March 2024

1. Governing Texts

1.1. Key acts, regulations, directives, bills

The Isle of Man is a self-governing British Crown dependency. To ensure it is able to do business and exchange data with other jurisdictions, it has chosen to adopt the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) ('LED') by order under the Data Protection Act 2018 ('the Act') as part of its domestic law. It has done so with adaptations specific to the requirements of the Isle of Man. The Isle of Man is deemed to be a Member State of the EU only for the purposes of the GDPR and the LED (with the exceptions of transfers of personal data to third countries or international organizations (see on data transfers below)).

The Act is the principal data protection legislation. It is heavily supplemented by secondary legislation, including the GDPR and LED Implementing Regulations 2018 ('the Implementing Regulations') the Data Protection (Application of the GDPR) Order 2018 ('the GDPR Order') (and the adapted text of the GDPR in the Annex to that order), and the Data Protection (Application of the LED) Order 2018 ('the LED Order') (and the adapted text of the EU LED in the Annex to that order).

The Act and associated Orders gave effect to the GDPR and the LED in the Island. The Implementing Regulations (as amended), contain nuances specific to the Isle of Man and its approach to the GDPR and the LED regarding inter alia data protection procedures and powers of the Isle of Man regulatory authority. Such provisions have been previously contained in the former Data Protection Act 2002, which was repealed.

A full list of the applicable legislation, orders, and regulations (collectively 'the Legislation') are as follows:

• the Act;
• the GDPR Order;
• the LED Order;
• the Implementing Regulations;
• the Data Protection (Fees) Regulations 2018;
• the Data Protection Act 2018 (Appointed Day) Order 2018;
• the GDPR and LED Implementing Regulations (Amendment) Regulations 2018;
• the Data Protection (Application of GDPR) (Amendment) Order 2019; and
• the Data Protection (Withdrawal from the EU) (UK and Gibraltar) Regulations 2019.

Adequacy Decision

On 15 January 2024, the European Commission ('European Commission') concluded its first review of 11 existing adequacy decisions. Along with 10 other countries, the Isle of Man has been able to demonstrate its continuous commitment to data protection practices and laws and had its 'Adequacy Decision' under the GDPR reaffirmed by the European Commission. Pursuant to the GDPR, the European Commission will continue to monitor relevant developments in adequate countries and has the power to suspend, amend, and/or withdraw an adequacy decision, where the level of protection for personal data is impacted negatively. Whilst the finding of the 'Adequacy Decision' remains in force, data can continue to flow freely from the EU to the Isle of Man without the requirement to have additional data protection safeguards in place.

1.2. Guidelines

Presently, a number of guidance notes have been published and continue to be made available from time to time by the Information Commissioner ('the Commissioner'), who is the main regulator in the Isle of Man (see section on Data Protection Authority | Regulatory Authority below). These guidance notes do not constitute legal advice but are a useful resource for individuals and/or organizations wishing to comply with their obligations under the Legislation.

A full list of the guidance notes can be found on the Commissioner's website, here.

On 16 January 2023, the Commissioner published Revised Personal Data Breach Documents on its website, including Personal data breach reporting – further guidance. It reflects the current guidance on personal data breach notifications pursuant to Article 33(3) of the GDPR Order and serves as a useful tool assisting controllers who wish to contain, mitigate, and recover from a personal data breach.

Pursuant to the Implementing Regulations, the Commissioner may also prepare statutory Codes of Practice regarding inter alia, data sharing, direct marketing, and such other items it deems appropriate. At the time of publication, these have generally not been issued, however, there remain a number of requirements which have to be complied with under the data protection laws regarding marketing campaigns targeted at individuals. Furthermore, there are additional requirements under the Unsolicited Communications Regulations 2005 ('UCR') concerning direct marketing by email, text, telephone, or fax. The Commissioner has published guidance on the UCR which can be found on its website, here.

1.3. Case law

At the date of publication, there has been no reported litigation providing further content to the legal framework in the Isle of Man, as the Legislation is fairly new and the Isle of Man is a small jurisdiction.

Considerable weight is given to the decisions of the UK and EU courts (where relevant) to the legal framework of the Isle of Man.

Action taken, thus far, has been limited to enforcement of the Legislation by the Commissioner, which has included ordering corrective action to be taken. This may include enforcement notices, warnings, reprimands, and imposing financial penalties against data controllers.

2. Scope of Application

2.1. Personal scope

The Act applies to the processing of personal data by controllers and processors and Article 4(1) of the GDPR Order defines 'personal data' as any information relating to an identified or identifiable natural person (data subject).

The Act does not apply to private/public organizations or deceased individuals, both of which fall outside the scope of the GDPR Order. The GDPR Order also does not cover the processing of personal data by an individual in a purely personal or household capacity or by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2.2. Territorial scope

The Implementing Regulations apply to the processing of personal data by a controller or processor in the following circumstances where:

• A controller or processor is established in the Isle of Man where the personal data is processed in the context of the activities of that establishment. (The term 'establishment' includes, where there is an office, branch, agency, or regular practice maintained on the Island).
• A controller or processor is not established in the Isle of Man but uses equipment in the Isle of Man for processing personal data, otherwise than for the purposes of transit through the Isle of Man. Such controller or processor must nominate a representative established in the Island.
• A controller is established outside the Isle of Man and the personal data is processed in the context of the activities of that establishment, where the personal data being processed relates to an individual who is in the Isle of Man when processing takes place; and the purpose of the processing is:
  • to offer goods or services to data subjects in the Island, irrespective of whether or not a payment by the data subject is required; or
  • to monitor individuals' behavior in the Isle of Man.
• A processor processes personal data:
  • for a controller established outside the Isle of Man; or
  • the processor is established outside the Isle of Man; and
  • where the personal data being processed is:
    • in the context of the activities of that establishment;
    • relates to an individual who is in the Isle of Man when the processing takes place; and
    • the purpose of the processing is to offer goods or services to individuals in the Isle of Man, whether or not for payment, or to monitor individuals' behaviors in the Isle of Man.

2.3. Material scope

The Legislation applies to the automated or structured processing of personal data (including special categories of personal data (see below)), whether in whole or in part, as well as to manual processing (other than by automated means), if the personal data forms part of a filing system or are intended to form part of a filing system. This might include  organized paper files such as address books etc., which are organized according to a specific criteria. Files which are not structured fall outside the scope of the Implementing Regulations.

Regulation 12 of the Implementing Regulations sets out provisions whereby special categories of personal data and criminal convictions and offenses data may be processed in reliance upon certain exceptions provided under Articles 9(2) and 10 of the GPDR Order. Additional conditions must be met which are further covered by Schedule 2 of the Implementing Regulations.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Commissioner is the main regulator in the Isle of Man and is an independent supervisory body for data protection and the purposes of Article 51 (supervisory authority) of the GDPR Order. The Information Commissioner appoints public servants to assist in carrying out their functions.

3.2. Main powers, duties and responsibilities

The Commissioner is required to carry out certain tasks and exercise its powers with complete independence.

The duties and responsibilities of the Commissioner are set out in Article 57 of the GDPR Order and include, inter alia:

• monitoring and enforcing the Legislation;
• promoting public awareness and understanding of the risks, rules, safeguards, and rights in relation to the processing of personal data;
• providing advice to the Isle of Man Government ('the Government') and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
• promoting awareness of controllers and processors of their obligations under the Legislation;
• providing information to data subjects, upon request, about their rights under the Legislation, free of charge (unless the request/s is excessive or manifestly unfounded);
• handling complaints lodged by data subjects, or by a body, organization, or association;
• conducting investigations which might extend to carrying out data protection audits and obtaining access to the premises of a controller; and
• monitoring relevant developments and international cooperation.

The performance of the Commissioner's tasks is free of charge for the data subject and, where applicable for the data protection officer ('DPO'), unless such requests are manifestly unfounded or excessive where it may charge a reasonable fee or refuse to act on the request.

The Commissioner also undertakes certain advisory and approval functions which include, inter alia:

• consulting with controllers prior to processing, where a Data Protection Impact Assessment ('DPIA') under Article 35 of the GDPR Order indicates the processing would result in a high risk, in the absence of mitigation measures taken by a controller; and
• reviewing and/or approving draft codes of conduct, and any amendments or extensions thereto, submitted by associations and other bodies.

A 'protected disclosure' (whistleblowing) can also be made to the Commissioner as a Prescribed Person/Organisation by virtue of sections 50-54 of the Employment Act 2006.

A 'protected disclosure' is essentially to bring to the attention of the Commissioner the failings of an employer regarding its compliance with data protection legislation and/or the Freedom of Information Act 2015 ('FOIA').

The Commissioner also has certain duties and responsibilities pursuant to the FOIA, which include, inter alia to:

• promote good practice under the FOIA;
• provide the public with information regarding the FOIA, good practice, and functions of public authorities and the Commissioner under the FOIA; and
• provide recommendations to a public authority considered not to conform to the code of practice under the FOIA.

On 17 January 2023, the Commissioner made a recommendation to a public authority regarding conforming with the FOIA, issued by way of a Decision Notice following its receipt of an applicant's complaint. All decision notices issued by the Commissioner can be found on its website, here, together with summaries thereof, here.

4. Key Definitions

Data controller: under Article 4(7) of the GDPR Order, 'controller' means '…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…'.

This definition is qualified by Regulation 6(3) of the Implementing Regulations, so that where data is processed only:

• for purposes for which they are required by an enactment to be processed; and
• by means which an enactment is required to be used for such processing, the controller is the person on whom the obligation to process the data is imposed by the enactment or any one of the enactments (if there is more than one). The definition is further qualified and subject to the provisions on the application of the Implementing Regulations to the Government and to the Isle of Man Parliament ('Tynwald').

Data processor: means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Personal data: means any information relating to an identified or identifiable natural person (data subject).

An 'identifiable living/natural person' is further defined to mean one who can be identified, directly or indirectly, in particular by reference to:

• an identifier such as a name, an identification number, location data, or an online identifier; or
• one or more factors specific to the physical, psychological, genetic, mental, economic, cultural, or social identity of the natural person.

Sensitive data (special categories of personal data): are set out in Article 9(1) of the GDPR Order and relate to the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

Health data: (data concerning health is the term used in the Implementing Regulations and the GDPR Order) means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about their health status.

Biometric data: means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Pseudonymization: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

5. Legal Bases

5.1. Consent

'Consent' of a data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

For it to be valid, it must meet specific requirements in Article 7 of the GDPR Order, including:

• where a controller is relying on consent to justify processing, the controller must be able to demonstrate the data subject has consented;
• where the consent is given in writing which also concerns other matters, the request for consent must be presented in a manner which clearly distinguishes it from those other matters in an intelligible, easily accessible, and simple form, using plain and clear language;
• the data subject has been informed that they have the right to withdraw their consent at any time and it should be easy to do so; and
• for consent to be freely given. In assessing whether consent is freely given, utmost account shall be taken as to whether, inter alia, the performance of a contract and/or the provision of a service is conditional on the consent to the processing of personal data which is not necessary for the performance of that contract.

Should a data subject withdraw their consent to the processing of their personal data at any time, such withdrawal shall not affect the lawfulness of processing by the controller based on consent before its withdrawal.

Article 8 of the GDPR Order covers the conditions for a child's consent in relation to information society services. Pursuant to Regulation 11 of the Implementing Regulations, this has changed the definition of a child by reference to the age of 13 years, not 16 years.

Article 9 of the GDPR Order covers the processing of special category personal data and requires a higher threshold for the reliance on consent, in so far as there must be 'explicit consent' in place.

5.2. Contract with the data subject

Article 6(1)(b) of the GDPR Order can be relied upon and provides that processing will be legitimate where the processing is necessary for the performance of the contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.

If the data includes 'special category data' or 'criminal convictions and offenses data,' then a further legal basis will be required in addition to this under Article 9 of the GDPR Order.

5.3. Legal obligations

Article 6(1)(c) of the GDPR Order can be relied upon and provides that processing will be legitimate where the processing is necessary for compliance with a legal obligation to which the controller is subject.

If the data includes 'special category data' or 'criminal convictions and offenses data,' then a further legal basis will be required in addition to this under Article 9 of the GDPR Order.

5.4. Interests of the data subject

Article 6(1)(d) of the GDPR Order can be relied upon and provides personal data processing will be lawful where the processing is necessary in order to protect the vital interests of the data subject, or of another natural person.

If the data includes 'special category data', or 'criminal convictions and offences data' then a similar basis is set out in Article 9(2)(c) of the GDPR Order, where the data subject is physically or legally incapable of giving consent.  

5.5. Public interest

Article 6(1)(e) of the GDPR Order can be relied upon and provides personal data processing will be legitimate where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Regulation 10 of the Implementing Regulations contains a list of possible functions that would count as being within the scope of the 'public interest' legal basis for processing data or 'in the exercise of the controller's official authority'. These include activities necessary for:

• the administration of justice;
• the exercise of a function of the Tynwald and its branches;
• the exercise of a function conferred on a person by an enactment; or
• the exercise of a function of the Crown, a department of the Government, or an Isle of Man statutory board.

Substantial public interest conditions are also set out in Part 2 of Schedule 2 of the Implementing Regulations regarding processing special category data and that related to criminal convictions.

If the data includes 'special category data' or 'criminal convictions and offenses data,' then a further legal basis will be required in addition to this under Article 9 of the GDPR Order.

5.6. Legitimate interests of the data controller

Article 6(1)(f) of the GDPR Order can be relied upon and provides personal data processing will be lawful where the processing is necessary for the purposes of the legitimate interests pursued by the controller, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

This legal basis does not apply to processing carried out by public authorities in the performance of their tasks.

If the data includes 'special category data' or 'criminal convictions and offenses data,' then a further legal basis will be required in addition to this under Article 9 of the GDPR Order.  

5.7. Legal bases in other instances

The Implementing Regulations contain further legal bases that can be relied upon to process 'special category data' and 'criminal convictions and offenses data.'

The further legal bases are set out in Schedule 2, Parts 1, 2, and 3 of the Implementing Regulations and include, for example, conditions relating to employment, social security and social protection, health or social care purposes, and public health.

When relying on one of these further legal bases, the controller must keep a record of the processing including which condition has been relied on and how the processing satisfies Article 6 of the GDPR Order.

Schedule 9 of the Implementing Regulations also contains exemptions and restrictions to the application of certain provisions of the GDPR Order. Those exemptions and restrictions are in addition to the restrictions specified in Regulations 20 to 24 or specified in regulations made under Regulation 25, which are:

• manual unstructured personal data held by Freedom of Information public authorities;
• manual unstructured personal data used in longstanding historical research;
• national security; and/or
• regulatory activity.

A non-exhaustive list of some of the exemptions contained in the Implementing Regulations are below, which include:

• legal proceedings;
• trusts;
• insurance;
• protection of the rights of others;
• crime and taxation;
• legal professional privilege;
• health, education, and social work;
• Tynwald privilege; and
• domestic purposes.

In addition, the Implementing Regulations also set out 'special purposes' whereby the obligation for a controller to have a legal basis for processing is not required. Special purposes include for:

• the purposes of journalism;
• academic purposes;
• artistic purposes; and
• iteracy purposes; provided such publications would be in the public interest.

In relation to direct marketing activities, controllers should also bear in mind the UCR, which sits alongside the Act. Under Regulation 5(3) of the UCR, controllers will need to ensure they comply with the requirements of those regulations, whereby unsolicited electronic communications to an individual require the recipient's prior consent, except where:

• the contact details of the individual were obtained in the course of selling or negotiating the sale of a product/service to the recipient;
• the direct marketing is in respect of similar products/services only; and
• the individual has been given the means to opt-out at the time the details were initially collected and thereafter on each subsequent marketing communication.

6. Principles

The principles relating to the processing of personal data are set out in Article 5 of the GDPR Order and Article 4 of the LED Order.

Unless an exemption applies, all of the principles should be observed by processors in relation to all aspects of data processing. They include the following regarding personal data:

• lawfulness, fairness, and transparency: processed lawfully, fairly, and in a transparent manner in relation to the data subject;
• purpose limitation: collected for specified, explicit, and legitimate purposes and not further processed in a manner which is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1) of the GDPR Order, not be considered incompatible with the initial purpose;
• data minimization: adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
• accuracy: accurate and, where necessary, kept up to date. If the personal data is inaccurate, every reasonable step must be taken to ensure it is erased or rectified without delay;
• storage limitation: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, provided appropriate technical and organizational measures are in place;
• integrity and confidentiality: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures; and
• accountability: the controller is responsible for and should be able to demonstrate compliance with the above principles.

7. Controller and Processor Obligations

7.1. Data processing notification

By provision of Regulation 9(4) of the Implementing Regulations, all controllers and processors are required to register with the Commissioner. This includes businesses operating from a home address and regardless of whether the processing takes place in the Isle of Man or not. The requirements in Schedule 7 of the Implementing Regulations must be complied with and a fee is payable when registering. The registration must be renewed every year. Failure to register is an offense (see the section on Enforcement Decisions below).

7.2. Data transfers

There are no data localisation requirements in the Isle of Man, that is to say, the data does not need to be physically kept in the Isle of Man.

Controllers and processors must comply in full with the requirements set out in Chapter 5 of the GDPR Order when transferring data to third countries or international organizations. A transfer should only take place under certain conditions, for example, where there is an adequate level of protection in place and/or with certain safeguards in place which are set out in Articles 45, 46, 48, and 49 of the GDPR Order. Controllers and/or processors must adhere to accountability requirements and be able to demonstrate and document the assessment they have made together with suitable safeguards put in place where they rely upon 'other exceptions' for a transfer to a third country or international organization. Safeguards which might be used, include, inter alia, the adoption of standard data protection clauses.

7.3. Data processing records

There are requirements for controllers set out in Article 30 of the GDPR Order to maintain records of their data processing activities. Separately, processors and/or their representatives (where applicable) are also required to maintain records of all data processing activities carried out on behalf of the controller, the requirements of which are also set out in Article 30. Records of the data processing shall be in writing, which includes in electronic format, and should be open to inspection by the Commissioner upon request.

7.4. Data protection impact assessment

Where a type of processing, in particular, uses new technologies, and taking into account the nature, scope, context, and purposes of the processing is likely to result in a high risk to the rights and freedoms of individuals, prior to processing, a controller must carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Pursuant to the Legislation, a DPIA referred to above must be prepared in cases of:

• a systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual, or similarly significantly affect the individual;
• processing on a large scale of special categories of data referred to in Article 9(1) of the GDPR Order, or of personal data relating to criminal convictions and offenses referred to in Article 10 of the GDPR Order; or
• a systematic monitoring of a publicly accessible area on a large scale.

The Commissioner has published guidance on DPIAs, which would serve as a useful tool for controllers and/or processors determining whether a DPIA is required and the type of detail to be identified and included, such as, inter alia, identifying and assessing the risks to the rights and/or freedoms of data subjects, measures to be taken, and safeguards to reduce or eliminate those risks. Under Article 36 of the GDPR Order, where a DPIA indicates a high risk in the absence of mitigation measures taken, a controller must consult with the Commissioner prior to any processing. Failure to undertake a required DPIA might result in the Commissioner using their powers to impose a monetary penalty and/or issue an order imposing a ban on processing.

A DPIA should not be mandatory where the processing is not be considered to be on a 'large scale'. The GDPR Order does not define what constitutes 'large scale' but Recital 91 of the GDPR Order provides some examples where personal data is processed from patients or clients by an individual physician, or other healthcare professional or lawyer.

7.5. Data protection officer appointment

Some controllers and processors are required to appoint a DPO as per Articles 37 to 39 of the GDPR Order.

Article 37(1) of the GDPR Order sets out when it is mandatory to appoint a DPO: '…The controller and the processor shall designate a data protection office in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10…'

The nature and processing activities of a controller and/or processor determines when a DPO must be appointed. Albeit the appointment of a DPO is voluntary in some cases, not falling within the above, controllers and/or processors must be able to demonstrate compliance with all obligations under the Legislation. It would appear that the designation of a DPO would be a golden standard and good practice. Where a DPO is not appointed, the onus is on the controller and/or processor to justify to the Commissioner why a DPO was not required and to demonstrate it meets all its requirements under the Legislation.

The requirement to appoint a DPO does not apply to courts and other independent judicial authorities when acting in their judicial capacity.

Under Recital 97 of the GDPR Order, the fundamental role of the DPO is explained as being '…a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance…' Article 37(5) of the GDPR Order further states: '..The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39...'

The minimum tasks of the DPO are set out in the Legislation, which are:

• to inform and advise the controller or the processor and the employees who carry out the processing of their obligations pursuant to the Legislation;
• to monitor compliance;
• to provide advice where requested as regards the DPIA and monitor its performance;
• to cooperate with the IOM ICO as the supervisory body;
• to act as the contact point for the IOM ICO and consult where appropriate.

The Commissioner issued helpful guidance on this matter, a closer look at the Data Protection Officer.

This guidance states '….the necessary level of expert knowledge required of the DPO should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where particularly sensitive data is involved, the DPO may need a higher level of expertise and support.

Relevant skills and expertise include:

• knowledge of the business sector and the organization;
• understanding of the processing operations carried out;
• ability to promote a data protection culture within the organization;
• understanding of information technologies and data security;
• expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR…'

Under Article 37(7) of the GDPR Order, the controller or processor has to notify the Commissioner of the contact details of the chosen DPO so that the Commissioner has a point of contact within the business. The DPO can then facilitate the Commissioner's access to documents and information to allow it to exercise its supervisory role.

7.6. Data breach notification

Under Article 30 of the LED Order and Regulation 60 of the Implementing Regulations, personal data breaches must be notified to the Commissioner by the controller without undue delay if the breach is likely to result in a high risk to the rights and freedoms of the data subject. Where feasible, the controller should notify the personal data breach to the Commissioner not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

Regulation 60(2) of the Implementing Regulations and Article 33 of the GDPR Order specifies that if the notification is made more than 72 hours after the controller was made aware of it, the notification must include reasons for the delay. Regulation 60(3) of the Implementing Regulations makes clear a processor must notify the controller without under delay after becoming aware of a personal data breach. Regulation 60(4) of the Implementing Regulations lists the information that the notification to the Commissioner must include, for example, a description of:

• the nature of the personal data breach (categories and approximate number of data subjects concerned etc.); and
• the likely consequences of the personal data breach.

Personal data breaches must also be notified to the data subject by the Controller without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, in accordance with Article 31 of the LED Order and Regulation 61 of the Implementing Regulations.

7.7. Data retention

The 'storage limitation' principle in Article 5(1)(e) of the GDPR Order states that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

The only exception to this is storage solely for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes, in which case the data may be held indefinitely, subject to required safeguards as set out in Article 89(1) of the GDPR Order and Regulation 18 of the Implementing Regulations. The safeguards are to ensure that technical and organizational measures are in place which may include pseudonymization, provided this is appropriate, noting the purposes for which the data is held.

To make sure that organizations do not fall foul of storage limitation principles, organizations have to ensure good data hygiene practices. There is a requirement under Article 5 of the LED Order for controllers and processors to review the need for the storage of the personal data within five years of the date on which the data was first stored.

Retention periods may also be linked to specific statutory requirements, for example, requirements to hold certain accounting records for a minimum number of years.

7.8. Children's data

The GDPR Order makes specific reference to children. Recital 38 states that '…Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data...'

Controllers must be conscious that they are processing a child's personal data and ensure that they are aware of, and comply with, the following provisions of the GDPR Order, specific to children:

• Article 6(1)(f): processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
• Article 8: conditions applicable to a child's consent in relation to information society services, for example, consent cannot be given by a child below the age of 13 years;
• Article 12: fair processing information. A controller shall make any communication relating to the processing of the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child; and
• Article 17: right to erasure. This is particularly relevant, where '…the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child...'

7.9. Special categories of personal data

The processing of any of the special categories of personal data is prohibited unless a controller can demonstrate that at least one of the conditions set out in Article 9(2) of the GDPR Order applies.

Data relating to criminal convictions and offenses are not included in the definition of special category data. However, Article 10 of the GDPR Order restricts the processing of criminal conviction data. Such processing can only be carried out under the control of an official authority or when the processing is authorized by EU law (as applied to the Island by or under the authority of an Act of Tynwald) or Manx law providing for appropriate safeguards for the rights and freedoms of data subjects.

However, there are exemptions and restrictions in place regarding data relating to criminal convictions. According to Regulation 20 of the Implementing Regulations, the provisions of the GDPR Order and the Implementing Regulations will not apply to manual unstructured personal data relating to criminal convictions held by Freedom of Information public authorities.

7.10. Controller and processor contracts

Article 28 of the GDPR Code requires a written (including in an electronic format) contract (or other binding legal act) to be in place between a controller and processor. The contract must include certain provisions as set out in Article 28(3) of the Applied GDPR. This includes details about the processing such as:

• the subject matter and duration of the processing;
• the nature and purpose of the processing;
• the type of personal data and categories of data subject; and
• the controller's obligations and rights.

In addition to the above, Article 28(3) sets out further specific provisions which must, as a minimum, be included in a contract between a controller and processor. The parties may agree to supplement these and include their own additional provisions. When engaging with a data processor, controllers will need to have carried out sufficient due diligence inquiries to be able to demonstrate the processor it uses, and provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the LED Order and the Implementing Regulations, and ensure the protection of the rights of data subjects.

In order to comply with the provisions of the LED Order, controllers will need to adopt a rule of 'data protection by design and by default' whereby, inter alia, the controller must implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles (such as data minimization) in an effective manner and integrate the necessary safeguards into the processing.

At the date of publication, the Commissioner has not adopted any standard contractual clauses.

8. Data Subject Rights

8.1. Right to be informed

Data subjects have the right to be informed of the ways in which a controller will be processing their personal data. Under Article 13 of the GDPR Order, controllers are required to provide certain privacy information in relation to data processing where personal data is collected directly from the data subject and, under Article 14 of the GDPR Order, where it is collected indirectly, for example via a third party. This requirement is frequently met through the provision of a 'privacy notice' or a 'privacy policy.'

The GDPR Order is supplemented by Schedules 7 and 9 of the Implementing Regulations, which provide exemptions from compliance in certain circumstances, for example, where data is being processed in circumstances where it is subject to legal professional privilege.

8.2. Right to access

Under Article 14 of the LED Order, Regulation 43 of the Implementing Regulations, and Article 15 of the GDPR Order, a data subject has the right to obtain in writing from a controller confirmation as to whether or not personal data concerning them is being processed within an applicable time period. There are various exemptions from compliance, for example, to protect national security and to avoid obstructing legal or official inquiries.

8.3. Right to rectification

Under Article 16 of the LED Order, Regulation 45(1)(a) and (b) of the Implementing Regulations, and Article 16 of the GDPR Order, a data subject has the right to obtain rectification of inaccurate personal data affecting them or to have incomplete personal data completed by means of a supplementary statement.

8.4. Right to erasure

Under Article 16 of the LED Order, Regulation 45(1)(c) of the Implementing Regulations, and Article 17 of the GDPR Order, a data subject has the right to obtain the erasure of their personal data (the right to be forgotten) in certain circumstances.

8.5. Right to object/opt-out

A data subject can object on the grounds relating to their particular situation to the processing of personal data where the basis for processing is either public interest or legitimate interest of the controller. A controller must stop processing the personal data unless it demonstrates compelling legitimate grounds for processing the data that override the interests, rights, and freedoms of the data subject or require the data in order to establish, exercise, or defend legal rights.

8.6. Right to data portability

A data subject has the right to receive their personal data in a structured, commonly used, machine-readable, and interoperable format where the processing of data is based on the consent of the data subject or on a contract and the processing is carried out by automated means.

8.7. Right not to be subject to automated decision-making

Individuals have the right not to be subject to a decision that includes a measure which is based on automated processing, including profiling, which produces legal effects concerning the data subject, or similarly affects the data subject. This is not to say that automation decision-making cannot be used, but it must not be the sole process.

A data subject will not have the right stated above, if the decision:

• is necessary for entering into, or performance of, a contract between the parties;
• is authorized by Isle of Man law and there are suitable measures in place, such as allowing human intervention on the part of the controller, to safeguard the data subject's rights and freedoms and legitimate interests; or
• is based on the data subject's explicit consent.

Additional considerations should be taken regarding special categories of personal data as referred to in Article 9(1) of the Applied GDPR, unless point Articles 9(2)(a) or 9(2)(g) of the GDPR applies and there are suitable measures to safeguard the data subjects rights and freedoms and legitimate interests are in place. Profiling which includes an automated process is allowed, but the individual should be informed of the existence of and the consequences of such profiling. Where any automated decision-making is used, the controller must inform the individual.

8.8. Other rights

A data subject also has a right to:

• Complain to the Commissioner and about the Commissioner and their staff. A data subject can make an application to the Isle of Man Data Protection Tribunal for an order to progress a complaint against the Information Commissioner;
• Object where personal data are processed for direct marketing purposes; and
• restrict processing. Individuals can exercise a right to restrict the processing of their data in the four scenarios set out in Article 18(1) of the GDPR Order, which are:
  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; and/or
  • the data subject has objected to processing pursuant to Article 21(1) pending the verification of whether the legitimate grounds of the controller override those of the data subject.

If the controller does not take action on the request of the individual, they must inform the individual without delay and within one month with the reasons why and information as to any remedies/right of appeal the individual may have.

9. Penalties

There are various sanctions and financial penalties that can be issued by the Commissioner.

By provision of Article 58 of the GDPR Order, the Commissioner has wide ranging investigative powers against controllers and/or processors, such as carrying out data protection audits, obtaining access to all personal data held, and searching premises.

Under Article 58 of the GDPR Order, the Commissioner also has certain corrective powers which include, inter alia:

• warnings that intended processing operations are likely to infringe the GDPR Code;
• Reprimands where processing operations have infringed the GDPR Code;
• issue enforcement notices regarding:
  • compliance with the requests to exercise rights;
  • processing operations to be brought into compliance in a specified manner and timeframe; communication of a personal data breach to a data subject;
  • suspension of data flows to a recipient in a third country;
  • rectification, restriction, or erasure of data and notification to recipients of the data of that action;
  • imposition of a temporary or definitive limitation including a ban on processing; and
  • the withdrawal of a certification or ordering the certification body to withdraw a certification if the requirements for the certification are not or no longer met;
• Issue orders regarding:
  • compliance with the requests to exercise rights;
  • processing operations to be brought into compliance in a specified manner and timeframe;
  • communication of a personal data breach to a data subject;
  • suspension of data flows to a recipient in a third country;
  • rectification, restriction, or erasure of data and notification to recipients of the data of that action.
• Impose penalties in addition to, or instead of, other measures referred to above (a penalty notice).

The maximum amount of any one penalty is £1 million. This regulation concerning the maximum penalty amount applies despite Article 83 of the GDPR Order. An appeal can be made to the Data Protection Tribunal in the Isle of Man against the imposition of a sanction or a penalty. There are also a number of criminal offenses (including some personal liability offenses), the penalties for which are fines and/or imprisonment for non-compliance. These are detailed in the Implementing Regulations and include:

Offenses carrying a fine of up to £10,000 and/or an imprisonment term of up to two years:

• Regulation 103: making a false statement in response to an information notice;
• Regulation 126: unlawful obtaining of personal data, etc.;
• Regulation 127: re-identification of de-identified personal data; and
• Regulation 137: prohibition of the requirement to produce relevant records.

Offenses carrying a fine of up to £10,000 and/or an imprisonment term of up to six months:

• Regulation 82: obstruction of a person exercising the power to inspect personal data to discharge an international obligation;
• Regulation 128: alteration of personal data to prevent disclosure;
• Regulation 129: record tampering; and
• Paragraph 15 of Schedule 4: various offenses in relation to the execution of warrants and the making of false statements.

Offenses carrying a fine of up to £10,000:

• Schedule 7 2(1): processing of personal data without a register entry; and
• Schedule 7 12(1) and (2): duty to notify changes in a register entry.

Officers of a company may also be personally liable for an offense committed by the company. Regulation 143 of the Implementing Regulations provides a director, manager, secretary, or similar officer of the company or person purporting to act in such capacity, will be liable to be proceeded against and punished accordingly for an offense of the Implementing Regulations committed by the body corporate, where it is proved to have been committed with the consent, connivance of, or be attributable to the neglect of such persons.

9.1 Enforcement decisions

Some of the most notable recent enforcement and penalty decisions made by the Commissioner include:

July 2023 – Manx Care

An enforcement notice was issued to Manx Care regarding its compliance with data protection legislation.  It had failed to comply with Article 5(1)(d) of the GDPR Order (principle of accuracy) regarding scanned electronic patient records.  Manx Care is required to bring its processing activities, i.e. the scanning of medical records, into compliance with Article 5(1)(d) of the GDPR Order (principle of accuracy).  Failure to comply with the enforcement notice may result in a penalty and/or contempt proceedings.

June 2023 – Department of Home Affairs ('the DHA')

Following an investigation by the Commissioner into the unauthorized access of personal data in the system, known as iCasework, an enforcement notice has been given to the DHA as the current processor.  This was noting the function and staff of the Office of Cyber Security and Information Assurance, with responsibility for the system administration of iCasework, transferred from Isle of Man Constabulary ('the IOMC') to the DHA during the course of the Commissioner's investigation. It found the DHA as the current processor failed to have a binding contract with any of the public authorities using iCasework. 

The Commissioner ordered the DHA to bring its processing activities into compliance with  Articles 28 (Processor) and 32 (Security of Processing) of the GDPR Order by July 31, 2023.

January 2023 – Manx Care:

A penalty variation notice was issued which varied an earlier penalty notice given to Manx Care in July 2022. Certain paragraphs of the original penalty notice were replaced, resulting in the payment of the penalty of £170,500 being stayed until March 31, 2023, allowing Manx Care further time to implement appropriate technical and organization measures. Manx Care was required to report to the Commissioner its updates and progress monthly on the 26^th day of each month during January, February, and March 2023. Should Manx Care fail to demonstrate compliance with the enforcement notice and implement sufficient safety measures, the Commissioner will use its corrective powers, whereby the penalty will become immediately payable together with a further enforcement notice being issued, temporarily or permanently limiting/banning certain processing activities.

August 2022 – Sentient International Limited

An enforcement notice was issued by the Commissioner following its investigation into Sentient's handling of and compliance with data protection legislation. The Commissioner concluded that Sentient breached certain provisions of the GDPR Order and ordered Sentient to comply with the data subject's requests. Sentient was ordered to provide to the data subject a copy of the personal data listed within 30 days of the issuance of the enforcement notice.

July 2022 – Manx Care:

The imposition of a penalty of £170,500 on Manx Care.

In October 2021, Manx Care emailed an insecure attachment containing a patient's confidential health data to more than 1870 recipients. Manx Care was subject to an enforcement notice at that time and a further enforcement notice was issued in February 2022. Manx Care failed to comply with those enforcement notices and a penalty notice was therefore issued. The payment of the penalty was stayed until December 2022, dependant on the basis that Manx Care implemented appropriate technical and organisational measures to avoid a future occurrence.

Each of the above are reported by the Commissioner on its website in its latest news and updates, here.