
Jersey - Data Protection Overview

September 2023

1. Governing Texts

Jersey's data protection landscape underwent significant reform in the wake of the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Jersey was recognized by the European Commission as an equivalent jurisdiction in 2008. Its adequacy decision will be reassessed in due course by the European Commission, in line with the review requirements of the GDPR.

The Data Protection (Jersey) Law, 2018 ('the Law') and the Data Protection Authority (Jersey) Law 2018 ('the Authority Law') (collectively, 'the DP Laws') were therefore drawn up to maintain Jersey's adequacy status, noting the enactment of the GDPR. As such, the DP Laws are intended to be broadly equivalent to the GDPR in order to maintain the adequacy decision. The DP Laws have been in force since May 25, 2018; several sets of secondary regulations have since been passed to augment Jersey's data protection law framework.

This Guidance Note sets out the known Jersey law position as of September 2023. Unless otherwise stated, all references to legislation are to the Law.

1.1. Key acts, regulations, directives, bills

Jersey is not, and has never been, part of the EU. However, the DP Laws are based on the same fundamental principles as the GDPR and impose obligations on data controllers and processors and rights on data subjects that are equivalent to those imposed by the GDPR and the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680). The Law sets out, amongst other things, the key definitions, fundamental duties of data controllers, duties of processors, circumstances under which a data protection officer ('DPO') must be appointed, the rights of data subjects, and relevant exemptions in respect of both the rights of data subjects and from the obligations of data controllers and processors. The other key legislation is the Authority Law, which sets out the powers, functions, and funding arrangements for Jersey's data protection regulator, the Data Protection Authority ('the Authority'). Secondary legislation includes:

The International Co-operation Regulations set out provisions for co-operation between the Authority and foreign designated authorities, require the Authority to assist persons resident outside of Jersey who seek information or help about data processing in Jersey that may relate to them, require the Authority to assist Jersey residents who seek information or help about data processing outside Jersey that may relate to them, and restrict the Authority's use of information received from a foreign designated authority.

Although not considered further in this overview, it should be noted that, in addition to rights under the DP Laws, the Freedom of Information (Jersey) Law 2011 ('FOI Law') may also be of relevance in some situations. Article 8 of the FOI Law provides that a member of the public has a general right to be supplied with information held by a specified public authority. This right is not absolute in nature: specified public authorities are able to refuse to supply information in certain circumstances, for instance, where such information is absolutely exempt information or qualified exempt information.

1.2. Guidelines

The Jersey Office of the Information Commissioner ('JOIC'), which is part of the Authority and to which the Authority has delegated certain of its powers, has day-to-day responsibility for carrying out the Authority's functions. 

Article 13(1) of the Authority Law provides that the Authority may issue opinions or guidance on any issue related to the protection of personal data, including compliance with any provision of the DP Laws; and guidance as to how the Authority proposes to exercise or perform any of its functions under the DP Laws. Article 13(3) of the Authority Law provides that an opinion or guidance issued under Paragraph (1) is not legally binding but compliance or non-compliance with any position or recommendation in the opinion or guidance may be taken into account in determining whether or not a controller or processor has contravened or is likely to contravene the DP Laws.

The JOIC has published on its website a number of guides and templates for individuals and organizations.

1.3. Case law

Given the DP Laws are relatively novel pieces of legislation and also noting the size of Jersey as a jurisdiction, there is a relative paucity of case law considering or interpreting the statutory framework set out by the DP Laws.

Although decided based on Data Protection (Jersey) Law 2005 ('the 2005 Law'), which is no longer in effect and has been replaced by the DP Laws, the following cases may be of assistance to the Jersey courts dealing with data protection claims under the DP Laws:

However, if and when the Jersey courts are required to interpret the DP Laws, it is likely that, noting the DP Laws were drafted with the aim of providing essentially equivalent protection for personal data to that set out in the GDPR, relevant case law from other jurisdictions subject to the GDPR may be of persuasive (but not binding) authority (this was the approach adopted in the Larsen case, where both English and EU case law regarding data protection was considered by the Jersey court).

It should also be noted that, in addition to the penalties for breaches of the DP Laws (refer to the section on penalties), the case of Cole v States Police (Royal Ct.) 2007 JLR 606 confirms that the tort of misuse of private information/breach of confidence, which in that case concerned the wrongful disclosure of private information, forms part of Jersey law.

2. Scope of Application

2.1. Personal scope

Article 4(2) of the Law provides that the Law applies to the processing of personal data by controllers or processors. Personal data means any data relating to a data subject (Article 2(1) of the Law). A data subject is an identified or identifiable, natural, living person who can be identified, directly or indirectly, by reference to (but not limited to) an identifier such as a name, an identification number, or location data; an online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the person (Article 2(2) of the Law).

The Jersey data protection framework does not apply to information relating to deceased individuals, nor does it cover the processing of information that concerns legal persons (such as companies).

The Law does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity but applies to controllers or processors that provide the means for processing personal data for such an activity (Article 4(1) of the Law).

2.2. Territorial scope

Law

The provisions relating to territorial scope in the Law are set out in Article 4 of the Law.

The Law can apply both to the processing of personal data taking place within Jersey and extraterritorially, in certain circumstances, to processing taking place outside of Jersey (i.e. in relation to Jersey residents' personal data being processed elsewhere/outside of Jersey, usually in relation to the offering of goods or services or monitoring behavior). Article 4(2) of the Law sets out that it applies to the processing of personal data by a controller or a processor in one of the following contexts:

  • in the context of a controller or processor established in Jersey;
  • by a controller or processor not established in Jersey but who uses equipment in Jersey for processing the data otherwise than for the purposes of transit through Jersey; or
  • by a controller or processor not established in Jersey where the processing:
    • relates to data subjects who are in Jersey, and
    • is for the purpose of offering goods or services to persons in Jersey or monitoring the behavior of such persons.

The question of whether a controller or processor is established in Jersey will be fact-specific in each case, but any natural person ordinarily resident in Jersey, any body incorporated under the laws of Jersey, and any partnership or other unincorporated association formed under the law of Jersey will be treated as being established in Jersey (Article 4(4) of the Law). Furthermore, any person who maintains in Jersey an office, branch, or agency through which the person carries on any processing of personal data, or a regular practice that carries on any processing of personal data, or who engages in effective and real processing activities through stable arrangements in Jersey, shall also be treated as established in Jersey for the purposes of the Law.

Authority Law

As is evident from the above, the Law can, potentially, apply to controllers and processors who are not established in Jersey where such controllers and processors are processing data in relation to Jersey data subjects and are offering goods or services or monitoring the behavior of persons in Jersey.

There is a separate requirement under Article 17(1) of the Authority Law which requires that a controller or processor established in Jersey must not cause or permit personal data to be processed without being registered, with the Authority, as a controller or processor. As such, it may be the case that a processor or controller is subject to the Law but not subject to the requirement to register with the JOIC/the Authority under the Authority Law.

2.3. Material scope

The Law applies to the processing of personal data, including special category data. 

Data is defined as information that falls under one of the following categories:

  • is being processed by means of equipment operating automatically in response to instructions given for that purpose;
  • is recorded with the intention that it should be processed by means of such equipment;
  • is recorded as part of a filing system or with the intention that it should form part of a filing system; or
  • is recorded information held by a scheduled public authority and does not fall within any of the previous categories (Article 1(1) of the Law).

It should be noted, therefore, that in relation to scheduled public authorities (as defined in the FOI Law, but essentially meaning those public authorities that are subject to the FOI Law), the scope of the Law will also apply to manual unstructured processing of personal data. Processing is defined widely and means any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. As the Law applies to the personal data of a living individual who can be identified, directly or indirectly, it does not apply to information that has been anonymized. However, while the Law includes a definition of pseudonymization, it does not contain a specific definition of anonymization.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Authority is the data protection regulator in Jersey and is entrusted with a number of functions and responsibilities pursuant to Article 11 of the Authority Law. The Authority is governed by a board and is the principal corporate body responsible for regulating compliance with the Law. The board of the Authority provides oversight, sits above the JOIC and the Information Commissioner (who is the chief executive of the Authority), and also provides governance advice, as well as setting policy and strategic direction.

The Information Commissioner on behalf of the Authority undertakes all the functions of the Authority under the Law other than the issuing of a public statement under Article 14 of the Authority Law, the making of an order to pay an administrative fine under Article 26, or any other function specified by the Authority by written notice to the Information Commissioner.

3.2. Main powers, duties and responsibilities

The Authority's main functions are to administer and enforce the DP Laws and to monitor and report on the operation of the DP Laws. It is also entrusted with the responsibility to promote public awareness of risks, rules, safeguards, and rights in relation to processing and the awareness of controllers and processors of their obligations under the DP Laws. Article 13 of the Authority Law provides that the Authority may issue opinions and guidance. Article 14 of the Authority Law provides that where the Authority considers that because of the gravity of the matter or other exceptional circumstances, it would be in the public interest to do so, the Authority may issue a public statement in relation to certain prescribed matters, e.g., personal data breaches (refer to the section on penalties).

Part 4 of the Authority Law deals with the Authority's enforcement powers (refer to the section on penalties) and its investigative powers, which are wide-ranging. Article 22 and Schedule 1 of the Authority Law set out the investigative powers of the Authority in relation to any investigation or inquiry under Part 4. The powers include the power to issue an information notice requiring a controller or processor to give information the Authority considers necessary and the general powers of entry and search (subject to appropriate safeguards such as warrants). An information notice imposes a legal requirement on the recipient to provide the Authority with any information considered necessary to assist the Authority in any investigation or inquiry; such information is required to be furnished within 28 days.

The Authority is also responsible for maintaining the register of data controllers and processors established in Jersey, as required by Article 17 of the Authority Law. Finally, Article 12 of the Authority Law requires that in exercising or performing its functions, the Authority must act independently and free from direct or indirect external influence.

4. Key Definitions

Data controller: According to Article 1(1) of the Law, a natural or legal person, public authority, agency, or other body that, whether alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: According to Article 1(1) of the Law, a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller, but does not include an employee of the controller.

Personal data: According to Article 2(1) of the Law, any data relating to a data subject.

Sensitive data: The Law does not contain a specific definition of sensitive data. However, Article 1(1) does contain a definition of 'special category data.'

Special category data is:

  • data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
  • genetic or biometric data that is processed for the purpose of uniquely identifying a natural person;
  • data concerning health;
  • data concerning a natural person's sex life or sexual orientation; or
  • data relating to a natural person's criminal record or alleged criminal activity.

The processing of such special category data is subject to additional safeguards (Article 9(1) and Part 2 of Schedule 2 of the Law).

It should be noted that, unlike other jurisdictions, information concerning a natural person's criminal record or alleged criminal activity is not defined separately and sits within the definition of special category data.

Health data: According to Article 1(1) of the Law, personal data related to the physical or mental health of a natural person, including the provision of health care services, that reveals information about their health status.

Biometric data: According to Article 1(1) of the Law, it refers to personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, that allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.

Pseudonymization: According to Article 3(1) of the Law, the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, and where that additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. 

It should be noted that the Law confirms in Article 3(2) that pseudonymization may be achieved even though additional information that would enable the attribution of the data to a specific data subject is retained within the controller's organization provided that the controller maintains records indicating who has access to that additional information.

Data subject: According to Article 2(2) of the Law, an identified or identifiable, natural, living person who can be identified, directly or indirectly, by reference to (but not limited to) an identifier such as a name, an identification number, or location data; an online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the person.  

5. Legal Bases

Article 9 of the Law provides that the processing of personal data, that would otherwise be lawful, is lawful under the Law only if it meets at least one of the conditions specified in Schedule 2. However, when it comes to processing data that includes special category data, it must meet at least one of the conditions mentioned in Part 2 of Schedule 2. As such, to establish the legal bases for processing in Jersey, one must refer to Schedule 2 of the Law.

5.1. Consent

Article 11(1) of the Law defines 'consent', in relation to the processing of a data subject's personal data, as any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by clear affirmative action, whether orally or in writing, signify agreement to the processing of that data. In order for consent to be valid, such consent needs to meet the specific requirements for consent under Article 11 of the Law. Specifically, Article 11(2) provides that consent: is not informed unless the data subject is aware of the identity of the controller who will process the data and the purposes of the processing for which the personal data are intended; and is not freely given if it does not allow separate consent to be given to different personal data processing operations where it is appropriate in the individual case.

Article 11(3) sets out the requirements that a controller must be able to demonstrate in order to establish the presence of consent; this includes the requirement to inform the data subject of their right to withdraw consent at any time.

Consent may be relied upon as a legal basis for the processing of both personal data and in respect of special category data. However, in relation to special category data, it should be noted that the standard of consent required for processing special category data is explicit consent (Paragraph 6, Part 2 of Schedule 2 of the Law), which is a higher standard of consent than is required in relation to the processing of personal data which is not special category data. Consent need not be explicit in relation to the processing of such personal data (Paragraph 1, Part 1 of Schedule 2 of the Law). According to JOIC guidance, explicit consent must be documented.

5.2. Contract with the data subject

This basis is set out in Paragraph 2, Part 1 of Schedule 2 of the Law. This basis can be relied upon where the processing is necessary for: the performance of a contract to which the data subject is a party; or the taking of steps at the request of the data subject with a view to entering into a contract. 

It is important to note that a contract is not a legal basis for processing special category data, so if the relevant data includes special category data, an additional legal basis will be required to process the data.

5.3. Legal obligations

Paragraph 7, Part 2 of Schedule 2 of the Law sets out this legal basis, which may be relied upon where the processing is necessary for compliance with a legal obligation, other than one imposed by contract, to which the controller is subject.

This legal basis may be relied upon in relation to the processing of personal data and in relation to special category data.

5.4. Interests of the data subject

This basis is set out in Paragraph 3, Part 1 of Schedule 2 of the Law and, as a basis for the processing of special category data, in Paragraph 8, Part 2 of Schedule 2 of the Law. To rely on this basis with respect to personal data, the processing must be necessary to protect the vital interests of the data subject or any other natural person. 

To rely on this basis where the data includes special category data, the processing must be necessary to protect the vital interests of: the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject, or the controller cannot reasonably be expected to obtain the consent of the data subject; or another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

5.5. Public interest

Paragraph 4, Part 1 of Schedule 2 provides that in relation to the processing of personal data, but not special category data, the public interest is a valid legal basis where the processing is necessary for:

  • the administration of justice;
  • the exercise of any functions conferred on any person by or under any enactment;
  • the exercise of any functions of the Crown, the States, or any public authority; or
  • the exercise of any other functions of a public nature with a legal basis in Jersey law to which the controller is subject and exercised in the public interest by any person.

Paragraph 4, Part 2 of Schedule 2 provides a similar (albeit more restricted) basis, which may also be used as a legal basis for the processing of special category data where the processing is necessary for:

  • the administration of justice;
  • the exercise of any functions conferred on any person by or under an enactment; or
  • the exercise of any functions of the Crown, the States, any administration of the States, or any public authority.

Additionally, Paragraph 14, Part 2 of Schedule 2 provides an additional legal basis (applicable to personal data and also to special category data) where the processing is necessary for reasons of substantial public interest provided for by law and is subject to appropriate protections to protect the rights and interests of the data subject.

5.6. Legitimate interests of the data controller

Paragraph 5, Part 1 of Schedule 2 sets out this legal basis and provides that it may be relied upon where the processing is necessary for the purposes of legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed unless the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject, in particular where the subject is a child; or the controller is a public authority.

As is evident from the above, this legal basis is not applicable to processing by public authorities. Additionally, it cannot be relied upon for processing special category data, so another applicable legal basis would be required.

5.7. Legal bases in other instances

The above legal bases will be applicable in relation to most data processing carried out. However, there are further additional legal bases set out in Part 2, Schedule 2 (and so which are applicable to the processing of special category data) pursuant to Article 9(2) of the Law. For instance, in relation to the processing of employee data, Paragraph 8, Part 2 of Schedule 2 of the Law provides a specific legal basis where the processing is necessary for the purposes of exercising or performing any right, obligation, or public function conferred or imposed by law on the controller in connection with employment, social security, social services, or social care.

It should be noted that there are specific exceptions, primarily outlined in Part 7 of the Law, that exempt certain provisions of the Law, particularly those around data subjects' rights, in specific circumstances. These exceptions limit the applicability of requirements such as:

  • access to personal data;
  • providing notice of processing; or
  • non-disclosure of personal data to third parties.

The circumstances include disclosures required by law, financial services data, management forecasting, negotiations, legal advice, and proceedings, confidential references for job applicants, legal professional privilege, and where the personal data is being used for purely domestic purposes or journalism, literary, or artistic purposes. These exemptions can also apply an exemption to the requirement to have a legal basis for the processing, in certain circumstances.

There is no specific legal basis for direct marketing. When direct marketing is targeted at named individuals and their data (i.e., name, email address, residential address, etc.) is used to send direct marketing, then that marketing is caught by the Law. There exists a specific right to object to processing for direct marketing purposes, which will be discussed below.

6. Principles

Article 8(1) of the Law requires that a controller ensure that the processing of personal data complies with data protection principles. The data protection principles are as follows:

  • lawfulness, fairness, and transparency principle: personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data (Article 8(1)(a));
  • purpose limitation principle: personal data must be collected for specified, explicit, and legitimate purposes and once collected, not further processed in a manner incompatible with those purposes (Article 8(1)(b));
  • data minimization principle: personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Article 8(1)(c));
  • accuracy principle: personal data must be accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (Article 8(1)(d));
  • storage limitation principle: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed (there is a specific carve-out in relation to archiving) (Article 8(1)(e)); and
  • integrity and confidentiality principle: personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (Article 8(1)(f)). 

It should be noted that Article 6(1) provides that the controller is responsible for, and must be able to demonstrate compliance with, the data protection principles - although not caught within the statutory definition of the data protection principles, this is often known as the accountability principle.

7. Controller and Processor Obligations

7.1. Data processing notification

As noted above, in relation to controllers and processors which are established in Jersey there is a requirement to be registered as a controller or processor in accordance with Article 17 of the Authority Law. Failure to do so is an offense (Article 17(6) of the Authority Law).

Regulation 2 of the Registration Regulations sets out the information that the Authority may include in the register. Regulation 4 provides that registered controllers and registered processors must notify the Authority of any change in the particulars that they were required to provide to the Authority in respect of their application for registration as soon as practicable and in any event within 28 days of the change. Regulation 6 of the Registration Regulations provides that every registered controller and registered processor (i.e. those entities to which Article 17 of the Authority Law applies) must pay an annual charge to the Authority for each calendar year or part of a calendar year in which the controller or processor is registered, unless exempt. The annual charge payable to the Authority varies depending on the controller or processor in question; the charges range from £70 to £1,600. The amount of the charge depends on the number of full-time equivalent employees, past-year revenue, and the type of personal data being processed. Guidance from the JOIC on the amount of the charge is available on its website.

There are certain circumstances in which a registered controller or registered processor is exempt from paying the annual charge. This exemption applies, for instance, to public authorities, certain schools in Jersey, and non-profit associations. Failure to pay the relevant charge or to notify changes to the Authority permits the Authority to remove a processor or controller from the register pursuant to Regulation 7 of the Registration Regulations, which could, in turn, lead to a violation of Article 17 of the Authority Law if the processing continues (which would constitute an offense).

7.2. Data transfers

There are no data localization requirements. However, Part 8 of the Law sets out the requirements for international data transfers, which align with the requirements of GDPR. The JOIC has also provided a guidance note on international data transfers.

Article 66(1) of the Law provides that a controller or a processor must not transfer personal data for processing or in circumstances where the controller or processor knew or should have known that it would be processed after the transfer to a third country or an international organization unless that country or organization ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data.

Article 1(1) of the Law defines 'third country' as meaning, subject to Article 1(3A) of the Law, a country or territory outside the European Economic Area ('EEA') other than Jersey. Article 1(3A) clarifies that, despite Brexit, the UK is to be treated as not being a third country for the purpose of the Law - so, irrespective of Brexit and any future determination by the European Commission as to the adequacy of the UK's data protection regime, it should be the case that transfers to the UK will continue to be permissible on the basis that there is a specific carve-out in respect of the UK under the Law.

Article 66(2) provides that the level of protection set out in Article 66(1) is adequate if:

  • the European Commission has so decided, by means of an implementing act under Article 45 of the GDPR (i.e., an adequacy decision);
  • there are appropriate safeguards; or
  • the transfer falls within certain exceptions, being set out in Schedule 3 of the Law.

Adequacy decisions

As noted, the adequacy decision criterion is based on the adequacy decisions of the European Commission under Article 45 of the GDPR; such decisions automatically apply to Jersey pursuant to Article 66(2).

Appropriate safeguards

Article 67 of the Law provides that, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards in accordance with Article 67, and on condition that enforceable data subject rights and effective legal remedies for data subjects comparable to those under the Law are available in that country or organization.

Article 67(2) provides that appropriate safeguards can include:

  • a legally binding and enforceable instrument between public authorities;
  • binding corporate rules approved by the Authority (which comply with Schedule 4 of the Law) or approved by another competent supervisory authority under Article 46 of the GDPR or equivalent statutory provisions;
  • standard data protection clauses adopted by the Authority or by a competent supervisory authority and approved by the European Commission in accordance with the examination procedure referred to in Article 93(2) of the GDPR;
  • a code or any other code approved by another competent supervisory authority under Article 40 of the GDPR or equivalent statutory provisions, together with binding and enforceable commitments of the controller, processor, or recipient in the third country or international organization to apply the appropriate safeguards, including as regards data subjects' rights; and
  • the controller, processor, or recipient in the third country having been certified in accordance with a certification mechanism approved by a competent supervisory authority under Article 42 of the GDPR (there is a provision in the Law by which specific regulations may be passed establishing a Jersey certification mechanism, but no such regulations are yet in force).

Adoption of the above-listed safeguards does not require any specific authorization from the Authority.

The Authority also has the power to authorize particular contractual clauses between parties, or administrative arrangements between public authorities (Article 67(3)).

Exceptions

As noted, Article 66(2)(3) provides that there are certain exceptions to the cross-border data transfer regime. These are set out in Schedule 3 of the Law, are limited in nature, and are available only in specified conditions, namely:  

  • order of court, public authorities, among others: the transfer is specifically required by:
    • an order or judgment of a court or tribunal having the force of law in Jersey;
    • an order or judgment of a court or tribunal of a country other than Jersey or a decision of a public authority of such a country having the force of law in Jersey that is based on an international agreement imposing an international obligation on Jersey; or
    • a decision of a public authority in Jersey that is based on such an international agreement (Paragraph 1, Schedule 3);
  • consent: the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards (Paragraph 2, Schedule 3);
  • contract between data subject and controller: the transfer is necessary for:
    • the performance of a contract between the data subject and the controller; or
    • the implementation of pre-contractual measures taken at the data subject's request (Paragraph 3, Schedule 3);
  • third-party contract in the interest of the data subject: the transfer is necessary for the conclusion or performance of a contract between the controller and a person other than the data subject (Paragraph 4, Schedule 3);
  • transfer by or on behalf of the Jersey Financial Services Commission ('JFSC'): the transfer is necessary for reasons of substantial public interest, which is taken to be the case if certain requirements are met, including that the transfer is permitted or required under an enactment in force in Jersey, is made by the JFSC, and appropriate measures have been put in place by the JFSC (Paragraph 5, Schedule 3);
  • legal proceedings: the transfer is necessary for the purposes of establishing, exercising, or defending legal rights (Paragraph 6, Schedule 3);
  • vital interests: the transfer is necessary to protect the vital interests of the data subject or another person and:
    • the data subject is physically or legally incapable of giving consent;
    • the data subject has unreasonably withheld consent; or
    • the controller or processor cannot reasonably be expected to obtain the explicit consent of the data subject (Paragraph 7, Schedule 3); and
  • public register: the transfer is made from a register which according to the relevant law is intended to provide information to the public and is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, subject to certain conditions (Paragraph 8, Schedule 3).

There is also an additional exception (provided for under Paragraph 9, Schedule 3 of the Law). This exception may be applicable where none of the above exceptions apply, provided the transfer is not repetitive, if it concerns only a limited number of data subjects, if it is necessary for the purposes of compelling legitimate interests pursued by the controller (which are not overridden by the interests or rights and freedoms of the data subject), and if the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. There is a requirement to inform the Authority of the transfer and to provide certain prescribed information to the data subject.

7.3. Data processing records

Controllers

In relation to controllers, Article 6(1)(e) of the Law provides that a controller must comply with the record-keeping requirements and disclose the records covered by those requirements on request to the Authority. The 'record-keeping requirements' for controllers are defined as the requirements with respect to record keeping set out in Article 3(2) of the Law (which relates to records required to be maintained in connection with pseudonymization) and Article 14(3) of the Law.

Article 14(3) sets out that the controller and any representative of the controller must maintain a written record of the processing activities under their responsibility. This record should include the following details:

  • the name and contact details of the controller and any joint controller, representative of the controller, or DPO;
  • the purposes of the processing;
  • a description of the categories of data subjects and personal data processed;
  • a description of the recipients, if any, to whom the controller intends to, or may wish to, disclose the data;
  • in cases where data will be transferred to a third country or an international organization, the name of that country or organization, and in the case of transfers referred to in Paragraph 9, Schedule 3, the appropriate safeguards that are put in place;
  • when feasible, the envisaged data retention periods for different categories of data; and
  • when feasible, a general description of the technical and organizational measures implemented in respect of the processed data.

Processors

Article 22(e) of the Law provides that a processor must keep records of the processor's data processing activities in accordance with the Law and disclose them on request to the Authority.

Article 23(3) sets out the record-keeping requirements applicable to processors, namely that a processor must maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the DPO;
  • the categories of processing carried out on behalf of each controller;
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Paragraph 9, Schedule 3, the documentation of suitable safeguards; and
  • when feasible, a general description of the technical and organizational security measures implemented in respect of the processed data (as referred to in Article 21).

Small organization exception

It should be noted that there is an exception to the record-keeping requirements, for both controllers and processors, for organizations with fewer than 250 employees unless the processing:

  • is likely to result in a risk to the rights and freedoms of data subjects;
  • is not occasional; or
  • includes special category data or relates to criminal convictions or related security measures.

7.4. Data protection impact assessment

A controller is required to carry out a data protection impact assessment ('DPIA') in certain circumstances (Article 16 of the Law), namely:

  • where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 16(1));
  • in respect of systematic and extensive evaluation of personal aspects relating to natural persons that are based on automated processing, and on which decisions are based that produce legal effects concerning, or similarly significantly affecting, those persons (Article 16(5)(a));
  • in respect of the processing of special category data on a large scale (Article 16(5)(b)); or
  • in respect of a systematic monitoring of a publicly accessible area on a large scale (Article 16(5)(c)).

The Authority does not provide a whitelist or blacklist setting out what processing requires a DPIA (although it has the power to do so under Article 16(7)). However, the JOIC has indicated that the EDPB's Guidelines on DPIA should be considered when determining whether processing is likely to result in a high risk. This guidance is also referred to in the DPIA Template published by the JOIC.

Neither the Authority nor the JOIC has provided significant guidance on when a DPIA will be required. Given that Article 16 of the Law has been drafted to be roughly equivalent to the GDPR, appropriate guidance could be sought from data protection authorities in EU Member States or the UK Information Commissioner's Office ('ICO').

Exceptions

A DPIA is not required when the processing:

  • is not likely to result in a high risk to the rights and freedoms of natural persons and does not otherwise fall within Article 16;
  • has a legal basis in, and is regulated by, the relevant law, being processing carried out in accordance with Paragraphs 4 (public functions) and 7 (other legal obligations) of Schedule 2, and a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis; or
  • is included on a whitelist issued by the Authority (as noted above, no such whitelist has been published).

Requirements of a DPIA

Article 16(6) provides certain minimum requirements in relation to any DPIA; these include the requirement to describe, systematically, the envisaged processing operation and the purposes of the processing, and to conduct assessments of the necessity and proportionality of the processing operations in relation to those purposes. It should be noted that where more than one processing operation is similar in terms of the degree of risk involved, the risks may be assessed using a single assessment, i.e., depending on the circumstances it may be permissible to have one DPIA cover more than one processing operation (Article 16(3)).

When carrying out a DPIA, the controller must seek the advice of its DPO, where one is appointed (Article 16(4)).

In addition to the DPIA Template mentioned earlier, the JOIC has also published a DPIA Checklist.

Prior consultation requirement

When a DPIA indicates that any processing would pose a high risk to the rights and freedoms of natural persons in the absence of measures taken by the controller to mitigate the risk, the provisions of Article 17 of the Law apply. In summary, this requires that, before starting the processing, the controller must consult the Authority, which will assess whether the proposed processing is in contravention of the Law.

7.5. Data protection officer appointment

Article 24(1) of the Law provides that controllers and processors are required to appoint a DPO in any case where:

  • the processing is carried out by a public authority, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations that, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or the processor consist of processing special category data on a large scale; or
  • it is required by the relevant law.

According to Article 24(2), a group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment and only if such DPO is easily accessible to all data subjects, the Authority, and the controller or processor who appointed the DPO along with such of the controller or processor's employees who carry out data processing.

Position and duties of a DPO

The Law includes provisions in respect of the position of the DPO (Article 25) and with respect to the duties of the DPO (Article 26). 

Article 25 provides that a controller or processor appointing a DPO must:

  • ensure that the DPO is involved, properly and in a timely manner, in all issues that relate to the protection of personal data;
  • support the DPO in performing their duties by providing the resources and access to personal data and processing operations, necessary to carry out those duties and to maintain their expert knowledge;
  • ensure that the DPO operates independently and does not receive any instructions regarding the performance of their duties other than to perform them to the best of the officer's ability and in a professional and competent manner; and
  • not dismiss or penalize the DPO for performing their duties (other than for failing to perform to the best of the officer's ability and in a professional and competent manner).

A DPO's duties include:

  • informing and advising the controller or the processor and any employees who carry out processing of their obligations under the relevant law;
  • monitoring compliance with the DP Laws and with the data protection policies of the controller or processor;
  • acting as a contact point for data subjects with regard to all issues relating to the processing of their personal data and the exercise of their rights under the Law;
  • cooperating with the Authority on request;
  • acting as the contact point for the Authority on data processing matters;
  • providing advice when requested in relation to a DPIA and monitoring the process; and
  • providing specific advice to the controller or processor with regards to any DPIA including whether such assessment should be carried out and the process and outcome of any DPIA.

Any DPO appointed must report directly to the highest management (Article 25(2)) and be appointed based on professional qualities and, in particular, expert knowledge of data protection law and practices (Article 24(8)).

The controller or the processor must publish the contact details of the DPO and communicate them to the Authority (Article 24(8)).

7.6. Data breach notification

A personal data breach is defined in Article 1(1) of the Law as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. In the case of a personal data breach, a controller must, without undue delay and, whenever feasible, not later than 72 hours after having become aware of it, notify the Authority of the personal data breach, unless such personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 20(1) of the Law). Article 20(3) specifies the nature of the information required to be covered in a breach notification. The JOIC has an online breach reporting form available on its website.

There is no obligation to notify affected individuals of the personal data breach unless there is a high risk to their rights and freedoms (Article 20(6)). If there is such high risk then the controller must communicate the breach without undue delay and in clear and plain language. It should be noted that there are limited exceptions to individual data subject notification, such as when notifying individuals would involve disproportionate effort on the part of the controller. In such cases, an alternative measure, such as public communication, must be employed to inform data subjects effectively.

Developing a strategy to manage the notification and response is a common practice, aimed at maintaining customer trust, even in cases where there is no direct obligation to do so.

7.7. Data retention

As noted above, the Law requires that a controller must ensure that the processing of personal data complies with the data protection principles, one of which is the storage limitation principle. This principle stipulates that personal data should be kept in a form that permits the identification of data subjects for only as long as is necessary for the purposes for which the data is processed. It is worth noting that there is a specific exemption for archiving, provided certain criteria can be met and appropriate safeguards are put in place.  

The Law does not specify how long personal data should be retained, as it applies to many different organizations, each subject to potentially varied statutory retention periods. The retention period also depends on the type of information, the purpose for holding it, and whether there are legal obligations affecting the data storage. The retention principle applies to any personal data held, whether stored electronically or on paper, including digital images, CCTV, or voice recordings. At the end of its lifetime, information must be destroyed securely and appropriately.

Record retention and destruction policies tailored to the organization's particular requirements and obligations should be developed and regularly reviewed to ensure compliance.

7.8. Children's data

There are specific provisions relating to children under the Law. Article 11 sets out the requirements for establishing consent to processing. In particular, a child under the age of 13 cannot give valid consent to the processing for the purposes of an information society service, which refers to a remote electronic service provided upon request and for remuneration for the processing and storage of data. However, a person with parental responsibility for the child may grant the necessary consent (Article 11(4)).

There are specific provisions within the Authority Law that require the Authority to prioritize children when promoting public awareness of risks, rules, safeguards, and rights related to processing (Article 11(1)(d) of the Authority Law).

7.9. Special categories of personal data

There are specific provisions regarding the processing of special category data. By way of example, in order for special category data to be processed lawfully, it will be necessary (subject to certain exceptions) for the processing to have a legal basis as set out in Part 2 of Schedule 2 of the Law, as covered in section 5 above.

7.10. Controller and processor contracts

There is a requirement under Article 19(3) of the Law that processing by a processor must be governed by a contract or other legal act under the relevant law, that is binding on the processor with regard to the controller and sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

According to Article 19(10), such a contract or legal act must be in writing. There are specific mandatory requirements to be covered by the contract, namely, the contract is required to stipulate that the processor shall:

  • process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by the relevant law to which the processor is subject, in which case the processor must inform the controller of that legal requirement before processing unless that law prohibits such information being given;
  • ensure that the persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • take all measures required by Article 21 of the Law (i.e., implement appropriate technical and organizational security measures);
  • respect the conditions referred to in Article 19 in respect of the appointment of a sub-processor;
  • assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to requests for exercising the data subject's rights set out in Part 6 of the Law;
  • assist the controller in ensuring compliance with the obligations under Articles 16 (which relates to DPIAs), 20 (relating to notification of personal data breaches), and 21 (relating to the security of personal data), taking into account the nature of processing and the information available to the processor;
  • delete or return (at the choice of the controller) all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless the relevant law requires the storage of the personal data; and
  • make available to the controller all the information necessary to demonstrate compliance with the obligations laid down in Article 19 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

8. Data Subject Rights

Data subject rights are outlined in Part 6 of the Law, while specific applicable exemptions are detailed in Part 7 of the Law. Article 27 of the Law sets out the general requirements imposed on, or applicable to, controllers in relation to the handling of requests from data subjects. These requirements include:

  • a requirement to take such action as the controller considers appropriate, and provide information on the action taken to that data subject, without undue delay and in any event within four weeks of receipt of the request (the period of four weeks may be extended by a further eight weeks where necessary if the request(s) are complex or numerous, provided the controller informs the data subject within the initial four weeks of the extension and the reasons for the delay);
  • a requirement that certain specified information (being the information contained in Article 12 of the Law) must be provided free of charge; and
  • a provision that a data controller may, when faced with requests that are manifestly vexatious, unfounded, or excessive (with the burden of proof resting on the controller), either charge a reasonable fee for providing the information or acting on the request, or refuse to act on the request.

8.1. Right to be informed

Article 12 of the Law provides that certain prescribed information is to be provided by a controller to a data subject under the following circumstances:

  • when the controller obtains such personal data from the data subject. In this case, the specified information must be provided at the same time as the data is obtained, as far as practicable; or
  • when the personal data has not been received from the data subject. In this case, the specified information must be provided within a 'reasonable time.' The meaning of 'reasonable time' can differ depending on the circumstances but would usually mean a reasonable period after obtaining the personal data.

The prescribed information is set out at Article 12(4) of the Law and should include, amongst other information, a description of:

  • the nature of the personal data being collected;
  • the purposes for which the data is being collected and processed, whether by or on behalf of the data controller;
  • the recipients, or recipient classes, to whom the data will or may be disclosed;
  • any countries or territories outside the jurisdiction to which the data controller, whether directly or indirectly, transfers, intends, or wishes to transfer the data; and
  • the general technical and security measures that will be taken to keep the data secure.

The prescribed information must be provided in an intelligible form using clear language.

In practice, this requirement is usually met by providing a separate privacy notice, also known as a privacy policy, to the data subject. This enables the data subject to make a clear and informed decision as to whether to proceed. In practice, a privacy policy is often hosted on the website of the controller, and it is also not uncommon to refer to such privacy policy in other contractual documentation. Article 12(6) provides certain limited exceptions to the requirement to provide information to data subjects. For instance, when the personal data is not received from the data subject but through a third party, the controller does not need to comply with the requirement to provide the prescribed information in cases where it would be impossible, would involve a disproportionate effort on the part of the controller, or is likely to harm the objectives of the processing (Article 12(6)(a)).

8.2. Right to access

The right to access is contained in Article 28 of the Law. An individual is entitled to be informed by a data controller whether their personal data is being processed by or on behalf of the data controller. If so, the individual is entitled to, among other things, a description of:

  • the personal data;
  • the purposes for which it is being or is to be processed; and
  • the recipients, or classes of recipients, to whom the data may be disclosed.

The data subject is, without limiting the rights and freedoms of other persons, entitled to obtain from the controller in intelligible form the information constituting any personal data of which the individual is the data subject and a copy of that data, and further copies of those data on payment of a fee of such amount as will enable the controller to cover its administrative costs (Article 28(3)).

It should be noted that the exercise of the right under Article 28 of the Law should not prejudice the rights and freedoms of others. To this end, Article 28(4) provides that, if the supplying of information under Article 28 would require the disclosing of information relating to another individual who can be identified from that information, the controller is not obliged to enable such information to be supplied unless the other individual has consented to the disclosure of the information to the person making the request, or it is reasonable in all the circumstances to do so without the consent of the other individual.

However, Article 28(4) should not be interpreted as excusing a controller from communicating as much of the requested information as can be communicated without disclosing the identity of any third party, such as by redacting names or other identifying information.

8.3. Right to rectification

Article 31(1) provides that a data subject who disputes the accuracy or completeness of personal data may make a written request to the controller to rectify or change the personal data, stating the inaccuracy or explaining why the personal data is incomplete.

Article 31(3) provides that on receipt of a request for rectification, a controller must:

  • rectify or complete the data;
  • if the controller is satisfied with the accuracy and completeness of the personal data, take no action regarding the data; or
  • where it is not reasonable to expect the controller to confirm or verify the accuracy or completeness of the personal data, add a statement to the data indicating that the data subject contests the accuracy or (as the case may be) completeness of that personal data.

8.4. Right to erasure

The right to erasure, or the right to be forgotten, is set out in Article 32 of the Law and provides that, in certain circumstances, a data subject has the right to require a data controller to erase personal data without undue delay.

Article 32(1) sets out the limited grounds on which the right can be exercised, namely, where:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent as a legal basis and there is no other legal ground for the processing;
  • the data subject objects to the processing:
    • under Article 35 of the Law (being the right to object to processing for the purpose of public functions or legitimate interests), where there are no overriding legitimate grounds or reasons of public interest for the processing; or
    • under Article 36 (being the right to object to processing for direct marketing purposes);
  • the personal data has been unlawfully processed;
  • the personal data has to be erased for compliance with a legal obligation under the relevant law to which the controller is subject; or
  • the personal data has been collected in relation to the offer of information society services directly to a child who is unable to give valid consent under Article 11(4) of the Law.

If the controller has made relevant personal data public and is obliged to erase such data after a subject has successfully exercised their right to erasure, the controller must take reasonable steps to alert other controllers who are also processing this personal data that the data subject has requested the erasure of such data. This notification should encompass any links to, copies of, or replication of such personal data (Article 32(2)).

Pursuant to Article 32(3) of the Law, a data subject cannot exercise the right to erasure in situations where processing is necessary:

  • for exercising the rights of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by the relevant law to which the controller is subject or for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health (in accordance with Paragraph 16 of Schedule 2 of the Law);
  • for any archiving and research purposes (described in Paragraph 17 of Schedule 2 of the Law) in so far as the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise, or defense of legal claims.

    8.5. Right to object/opt-out

    Data subjects have the right to object to the processing of their personal data in certain limited circumstances, including:

    Right to object to processing for the purpose of public functions or legitimate interests (Article 35)

    This right may be exercised where the processing of any personal data is based exclusively on the conditions in Paragraphs 4 (public functions) and 5 (legitimate interests) of Schedule 2.

    Where a data subject objects under Article 35, the controller must cease processing unless it can demonstrate either compelling legitimate grounds or public interests that override the interests, rights, and freedoms of the data subject, or that the processing is necessary for the establishment, exercise, or defense of legal claims.

    Right to object to processing for direct marketing purposes (Article 36)

    This right may be exercised when a controller is processing personal data for direct marketing purposes. In such cases, a data subject has the right to object to the processing that is directly related to that marketing. Following the objection, the processing for direct marketing must be ceased.

    Right to object to processing for historical or scientific purposes (Article 37)

    A data subject has the right to object to the processing of personal data when the lawfulness of the processing is based on archiving and research purposes, as described in Paragraph 17, Schedule 2 of the Law. If a data subject objects under Article 37, the controller must cease the processing, unless the controller can demonstrate that the purpose for which the personal data is processed relates to an objective that is in the public interest or the public interest in the objective outweighs the data subject's interests.

    8.6. Right to data portability

    In limited circumstances, Article 34 of the Law provides data subjects with the right to receive the personal data about themselves that they have provided to a controller in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which they were provided. This includes the right to have the personal data transmitted directly from one controller to another, where technically feasible.

    This right may only be exercised where the legal ground for the processing is based on consent (under Paragraphs 1 or 6 of Schedule 2) or on a contract (under Paragraph 2 of Schedule 2) and where the processing is carried out by automated means.

    8.7. Right not to be subject to automated decision-making

    Article 38(1) provides that a data subject has the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects them.

    This right does not apply if the decision:

    • is necessary for entering into, or performing, a contract between the data subject and a controller;
    • is authorized by the relevant law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
    • is based on the data subject's explicit consent.

    Where the decision is necessary in respect of a contract or is based on explicit consent, the controller must implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests, including the right to seek human intervention from the controller (Article 38(4)).

    8.8. Other rights

    The Law also includes the right to restriction of processing (Article 33). Data subjects have the right to obtain from the controller restriction of processing of personal data where:

    • the accuracy of the personal data is contested by the data subject, for such a period as will enable the controller to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or
    • the data subject has objected to processing under Article 35 (the right to object to processing for the purpose of public functions or legitimate interests, as mentioned earlier) pending verification of whether the legitimate grounds or reasons of public interest of the controller override those of the data subject.

    In the event of a successful exercise of the right under Article 33, the personal data may only be processed in line with the provisions of Article 33(2), namely:

    • with the data subject's consent;
    • for the purposes of legal proceedings (as set out in Paragraph 12 of Schedule 2);
    • for the purposes of vital interests (as set out in Paragraphs 3 or 9 of Schedule 2); or
    • for the purposes of the public interest (as set out in Paragraph 14 of Schedule 2).

    9. Penalties

    The Authority has a range of tools to investigate potential breaches, including investigative powers and information notices, and can also impose sanctions and penalties in cases of breaches.

    It should be noted that Article 33 of the Authority Law grants a right of appeal to the Royal Court of Jersey against:

    • breach determinations;
    • orders;
    • administrative fines; or
    • the service of an information notice,

    on the grounds that, in all the circumstances of the case, the decision of the Authority was unreasonable.

    Reprimand (Article 25(1)(a) of the Authority Law)

    This is a formal acknowledgment that an organization has done something wrong and is being rebuked for its conduct. A reprimand remains on the organization's record and may be taken into account if further incidents occur. Reprimands are generally issued in tandem with other orders, but not always; sometimes they are used as a minor 'rap on the knuckles' for a technical contravention of the Law for which the organization was responsible but where it has already taken steps to rectify the issues that contributed to the contravention.

    Warning (Article 25(1)(b) of the Authority Law)

    The Authority may issue a warning when it considers that any intended processing or other act or omission is likely to contravene the Law. A warning is designed to avoid such a contravention.

    Orders (Articles 25(1)(c) and 25(3) of the Authority Law)

    Article 25(1)(c) of the Authority Law provides that where there has been a breach determination, the Authority may make an order under Article 25(3) of the Authority Law (which specifies the orders the Authority may make). The Authority may order the controller or processor to:

    • bring specified processing operations into compliance with the Law, or take any other specified action required to comply with the Law, in a manner and within a period specified in the order;
    • notify a data subject of any personal data breach;
    • comply with a request made by the data subject to exercise a data subject right;
    • rectify or erase personal data;
    • restrict or limit the recipient's processing operations, which may include temporarily restricting processing operations, ceasing all processing operations for a specified period or until a specified action is taken, or suspending any transfers of personal data to a recipient in any other jurisdiction; and
    • notify persons to whom the personal data has been disclosed of the rectification, erasure, or temporary restriction on processing.

    Failure to comply with an order within the period specified in it is an offense (Article 28(7) of the Authority Law).

    Public Statement (Article 14 of the Authority Law)

    As noted, the Authority is empowered to make public statements in relation to certain prescribed matters, namely:

    • a notification of a personal data breach made to the Authority;
    • a recommendation or determination made following an investigation or inquiry;
    • an action taken or order made under Article 25 of the Authority Law; or
    • any order to pay an administrative fine.

    The Authority may only make such public statements when it believes that due to the gravity of the matter or other exceptional circumstances, it would be in the public interest to do so.

    The public statements issued by the Authority are available and maintained on the JOIC website. The Authority has indicated that it reserves this power for the most serious cases.

    Administrative Fines (Articles 26 and 27 of the Authority Law)

    Article 26 of the Authority Law provides that, subject to Article 27 of the Authority Law, the Authority may order a controller or processor to pay the Authority an administrative fine. This fine may be substantial and can be imposed for any of the following reasons:

    • failure to make reasonable efforts to verify that a person giving consent to the processing of the personal data of a child as required by Article 11(4) of the Law is a person duly authorized to give consent (i.e., a person with parental responsibility);
    • breach of any duty or obligation imposed by Article 7 (joint controllers), Part 3 (other duties of controllers), Part 4 (joint security duty and duties of controllers), or Part 5 (data protection officer) of the Law;
    • processing personal data in breach of any other provision of Part 2 (fundamental duties of controller) or Part 6 (rights of data subjects) of the Law; or
    • transfer of personal data to a person in a third country or international organization in contravention of Articles 66 or 67 of the Law (refer to the section on data transfers).

    Article 27 of the Authority Law sets out the limits on the amount of any administrative fine. A fine for either of the first two reasons listed above must not exceed the higher of £300,000 and 10% of the person's total global annual turnover or total gross income in the preceding financial year, subject to an overall cap of £5 million. A fine for either of the last two reasons listed above must not exceed the higher of £300,000 and 10% of the person's total global annual turnover or total gross income in the preceding financial year, subject to an overall cap of £10 million.

    In deciding whether to levy a fine and the quantum of any fine, the Authority must have regard to the factors set out in Article 26(2) of the Authority Law (which include, for example, the nature, gravity, and duration of the contravention), and in ordering any fine the Authority must ensure that it is effective, proportionate, and dissuasive.

    To date, the Authority has not issued any administrative fines. The Authority has emphasized its intention to use these as a position of last resort. Guidance on administrative fines has been published by the JOIC.

    Criminal offences

    In addition to the civil sanctions listed above, Articles 71 to 74 of the Law create offenses relating to the unlawful obtaining of personal data, requiring a person to produce certain records, and giving false information or obstruction. These offenses are punishable by up to two years of imprisonment and/or a fine.

    Additional civil remedies

    It should be noted that Article 68 of the Law empowers a data subject who considers that the transparency and data subject rights provisions have been contravened to bring proceedings in the Royal Court. Article 69 of the Law gives a right to compensation to any person who suffers loss, damage, or distress by reason of a contravention of the Law by a controller or processor.

    9.1. Enforcement decisions

    Notable enforcement actions in Jersey have been limited. As noted above, the Authority has not yet used its power under Article 26 of the Authority Law to levy an administrative fine.

    This is borne out by the statistics released by the Authority for 2022 in respect of breach reporting. In 2022, there were 58 complaints and 188 self-reported data breaches. Of the 188 self-reported data breaches, only one resulted in a formal inquiry and a determination that there had been a contravention of the Law. Many of the remaining self-reported breaches were of a minor nature and did not meet the threshold for mandatory reporting to the Authority.

    It is worth noting that most of the public statements issued by the Authority are related to governmental bodies. However, the public statement issued by the Authority in relation to CSS Limited provides some indication as to how the Authority exercises its enforcement powers. In that case, a formal reprimand was issued, and orders were made relating to the updating of CSS Limited's systems, the education of its staff, and notifying certain affected data subjects.
