Exercising your rights

Individuals are at the heart of data protection legislation. The Law contains legal rights and responsibilities and specifically aims to strengthen individuals’ rights.

You have the following 10 rights under The Data Protection (Bailiwick of Guernsey) Law, 2017 which must be respected by all local entities who decide how your personal data is used *:

  1. Right to information for personal data collected from data subject
  2. Right of access
  3. Right to object to processing for direct marketing purposes
  4. Right to object to processing on grounds of public interest
  5. Right to object to processing for historical or scientific purposes
  6. Right to rectification
  7. Right to erasure
  8. Right to restriction of processing
  9. Right not to be subject to decisions based on automated processing
  10. Right to data portability

You can find out more about your 10 rights here.

In addition to your 10 rights, local entities who decide how your personal data is used must adhere to these seven principles outlined in our local data protection legislation (Part II section 6):

  1. LAWFULNESS, FAIRNESS & TRANSPARENCY.
    They must have a valid legal reason for processing your personal data, they must obtain it without deceiving you, and they must make it clear to you exactly how they are going to use it.
  2. PURPOSE LIMITATION.
    They must only use your personal data for the reason (or reasons) they have told you they’re using it for.
  3. MINIMISATION.
    They can only ask for the minimum amount of personal data necessary from you.
  4. ACCURACY.
    They must ensure that any personal data they hold about you is accurate and up-to-date.
  5. STORAGE LIMITATION.
    They must not keep your personal data for longer than is needed.
  6. INTEGRITY AND CONFIDENTIALITY.
    They must keep your personal data safe so that it doesn’t get accidentally deleted or changed, or seen by someone who is not allowed to see it.
  7. ACCOUNTABILITY.
    This is the big one. They must show that they take responsibility for how they look after your personal data.

* This could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.