• Fine issued to Sure over directory inaccuracies

    The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
    Public Statement
    Issued: 09:00 2 September 2020
    Controller: Sure (Guernsey) Limited

    1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).

    2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data, and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.

    3. Following an inquiry conducted under section 69 of the Law, the Authority determined that Sure (Guernsey) Limited breached the Law in relation to its collation and publication of The Bailiwick of Guernsey Telephone Directory 2019/2020.

    4. The Authority has fined Sure (Guernsey) Limited £80,000 for a lack of transparency as to how personal data was to be processed and for publishing personal data which contained inaccuracies and in some cases was contrary to subscribers’ wishes.

    5. Sure (Guernsey) Limited has the right to appeal this fine.

    6. The Authority confirmed that the Law requires all fine monies to be paid to the States of Guernsey’s general revenue account.

    7. Chairman of the Authority, Richard Thomas CBE, commented:

    “This is the first fine that the Data Protection Authority has imposed under the new Law. It was unanimously agreed by all members of the Authority. Although this fine is substantially lower than the maximum which the Law permits, we hope it will bring home the importance of taking great care with people’s personal information.”

    8. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

    “The data protection law provides organisations with a range of accountability tools to ensure appropriate technical and organisational measures are in place including being prepared to deal swiftly and effectively with any breach. In taking this action, the Authority has responded appropriately and proportionately to the evidenced compliance failures. We welcome the positive steps Sure have taken since this incident to ensure better data governance of the personal data in their care.”

    For more information please refer to the administrative fine order.

    Legal Framework

    1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).

    2. The Authority may conduct an Inquiry on its own initiative (under section 69 of the Law) into whether a controller or processor has breached or is likely to breach an operative provision of the Law.

    3. In this case, the controller is Sure (Guernsey) Limited.

    4. Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.

    5. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.

    6. Having considered the details of this case, the Authority has imposed an administrative fine order under section 73(2)(g) and 74 of the Law.

    7. Section 84 of the Law provides for an appeal by the controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days.

    Read more >
  • ODPA Annual Report (2019) published

    Click on image to read: ODPA Annual Report 2019

    The Office of the Data Protection Authority (ODPA) has published its annual report for 2019 which details the highlights from the first full year of its activities under The Data Protection (Bailiwick of Guernsey) Law, 2017 which came into effect in May 2018.

    The Authority has identified a number of key achievements, including taking steps towards full independence from the States of Guernsey, which ensures statutory duties can be carried out with the highest standards of integrity and accountability, along with project management and delivery of a self-funding model that is to be introduced in 2021.

    Commenting on 2019’s activities, Emma Martins, the Bailiwick’s Data Protection Commissioner, said:

    “We have seen evidence of a global awakening of the extraordinary scale and impact of personal data processing in this digital area and how it goes to the very core of who and what we are as human beings.

    “At its heart, data protection is about protecting and empowering individuals and I am delighted that, despite some early challenges, the law in the Bailiwick is now working well. It is clear that data protection is starting to bed into everyone’s personal and professional lives, not just locally, but across the globe.

    “Against the global backdrop of economic and political uncertainty, we want to ensure that the Bailiwick maintains a high-quality, stable and forward-looking regulatory environment which recognises that innovation and good governance are interdependent.”

    The ODPA’s report highlights progress made towards its five strategic objectives:

    1. delivering its enhanced statutory duties;
    2. being a relevant, responsive and effective regulator;
    3. supporting organisations to meet their obligations and empowering individuals to exercise their rights;
    4. developing and maintaining effective relationships; and
    5. elevating discussions around the protection of personal data.

    The Chair of the Data Protection Authority, Richard Thomas CBE commented on why data protection matters,

    “Data Protection is actually People Protection. In the real world, where personal information has now become incredibly valuable, it protects people’s privacy and it protects them from a wide range of social and economic harms which threaten their well-being. Data protection equally protects organisations. There cannot be any organisation – private, public or voluntary sector – that does not handle personal information. Getting data protection right for their customers, clients, suppliers, patients, citizens and voters is simply a matter of self-interest.

    Mr Thomas concluded,

    “For the Bailiwick, there is a further reason why data protection matters. Soon, in accordance with the General Data Protection Regulation (GDPR), the European Commission will decide whether the Bailiwick should keep its ‘Adequacy’ status. Loss of that status, which permits the free flows of personal data which underpin the global digital economy, would be devastating for the financial services industry and other parts of the Bailiwick’s economy.

    “Of course, the European Commission is scrutinising the 2017 Law to make sure that it closely mirrors GDPR’s provisions. But it is also required to make sure that Guernsey has a genuinely independent supervisory authority that can demonstrate effective functioning.”

    DOWNLOAD: ODPA Annual Report 2019

    See also: 

    Read more >
  • EU/US Privacy Shield data transfers invalid

    The Office of the Data Protection Authority (ODPA) is alerting local organisations to take note of a recent judgement from the Court of Justice of the European Union (CJEU) which affects all businesses who transfer personal data outside of the Bailiwick and the EU.

    On 16 July 2020 the CJEU ruled that the EU-US legal framework for data transfers known as ‘Privacy Shield’ is invalid. This means that local organisations need to take steps outlined below to ensure they have proper safeguards around any data transfers that rely on either ‘Privacy Shield’ or EU ‘Standard Contractual Clauses’.

    The now invalid Privacy Shield was a legal framework between the EU and the United States of America (US) that allowed personal data from the EU to be transferred to the US. ‘Standard Contractual Clauses’ (SCCs) are a set of terms and conditions organisations use to protect personal data transferred outside the European Economic Area (EEA).

    The CJEU ruled on both Privacy Shield and SCCs in their judgement of 16 July 2020. They concluded in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), that Privacy Shield is invalid but affirmed SCCs’ validity.

    The background which led to this CJEU judgement goes back many years and involves Maximillian Schrems, an Austrian activist and author. In 2013, Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner seeking to stop Facebook transferring personal data from Ireland to the US. Schrems’ complaint related to Facebook’s alleged involvement in the ‘PRISM’ surveillance programme.

    The ODPA emphasises that the CJEU’s judgement:

    • highlights the crucial role of privacy protections;
    • emphasises that these protections must travel with data;
    • relates to all non-EEA and non-‘adequate’ jurisdictions, not just the US;
    • and that these types of data transfers cannot be a tick-box exercise.

    The Bailiwick is currently recognised by the European Commission as an adequate jurisdiction for the purposes of the General Data Protection Regulation (GDPR). This means that personal data can flow freely between the Bailiwick and the EEA.

    The ODPA is keen to provide clear and consistent advice and support to local organisations. This multi-layered and complex judgement requires analysis and guidance. The European Data Protection Board (EDPB) have published an early statement indicating that further guidance will be published in due course which will provide clarification and support consistency.

    In the meantime, considering the immediate effect of Privacy Shield being invalid, any local organisations that may be affected should do the following:

    1. Identify if you have been relying on the EU-US Privacy Shield for data transfers. You will need to check the terms of service, contracts or Privacy Statements for all third parties you may use to process your data (e.g. Eventbrite, Facebook, MailChimp, LinkedIn, Twitter, Instagram, Basecamp, Slack etc.)
    2. If you find that you have been relying on Privacy Shield you must work towards an alternative. Please refer to sections 56, 57 and 59 of The Data Protection (Bailiwick of Guernsey) Law, 2017 for details of data transfer requirements.
    3. If you are relying on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), you must comprehensively review them and ensure they accurately reflect detailed consideration of risks and safeguards. Whilst the CJEU judgement recognises SCCs as valid, it also raises significant questions around their use. It is clear that relying on ‘derogations’ (such as SCCs or BCRs) in light of this judgement is no longer a straightforward matter and reliance upon any mechanisms cannot be a paper exercise.
    4. Whilst this judgement does not prohibit data transfers outside of the EEA and adequate jurisdictions, you do need to carefully review your position and invest resources into ensuring appropriate safeguards are in place.


    Read more >
  • Blog: World Day of International Justice

    To mark World Day of International Justice, our commissioner Emma Martins reflects on justice, individuals’ rights, and the fair treatment of human beings. 

    The World Day of International Justice is celebrated throughout the world on 17 July as part of efforts to recognise the importance of international criminal justice. It marks the date of the adoption of the treaty that created the International Criminal Court (ICC). The ICC investigates crimes of concern to the international community such as genocide, war crimes and crimes against humanity.

    Taking a look at the ICC’s website, one of the first things you will see is the following statement –

    Justice is a key requisite for lasting peace. International justice can contribute to long-term peace, stability and equitable development in post-conflict societies.

    We live in a world where so many people do not have the rights that we, in our community, have and often take for granted. And a day such as this, which you may think has little or nothing to do with you, is a good opportunity to understand and appreciate its relevance to our lives and to the lives of others.

    Justice is a word we use and hear a lot – often in the context of ‘fighting for’ or ‘defending’ but how often do we reflect on what we mean by it and what others mean by it as well as the role it plays in our lives?

    The root of the word itself, ‘just’, comes from the Latin ‘jus’ meaning right or law and is commonly seen as based on behaving according to what is morally right and fair.

    As with the ICC, it is a term often used in the context of law but it is also strongly related to culture. Justice is perceived and applied differently across the globe and what it looks like in any particular place says a lot about that community and culture; what it values; who it values; who has power and who doesn’t.

    Early theories of justice came from the Ancient Greek Philosophers. Aristotle considered justice to consist of what is lawful and fair, with fairness involving equitable distributions and the correction of what is inequitable.

    In our modern world, the distribution of wealth is largely decided by governments using tax laws and the correction of what is inequitable is largely determined through civil and criminal law. Laws are the basis of much of our lives, shaping and directing so much of our behaviour, sometimes in ways we give little or no thought to. Think how intuitive it is to put a seatbelt on,  I very much doubt that when you do so, you are thinking ‘I am only doing this because the law says I must’; you do it because it has simply become embedded in normal, everyday behaviour.

    Certainly, law raises important and complex issues around equality, fairness and justice. What sort of society do we want to live in? How do we want to treat each other? How do we want to be treated? Looking at the legislation in place in any jurisdiction will give answers to many of these questions and the fact that we live in a small jurisdiction does not mean that those issues are any less relevant. As Albert Einstein said –

    In matters of truth and justice, there is no difference between large and small problems, for issues concerning the treatment of people are all the same”.

    Looking at the legal foundations that underpin our lives, data protection is one of a suite of laws that provides specific rights to individuals (this podcast talks through the seven data protection principles) and is seen as essential for a functioning democracy. Indeed, the link between privacy and democracy is not at all accidental. If you look at those countries with strong data protection and privacy laws, you will also see countries that have committed to strong human and democratic rights.

    Not only does the need for proper protection of our personal data becoming increasingly important as we speed into the digital age (listen to this podcast on your digital footprint, and this podcast on cyber security for more context), it is also a right from which other rights derive – rights such as freedom of association and freedom of speech.

    In the context of justice, equality and fairness, I want to highlight one specific element of data protection legislation here in the Bailiwick (and across Europe); the fact that certain types of personal data are afforded much higher levels of protection than others.

    The law calls this special category data and it consists of the following –

    • Data revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership
    • Genetic data
    • Biometric data
    • Health data
    • Personal data concerning an individual’s sex life or sexual orientation
    • Criminal data

    It is a list of data types that, for those working in data protection, will likely have been discussed at length on training courses and studied and memorised for exams. I would, however, like to encourage us to think a little deeper about this list, not from a perspective of law or legal text, but from the perspective of a human being.

    I have picked out a few examples to help illustrate –

    • Racial or ethnic origin – even before the Black Lives Matter protests swept the globe, questions of race and bias were rarely out of the news. In the UK last year, concerns were raised by scientific and civic groups about the possible intrinsic biases in facial recognition software used for law enforcement purposes that disadvantage black, Asian and minority ethnic individuals.
      (See BBC article: Use of facial recognition tech ‘dangerously irresponsible’)
    • Political opinion – Itai Dzamara was a Zimbabwean journalist and pro-democracy campaigner that disappeared in 2015. He had previously been targeted by state security agents, suffered beatings, abductions and unlawful detentions, his subsequent disappearance is widely believed to be the work of the state because of his pro-democratic views.
      (See BBC article: Itai Dzamara: The man who stood up to Zimbabwe’s Robert Mugabe and vanished)
    • Religious or philosophical belief – The ways in which the Nazi regime collected data to identify, log and locate the Jewish population facilitated the holocaust (listen to this podcast for context on this). It is so important for us to remember that data protection laws include the often-hidden agenda of preventing the reappearance of oppressive regimes that seek to use data for nefarious purposes.
    • Sexual orientation – same sex sexual activity is a crime in around 70 countries with some even imposing a death penalty. A photograph was taken of a woman waving a rainbow flag at a concert in Cairo in June 2017 and widely circulated. Sarah Hegazi was identified and subsequently arrested, tortured and imprisoned for three months as part of a crackdown by authorities. After her release she was given asylum in Canada but took her own life in June 2020.
      (See CBC article: LGBTQ activist Sarah Hegazi, exiled in Canada after torture in Egypt, dead at 30)

    These few examples illustrate how interwoven the question of individual’s rights are with the way in which identifying information is collected, recorded and used and the profound affect it can have on people’s lives and on how justly they are treated.

    Relating personally to these events may feel like a bit of a leap because they are so alien compared to the world in which we live. But the public health crisis has brought into stark focus that, as much as we are part of a strong local community, we are also part of a wider global community.

    Our lives connect in so many ways, so to end with another quote, this time from Martin Luther King,

    Injustice anywhere is a threat to justice everywhere”.

    Read more >
  • Learning and improvement the route to a culture of compliance

    The Office of the Data Protection Authority (ODPA) has published its latest breach statistics and emphasised the need for learning and improvement to better safeguard personal data handled in the Bailiwick and build a culture of compliance.

    Figure: 34 personal data breaches reported to ODPA between 1 May 2020 – 30 June 2020 by category. (Click to enlarge)

    Thirty-four personal data breaches were reported to the ODPA in the two months leading up to 30 June 2020. Just under three-quarters of these (22) happened when personal data was accidentally sent to the wrong person by email. There were two instances where data was sent to the incorrect recipient by post.

    Other self-reported breaches for the two-month period included three of inappropriate access, three cyber incidents, two unauthorised disclosure, one unauthorised access and one loss of data/paperwork/device.

    The 34 breaches were split across a variety of sectors, five from public authorities, four from fiduciary entities and three each from banking, insurance and retail/wholesale establishments. Charities/not for profits, education/training organisations, investment organisations and legal practices all reported two each with the remaining eight split across five other sectors.

    This is the second group of statistics covering the Covid-19 lockdown period and again, the figures show a similar number of breaches reported since collation of the data began two years ago.

    The Bailiwick’s Data Protection Commissioner, Emma Martins, commented on the continuing trend.

    ‘We would like to offer our thanks to those businesses and organisations that have managed to continue to fulfil their statutory duties under the recent challenging circumstances. Whilst it’s largely reassuring that the number of reported breaches is remaining consistent, perhaps it’s time to ask organisations that don’t routinely report to us to have another look at their procedures to ensure that there aren’t breaches occurring that we should be advised of.’

    Mrs Martins continued by highlighting that the Authority’s mandate is to educate and engage not just enforce.

    ‘Our aim is to help and empower all organisations, large or small, to handle personal data correctly because first and foremost we want to prevent breaches from happening in the first place. If we are going to do that effectively we need to have good knowledge and understanding of the nature of incidents and how often they are occurring. That in turn will enable us to provide more relevant and targeted support and guidance to those most at risk. Now that lockdown has eased, our fortnightly drop-in sessions to support our local regulated community are starting again on 22 July so local businesses and organisations can visit our offices and meet with a member of staff for advice. We are committed to building a culture of compliance for the Bailiwick; one that recognises that we’re all only human and we all make mistakes, but by learning from those mistakes and improving how we work, we can strive for better levels of data protection, benefitting our community and our economy.’



    • Fortnightly drop-ins
      Anyone representing an organisation can come along to the ODPA’s fortnightly drop-in sessions which are normally held between 09:00 – 12:00 every other Wednesday morning.
    • Breach reporting
      One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. Organisations can report breaches to the ODPA via
    • Why does the ODPA publish breach statistics?
      The ODPA has published statistics of the number of breach reports it receives, every 2 months since June 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.
    • Number of personal data breaches reported to ODPA (June 2018 – present):

    2 months to 30 June 2020 – details above  34
    Commissioner ‘encouraged’ by consistent breach reporting trend (2 months to 30 April 2020) 30
    Lowest number of breaches in more than a year (2 months to 29 February 2020) 28
    Data Protection Commissioner calls for a culture of improvement
    2 months to 28 December 2019
    Data breaches: workplace culture change needed (2 months to 27 Oct 2019) 44
    Human behaviour remains key risk to protecting data (2 months to 26 Aug 2019) 32
    Data Protection Commissioner cautions against a ‘culture of blame’ (2 months to 25 Jun 2019) 50
    Human error remains biggest risk in data protection locally (2 months to 22 Apr 2019) 40
    ODPA report further increase in local data breaches (2 months to 22 Feb 2019) 45
    Increase in local data breaches (2 months to 18 Dec 2018) 28
    ODPC offers advice after increase in local data breaches (2 months to 18 Oct 2018) 26


    • How are personal data breaches categorised?
      The ODPA individually assess each breach reported to them and assign them to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. One of the eleven categories (‘cyber incidents’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.
    1 Loss of data/paperwork/device accidental
    2 Data sent to incorrect recipient – email accidental
    3 Data sent to incorrect recipient – post accidental
    4 Data sent to incorrect recipient – fax accidental
    5 Inappropriate access accidental
    6 Inappropriate disclosure accidental
    7 System error accidental
    8 Cyber incidents accidental or deliberate
    9 Unauthorised access deliberate
    10 Unauthorised disclosure deliberate
    11 Other accidental or deliberate
    • What is a personal data breach?
      A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.


    • What are a person’s ‘significant interests’?
      A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.
    Read more >
  • States of Guernsey approves ODPA self-funding model

    The States of Guernsey is supporting a self-funding model for the Office of the Data Protection Authority (ODPA), to reinforce its role as a fully independent regulatory body.

    The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017 delegated by the Data Protection Authority. Its new self-funding model means that, from January 2021, most of its operational costs will be met by annual fees paid by the regulated community (i.e. local businesses and other organisations who handle personal data), with the States of Guernsey contributing around £300,000 per year.

    The way the ODPA is funded has changed because it is legally and politically obliged to operate independently of the States of Guernsey. Reinforcing this independence is an important part of the ODPA’s effective regulatory oversight, and being able to demonstrate this independence is critical to the Bailiwick retaining its ‘adequacy’ status with the European Commission. This status allows the free-flow of data between the islands and the EU which is crucial to the Bailiwick’s current and future economic success.

    Deputy Mary Lowe, President of the Committee for Home Affairs said,

    Data is an essential part of the modern economy. It is a precious commodity in both our business and personal lives and needs to be properly safeguarded. The Committee has been working closely with the Authority and we are in agreement that moving the ODPA to become self-funding will prove important in demonstrating that while the States creates the Data Protection legislation, the Authority is able to act without fear or favour in its investigations.’

    Emma Martins, the Bailiwick’s Data Protection Commissioner, commented on the work that has led to this point,

    ‘The States of Guernsey civil servants, politicians, as well as ODPA staff and board members have worked hard since 2018 to reach agreement on how best to fund the ODPA. Our focus was always on ensuring that we agreed on a low-cost, low-admin model that is as fair as possible to local businesses. Especially at this challenging time for everyone, we want people to focus their efforts on running their businesses well, rather than filling in bureaucratic forms. We are pleased to finally be in a position to start work preparing for the changes ahead and we will publish further details over the coming months.’


    Q: What is personal data? 
    It is any information that relates to an identified or identifiable living person. Things like: your name, your address, your medical records, CCTV footage of you, your social media activity, your internet browsing history, what your boss once said in an email about you, your political views, your sexuality etc.

    Q: What is ‘processing’ personal data? 
    ‘Processing’ refers to pretty much anything an entity* does with personal data. It includes activities like: collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data. Profiling is also considered to be processing.
    *An ‘entity’ could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.

    Q. What is changing?
    From 2021, a new registration regime (approved by the States of Guernsey) will be in place for the Office of the Data Protection Authority (ODPA). This regime means that all controllers and processors established in the Bailiwick that process personal data will be legally required to register with the ODPA and pay a fee each year.

    Q. Why is the registration regime changing?
    The new data protection legislation that came into force for the Bailiwick in 2018 (The Data Protection (Bailiwick of Guernsey) Law, 2017) provided for the creation of an independent regulator. The funding mechanism that was in place prior to that time was maintained until the end of 2020 to allow for political agreement on a sustainable and efficient funding model for the future.

    Q. Who decided to make these changes?
    The States of Guernsey agreed that the ODPA should be self-funding to ensure full independence.

    Since legislation came into force in 2018, the ODPA has been working with the States of Guernsey to agree a new registration regime to enable this. All parties have focused on providing a regime that is as low cost and administratively straightforward as possible for organisations.

    The Committee for Home Affairs agreed the new model in February 2020 and the Policy and Resources Committee agreed it in March 2020. The ODPA was then tasked with implementing the model ready for January 2021.

    Q. I am registered with the ODPA now, what does it mean for me?
    If you are currently registered with the ODPA, you will need to provide the ODPA with new information confirming your registration, between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process. If you do not complete an annual validation with Guernsey Registry, you can simply register directly via the ODPA’s website.

    Q. I am not currently registered with the ODPA, what will I have to do?
    If you are not currently required to register with the ODPA because you benefit from the limited exemptions (see for details), those exemptions will end at the end of 2020 (the only exception is for domestic/household purposes). You will therefore need to register and pay between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process. If you do not complete an annual validation with Guernsey Registry, you will be able to register directly via the ODPA website. You will need to do this between January-March 2021.

    Q. I am a charity/not-for-profit, what does this mean for me?
    You will need to complete the registration process as above between January-March 2021, but you do not need to pay.

    Q. How much will it cost?
    It is recognised that no one wants to pay large administrative costs for running a business, however big or small. The ODPA has always been absolutely clear that its funding model should be as cost effective as possible. The 2020 economic climate has redoubled efforts to ensure that all expenditure is proportionate, necessary and has the highest standards of financial and operational governance built in. The ODPA has worked hard, together with the States of Guernsey, to keep the cost organisations are required to pay as low as possible.

    With all of that in mind, there is a simple two-tier cost structure:

    • For small organisations with fewer than 50 full-time equivalent (FTE*) employees, the annual levy will remain £50/year.
    • For large organisations with 50 or more FTEs the annual levy will be £2,000/year.

    * The Regulation will include details on how to calculate your total FTE.

    All charities/not-for profits will pay zero fee, but must still register and review this each year.

    Q.Where will the money go?
    The new fees regime will allow the ODPA to move towards self-funding status, giving it full financial independence from the States of Guernsey. This independent status is both a political and legal requirement. The ODPA’s statutory responsibilities are set out at (under ‘Functions of The Authority and ODPA’) and you can see its plan for performing these tasks via the ODPA Strategic Plan (2019-2022) at

    The Bailiwick has had a data protection regulator for many years. Up to now, it has received funding from the States of Guernsey with some income also coming directly from registration fees paid by local organisations. The strengthened data protection regulatory framework has enhanced individuals’ rights to reflect the scale of personal data processing in this digital era. It has also strengthened the role of the regulator to provide for appropriate powers and ensuring independence.

    Q. How often do I need to pay?
    Following your initial registration fee, payable by all (except charities/not-for-profits) in January-March 2021 an annual levy (of either £50 or £2,000 depending on your organisation’s size) will be due during the first quarter of each following year.

    Q. I am responsible for registering a number of entities. What are the changes for us?
    The ODPA is aware that where an organisation is responsible for registering a number of controllers and/or processors a simpler bulk registration process would be helpful. Consideration is being given to this and more information will be released when available.

    Q. I complete an annual validation via Guernsey Registry, how will this process work for me?
    The ODPA want to make the registration process as easy as possible. This ensures that costs are kept to a minimum and it also does not divert you with administrative processes which do little to support overall data protection compliance.

    To this end, the ODPA has worked with Guernsey Registry to make sure you are given a timely prompt to register with the ODPA once you have completed your annual validation with the Guernsey Registry. This allows the process to be as straightforward as possible for you.

    If you prefer, you can of course disregard the prompt at the end of the Guernsey Registry process and simply register directly with the ODPA at a time convenient to you between January-March 2021.

    Q. I do not complete an annual validation with Guernsey Registry, how will this process work for me?
    You will be able to register directly via the ODPA website. The process is designed to be as straightforward as possible whilst recognising that the ODPA have a statutory requirement to collect certain information from you.

    Q. What does the ODPA do with the data it collects for the registration process?
    Following changes to legislation in May 2019, the ODPA is no longer required to maintain a public-facing register of controllers and processors. Therefore, all registration data will be processed internally for administrative purposes only.

    Q. Why do we need to fund a data protection regulator?
    Data increasingly powers the economy as well as affecting our own individual lives, both personally and professionally. The Bailiwick relies on the free flow of data to support and develop the current economy as well as to ensure it is well positioned to take advantage of the emerging digital economy.

    Our government recognises how important data protection standards are for our jurisdiction and has therefore provided high quality legislation to ensure appropriate safeguards sit around the personal data that resides and flows through the Islands. As with any legislation, there needs to be effective oversight – both to ensure people and businesses are supported in complying with the requirements, as well as to ensure that complaints are investigated independently and robustly.

    Whilst most funding has come from the States of Guernsey up until now, it raised challenges in relation to ensuring the ODPA’s independence (both actual and perceived). With government responsible for handling some of the highest volumes and most sensitive personal data in the Bailiwick, fully independent oversight is essential. Once government made the decision to move the ODPA to a self-funding model, a lot of effort went into devising a fair, low-cost, simple registration model that provides the ODPA with sufficient funding.

    Ensuring our jurisdiction has a properly resourced and effective data protection regulator supports islanders’ rights, supports businesses to handle data properly and serves to underpin the Bailiwick’s digital strategy.

    Read more >
  • Reprimand and warning issued to Isle of Sark Shipping Co. Ltd

    The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)

    Public Statement

    Issued: 12:00 6 July  2020

    Controller: The Isle of Sark Shipping Company Ltd

    1.  Following an inquiry under the Law the Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that The Isle of Sark Shipping Company Ltd (the controller) breached three operative provisions of the Law, namely section 6(2)(a) requiring personal data to be processed lawfully, fairly and transparently, section 6(2)(d) requiring personal data to be accurate and up to date, and section 6(2)(f) requiring personal data to be processed in a manner that ensures appropriate security. As a result of the Authority’s findings it has imposed sanctions on the controller under the provisions of the Law, as is set out in greater detail within this statement.
    2. The inquiry undertaken by the Authority leading to the breach determination and imposition of the sanctions commenced as a result of matters being drawn to its attention and certain responses provided by the controller following questions raised by the Authority. The Authority had concerns that the controller may have been unable to demonstrate sufficient awareness, understanding and compliance with their data protection obligations under the Law and as a result failed to maintain appropriate standards and controls in their processing of personal data.
    3. The area of concern to the Authority related to the processing of personal data concerning the financial status of a data subject. At the conclusion of the inquiry the Authority found that the controller did not process the subject’s personal data in a manner which ensured that the data was processed fairly, lawfully, accurately or securely, in breach of three of the data protection principles under the Law.
    4. Where organisations process personal data in a manner which breaches operative provisions of the Law the Authority will consider taking action to address those breaches and the imposition of appropriate sanction(s), which can include the issuance of a fine.
    5. Following the determination by the Authority that the controller had breached operative provisions of the Law it proceeded to consider whether or not to impose sanctions under the Law for the breaches and, if sanctions were to be imposed, what the most appropriate sanctions would be.
    6. In this case, the Authority identified the following mitigating factors –
    • The controller maintained open and candid correspondence with the Authority whilst enquiries took place and made early admissions.
    • The controller took action prior to the Breach Determination being made to no longer process personal data in the manner highlighted by the inquiry.
    • The controller has not been subject of previous investigation or inquiry.
    1. However, the Authority also took into account that the controller showed insufficient appreciation of the significance of some of the problems arising from the processing of personal data which were the subject of the inquiry.
    2. The Authority considered it was appropriate to impose sanctions for the breaches of the operative provisions of the Law by the controller. Considering all of the relevant factors arising from the inquiry the Authority considered that the breaches of the operative provisions of the Law were toward the lower end of the scale of seriousness.  Accordingly, the Authority imposed a formal Reprimand (under s73(1)(a) of the Law) in relation to the breaches which had been discovered and it also issued a formal Warning (under s73(1)(b) of the Law) to seek to prevent future breaches of a similar nature.

    Legal Framework

    • This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
    • Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
    • In this case, the controller is The Isle of Sark Shipping Company Ltd.
    • The Authority may investigate a complaint in accordance with section 68 of the Law or conduct an inquiry in accordance with section 69. Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
    • In accordance with section 72, the Authority, having made the breach determination, will consider whether to impose a sanction(s) against the controller and, if so, which sanction(s) are the most appropriate to impose.
    • Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand and a warning against the controller.
    • Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days.
    • If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –

    (a) a reprimand,

    (b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and

    (c) an order under subsection (2) including an administrative fine.

    Read more >
  • ODPA staff returning to office: 22 June 2020

    UPDATE (12 June 2020):
    – ODPA staff will be returning to the office on Monday 22 June 2020.
    – We hope to re-start our fortnightly drop-ins, and events in early July 2020.



    UPDATE (27 March 2020): 
    ODPA takes ‘realistic’ approach to regulatory activity during Bailiwick ‘lockdown’

    UPDATE (23 March 2020):
    The ODPA premises is currently closed.

    During our office closure our staff are working remotely and can be contacted via:


    Read more >
  • ODPA response to media enquiries regarding contact tracing

    Local media have asked the ODPA to comment regarding the new data collection requirements for businesses and organisations in light of the move to Phase 4 of the exit and recovery strategy.

    The States of Guernsey have a dedicated data protection team who are responsible for the operational implementation of the data protection law in all areas of government activity. Whilst the ODPA have not been involved in the implementation of this aspect of Phase 4, we are always keen to support the whole regulated community with their compliance duties.

    As part of the Bailiwick community the ODPA welcome the very positive news that we have been able to move to the next phase so swiftly. The ODPA also recognise that a key element of the next phase is going to be efficient, effective and timely contact tracing.

    From Saturday 30 May local businesses and organisations are required to keep records of the names and contact details of all those who visit their premises.

    As with all processing of personal data, it is important that individuals are given information and details about that processing including what personal data is being collected, how it will be used and who else will have access to it. The principles contained within the data protection legislation are there simply to ensure that these elements are included in all processing activities, regardless of their context.

    The reasons for data collection in this context are self-evident and ensuring all personal data is handled in compliant manner will ensure that individuals have trust and confidence in the process as well as in the people directing that process.

    For more information about compliance with the local data protection law please see our Advice, Guidance, and Resources page

    Read more >