DLA Piper Intelligence

Data Protection
Laws of the World

Law

Guernsey

The Data Protection (Bailiwick of Guernsey) Law 2017 (DPL 2017) came into force on May 25, 2018 to coincide with the enforcement of the EU's General Data Protection Regulation (EU) 2016/679 (GDPR).

Adequacy:

The DPL 2017 replaced Guernsey's previous data protection legislation, the Data Protection (Bailiwick of Guernsey) Law, 2001 as amended (DPL 2001), which was implemented in response to Directive 95/46/EC. Unlike the DPL 2001, the DPL 2017 is not modeled after a UK enactment. It is, however, stated to be equivalent to the GDPR.

In 2003, Guernsey was recognized by the European Commission as providing an adequate level of protection for free flow of personal data to the Bailiwick (see Opinion 02072/07/EN WP 141 and Opinion 10595/03/EN WP 79). This decision remains in place for the purposes of the GDPR until it is reassessed by the European Commission on or around 2020 (as per Article 45(9) GDPR).

Scope and Applicability:

The DPL 2017 applies in relation to the processing of personal data where both of the following conditions are met:

  • The processing is by automated means (whether wholly or partly) or if the processing is not by automated means it is intended to form part of a filing system
  • The processing is conducted by a controller or processor established in the Bailiwick of Guernsey ("Bailiwick"), or the personal data is that of a Bailiwick resident and is processed in the context of offering goods or services (whether or not for payment) to the resident or of monitoring a resident's behavior in the Bailiwick

In practice, this means that there may be instances where controllers and processors established in the Bailiwick are subject to both the DPL 2017 and, where they process personal data of data subjects who are in the EU, the GDPR.

However, unlike the GDPR, the Data Protection (Commencement, Amendment and Transitional) (Bailiwick of Guernsey) Ordinance, 2018 (DP Ordinance), provides controllers and processors with limited transitional relief from certain areas of the DPL 2017 (Transitional Provisions). This means that controllers and processors who are subject to the DPL 2017 have until May 25, 2019 to ensure compliance for certain duties. This includes relief from the duty to:

  • Notify pre-collected data
  • Carry out privacy impact assessments
  • Comply with statutory obligations in connection with certain processor and joint controller-led duties
  • Renew consents where they have been validly obtained before May 25, 2018

In reality, the Transitional Provisions only provide limited comfort to those controllers and processors who process personal data of Bailiwick residents only. Where an organization is subject to the GDPR, then it must, notwithstanding the Transitional Provisions, comply with all aspects of the GDPR.

Last modified 28 Jan 2019
Definitions

Definition of personal data

Section 111(1) of the DPL 2017 defines personal data as any information relating to an identified or identifiable individual.

An identifiable individual is given special meaning under Schedule 9 of the DPL 2017 and is defined as an individual who can be directly or indirectly identified from the information including:

  • By reference to a name or an identifier
  • One or more factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity
  • Where, despite pseudonymization, that information is capable of being attributed to that individual by the use of additional information
  • By any other means reasonably likely to be used, taking into account objective factors such as technological factors and the cost and amount of time required for identification in the light of the available technology at the time of processing

Definition of sensitive personal data

Special category data means personal data consisting of information as to a data subject's:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data, meaning personal data relating to the inherited or acquired genetic characteristics of an individual which gives unique information about their physiology or their health, including as a result of an analysis of a biological sample from that individual
  • Biometric data, meaning personal data resulting from the specific technical processing relating to the physical, physiological or behavioral characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data
  • Health data, which includes any personal data relating to the health of an individual, including the provision of health care services, which reveals their health status and includes information about their physical or mental health
  • Sex life or sexual orientation
  • Criminal data which relates to the commission or alleged commission by an individual of any offense, or any proceedings for any offense committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings
Authority

Overall oversight of the implementation of the DPL 2017 is vested in a new independent body, the Data Protection Authority (the DP Authority). The DP Authority delegates many of the day-to-day regulatory functions to, and provides governance for, an independent operational body known as the Office of the Data Protection Authority (ODPA) (formerly, the Office of the Data Protection Commissioner).

The DP Authority and the ODPA are also required, pursuant to The Data Protection (International Cooperation and Assistance) (Bailiwick of Guernsey) Regulations, 2018 to have regard to Articles 60 – 62 GDPR by providing mutual cooperation with other supervisory authorities relating to both the GDPR and the DPL 2017.

The Office of the Data Protection Authority

St Martin’s House
Le Bordage, St. Peter Port
Guernsey GY1 1BR

T: +44 (0) 1481 742074
E: enquiries@odpa.gg

W: https://odpa.gg

Registration

Schedule 4 of the DPL 2017 requires all controllers and processors established in the Bailiwick to register with the ODPA. The DP Authority may prescribe the form and manner of registration.

Guidance (Notification and Registration) confirms that the DPL 2017 will maintain a similar reporting requirement. Therefore, any information (including fees) that was necessary in respect of the DPL 2001 is still required under the new regime, in addition to a small number of areas such as contact details for data protection officers (as applicable):

  • The name and address of the data controller
  • The name and address of any nominated representatives
  • A description of the data and the category or categories of data subject to which they relate
  • Why the information is processed
  • A description of any recipient or recipients to whom the data controller intends or may wish to disclose the data
  • The names, or a description, of any countries or territories outside the Bailiwick of Guernsey to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data

The notification must also contain a general description of the measures to be taken to prevent unauthorized or unlawful processing of, accidental loss or destruction of, or damage to, personal data.

Registered entities or persons are required to notify the ODPA of any changes to the registered details.

The Transitional Provisions extend to registration requirements until May 25, 2019. This means that those controllers who were exempted from registration under the DPL 2001 have until May 25, 2019 to ensure that they have the requisite processes in place to enable them to comply with their registration requirements.

A new registration system is due to be implemented by May 25, 2019 to coincide with a new regulatory regime governing the levying of fees. At the time of writing, we understand that the DP Authority has submitted its proposals for consultation with the States of Guernsey and further guidance is anticipated in Spring 2019.

Data Protection Officers

A data protection officer (DPO) must be appointed where either of the following apply:

  • Processing is carried out by a public authority (other than a court, or tribunal acting in a judicial capacity)
  • The core processing operations of the controller or processor require or involve large-scale and systematic monitoring of data subjects or large-scale processing of special category of data

The ODPA has issued guidance clarifying what is intended by the use of the term large-scale processing which is neither defined in the GDPR nor the DPL 2017.

With reference to guidance issued by Europe's former advisory body known as the Article 29 Working Party (now replaced by the European Data Protection Board (EDPB)) on the appointment of DPOs ("DPO Guidelines"), the ODPA's guidance advises controllers and processors to take into account the terms of the GDPR and the DPO Guidelines when assessing whether a DPO is required to be appointed. It further clarifies that small businesses in Guernsey are, as a general rule, unlikely to be undertaking large-scale processing unless they work with large databases of customers or other types of data subjects. The ODPA expects controllers and processors to review the scope and nature of processing periodically to ascertain whether there are sufficient factors to warrant appointing a DPO. All controllers and processors should then document the outcome of such reviews.

Collection & Processing

Principles

Data controllers must comply with the following data protection principles set out under Section 6(2) DPL 2017 ("Principles"):

  • Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data
  • Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and once collected, not further processed in a manner incompatible with those purposes
  • Data minimization: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accuracy: personal data must be accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  • Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed
  • Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures
  • Accountability: the controller is responsible for, and must be able to demonstrate, compliance with all other data protection principles

Lawful basis

Data controllers are required to ensure that they have a lawful basis for processing personal data. The DPL 2017 sets out a number of conditions which may be relied upon to legitimize the processing of personal data and special category data.

The most common conditions for controllers to rely on are:

  • The data subject consents to the processing
  • The processing is necessary for the performance of a contract to which the data subject is a party or between a controller and a third party in the interests of a data subject; or in order to take steps at the data subject’s request with a view to entering into a contract
  • The processing is necessary for the controller to exercise any right or power, or perform or comply with a duty imposed on it by law, otherwise than an obligation imposed by an enactment, an order, or a judgment of a court or tribunal having the force of the law in the Bailiwick
  • The processing is necessary in order to protect the vital interests of the data subject
  • The processing is necessary for legitimate interests of the controller or third party except where the processing is exercised by a public authority
  • The processing is necessary for the exercise or performance by a public authority of a function that is of a public nature or a task carried out in the public interest

In addition to these conditions, controllers may also rely on one or more of a restrictive set of conditions in order to legitimize the processing of either personal data or special category data. These include (but are not limited to):

  • Data subject providing explicit consent to the processing
  • Processing which is necessary for compliance with a legal right or power or duty imposed on a controller by an enactment
  • Processing which is made public as a result of steps deliberately taken by the data subject
  • Processing which is necessary for the purpose of or in connection with legal proceedings, the discharge of any functions of a court or tribunal, obtaining legal advice or establishing, exercising or defending legal rights
  • Processing which is the administration of justice or the exercise of any function of the Crown, the States of Guernsey or a public committee
  • Processing which is necessary for a historical or scientific purpose
  • Processing for the vital interests of a data subject

For the purposes of Section 10 DPL 2017, where a controller seeks to rely on consent, the controller must comply with more stringent requirements than under the DPL 2001 in order to ensure that such consent is valid.

Valid consent must be (among others) a "specific, informed and unambiguous indication of the data subject's wishes by which a data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data." In this regard, the DPL 2017 sets the same high standards for consent as the GDPR.

Guidance issued by the ODPA clarifies that, in addition to the ingredients required to achieve valid consent, explicit consent must also be expressly confirmed in words, rather than by a positive action. The requirements are summarized in a checklist for controllers to use when relying on consent.

Finally, Section 10(2)(f) DPL 2017 stipulates that a child may only provide their own consent to processing in respect of information society (primarily, online) services, where that child is over 13 years of age. Otherwise a parent (or other responsible adult) must give it on their behalf.

Transparency

Requirements of transparency under the DPL 2017 closely align with the GDPR. Therefore, the DPL 2017 requires that certain specified information must be supplied as part of a fair processing notice (Schedule 3 DPL 2017):

  • The identity and contact details of the controller, and (where applicable), the controller’s representative
  • The contact details of the data protection officer (if any)
  • Confirmation of whether any of the personal data is special category data
  • Where the personal data are not obtained directly from the data subject: confirmation of the source of the personal data and (if applicable) confirmation of whether the personal data was obtained from a publicly available source
  • The purposes for which the data are intended to be processed and the legal basis for the processing
  • An explanation of the legitimate interests pursued by the controller or by a third party, if the processing is based on those interests
  • The recipients or categories of recipients of the personal data (if any)
  • Where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and whether or not there is an adequate level of protection for the rights and freedoms of data subjects
  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • Information concerning the rights of data subjects
  • Where the processing is based on consent, the existence of the right to withdraw consent
  • A statement of the right to complain to the DP Authority
  • The existence of any automated decision-making and any meaningful information about the logic involved in such decision-making and the significance of any such decision-making for the data subject
  • Any further information that is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair

Rights of the Data Subject

The DPL 2017 has strengthened the rights of data subjects in line with the GDPR (Part III DPL 2017).

Controllers must respond to a request "as soon as practicable" and in any event within one month following receipt of the request or receipt of the information necessary to confirm the identity of the requestor or the day on which a fee or charge is paid to the controller.

The following rights are available to data subjects:

  • Right to information for personal data collected about the data subject either directly or indirectly (Sections 13 – 14 DPL 2017): Where personal data has been collected from a source other than the data subject, certain exceptions are available.
  • Right to data portability (Section 15 DPL 2017): A data subject has the right to have certain relevant personal data (being personal data relating to that person which has been provided to the original controller directly or via a processor) ported to a new controller, where either:
    • That relevant personal data is being processed based on consent
    • The processing is necessary for the conclusion or performance of a contract

    Where the right applies, the original controller must ensure that any personal data transmitted is provided in a structured, commonly used and machine-readable format. The right is subject to certain exceptions set out under Section 16 DPL 2017.
  • Right of access (Section 15 DPL 2017): A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data has been used by the controller. Section 16 DPL 2017 provides for certain exceptions, including where a request cannot be complied with without disclosing information about another individual, balancing the rights of the requestor with the significant interests of the other individual. The DPL 2017 sets out further detail in respect of the factors which should be taken into consideration when making this determination.
  • Right to object to processing (Sections 17 – 19 DPL 2017): Data subjects have the right to object to processing (a) for direct marketing purposes, (b) on public interest grounds and (c) where the processing is for historical or scientific purposes. While the right to object in respect of paragraph (a) is unconditional, the rights to object under paragraphs (b) and (c) are qualified and subject to a public interest test.
  • Right to rectification (Section 20 DPL 2017): A data subject has a right to request that any inaccurate or incomplete personal data be corrected, or that a statement be placed on the controller's file noting that the data subject disputes the accuracy or completeness of the personal data.
  • Right to erasure (Section 21 DPL 2017): Data subjects may request erasure of their personal data. The right is not absolute: it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or following the successful exercise of the objection right, or of the withdrawal of consent.
  • Right to restriction of processing (Section 22 DPL 2017): A data subject may request that the processing of their personal data is restricted in certain limited circumstances. For example: where the accuracy of the personal data is contested; where the processing is unlawful; where the data is no longer required (save for legal claims or for the purposes of obtaining legal advice or establishing/exercising or defending legal rights).
  • Right to be notified of restriction, erasure or rectification (Section 23 DPL 2017): The controller must not only notify the data subject concerned but, unless it is impracticable or involves disproportionate effort, notify any other person to whom the personal data has been disclosed.
  • Right not to be subject to decisions based on automated processing (Section 24 DPL 2017): A data subject has a right not to be subjected to an automatic decision and a controller is prohibited from causing or permitting a data subject to be subjected to an automatic decision unless Section 24(2) DPL applies.

    This section permits automated processing where: the data subject has given their explicit consent, or it has been authorized by the States of Guernsey or via an enactment; or the automated processing is necessary for: the vital interests of the data subject or another person; for the performance of a contract.

    Additional restrictions apply for the automated processing of special category data. A controller must ensure that appropriate safeguards are in place where automated processing has been conducted in accordance with Section 24(2) DPL (including allowing the data subject to appeal or seek a review of the decision). 
  • Right to make a complaint to the ODPA (Section 67 DPL 2017): a data subject may also complain in writing to the ODPA if they consider that a controller or processor has breached or is likely to breach the DPL 2017 and that the breach involves or affects (or is likely to involve or affect) personal data relating to the individual or any data subject right of the individual.
  • Right to bring a civil action against a controller or processor for breach of duty (Section 79 DPL 2017): where a controller or processor breaches an operative provision under the DPL 2017 and that breach causes damage to another person, the injured party may bring a tortious claim in court against the controller or processor for breach of statutory duty. The court may award damages, grant an injunction to restrain an actual or anticipated breach of duty, and make a declaration that the controller or processor has committed the breach or will commit a breach if its current course of action subsists. Individuals may also claim compensation for distress, inconvenience or other adverse effect suffered, even if it does not result from any physical or financial loss or damage. Group (or 'class') actions may also be brought against an organization (Section 97 DPL 2017).
Transfer

The DPL 2017 differentiates between authorized jurisdictions and unauthorized jurisdictions.

Authorized jurisdictions include the Bailiwick of Guernsey, a member state of the European Union, any country, sector or international organization which has been determined by the European Commission as providing an 'adequate level of protection' for the rights and freedoms of data subjects; or any designated jurisdiction. A designated jurisdiction includes the UK (or any country within the UK), any crown dependency or any sector within the UK or a crown dependency.

Unauthorized jurisdictions mean any countries, sectors in a country or international organizations that do not fall within the scope of an authorized jurisdiction.

Personal data must not be transferred outside of the Bailiwick of Guernsey by a controller or processor ("Exporter") to an unauthorized jurisdiction unless the Exporter is satisfied that any of the following conditions are satisfied:

  • Particular safeguards are in place and there is a mechanism for data subjects to enforce their rights and obtain effective legal remedies against the controller or processor receiving the personal data ("Importer") (section 56 DPL 2017)
  • The DP Authority or the ODPA has authorized the transfer (section 57 DPL 2017)
  • Other specified derogations exist (section 59 DPL 2017)

Safeguards, for the purposes of the first condition named above, include: legally enforceable agreements (where the Importer is a public authority/body), binding corporate rules, the EU's Model Clauses (or equivalent provisions as may from time to time be in force), or approved codes or other approved mechanisms which impose binding and enforceable commitments on the Importer.

While the DPL 2017 does not expressly reference the EU-US Privacy Shield and the ODPA has not yet issued updated guidance in relation to international transfers under the DPL 2017, it is likely that, for so long as the Privacy Shield framework remains operational, Privacy Shield will be recognized as an approved mechanism for transferring personal data to the United States.

Derogations include:

  • The data subject has given explicit consent to the transfer after having been informed of the risks of the transfer
  • The transfer is necessary for the performance of a contract between the data subject and the controller or between the controller and third party in the interests of the data subject or for the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller
  • The transfer is authorized by regulations made for reasons of public interest
  • The transfer is necessary for, or in connection with, legal proceedings, obtaining legal advice or for the purposes of establishing, exercising or defending legal rights
  • The transfer is necessary to protect the vital interests of the data subject or another individual (provided that the data subject is physically or legally incapable of giving consent or the controller cannot be reasonably expected to obtain explicit consent)
  • The transfer is part of personal data on a public register or a register to which a member of the public has lawful access
  • A decision of a public authority (within or without the Bailiwick) based on international agreement imposing international obligations on the Bailiwick or an order of a court or tribunal
  • The transfer is in the legitimate interests of the controller which outweighs the significant interests of the data subject and the transfer is:
    • Not repetitive
    • Only concerns a limited number of data subjects
    • The controller has assessed all circumstances surrounding the data transfer and, on the basis of that assessment, has provided appropriate safeguards to protect the personal data

Where the transfer is legitimized on the legitimate interests grounds described above, both the ODPA and the data subject must be notified accordingly.

Security

Security appears more prominently under the DPL 2017 than its predecessor. While implementing appropriate security measures to safeguard personal data from unauthorized or unlawful processing continues to be a feature of the DPL 2017 (see Principle 6 'Integrity and Confidentiality'), the DPL 2017 (unlike its predecessor) sets out with more clarity the steps required to ensure compliance.

Data controllers must take reasonable steps to ensure a level of security which is appropriate to the personal data, taking into account the nature, scope, context and purpose of the processing, the likelihood and severity of the risks to data subjects if the personal data is not secure (including the risk of unlawful or accidental destruction, loss or alteration of personal data and unauthorized disclosure of personal data), best practices and the costs of implementing appropriate measures.

Section 41 of the DPL 2017 provides clarity as to what a required 'step' would constitute. In essence, to ensure compliance with this obligation, a controller should consider the following:

  • Pseudonymizing and encrypting personal data
  • Ensuring that the controller or processor has and retains the ability to do the following:
    • Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
    • Restore access to personal data in a timely manner in the event of a physical or technical incident
  • Establishing and implementing a process for regular testing and evaluation of the effectiveness of the technical and organizational measures

The security obligations are strewn throughout the DPL 2017 and not only appear on account of Part VI of the DPL 2017 but are also a key consideration when undertaking a data protection impact assessment, the right to erasure, a controller's duty to take reasonable steps to achieve compliance and what measures are in place when choosing a processor. For example, in this regard, a controller must when assessing the suitability of a processor ensure that the processor provides (in addition to a data processing agreement) sufficient guarantees that reasonable technical and organizational security measures governing the processing to be carried out will be established and carried out to meet the requirements of the DPL 2017 and will safeguard the rights of data subjects.

Last modified 28 Jan 2019

Breach Notification

What is a breach?

The DPL 2017 defines a personal data breach as a "breach of security leading to the a) accidental or unlawful destruction, loss, or alteration of; or b) unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."

This definition replicates the definition under Article 4 of the GDPR.

Notice to ODPA:

As with the GDPR, the DPL 2017 requires all controllers, upon becoming aware of a personal data breach, to provide written notice to the ODPA as soon as practicable and no later than 72 hours after becoming so aware. Section 42(5) of the DPL 2017 provides an exemption from the duty to notify the ODPA where the personal data breach is "unlikely to result in any risk to the significant interests of the data subject."

In determining whether there is a risk, the ODPA's guidance entitled Notification of Personal Data Breaches ("Breach Guidance") advises organizations who process personal data to consider the type of personal data they hold and whether any breach could, both at the time of the breach and in the future, 'adversely affect an individual' taking into consideration financial loss, reputational damage, or identity fraud.

The DPL 2017 stipulates the types of information that must be provided to the ODPA. These include a description of the nature of the personal data breach, the contact details of the DPO or contact point, a description of the likely consequences of the breach, a description of the measures taken or proposed to be taken to address the risks and mitigate possible adverse effects, and an explanation of any delay (where a breach is notified after 72 hours).

All breaches which must be notified to the ODPA can be submitted to the ODPA via their online secure breach reporting facility. All breaches that come to the attention of the controller after May 25, 2018 must be reported to the ODPA, regardless of when they occurred.

In any case, whether a personal data breach is notified to the ODPA or not, the controller must keep a written record of each personal data breach of which the controller is aware, including the facts relating to the breach, the effects, the remedial action taken and any steps taken by the controller to comply with its notification obligations (including a copy of the notice provided to the ODPA).

Notice to data subjects:

Where a controller becomes aware of a personal data breach that is likely to pose a "high risk to the significant interests of a data subject," the controller must give the data subject written notice of the breach as soon as possible.

The Breach Guidance provides a non-exhaustive list of factors for controllers to take into account when determining whether a breach poses a high risk. While financial loss, reputational damage and identity fraud must be considered, the Breach Guidance also includes the risk of whether the breach might have an adverse impact on the safety or well-being of the data subject (including psychological distress or humiliation). When assessing the risks, the ODPA expects all controllers to consider the nature, scope, context and purpose of the compromised personal data (including whether special category data has been compromised).

Such notice must include a description of the nature of the breach, the name and contact details of the DPO or point of contact, a description of the likely consequences of the breach, and a description of the measures taken or proposed to be taken by the controller to address the breach.

A controller is exempt from the requirement to notify a data subject where it has done either of the following:

  • Established and carried out appropriate technical and organizational measures to protect personal data and, in particular, those measures have rendered personal data unintelligible to any person who is not authorized to access it (e.g., encryption)
  • Taken subsequent measures to mitigate the risk, such that the high risk is no longer likely to materialize, or where the performance of the duty would involve disproportionate effort

While the Breach Guidance does not define what might constitute disproportionate effort, it clarifies that a controller must nonetheless publish a notice (without making public any personal data) or take any other step equivalent to publication in order to inform the data subjects in an equally effective manner.

Notice to controller (where a processor is engaged):

The responsibility for reporting a personal data breach to the ODPA rests with the controller. However, where a processor becomes aware of a personal data breach, the processor must give the controller notice as soon as practicable. Where notice is given orally, written notice must follow at the first available opportunity.

Other regulatory notification requirements:

Guernsey's European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance 2004 ("e-Privacy Ordinance") requires a provider of a public electronic communications service (the "service provider") to notify subscribers of a significant risk to the security of the service.

Enforcement

The DP Authority and the ODPA are responsible for administering and enforcing the DPL 2017 (Section 61(1)(a) DPL 2017).

When investigating a complaint regarding a potential breach of the DPL 2017, the DP Authority has wide powers to require information and, with appropriate warrants, powers to enter premises and search them (Schedule 7 DPL 2017). It may also conduct and/or require an audit of a controller or processor.

Before making a breach determination or an enforcement order, the ODPA may give the person concerned a written notice of the ODPA's proposals and allow the person time (up to 28 days) to make representations. However, the ODPA may dispense with this requirement if the determination or order needs to be made immediately or without notice in the interests of the data subjects or where the ODPA has reasonable grounds for suspecting that the notice may be tampered with or might seriously prejudice any other investigations etc. There is also a right to appeal the decision of the ODPA under section 84 DPL 2017.

Following a breach determination, the ODPA may take the following enforcement action:

Reprimand

The DPL 2017 does not specify the conditions upon which a reprimand may be issued. However, it will most likely take the form of a notice, and may be issued in combination with an administrative fine or a formal undertaking by the controller or processor to meet future compliance with any part of the DPL 2017.

Warning

A warning may be given where the ODPA determines that any proposed processing or other act or omission is likely to breach the DPL 2017.

Order

This refers to a formal notice of enforcement and can order any or all of the following:

  • Bring specified processing operations into compliance with an operative provision of the DPL 2017, or take any other specified action required to comply with said provision, in a manner and within a period specified in the order
  • Notify a data subject of any personal data breach
  • Comply with a request made by the data subject to exercise a data subject right
  • Rectify or erase personal data
  • Restrict or limit the recipient's processing operations (which may include restricting or ceasing the processing operation or suspending any transfers to an unauthorized jurisdiction)
  • Notify persons to whom the personal data has been disclosed of the rectification, erasure or temporary restriction on processing

Administrative Fines:

While the GDPR has the potential to attract administrative fines of up to 4% of annual worldwide turnover or €20 million (whichever is higher), the administrative fines under the DPL 2017 are generally lower (between £5 million and £10 million) and are categorized according to various levels.

Level 1:

Administrative fines issued against a controller or processor may not exceed £5 million for breaches of section 74(1)(a) – (d) DPL 2017, comprising the following:

  • Failure to make reasonable efforts to verify that the person giving consent to the processing of the personal data of a child under 13 years of age, in the context of the offer of information society services directly to the child, is a person duly authorized to give consent to that processing under Section 10(2)(f) DPL 2017
  • Failure to take reasonable steps to inform the data subject of anonymization (in breach of Section 11(1)(b) DPL 2017)
  • Any breach of the general duties of controllers and processors (except section 31 DPL 2017 – duty to take reasonable steps for compliance) (breach of Part IV DPL 2017)
  • Any breach of a controller's administrative duties including the requirement to designate a representative in the Bailiwick in certain cases and the requirement to register and pay fees to the ODPA (as per Part V DPL 2017)
  • A breach of the security provisions contained in Part VI DPL 2017
  • Failure to comply with the requirements in respect of data protection impact assessments and prior consultation (except section 46 DPL 2017 – prior consultation required for high-risk legislation) in accordance with Part VII DPL 2017
  • Failure to comply with requirements to designate a DPO (where required) or ancillary duties relating to the DPO's functions, in accordance with Part VIII DPL 2017

Level 2:

Administrative fines issued against a controller or processor may not exceed £10 million for breaches of section 74(1) DPL 2017, comprising the following (in addition to the Level 1 list above):

  • Breach of any duty imposed on the person concerned by section 6(1) (data protection principles) including lawfulness of processing
  • Breach of any duty imposed on the person concerned under Part III DPL 2017 (data subject rights)
  • Failure to comply with an order by the DP Authority under section 73(2) DPL 2017 within the time specified in the order
  • Transfer of personal data to a person in an unauthorized jurisdiction in breach of section 55 DPL 2017 (general prohibition of transfers of personal data outside of the Bailiwick to unauthorized jurisdictions)
  • Breach of any provision of any ordinance or regulations made pursuant to the DPL 2017 which imposes a duty on a controller or processor

Level 3:

In addition to the two administrative fines described above, the DPL 2017 imposes a cap on administrative fines of up to £300,000 (unless the fine is less than 10% of the person's total annual global turnover or total global gross income in the preceding financial year).

Level 4:

An administrative fine issued against a person must not exceed 10% of the total global annual turnover or total global gross income of that person during the period of the breach in question, up to three years.

Offenses/Criminal Proceedings

In addition to the above, the DPL 2017 imposes criminal sanctions on persons who are found guilty of certain specified offenses. Such offenses include:

  • Unlawful obtaining or disclosure of personal data
  • Obstruction or provision of false, deceptive or misleading information
  • Impersonation of a DP Authority official
  • Breach of confidentiality by a designated official without the consent of the individual (unless an exception applies)

Regarding the offense under the last bullet above, a designated official shall include a member of the DP Authority including the Commissioner and any DPO.

Criminal liability can attach to any director or other officer of the organization (including a body corporate, general partner of a limited partnership, foundation official). Criminal proceedings may also be instigated against an unincorporated entity in the case of a general partnership.

Electronic Marketing

Direct marketing by electronic means to individuals and organizations is regulated by the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance 2004 ("e-Privacy Ordinance").

Following the implementation of the DPL 2017, the e-Privacy Ordinance was amended consequentially to update outdated references to the new law and to replace references to the Data Protection Commissioner with the Data Protection Authority. No material amendments were made to the e-Privacy Ordinance, which is intended to sit alongside the DPL 2017.

In this regard, neither the e-Privacy Ordinance nor the DPL 2017 prohibits the use of personal data for the purposes of electronic marketing, provided that individuals have the right to prevent the processing of their personal data (i.e., a right to 'opt out') for direct marketing purposes.

As such, the e-Privacy Ordinance still reflects the e-Privacy Directive and therefore prohibits the use of automated calling systems without the consent of the recipient. Furthermore, unsolicited emails can only be sent without consent if the following conditions are met:

  • The contact details have been provided in the course of a sale or negotiations for a sale
  • The marketing relates to a similar product or service
  • The recipient was given a simple method of refusing the use of their contact details when they were collected

The identity of the sender cannot be concealed in direct marketing communications sent electronically (which is likely to include SMS marketing).

These restrictions only apply in respect of individuals and not where corporations are sent marketing communications.

Online Privacy

The 2011 amendments to the Privacy and Electronic Communications Regulations 2003 (PECR) by the UK in relation to cookies did not find their way into Guernsey law and there are no immediate plans for this to be done. However, certain aspects of online privacy nevertheless remain governed by the e-Privacy Ordinance (defined under the heading Electronic Marketing above).

As a matter of good practice, the use of cookies should be identified to web users and they should be allowed to opt out of their use if they so wish.

Traffic data held by a service provider must be erased or anonymized when it is no longer necessary for the purpose of a transmission or communication. Exceptions include if the information is being retained in order to provide a value added service to the data subject or if it is held with their consent.

Traffic data should only be processed by a service provider for (a) the management of billing or traffic, (b) customer enquiries, (c) the prevention or detection of fraud, (d) the marketing of electronic communications services, or (e) the provision of a value added service.

Location data may only be processed where the user / subscriber cannot be identified from that data or for the provision of a value added service with consent.

Given the fundamental changes to the data protection regime since the e-Privacy Ordinance was introduced in 2004 and the ongoing negotiations in Europe in relation to the so-called e-Privacy Regulation ("Regulation"), further amendments to the e-Privacy Ordinance are, perhaps, inevitable. The States of Guernsey continues to monitor the progress of the draft Regulation in the meantime.

Contacts

Alexandra Gill
Associate
T +44 (0)1481 741546