Privacy Notice

PLEASE NOTE: The Data Protection (Bailiwick of Guernsey) Law, 2017 requires us to provide certain information to you. We provide this via our Privacy Statement below. This applies to all personal data collected by the Office of the Data Protection Authority (ODPA) except for that relating to recruitment.

WHO ARE WE?

We are the Office of the Data Protection Authority for the Bailiwick of Guernsey (ODPA). Our legal identity and powers come from the Data Protection (Bailiwick of Guernsey) Law, 2017 (and associated statutory instruments) (the Law) where we are described as ‘the Authority’. You can find contact details here.

 

DATA PROTECTION OFFICER (DPO)

The Data Protection Officer for the ODPA is Rachel Masterton, who can be contacted by email (r.masterton@odpa.gg), telephone (+44 1481 742074) or in writing (contact details here).

 

WHEN PERSONAL DATA IS COLLECTED

Personal data is collected

 

HOW WE USE YOUR PERSONAL DATA

Data collected in relation to complaints submitted under the Law or other enforcement action taken by the ODPA

All personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and/or 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 1, Parts I and II of the Law. All special category data collected for this purpose is processed under paragraphs 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) and/or 12 (legal proceedings & establishing, exercising and defending legal rights) of Schedule 2, Part II of the Law.

This information is processed for the purpose of responding to or investigating your complaint. It is likely that we will need to provide some or all of this information to the controller or processor you have complained about to allow for further enquiry and investigation.  If there is information you do not wish to be passed on, please let us know.

In certain cases, it may not be possible to complete a full review of the circumstances surrounding the complaint/enquiry without disclosing some or all of the information you have provided, including your name. In such circumstances, we will discuss this in detail with you and agree on the next steps. Only in exceptional cases, where there is evidence of a serious compliance concern, would we consider pursuing an investigation where the complaint has been withdrawn. We will discuss this with you in detail should that situation arise.

We recognise that an enquiry or complaint may involve sensitive and confidential matters and will ensure we involve you in decisions made relating to the progress of the case and will keep you updated.

If you are concerned about providing information relating to a complaint or investigation, please discuss this with us.

We do compile and publish statistics relating to the number and nature of complaints received but never in a form that would identify any individual.

 

Data collected as part of the breach reporting process

All personal data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

Breach reports will be reviewed and the ODPA may get in contact for further information or to assess compliance with the Law.

 

Data collected as part of the notification process

All personal data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

Many businesses and organisations are required by law to notify the Office of the Data Protection Authority of the processing they carry out. This may contain personal information, for example where the business is a sole trader. Notification information is compiled into a public register, as is required by law.

Details of a relevant member of staff are requested as part of this process but are not published on the public register and are used solely by the ODPA for administration purposes.

 

Data collected by email

Personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Parts I and II of the Law. Special category data collected for this purpose is processed under paragraph 8 to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law

We process information supplied by email using standard email applications (e.g. Outlook and Exchange), and we may also record it in our customer relationship management system if it relates to a complaint, notification or other matter of significance.

 

When you interact with our online content via third parties
All personal data collected for this purpose is processed under paragraph 5 (necessary for the exercise or performance by a public authority of a task carried out in the public interest) of Schedule 2, Part I of the Law.

We process personal data when you interact with our content shared via third party services such as LinkedIn (based in USA and part of the EU-US Privacy Shield framework) and SoundCloud (based in Germany).

We use this data solely for monitoring how well our content is performing (how many views it has, who likes it, who shares it etc.) as an indicator of how well we are meeting our statutory obligations under section 61 of the Law (to promote public awareness of risks, rules, safeguards and rights in relation to processing, especially in relation to children, and to promote the awareness of controllers and processors of their duties under this Law).

 

Data collected as part of newsletter sign-up

We process your personal data (in this instance: email address only) in relation to our newsletter sign-up process under paragraph 1 (consent) of Schedule 2, Part I of the Law.

When completing our newsletter sign up form, you only need to provide your email address. We use your email address for the sole purpose of sending you our monthly newsletter. During the sign-up process you will receive an email to verify your details and a confirmation email once sign-up has been completed.

We use the legal basis of ‘consent’ to process your data in this way, as such you are free to withdraw your consent at any time. An unsubscribe link is included in each newsletter email to enable you to unsubscribe.

We use Campaign Master to deliver our newsletter, they are a UK-based organisation.

 

Data collected as part of registering to attend one of our events
We process your personal data (in this instance: your name, and email address only) in relation to our event registration process under paragraph 2 (the entering into and performance of a contract) of Schedule 2, Part I of the Law.

When registering for an event with us, you only need to provide your name and email address. We will use this information to facilitate the event and your attendance at it. We will be unable to manage your attendance at any event without your name and email address. You will not receive any event specific communication other than for events you have signed up for.

We use Ticket Tailor to manage our events registration, they are a UK-based organisation.

Data collected as a result of enquiries made by phone or in person

Personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and/or 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Parts I and II of the Law. Special category data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law

We may record information in our customer relationship management system if the information relates to a complaint, notification or other matter of significance.

 

YOUR RIGHTS

The Law provides you with a number of specific rights.

If you want to make a submission in respect of any one of these rights, please contact our data protection officer.

 

TRANSFERS OF DATA

The ODPA does not intend to transfer any personal data to authorised jurisdictions outside of the EU, or to unauthorised jurisdictions unless we are required to do so by Law.

If you provide information as part of the process of notifying us that you are a data controller, this will be published on our website, which is available worldwide. The only exception to this is the contact details you provide, which will only be accessible to ODPA for our administration purposes.

 

LINKS TO OTHER WEBSITES

This notice does not cover any third-party websites reached via links on this website. You are advised to read the data collection statements on the other websites you visit.

 

RETENTION OF DATA

The ODPA fulfils a statutory function as set out in the Law. All data is retained securely and only used for the purposes set out in the Law. Data is retained to comply with our statutory obligations and in accordance with the retention policy of the ODPA.

 

COMPLAINTS AND APPEALS

Section 67 of the Law provides for a right to complain to the Authority. Sections 82 and 83 of the Law provides for rights of appeal. Where that complaint relates to the processing of personal data by the ODPA, specific procedures are in place to ensure appropriate review.

Complaints can be lodged via the Online Complaints page of our website or using the contact details listed here.

 

ANALYTICS

When you visit www.odpa.gg we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns.  We do this to find out such things as the number of visitors to the various parts of the site in order to better understand how people use the website and to improve the site and the services offered. This information is only processed in a way that does not identify anyone.  We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

If we do collect personal data through our website, how this is processed and under what lawful processing condition depends on which part of the website is used and is listed above.

 

 

This has been updated on 15 January 2019.