KEY TAKEAWAYS:
- The DPL requires organisations to provide detailed privacy notices, including controller identity, processing purposes, data subject rights and contact details
- Privacy notices must be clear, accessible, free of charge and delivered within specified timeframes
- Failure to comply with DPL requirements for privacy notices can result in significant fines from the ODPA
Introduction
This briefing is part of a Walkers series on the Data Protection (Bailiwick of Guernsey) Law, 2017 (the "DPL"), and provides an overview on what information organisations must provide data subjects when they collect information and how the information should be provided to data subjects.
A related briefing on the object of the DPL, some of the key concepts used in the DPL, what the data principles are and the rights of data subjects is available here.
What is a Privacy Notice?
The DPL recognises how important it is for individuals to be provided with clear, relevant and accurate information about what is happening to their data. When organisations collect data (whether that is online or offline, directly or indirectly) there must be absolute clarity about how that data will be used. The information provided about the processing of personal data should be written in clear and simple language which is concise and easily understood.
These can be called data processing notices, privacy notices, data protection notices or anything that clearly indicates that it is information relating to the way in which personal data is used.
The information contained within the privacy notice must be easily accessible and must be made available to the data subject free of charge. Any privacy notice should be tailored to the data subjects who receive it, depending upon how their data is utilised. The means by which the privacy notice is brought to the attention of the data subject at the time of the collection of the data must be determined by the organisation.
What information must be provided?
The DPL sets out in some detail the information which must be provided to data subjects. This includes (but is not limited to):
- the identity and contact details of the controller (and where applicable the controller's representative);
- the contact details of the data protection officer, where applicable;
- whether any of the data is special category data (special category data includes health information, political opinions, religious beliefs, ethnic origin etc.);
- the source the personal data originates from and whether it came from publicly available sources;
- the purposes and legal basis of the processing;
- where lawfulness of processing is based upon being necessary for the legitimate interests of the controller, what those legitimate interests are;
- the recipients or categories of recipients of the personal data, if any;
- if the controller intends to transfer the personal data to a recipient in an authorised jurisdiction, other than Guernsey or a member state of the European Union;
- the period for which the data is expected to be stored, or if that is not possible, the criteria used to determine that period;
- the data subject's rights under the DPL;
- the existence of the right to withdraw consent to process data;
- the right to complain to the Office of the Data Protection Authority in Guernsey ("ODPA"); and
- whether any decision will be made based on automated processing of the personal data.
When collecting personal data from individuals, an organisation does not need to provide them with any information that they already have. According to the ODPA, when obtaining personal data from other sources, the organisation does not need to provide data subjects with this information if:
- the data subject already has the information;
- providing the information to the data subject would be impossible;
- providing the information to the data subject would involve a disproportionate effort;
- providing the information to the data subject would prejudice the purpose for which the personal data is being processed;
- the information or personal data must be kept confidential or secret to perform or comply with a duty imposed by law on the controller; or
- the organisation is required by law to obtain or disclose the personal data.
How should the information be provided?
Where an organisation collects personal data from individuals, it must provide those data subjects with clear and accurate information setting out in some detail precisely how their data will be used. When an organisation obtains personal data from a source other than the data subject it relates to, it will need to provide the data subject with this information:
- within a reasonable period of obtaining the personal data and no later than one month;
- if the data is used to communicate with the individual, then at the latest, when the first communication takes place; or
- if disclosure to someone else is envisaged, then at the latest, when the data is disclosed.
The information an organisation supplies about the processing of personal data must be concise, transparent, intelligible and easily accessible. It should be written in clear and plain language, particularly if addressed to a child, and free of charge.
The means by which the privacy notice is brought to the attention of the data subject at the time of the collection of the data must be determined by the organisation. Where organisations utilise data across various jurisdictions they must ensure that they comply with all relevant local legislation.
Walkers’ comments
Any privacy notice should be tailored to the data subjects who receive it, depending upon how their data is utilised. Privacy notices can be complex and there is not a "one size fits all" solution that works across all organisations and data subjects. A failure to get it right could result in a significant fine being issued to your organisation by the ODPA.
About Walkers’ Guernsey regulatory team
Walkers’ Guernsey regulatory team can advise on all aspects of Guernsey data protection, including data protection policies, procedures, privacy notices, data subject access requests and data protection audits. We have a team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, tax, economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.