Data Protection in Guernsey

Enforcement in Guernsey

The Authority and the ODPA are responsible for administering and enforcing the DPL 2017 (Section 61(1)(a) DPL 2017).

When investigating a complaint regarding a potential breach of the DPL 2017, the Authority has wide powers to require information and, with appropriate warrants, powers to enter and search premises (Schedule 7 DPL 2017). It may also conduct, or require, an audit of a controller or processor.

Before making a breach determination or an enforcement order, the ODPA may give the person concerned written notice of its proposals and allow the person time (up to 28 days) to make representations. However, the ODPA may dispense with this requirement where the determination or order needs to be made immediately or without notice in the interests of data subjects, or where the ODPA has reasonable grounds for suspecting that data may be tampered with or that giving notice might seriously prejudice another investigation. There is a right of appeal against a decision of the ODPA under section 84 DPL 2017.

Following a breach determination, the ODPA may take the following enforcement action:

Reprimand

The DPL 2017 does not specify the conditions upon which a reprimand may be issued. However, a reprimand will most likely take the form of a notice issued in combination with an administrative fine or a formal undertaking by the controller or processor to comply in future with the relevant part of the DPL 2017.

Warning

A warning may be given where the ODPA determines that any proposed processing or other act or omission is likely to be a breach of the DPL 2017.

Order

This refers to a formal notice of enforcement and can consist of an order to do any or all of the following:

  • bring specified processing operations into compliance with an operative provision of the DPL 2017, or take any other specified action required to comply with said provision, in a manner and within a period specified in the order
  • notify a data subject of any personal data breach
  • comply with a request made by the data subject to exercise a data subject right
  • rectify or erase personal data
  • restrict or limit the recipient’s processing operations (which may include restricting or ceasing the processing operation or suspending any transfers to an unauthorised jurisdiction)
  • notify persons to whom the personal data has been disclosed of the rectification, erasure or temporary restriction on processing

Administrative fines

Whereas the GDPR provides for administrative fines of up to 4% of annual worldwide turnover or EUR 20 million (whichever is higher), the maximum administrative fines under the DPL 2017 are generally lower (£5,000,000 or £10,000,000, depending on the provision breached) and can be broadly categorised into four levels.

Level 1

Administrative fines issued against a controller or processor may not exceed £5,000,000 for breaches of section 74(1)(a) – (d) DPL 2017, comprising the following:

  • failure to make reasonable efforts to verify that a person who has given consent to the processing of a child's personal data (the child being under 13 years old) in the context of offering information society services directly to that child is duly authorised to give that consent under section 10(2)(f) DPL 2017
  • failure to take reasonable steps to inform the data subject of anonymisation (in breach of section 11(1)(b) DPL 2017)
  • any breach of the general duties of controllers and processors under Part IV DPL 2017 (except section 31 DPL 2017, the duty to take reasonable steps for compliance)
  • any breach of a controller's administrative duties under Part V DPL 2017, including the requirement to designate a representative in the Bailiwick in certain cases and the requirement to register with and pay fees to the ODPA
  • a breach of the security provisions contained in Part VI DPL 2017
  • failure to comply with the requirements in respect of data protection impact assessments and prior consultation under Part VII DPL 2017 (except section 46 DPL 2017, prior consultation required for high-risk legislation)
  • failure to comply with the requirement to designate a DPO (where required) or with the ancillary duties relating to the DPO's functions under Part VIII DPL 2017.

Level 2

Administrative fines issued against a controller or processor may not exceed £10,000,000 for the following breaches of section 74(1) DPL 2017 (beyond those in the Level 1 list above):

  • breach of any duty imposed on the person concerned by section 6(1) (data protection principles) including lawfulness of processing
  • breach of any duty imposed on the person concerned under Part III DPL 2017 (data subject rights)
  • failure to comply with an order by the Authority under section 73(2) DPL 2017 within the time specified in the order
  • transfer of personal data to a person in an unauthorised jurisdiction in breach of section 55 DPL 2017 (general prohibition of transfers of personal data outside of the Bailiwick to unauthorised jurisdictions)
  • breach of any provision of any ordinance or regulations made pursuant to the DPL 2017 which imposes a duty on a controller or processor.

Level 3

In addition to the two maxima described above, the DPL 2017 imposes a further cap: an administrative fine must not exceed £300,000 unless that amount is less than 10% of the person's total global annual turnover or total global gross income for the preceding financial year.

Level 4

An administrative fine issued against a person must not exceed 10% of that person's total global annual turnover or total global gross income over the period of the breach in question, up to a maximum of three years.

Enforcement activity has increased since the implementation of the DPL 2017, and more markedly during the last 12 months. To date, we are aware that two Guernsey controllers have been subject to administrative fine orders for the sums of £80,000 and £10,000 respectively. We are also aware that the ODPA has issued both public and private reprimands to controllers (the severity of which depends on the seriousness of the breach).

Offences / criminal proceedings

In addition to the above, the DPL 2017 imposes criminal sanctions on persons who are found guilty of certain specified offences. Such offences include:

  1. unlawful obtaining or disclosure of personal data
  2. obstruction or provision of false, deceptive or misleading information
  3. impersonation of an Authority official, and
  4. (unless an exception applies) breach of confidentiality by a designated official without the consent of the individual.   

Regarding the fourth offence above (breach of confidentiality), a 'designated official' includes a member of the Authority, including the Commissioner, and any DPO.

Criminal liability can also attach to any director or other officer of the organisation concerned (for example an officer of a body corporate, the general partner of a limited partnership or a foundation official). Criminal proceedings may also be brought against an unincorporated entity, such as a general partnership or a committee.
