Data Protection in Guernsey

Transfer in Guernsey

The DPL 2017 differentiates between authorised jurisdictions and unauthorised jurisdictions.

Authorised jurisdictions include:

  • the Bailiwick of Guernsey;
  • a member state of the European Union;
  • any country, sector or international organisation which has been determined by the European Commission as providing an 'adequate level of protection' for the rights and freedoms of data subjects; or
  • any designated jurisdiction.

A designated jurisdiction includes the UK (or any country within the UK), any Crown Dependency (such as the Channel Islands or Isle of Man) or any sector within the UK or a Crown Dependency.

An unauthorised jurisdiction means any country, sector in a country or international organisation that does not fall within the scope of an 'authorised jurisdiction'.

Personal data must not be transferred outside of the Bailiwick of Guernsey by a controller or processor ("Exporter") to an unauthorised jurisdiction unless the Exporter is satisfied that:

  • particular 'safeguards' are in place and there is a mechanism for data subjects to enforce their rights and obtain effective legal remedies against a controller or processor receiving the personal data ("Importer") (section 56 DPL 2017);
  • the Authority or the ODPA has authorised the transfer (section 57 DPL 2017); or
  • other specified derogations exist (section 59 DPL 2017).

'Safeguards' for the purposes of the first condition above (section 56 DPL 2017) include: legally enforceable agreements (where the Importer is a public authority / body), binding corporate rules, the EU's Model Clauses (or equivalent provisions as may from time to time be in force), or approved codes or other approved mechanisms which combine binding and enforceable commitments on the Importer.

'Derogations' include:

  • the data subject has given explicit consent to the transfer after having been informed of the risks of the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or between the controller and third party in the interests of the data subject or for the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller;
  • the transfer is authorised by regulations made for reasons of public interest;
  • the transfer is necessary for, or in connection with, legal proceedings, obtaining legal advice or for the purposes of establishing, exercising or defending legal rights;
  • the transfer is necessary to protect the vital interests of the data subject or another individual (provided that the data subject is physically or legally incapable of giving consent or the controller cannot be reasonably expected to obtain explicit consent);
  • the transfer is part of personal data on a public register or a register to which a member of the public has lawful access;
  • a decision of a public authority (within or without the Bailiwick) based on international agreement imposing international obligations on the Bailiwick or an order of a court or tribunal;
  • the transfer is in the legitimate interests of the controller which outweigh the significant interests of the data subject and:
    • the transfer is not repetitive;
    • the transfer only concerns a limited number of data subjects;
    • the controller has assessed all circumstances surrounding the data transfer and on the basis of that assessment considers that appropriate safeguards to protect personal data have been provided.

Where the transfer is justified on the legitimate interests grounds described above, both the ODPA and the data subject must be notified accordingly. 

Guernsey  

In common with the GDPR, the DPL 2017 places restrictions on the extent to which personal data may be transferred to recipients outside the Bailiwick of Guernsey ("Guernsey").

As set out above, in the absence of an adequacy decision by the EC, transfers are permitted outside the EU/EEA under certain other specified circumstances, in particular where such transfers take place subject to "appropriate safeguards". The Law replicates this regime for transfers outside Guernsey.

Appropriate safeguards for such transfers include:

  • Binding corporate rules ("BCRs");
  • Standard data protection contractual clauses adopted by the European Commission ("SCCs").

SCCs are generally the most commonly utilised mechanism for such transfers.

In June 2021, the EC approved a new set of SCCs for international data transfers.[1]

The Guernsey data protection regulator, the ODPA, has now approved the new SCCs for international transfer as a valid transfer mechanism for data transfers from Guernsey (see "The European Commission's new Standard Contractual Clauses - technical update", ODPA).

The new SCCs for international transfers reflect the changes made to European data protection law by the GDPR and address some of the issues with the existing sets of SCCs (which include two controller to controller ("C2C") sets (2001 and 2004) and a controller to processor ("C2P") set (2010)). The new SCCs (unlike the existing ones, which only applied to C2C and C2P transfers) apply to a broader range of scenarios and include provisions for processor-to-processor ("P2P") and processor-to-controller ("P2C") transfers.

The new SCCs effectively combine all four sets of clauses into one document, allowing controllers and processors to "build" the relevant agreement on a modular basis.

The new SCCs also incorporate provisions to address the Schrems II decision of the European Court of Justice, the key effect of which was to invalidate the EU-U.S. Privacy Shield and to place additional administrative conditions on the use of SCCs.

While a transition period allows businesses to incorporate the old SCCs into new contracts until, at the latest, 27 September 2021, any Guernsey business looking to export personal data relying on SCCs will after that date need to use the new SCCs, which provide for these further steps to be taken. All existing contracts must be transitioned to the new SCCs by 27 December 2022.

Where controllers and processors are utilising SCCs (either new or old) or BCRs, they will also need to take account of the Schrems II decision. The European Data Protection Board ("EDPB") has published its Schrems II guidance in relation to supplementary measures to accompany international transfer tools. In summary, a six-step process is required in relation to international transfers.

  1. Know your transfers. Be aware of where the personal data goes so you know the level of protection provided there. Make sure the data you transfer is adequate, relevant and limited to what is.
  2. Verify the transfer tool your transfer relies on. Using the SCCs or BCRs will be enough in this regard.
  3. Assess if there is anything in the law and / or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.
  4. Identify and adopt supplementary measures necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment has revealed issues with the third party country's safeguards. If no supplementary measure is suitable, you must avoid, suspend or terminate the transfer.
  5. Take any formal procedural steps the adoption of your supplementary measure may require.
  6. Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and monitor if there have been or there will be any developments that may affect it. This is an ongoing duty.

In practice, the above requires a detailed and documented transfer impact assessment ("TIA"). For many Guernsey controllers and processors, this will be an onerous process and we would suggest that Guernsey businesses prioritise it. We are able to assist clients in this process.

Transfers between Guernsey and the USA

The replacement of the Privacy Shield transfer scheme (invalidated by Schrems II) by the EU-US Data Privacy Framework means that Guernsey controllers and processors are in principle able to utilise the new Framework for data transfers. However, the US Department of Commerce is yet to extend the scope of the Framework to cover Guernsey and accordingly it is recommended that Guernsey controllers and processors continue to utilise standard contractual clauses in respect of transfers between Guernsey and the US.

What about the UK?

The European Commission has now recognised the UK as an adequate jurisdiction for the purposes of international data transfer, and the UK has in turn recognised Guernsey as an adequate jurisdiction for the purposes of the UK GDPR, meaning that transfers to and from the UK and Guernsey may continue without restriction.

Guernsey controllers and processors who are subject to the UK GDPR by virtue of its extraterritoriality provisions will also need to consider whether they may need to continue using the existing standard contractual clauses or the UK International Data Transfer Agreement.

Footnotes

1. It should be noted that the European Commission also approved a set of SCCs in relation to data processing agreements at the same time. 
