How to complain

Individuals are at the heart of data protection legislation. The Law contains legal rights and responsibilities and specifically aims to strengthen individuals’ rights.

If you feel your rights (or someone else’s) are not being respected, in the first instance you need to:

  • raise your concerns directly with the organisation or entity that you’re concerned about: follow our quick guide to doing this.
  • if you have evidence that you’ve already raised your concern and you’re not happy with the response, we may be able to help you. You can make a formal complaint against an entity if you can provide evidence of: your concerns; and that you have sought to resolve the issue with the entity already.

If you are unsure of how to proceed please contact us for advice.

If any terms are unclear to you, please refer to our definitions page for explanation.

You have the following 10 rights under The Data Protection (Bailiwick of Guernsey) Law, 2017 which must be respected by all local entities who decide how your personal data is used *:

  1. Right to information for personal data collected from data subject
  2. Right of access
  3. Right to object to processing for direct marketing purposes
  4. Right to object to processing on grounds of public interest
  5. Right to object to processing for historical or scientific purposes
  6. Right to rectification
  7. Right to erasure
  8. Right to restriction of processing
  9. Right not to be subject to decisions based on automated processing
  10. Right to data portability

You can find out more about your 10 rights here.

In addition to your 10 rights, local entities who decide how your personal data is used must adhere to these seven principles outlined in our local data protection legislation (Part II section 6):

    They must have a valid legal reason for processing your personal data, they must obtain it without deceiving you, and they must make it clear to you exactly how they are going to use it.
    They must only use your personal data for the reason (or reasons) they have told you they’re using it for.
    They can only ask for the minimum amount of personal data necessary from you.
    They must ensure that any personal data they hold about you is accurate and up-to-date.
    They must not keep your personal data for longer than is needed.
    They must keep your personal data safe so that it doesn’t get accidentally deleted or changed, or seen by someone who is not allowed to see it.
    This is the big one. They must show that they take responsibility for how they look after your personal data.

* This could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.