Guernsey - Data Protection Overview
Personal data is critical to the economy of Guernsey. As the Island and its Bailiwick benefits from a strong finance sector, ensuring that personal data can flow without restriction is a key part of the Bailiwick's continued success.
Historically, Guernsey has taken great care to ensure that its data protection regime provides standards of protection for personal data which are equivalent to those in force within the EU – and this was particularly important with the advent of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
To date, the Bailiwick of Guernsey enjoys adequacy by virtue of a decision of the European Commission ('Commission') which was, essentially, 'grandfathered' into the new regime under the GDPR. This decision is in the process of being reviewed.
1. GOVERNING TEXTS
As the Bailiwick of Guernsey is not a member of the EU, it has implemented its own legislation to align with the GDPR. The processing of personal data in Guernsey is regulated by the Data Protection (Bailiwick of Guernsey) Law, 2017, as amended ('the Data Protection Law'). There is also separate legislation governing the processing of personal data in the context of law enforcement known as the Data Protection (Law Enforcement and Related Matters) (Bailiwick of Guernsey) Ordinance, 2018.
Section 1 of the Data Protection Law states that, amongst others, the object of the Data Protection Law is to 'protect the rights of individuals in relation to their personal data, and provide for the free movement of personal data, in a manner equivalent to the GDPR and the Law Enforcement Directive'.
Notwithstanding the Data Protection Law and its equivalence to the GDPR, the GDPR is also likely to apply to certain Guernsey businesses by virtue of its extraterritoriality provisions set out under Article 3 of the GDPR. This is relevant where a non-EU headquartered organisation is 'established' within the EU (e.g. a company with a branch office in the EU), regardless of whether the organisation chooses to process data about EU individuals inside or outside the EU. The extraterritoriality provisions might also apply to non-EU established organisations which are:
- offering goods or services to individuals in the EU, even if provided free of charge; or
- monitoring the behaviour of individuals in the EU, where their behaviour takes place in the EU.
The GDPR provides for a number of significant rights, obligations, and powers, which are mirrored in the Data Protection Law, including provisions relating to data breach notification, data subject rights, sanctions, children, processors, and accountability.
In addition, the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance, 2004 (as amended) ('the Ordinance') regulates, among other things, electronic communications services, nuisance calls, and direct marketing.
The Guernsey Financial Services Commission ('the GFSC'), a body which regulates financial services businesses ('FSBs'), has, as of 5 February 2021, issued Cyber Security Rules and Guidance ('the Rules and Guidance') which impose additional obligations on FSBs to take into account cyber risk at board level. The Rules and Guidance focus on the following five core principles, outlined in a number of international cyber security frameworks:
- identify: take appropriate steps to identify material assets and carry out an assessment of significant associated cyber risks;
- protect: protect IT services;
- detect: detect any cyber security events;
- respond: have a plan in place to mitigate any disruption; and
- recover: be aware of the appropriate steps that need to be taken to restore business capabilities.
FSBs will also be subject to periodic reviews by the GFSC regarding their systems, policies, and procedures.
In July 2019, the Office of the Data Protection Authority ('ODPA') issued and updated a series of guidelines to assist organisations active in Guernsey with specific areas of data protection law. Among such guidelines, the following should be highlighted:
- Guidance on Notification of Personal Data Breaches ('the Notification Guidance');
- Guidance on information to be given to a data subject about how their data is going to be handled;
- Guidance on Data Protection Impact Assessments ('DPIAs');
- Guidance on Conditions for Lawful Processing;
- Guidance on Consent ('the Consent Guidance');
- Guidance on Data Portability;
- Guidance on Data Protection Measures by Design and Default;
- Guidance on Children ('the Children's Guidance');
- Guidelines on Data Protection Officers; and
- Guidelines on Special Category Data.
In 2021, the ODPA published updated information on data transfers, relating to the sending of data to another jurisdiction. This is likely to be of particular importance and is discussed in section 7.2.
The ODPA has introduced a new registration and levy collection regime which applies to all controllers and processors who are established within the Bailiwick, and accordingly has issued the Everything You Need to Know about the Registration and Levy Regime guidance.
1.3. Case law
There have been no significant decisions in the Royal Court of Guernsey ('the Court') concerning data protection issues following the implementation of the Data Protection Law. In the event that issues arise, case law from Jersey and the UK would be considered to assist the Court. In addition, the guidance of the ODPA, the Information Commissioner's Office ('ICO') in the UK, and the European Data Protection Board ('EDPB') would also be considered persuasive by the Court.
2. SCOPE OF APPLICATION
The Data Protection Law protects 'personal data'. The term 'personal data' is defined as any information which relates to an identified or identifiable living natural person. Therefore, the Data Protection Law does not protect information belonging to deceased persons or private or public organisations (whose information would be protected by other legal frameworks such as intellectual property law and confidentiality).
An individual is identifiable from any information where the individual can be directly or indirectly identified from the information by reference to, for example, a name, identifier, factors such as a person's physical, physiological, genetic, mental, economic, cultural or social identity, and any other objective factors.
The Data Protection Law contains a statutory exception which applies to individuals who process personal data solely for the purpose of their personal, family, or household affairs (including recreational purposes).
The Data Protection Law applies to all controllers and processors who are established within the Bailiwick.
This term has a specific meaning under the Data Protection Law and includes situations where:
- the individual or entity is resident, incorporated, established, or registered within Guernsey or the neighbouring islands of Alderney, Sark, and Herm (as applicable);
- the controller or processor maintains in the Bailiwick an office, branch, or agency or regular practice;
- causes or permits processing equipment to be used in the Bailiwick otherwise than for the purposes of transit through the Bailiwick; or
- is engaged in effective and real processing activities through stable arrangements in the Bailiwick.
A controller which satisfies Section 111(1)(b)-(d) of the Data Protection Law, under the definition of 'established in the Bailiwick', must also designate in writing a representative of the controller in the Bailiwick, notify the ODPA of the name and contact details of the representative, and authorise the representative to receive, on behalf of the controller, notices and other communications from the ODPA or other supervisory authorities.
The Data Protection Law applies to all public and private sector entities insofar as they use or process personal data processed by automated means, or recorded as part of a relevant filing system. In practice, this captures virtually every private sector organisation.
The term 'processing' is broadly construed in line with the GDPR and includes (but is not limited to) any operations which are performed on personal data whether or not by automated means such as, collecting, recording, organising, structuring or storing data, adapting, altering, retrieving, disclosing, combining, profiling, restricting, and erasing personal data.
3.1. Main regulator for data protection
The ODPA (formerly the Office of the Data Protection Commissioner) is an independent public official, appointed by the States of Guernsey ('the States'), and is responsible for the enforcement of the Data Protection Law.
3.2. Main powers, duties and responsibilities
The ODPA's duty is to promote good practice and thereby encourage compliance with the Data Protection Law. This is to be achieved by issuing guidance, encouraging the drawing up of codes of conduct, and performing an advisory role for those who request it.
The ODPA is also responsible for disseminating decisions, in particular, the Commission's decisions, to enable data controllers to remain updated as to the state of current laws and practices, and may undertake assessments of the practices of data controllers to enable them to follow and maintain good practice.
In addition, the ODPA has the power to issue enforcement notices, undertake an assessment of a controller's practices, at the request of an affected data subject, and issue information and special information notices.
Failure to comply with an enforcement, information or special information notice is a criminal offence.
4. KEY DEFINITIONS
Personal data: Data which relates to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
Sensitive data: Personal data revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, or health data, sex life, and criminal data. This is referred to as 'special category data'.
Biometric data: Means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or fingerprint data.
Pseudonymisation: Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable individual, and 'pseudonymise' has a corresponding meaning.
5. LEGAL BASES
Unlike the GDPR, the Data Protection Law only requires a controller to satisfy (at least) one condition of processing in respect of personal and/or special category data.
Section 7 of the Data Protection Law states that the processing of personal data is lawful if at least one condition, as listed in Part I or II of Schedule 2 of the Data Protection Law, is satisfied, or, in the case of special category data, if at least one condition in Part II or III of Schedule 2 of the Data Protection Law is satisfied.
The conditions in Schedule 2 of the Data Protection Law include (but are not limited to):
- the data subject has requested or given consent to the processing of the personal data for the purpose for which it is processed (Section 1, Part 1, Schedule 2 of the Data Protection Law);
- the processing is necessary for the conclusion or performance of a contract to which the data subject is party or is in the interest of the data subject, or the processing is necessary to take steps at the request of the data subject prior to entering into such a contract (Section 2, Part 1, Schedule 2 of the Data Protection Law);
- the processing is necessary for the controller to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by law, otherwise than by an enactment or an order or a judgment of a court or tribunal having the force of law in the Bailiwick (Section 6, Part 1, Schedule 2 of the Data Protection Law);
- the processing is necessary to protect the vital interests of the data subject or any other individual who is a third party (Section 3, Part 1, Schedule 2 of the Data Protection Law);
- the processing is necessary for the exercise or performance by a public authority of a function that is of a public nature or a task in the public interest (note that, unlike the GDPR, this condition only applies to public authorities) (Section 5, Part 1, Schedule 2 of the Data Protection Law); and
- the processing is necessary for the purposes of the legitimate interests of the controller (other than a public authority) (Section 4, Part 1, Schedule 2 of the Data Protection Law).
According to Part II, Schedule 2 of the Data Protection Law, the processing is lawful:
- if the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject;
- if it is necessary:
  - for the controller to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment;
  - in order to comply with a court order or judgment having force in the Bailiwick;
  - for social care purposes;
  - for reasons of public health;
  - for the administration of justice;
  - in limited circumstances, for the legitimate interests of a not-for-profit organisation;
  - for historical or scientific purposes; or
  - for the purpose of or in connection with any legal proceedings, for the purpose of obtaining legal advice or otherwise establishing or defending legal rights; and
- if it is authorised by regulations or enactment.
Part III, Schedule 2 of the Data Protection Law provides that processing is lawful if:
- the data subject has given their explicit consent to the processing; or
- the processing is necessary to protect the vital interests of the data subject and they are physically or legally incapable of giving consent or the controller cannot be reasonably expected to obtain explicit consent of the data subject.
In addition to the above, the States has authorised via the Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, 2018 (as amended) ('the Data Protection Regulations'), a number of limited conditions which apply to a range of personal and special category data in the context of the processing of health data for insurance and pensions purposes, special category data for employment purposes, and criminal data in the context of recruitment, the provision of goods and services. These bases are subject to specific conditions and should be considered – as with all lawful bases – on a case-by-case basis.
Organisations can generally only send marketing texts or emails to individuals (including sole traders and some partnerships) if that person has provided specific and informed consent in accordance with the Data Protection Law. Indirect consent (e.g. consent originally given to a third party) is unlikely to be sufficient unless the 'soft opt in' exception applies in line with the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance, 2004.
In relation to processing employee data, there is a presumption that consent will not be valid in an employment context due to the imbalance of power between the employer and the employee, as per the Consent Guidance. As mentioned above, specific limited conditions exist where special category data is processed in an employment context.
Data controllers must comply with the data protection principles set out under Section 6(2) of the Data Protection Law ('the Principles').
The Principles comprise:
- lawfulness, fairness, and transparency: personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data (Section 6(2)(a) of the Data Protection Law);
- purpose limitation: personal data must be collected for specified, explicit, and legitimate purposes and, once collected, not further processed in a manner incompatible with those purposes (Section 6(2)(b) of the Data Protection Law);
- data minimisation: personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Section 6(2)(c) of the Data Protection Law);
- accuracy: personal data must be accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay (Section 6(2)(d) of the Data Protection Law);
- storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (Section 6(2)(e) of the Data Protection Law);
- integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Section 6(2)(f) of the Data Protection Law); and
- accountability: the controller is responsible for, and must be able to demonstrate compliance with, the data protection principles described under paragraphs (a) – (f) of Section 6(2) of the Data Protection Law.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
The Data Protection Law is principally addressed to data controllers and holds them responsible for compliance. Data controllers have various responsibilities under the Data Protection Law, including:
- compliance with the data protection principles;
- only processing personal data with the consent of the data subject, or as otherwise permitted or required by law;
- informing data subjects of their rights and granting access to data;
- having appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction, or damage to, personal data;
- compliance with data transfer requirements when transferring data internationally; and
- where processing is carried out on behalf of a data controller, choosing a data processor providing sufficient guarantees in respect of technical or organisational measures governing the processing being carried out and taking reasonable steps to ensure compliance with such measures.
Processors are also subject to certain specific obligations, under the Data Protection Law. These include ensuring that appropriate processor clauses are in place with controllers in compliance with the Data Protection Law (see section 7.10. below).
Failure to comply with these obligations could result in a processor being subject to regulatory enforcement by the ODPA and civil proceedings by data subjects. In practice, data controllers are also responsible for ensuring that any processors they appoint are compliant with the Data Protection Law.
Whilst not applicable in all cases, licensees of GFSC are required to assess businesses to which they outsource certain functions against a published set of criteria. These cover issues such as security, robust compliance procedures, and suitability for the outsourced function. Data processors may fall within the scope of such criteria and, as such, this provides a further benchmark against which processors can be assessed.
In addition, Section 33 of the Data Protection Law requires two or more controllers who jointly determine the purposes and means of processing personal data (i.e. joint controllers) to explicitly agree on their respective responsibilities for compliance with duties of controllers under the Data Protection Law. Any such agreement between the joint controllers may also designate a contact point for data subjects.
The Data Protection Law does not impose an equivalent requirement on two or more controllers who independently determine the purposes and means of processing personal data, but the ODPA would likely have regard to the ICO's Code of Practice on Data Sharing if it was required to investigate such a matter.
All controllers and processors established in the Bailiwick are required to register with the ODPA. The term 'established in the Bailiwick' is defined by virtue of Section 111(1) of the Data Protection Law.
A new regime was established on 1 January 2021 for registration and levy collection. The new regime abolished the exemptions from registration and replaced them with a much narrower sub-set of exemptions. The effect of this is that the majority of controllers and processors established in the Bailiwick over a year ago now find themselves subject to the new regime and are required to register directly with the ODPA via its website, or appoint a Levy Collection Agent (if applicable). The Levy Collection Agent is responsible, amongst other things, for collecting levies from administered entities (i.e. those entities which it is regulated under Guernsey law to administer), in turn issuing certificates of exemption to each entity, and keeping certain records stipulated under the Data Protection (General Provisions) (Bailiwick of Guernsey) (Amendment No. 2) Regulations, 2020.
In addition to being broader in scope, the new regime imposes a new fees structure. The new fee structure is based on head count. In particular, the fee is based on the number of full-time equivalent (FTE) employees employed by the business.
There are two levels of fees:
- for organisations with 1-49 FTE employees: £50 per annum; or
- for organisations with 50 or more FTE employees: £2,000 per annum.
The starting point is that personal data must not be transferred to a country or territory outside of the Bailiwick unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects. In common with the GDPR, the Data Protection Law places restrictions on the extent to which personal data may be transferred to recipients outside the Bailiwick of Guernsey.
Guernsey has been recognised by the Commission as providing an adequate level of protection for personal data for the purpose of transferring data to countries outside the EEA (see the Decision on the Adequate Protection of Personal Data in Guernsey (Decision 2003/821/EC)).
Guernsey has been assessed by the Commission as providing adequate protection for personal data in Opinion 8/2007 on the Level of Protection of Personal Data in Jersey and Opinion 5/2003 on the Level of Protection of Personal Data in Guernsey. Guernsey has stated that continuing to be judged to be adequate is a strategic priority.
Under Article 45 of the GDPR, the adequacy bar has been significantly raised following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). The CJEU held that adequacy requires an 'essentially equivalent' regime to that guaranteed within the EU.
Recital 104 of the GDPR tracks this language and provides that a Commission adequacy decision requires the third country to offer 'an adequate level of protection essentially equivalent to that ensured within the EU.'
Under Article 45 of the GDPR, the Commission must consider an array of factors in assessing the adequacy of a third country, including, 'the rule of law, respect for human rights and fundamental freedoms, legislation relating to public security, defence, national security and criminal law, the access of public authorities to personal data, rules for the onward transfer of personal data to other third countries or international organisations, case law, and the enforcement of data subject rights.'
The existence and functioning of an independent regulator must also be considered, including their enforcement powers. Article 45 of the GDPR also provides for the ongoing monitoring and, if necessary, suspension and/or revocation of adequacy decisions.
This is, of course, subject to the data controller assessing, for example, the adequacy of security measures and the level of protection afforded by the controller or processor to whom the data is being transferred.
Following the implementation of the GDPR, Guernsey's adequacy findings have been 'grandfathered' into the new regime under Article 45(9) of GDPR, subject, every four years, to a reassessment, which took place during 2020. Guernsey is awaiting the results of this reassessment.
In the absence of an adequacy decision by the Commission, transfers are permitted outside the EU/EEA under certain other specified circumstances, in particular where such transfers take place subject to 'appropriate safeguards'. The Data Protection Law replicates this regime for transfers outside Guernsey.
Appropriate safeguards for such transfers include:
- Binding Corporate Rules ('BCRs'); and
- Standard Contractual Clauses ('SCCs').
SCCs are generally the most commonly utilised mechanism for such transfers.
In June 2021, the Commission approved a new set of SCCs for international data transfers, with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679. The ODPA has now approved the new SCCs for international transfer as a valid transfer mechanism for data transfers from Guernsey.
The new SCCs for international transfers reflect the changes made to European data protection law by the GDPR and address some of the issues with the old version of SCCs (which include two controller to controller ('C2C') sets (2001 and 2004) and a controller to processor ('C2P') set (2010)). The new SCCs (unlike the old ones which only applied to C2C and C2P transfers), apply to a broader range of scenarios and include provisions for processor-to-processor ('P2P') and processor-to-controller ('P2C').
The new SCCs effectively combine all four sets of clauses into one document, allowing controllers and processors to 'build' the relevant agreement on a modular basis.
The new SCCs also incorporate provisions to address the Schrems II Case, the effect of which was to invalidate the EU-U.S. Privacy Shield Framework and to place additional administrative conditions on the use of SCCs.
While a transition period allows businesses to incorporate the old SCCs into new contracts until, at the latest, 27 September 2021, any Guernsey business looking to export personal data relying on SCCs will after that date need to use the new SCCs. All existing contracts must be transitioned to the new SCCs by 27 December 2022.
Where controllers and processors are utilising SCCs (either new or old) or BCRs, they will need also to take account of the Schrems II Case. The EDPB has published Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, in relation to supplementary measures to accompany international transfer tools. In summary, personal data exporters are required to follow a 6-step process in relation to international transfers:
- know the transfers carried out, be aware of where the personal data is sent to ensure an essentially equivalent level of protection, and make sure the data transferred is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
- verify the transfer tool relied on; using the SCCs or BCRs is sufficient for this step;
- assess if there is anything in the law and/or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools relied on, in the context of a specific transfer;
- identify and adopt the supplementary measures necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence; this step is only necessary if the assessment has revealed issues with the third country's safeguards. If no supplementary measure is suitable, exporters must avoid, suspend, or terminate the transfer;
- take any formal procedural steps the adoption of supplementary measures may require; and
- re-evaluate at appropriate intervals the level of protection afforded to the personal data transferred to third countries and monitor if there have been or there will be any developments that may affect it, on an ongoing basis.
In practice, the above requires a detailed and documented transfer impact assessment ('TIA').
The Commission has recognised the UK as an adequate jurisdiction for the purposes of international data transfer, meaning that transfers to and from the UK and Guernsey may continue without restriction.
Guernsey controllers and processors who are subject to the UK General Data Protection Regulation (Regulation (EU) 2016/679) ('UK GDPR') by virtue of its extraterritoriality provisions will also need to consider whether they may need to continue using the old SCCs – the UK is yet to make a decision on replacing them for the purposes of the UK GDPR.
Section 37 of the Data Protection Law imposes a duty on controllers and processors to keep records, make returns, and cooperate with the ODPA. The controller or processor must maintain any prescribed records for the prescribed periods of time, in the prescribed manner and form. These records must be made available to the ODPA on request.
Regulations 7 and 8 of the Data Protection Regulations require controllers and processors to maintain a written record of any processing carried out by or on behalf of the controller.
Under Section 44 of the Data Protection Law, a controller must not cause or permit any high risk processing before carrying out a DPIA. The DPIA must be reviewed and revised where there is a change to the risks posed to the interests of data subjects or where the controller otherwise considers it necessary to do so.
Where a DPIA indicates that there is a high risk to the rights or freedoms of the data subject, the controller must consult the ODPA (Section 45 of the Data Protection Law).
Section 47 of the Data Protection Law provides for the mandatory appointment of data protection officers ('DPOs') in certain instances, including:
- where processing is carried out in the context of a public authority, other than a court or tribunal acting in its judicial capacity; or
- processing operations carried out as part of a core activity of a controller or processor where, by virtue of their nature, scope or purpose, such operations require or involve large-scale and systematic monitoring of data subjects or large-scale processing of special category data.
Where the appointment of a DPO is mandatory, the controller and the processor must jointly designate an individual as a DPO.
As noted above, the Data Protection Law requires all controllers, upon becoming aware of a personal data breach, to provide written notice to the ODPA as soon as practicable and in any event no later than 72 hours after becoming aware of said breach. Section 42(5) of the Data Protection Law provides an exemption from the duty to notify the ODPA where the personal data breach is 'unlikely to result in any risk to the significant interests of the data subject.'
Businesses should, therefore, consider whether the type of personal data disclosed could, at the time of the breach and in the future, 'adversely affect the individual', taking into consideration such concerns as financial loss, reputational damage, or identity fraud. The bar is set quite low for reporting a breach to the ODPA, as there is usually at least some risk to the data subject, even if that risk is relatively minimal.
If the breach is reported to the ODPA, the information prescribed in Section 42(3) of the Data Protection Law will need to be provided, which includes:
- a description of the nature of the personal data breach;
- contact details of the DPO or contact point;
- a description of the likely consequences of such a breach;
- a description of the measures taken or proposed to be taken to address risks and mitigate against possible adverse effects; and
- an explanation of any delays where a breach has been notified after 72 hours.
Notification to data subjects
Pursuant to Section 43 of the Data Protection Law, where a data controller becomes aware of a personal data breach that is likely to pose a 'high risk' to the significant interests of a data subject, the controller must give the data subject written notice of the breach as soon as practicable. The Notification Guidance provides a non-exhaustive list of factors to consider when determining whether a breach poses a high risk to a data subject, including financial loss, reputational damage, and identity fraud. When assessing the risks, the ODPA expects all controllers to consider the nature, scope, context, and purpose of the compromised personal data, including whether special category data had been compromised.
In any event, businesses should document all considerations and reasoning for any decisions taken in respect of the breach and the reporting thereof.
Under the Data Protection Law, the overriding requirement with respect to data retention is that personal data is kept for 'no longer than is necessary.' Whilst there are exceptions, this is frequently viewed as being for a period equivalent to the limitation period or 'prescription period' as it is known in Guernsey. In other words, once the period within which an entity can potentially be sued has passed, the data should be destroyed. There are also certain periods prescribed by law and regulations for the retention of data. For example, certain company documentation must be retained as prescribed by the Companies (Guernsey) Law, 2008.
Under the Data Protection Law, children are, for the first time, given express rights with regard to the processing of personal data. Children over the age of 13 may lawfully consent to the processing of their data in relation to the offer of information society services. Parental consent is required should information society service providers wish to process the data of children under the age of 13. The Children's Guidance issued by the ODPA provides further guidance in respect of children.
Special category data is subject to additional restrictions on processing. Controllers must satisfy at least one of the Part II or III Schedule 2 conditions in the Data Protection Law or a more limited condition authorised by the Data Protection Regulations. Many of these latter conditions are subject to public interest restrictions.
Criminal data falls within the class of special category data. It is not possible to rely on consent when processing criminal data unless certain conditions are met, including where the controller is authorised or required by any enactment to process the criminal data of any person at the application or request of, or otherwise with the consent of, the data subject or is authorised or required by enactment to apply to or request any person to process that criminal data (Section 10(7) of the Data Protection Law).
Finally, controllers must consider special category data in a number of circumstances including when appointing a DPO, conducting a DPIA and when considering the application of the proportionality factors under paragraph 4, Schedule 9 of the Data Protection Law.
Agreements between controllers and processors
A controller must not appoint a processor to process personal data unless both of the following conditions are satisfied:
The processor provides the controller with sufficient guarantees that reasonable technical and organisational measures will be carried out to ensure compliance with the Data Protection Law and safeguard data subjects (which include making information available to the controller regarding compliance with this provision).
Whilst the Data Protection Law does not define what 'sufficient guarantees' means in practice, controllers will be expected to undertake appropriate due diligence on all processors and ensure that appropriate guarantees are provided in the processor agreement.
The second condition requires the controller to put in place a legally binding agreement in writing with the processor setting out a number of requirements, including the subject matter, duration, nature, scope, context and purpose of the processing, the categories of personal data and categories of data subjects affected, the duties and rights of the controller and the duties imposed on the processor.
The data processing agreement must contain certain key provisions. These broadly align with the requirements under the GDPR and include:
- ensuring that personal data is only processed on the written instructions of the controller (including with regard to the transfer of personal data outside the Bailiwick);
- requiring the processor to inform the controller where it is required by law to process personal data contrary to the controller's written instructions;
- ensuring that any person authorised by the processor is legally bound to a duty of confidentiality;
- deleting or returning all personal data at the end of the services, at the controller's discretion;
- requiring that reasonable technical and organisational measures are in place to assist the controller where a data subject is exercising their rights;
- taking reasonable steps to assist the controller to comply with its duties when complying with its security obligations and when conducting DPIAs;
- making available to the controller all information necessary to demonstrate compliance with its record-keeping responsibilities and facilitating any lawful audits or inspections; and
- a new requirement for the processor to inform the controller immediately if, in the processor's opinion, an instruction given by the controller to the processor breaches any applicable law.
There are also a number of conditions imposed on processors when appointing sub-processors. These include obtaining general authorisation from the controller regarding the appointment of sub-processors (with an option to object to any appointment) and specific consent. The controller should ensure that the duties imposed on the primary processor are also passed on to the sub-processor (notwithstanding that the primary processor will remain fully liable for any breach of a sub-processor's duties under the Data Protection Law).
8. DATA SUBJECT RIGHTS
The information provided in the privacy notice must be concise, transparent, intelligible and easily accessible, written in clear and plain language, and free of charge.
Data subjects have a right to be informed that their personal data is being processed by or on behalf of the data controller, the identity of the data controller, the nature of that personal data, the purposes for which they are being processed and the recipients to whom it is or may be disclosed.
The right extends to being provided with a description of the personal data, its source, and, if automated processing is involved, the logic involved in the decision-making, in addition to a notice confirming the identity of the data controller and/or representative where applicable, the purposes for which the data are or will be processed and any other information required in order to make the processing fair and lawful. This notice is to be given either at the time the data are first processed or, in certain circumstances, at a later time.
Upon application by the data subject, the Court can order the erasure, rectification or destruction of inaccurate personal data. If an order is made to that effect, the data controller can be forced to notify third parties to whom the data have been disclosed of the destruction, erasure, or rectification.
Please see section 8.3 above.
Data subjects have a right to prevent, or to cease, the processing of their personal data where such processing causes, or is likely to cause, substantial unwarranted damage or distress to that individual.
The Data Protection Law allows data subjects to obtain and reuse their personal data for their own purposes, meaning that data controllers must, upon request, provide the data subject with the relevant personal data in a structured, commonly used, and machine-readable format, suitable for transmission to another controller.
Where automated decision-making is undertaken in relation to personal data, the data subject can require that no decisions are made solely using automated processing.
Right to compensation
An individual who suffers damage or distress by reason of any contravention by a data controller of any requirement under the Data Protection Law is entitled to claim compensation from the data controller for such damage.
Under the previous regime, the ODPA did not possess the power to impose fines for non-compliance. There were criminal penalties available to the prosecuting authorities, but these were rarely invoked. The Data Protection Law introduces the power for the regulator to levy various levels of administrative fines for breaches of the Data Protection Law, as detailed further below. The ODPA also has the power under the GDPR and the Data Protection Law to make an order against a business requiring it to restrict or limit its processing operations, including requiring a business to cease processing personal data altogether. This has the effect of potentially shutting down a business overnight.
Section 67 of the Data Protection Law provides that individuals can make a complaint to the ODPA if they consider that a controller or processor has breached, or is likely to breach, any 'operative provision'. The ODPA is obligated to investigate each complaint, save for in exceptional circumstances, for example, where the complaint is clearly unfounded or vexatious.
The ODPA is also empowered to conduct inquiries on its own initiative, which may be conducted together with an investigation or separately.
Upon completion of its investigations, the ODPA must determine whether or not the controller or processor concerned has breached or is likely to breach an operative provision and, if so, the appropriate sanction to be imposed.
There is a range of sanctions available to the ODPA under Sections 73 and 74 of the Data Protection Law, including a reprimand or warning, or an order to take specified actions or pay a civil penalty by way of an administrative fine under Section 75 (such sanctions are not mutually exclusive).
Administrative fines under the Data Protection Law are generally lower than those imposed under the GDPR, ranging from £5 million to £10 million, and categorised according to various levels, as detailed in Section 74 of the Data Protection Law.
Enforcement activity has increased since the implementation of the Data Protection Law. On 2 September 2020, the ODPA issued its first administrative fine order against a Guernsey controller for £80,000 for lack of transparency in relation to the processing of personal data published in a public directory and breach of the accuracy principle.
This was subsequently followed on 6 November 2020 by a second administrative fine order against another Guernsey controller for £10,000 in respect of a personal data breach comprising data of a 'highly sensitive and private' nature.
The ODPA has also issued public reprimands against (amongst others):
- the Guernsey Police for breaching section 6(2)(a) of the Data Protection Law relating to the principle of lawfulness, fairness, and transparency, highlighting a failure to provide demonstrable consent for the processing of special category data;
- the Policy and Resources Committee (a public body) for failure to provide data subjects with information in accordance with section 12(3) of the Data Protection Law;
- the States of Alderney, for requiring personal information of a sensitive nature without properly providing data subjects with information in accordance with section 12 of the Data Protection Law; and
- the Committee for Health and Social Care, for failing to respond in good time to a so-called Data Subject Access Request.
We are also aware that private reprimands have been given for less serious matters.