Quick guide to exercising your rights

If you are reading this page, we assume that you are concerned that a local entity is breaching (or breaking) our local data protection law, and that you want to understand what you can do about this. Below is a path you can take, along with some supporting information:

  1. Find out what your 10 rights are under our local law*.
  2. Contact the entity (the organisation or person**) who you think may be misusing personal data, in writing, and explain to them which of your 10 rights you want to exercise, where appropriate. Make sure you keep a copy of your letter. Remember that whilst you can make this request, they may be able to refuse it whilst still acting within the Law, but they should tell you their reasons for refusing. In this circumstance we can assist you in understanding why, and whether there are other legal routes open to you.
  3. If you do not receive a response to your letter within 1 month, chase them up. If they still don’t respond, let us know and we can also chase them for a response, where appropriate, and highlight their legal responsibilities.
  4. If you receive a response that you are happy with, no further action is needed from any party.
  5. If you are not satisfied with the response and you can: a) provide sufficient evidence that proves the law has been breached or broken, and b) provide evidence that you have sought to resolve this with the entity directly, you can lodge a formal complaint with us. The act of lodging a complaint enables us to conduct an investigation under Section 68 of our local data protection law using our powers as defined in Schedule 7, where needed.

* (If you need any advice on your rights please contact us.)

** This could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.