DLA Piper Intelligence

Data Protection
Laws of the World

Law

Guernsey

The processing of personal data in Guernsey is regulated by the Data Protection (Bailiwick of Guernsey) Law 2001 as amended (the 'Law').

Guernsey has been recognised by the European Commission as providing an adequate level of protection for personal data, so that transfers to Guernsey satisfy the Eighth Data Protection Principle (see Commission Decision 2003/821/EC on the adequate protection of personal data in Guernsey).

Enforcement of the law is through the Data Protection Commissioner (the 'Commissioner'), an independent public official appointed by the States of Guernsey.

The States of Guernsey have confirmed that Guernsey will have legislation equivalent to the General Data Protection Regulation ("GDPR") in place by the time GDPR applies from 25 May 2018. Businesses based in Guernsey, or transacting through Guernsey, should therefore prepare for GDPR now and review their data estate and, in particular, their international transfers, in readiness both for the new local law and for the extraterritorial reach of GDPR.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Under the Law, 'personal data' means 'data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual'.

Definition of sensitive personal data

'Sensitive personal data' means personal data consisting of information as to:

  • the racial or ethnic origin of the data subject
  • his political opinions
  • his religious beliefs or other beliefs of a similar nature
  • whether he is a member of a labour organisation, such as a trade union
  • his physical or mental health or condition
  • his sexual life
  • the commission or alleged commission by him of any offence, and
  • any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Last modified 26 Jan 2017
Authority

Data Protection Office
Guernsey Information Centre
North Esplanade
St Peter Port
Guernsey
GY1 2LQ

T: +44 (0) 1481 742074
F: +44 (0) 1481 742077
W: www.dataci.gg 

Last modified 26 Jan 2017
Registration

Personal data must not (except in limited circumstances) be processed unless the data controller is registered with the Commissioner. Any data controller who wishes to be included in the register must provide a notification to the Commissioner (an online portal is available). Such a notification must specify:

  1. the name and address of the data controller
  2. the name and address of any nominated representatives
  3. a description of the data and the category or categories of data subject to which they relate
  4. why the information is processed
  5. a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data, and
  6. the names, or a description of, any countries or territories outside the Bailiwick of Guernsey to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data.

The notification must also contain a general description of the measures to be taken to prevent unauthorised or unlawful processing of, accidental loss or destruction of, or damage to, personal data.

The data controller is required to notify the Commissioner of any changes to the registered details.

Last modified 26 Jan 2017
Data Protection Officers

There is no statutory requirement to have a data protection officer. However, where a data controller is not established in the Bailiwick but uses equipment in the Bailiwick for processing the data (otherwise than for the purposes of transit through the Bailiwick), the data controller must nominate a representative who is established in the Bailiwick. If such a representative is nominated, then their name and address forms part of the registrable particulars as detailed in the section above.

Last modified 26 Jan 2017
Collection & Processing

Data controllers may process personal data when any of the following conditions are met:

  • the data subject consents
  • the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the data subject’s request with a view to entering into a contract
  • the processing is necessary for compliance with the data controller’s legal obligations, other than an obligation imposed by contract
  • the processing is necessary in order to protect the vital interests of the data subject, or
  • the processing is necessary for the administration of justice, the exercise of a function in the public interest or the exercise of official authority.

Where sensitive personal data is processed one of a further list of more stringent conditions must also be met.

Last modified 26 Jan 2017
Transfer

Personal data must not be transferred to a country or territory outside of the Bailiwick of Guernsey unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The exceptions to that principle are as follows:

  • the data subject has given consent to the transfer
  • the transfer is necessary for the performance of a contract between the data subject and the data controller or for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller
  • the transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject which is entered into at the request of the data subject or is in the interests of the data subject, or is necessary for the performance of such a contract
  • the transfer is necessary for reasons of substantial public interest
  • the transfer is necessary for, or in connection with, legal proceedings, obtaining legal advice or for the purposes of establishing, exercising or defending legal rights
  • the transfer is necessary to protect the vital interests of the data subject
  • the transfer is part of personal data on a public register
  • the transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects
  • the transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of the data subject.

The Commissioner has published a guidance note entitled 'Exporting Data' which sets out the following approved methods of exporting personal data:

  • within the EEA without restrictions
  • to another country or territory recognised by a European Commission Decision as ensuring adequate protection
  • to entities located in the USA and adhering to the Safe Harbor Privacy Principles
  • within a multi-national corporation by using Binding Corporate Rules, which are to be agreed between the exporter and the relevant national Data Protection Authority, or
  • to non-EU countries, provided that the transfer is made using the approved EU or (more recommended) the International Chamber of Commerce Contractual Clauses, provided always that the Data Protection Principles (as set out in the Law) are complied with.

Following the decision of the Court of Justice of the European Union in Schrems v Data Protection Commissioner (Case C-362/14), the EU/US "Safe Harbour" regime is no longer regarded as a valid basis for transferring personal data to the US. Whilst Guernsey is not a member of the EU, it can (and does) adopt measures prescribed by the EU in certain areas such as data protection, and it uses the EU "adequacy" benchmark to assess whether transfers can validly be made to other jurisdictions.

The Safe Harbour regime had been relied upon as a mechanism for the transfer of data to the US, which does not otherwise have "adequate" measures in place to protect personal data. Now that the regime has been invalidated, Guernsey businesses are reviewing their procedures in light of the Schrems decision and the subsequent establishment of Privacy Shield. Whilst the Commissioner has not adopted any formal stance in response to the Schrems decision, or in relation to Privacy Shield, she is maintaining a close dialogue with the Channel Islands' Brussels office and the UK's Information Commissioner's Office.

The Commissioner has confirmed that Guernsey's existing statutory regime will be adhered to and that she retains the power to investigate complaints made to her, including those founded on transfers reliant upon Safe Harbour as a basis for their validity. It is likely that an arrangement such as Privacy Shield (which is endorsed by the EU) will be respected in Guernsey, for those who wish to transfer personal data to the US.

Last modified 26 Jan 2017
Security

Data controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data.

Having regard to the state of technological development and the cost of implementing any measures, the measures required must ensure a level of security appropriate to:

  1. the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage to, personal data, and
  2. the nature of the data to be protected.

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must:

  1. choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
  2. take reasonable steps to ensure compliance with those measures.
Last modified 26 Jan 2017
Breach Notification

There is no mandatory requirement in the law to report data security breaches or losses to the Commissioner or to data subjects.

However, under the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance 2004, a provider of a public electronic communications service (the 'service provider') is required to notify subscribers of a significant risk to the security of the service.

Last modified 26 Jan 2017
Enforcement

The Commissioner is responsible for the enforcement of the Law.

If the Commissioner is satisfied that a data controller has contravened or is contravening any of the Data Protection Principles, the Commissioner may serve them with a notice ('Enforcement Notice') requiring them to do either or both of the following:

  1. to take, or to refrain from taking, such steps as may be specified, or
  2. to refrain from processing personal data.

In certain circumstances the Commissioner may serve on the data controller or the data processor a notice requiring them to provide specified information to the Commissioner ('Information Notice').

The Commissioner may decide to issue an Information Notice either:

  1. following a request received by or on behalf of any person who is, or believes themselves to be, directly affected by any processing of personal data, or
  2. because the Commissioner reasonably requires the information in order to determine whether a data controller has complied or is complying with the Data Protection Principles.

Failure to comply with an Enforcement Notice or Information Notice is a criminal offence and can be punished:

  1. on summary conviction, by way of a fine not exceeding £10,000, or
  2. on conviction on indictment, by way of an unlimited fine.

The Law also contains provisions for imprisonment and/or an unlimited fine in the event of a person being guilty of an offence of knowingly or recklessly obtaining, or disclosing personal data, without the consent of the data controller.

Last modified 26 Jan 2017
Electronic Marketing

Direct marketing by electronic means to individuals and organisations is regulated by the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance 2004 (the 'Ordinance'). The Law is also likely to apply, since electronic marketing will normally involve the processing and use of personal data. The Law does not prohibit the use of personal data for the purposes of electronic marketing, but it gives individuals the right to prevent the processing of their personal data for direct marketing purposes (ie a right to 'opt out').

The Ordinance prohibits the use of automated calling systems without the consent of the recipient. Unsolicited emails can only be sent without consent if:

  • the contact details have been provided in the course of a sale or negotiations for a sale
  • the marketing relates to a similar product or service, and
  • the recipient was given a simple method of refusing the use of their contact details when they were collected.

The identity of the sender cannot be concealed in direct marketing communications sent electronically (which is likely to include SMS marketing).

These restrictions only apply in respect of individuals and not where corporations are sent marketing communications.

Last modified 26 Jan 2017
Online Privacy

The 2011 amendments implemented by the UK in relation to cookies have not found their way into Guernsey law and there are no immediate plans for this to be done. However, certain aspects of online privacy nevertheless remain governed by the Ordinance (defined in Electronic Marketing above).

As a matter of good practice, the use of cookies should be identified to web users and they should be allowed to “opt out” of their use if they so wish.

Traffic data held by a service provider must be erased or anonymised when it is no longer necessary for the purpose of a transmission or communication. Exceptions include if the information is being retained in order to provide a value added service to the data subject or if it is held with their consent.

Traffic data should only be processed by a service provider for (a) the management of billing or traffic, (b) customer enquiries, (c) the prevention or detection of fraud, (d) the marketing of electronic communications services, or (e) the provision of a value added service.

Location data may only be processed where the user/subscriber cannot be identified from that data or for the provision of a value added service with consent.

Last modified 26 Jan 2017
Contacts
Richard Field
Counsel
T +44 1481 72 72 72
Last modified 26 Jan 2017