personal data is incomplete. If the controller is a public authority, it is required to have a data protection officer whom the data subject can contact.
8. Right to erasure
A data subject has the right to require a controller to erase their personal data when, for example, the personal data is no longer necessary, the data subject withdraws their consent, or the data subject objects to the processing. This right is sometimes referred to as the "right to be forgotten".
A data subject will write directly to the organisation concerned to make any such request. If the controller is a public authority, it is required to have a data protection officer whom the data subject can contact.
9. Right to restriction of processing
A data subject can obtain a restriction on processing when the accuracy or completeness of the personal data processed by the controller is disputed, when the processing is unlawful, or when the personal data is no longer necessary for the purposes for which it was collected. A restriction on processing can also be obtained if the data subject objects to processing carried out for historical or scientific purposes or on public interest grounds.
10. Right not to be subject to decisions based on automated processing
"Automated decision making" generally means that no human is involved in the processing of personal data or in the decisions based on it. The DPL recognises that individuals should be protected against unfair and harmful practices and provides a data subject with a right not to be subjected to such an automated decision. A data subject should be made aware of all such processing by the organisation when it first asks the data subject to provide their data (this is ordinarily set out in the controller's privacy notice).
Walkers' comments
Under the DPL, both controllers and processors must comply with the "data protection principles" and ensure that a data subject's individual rights can be exercised and complied with. Controllers and processors cannot delegate their responsibilities under the DPL.
The ODPA is focused on organisations that do not process data in accordance with the DPL, and we anticipate the ODPA increasing its efforts to ensure compliance by commencing inquiries and/or investigations. Where an organisation does not act in compliance with the DPL, it is at risk of receiving a reprimand, a warning or an enforcement order requiring the controller to do one or more things. Where there has been material non-compliance with the DPL, the ODPA may also impose an administrative penalty on an organisation of up to a maximum of £5,000,000 or £10,000,000 (depending on the operative provision breached).
About Walkers’ Guernsey regulatory team
Walkers’ Guernsey regulatory team can advise on all aspects of Guernsey data protection, including data protection policies, procedures, privacy notices, data subject access requests and data protection audits.
We have a team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, tax, economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.