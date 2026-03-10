Key Takeaways

The Royal Court endorsed the ODPA's position that "appropriate" technical and organisational measures must be put in place with reference to the sensitivity and risk profile of the data itself.

The fact that the relevant documents were referred to previously in open court did not reduce the controller's obligations under the Law.

The Royal Court confirmed it will not re-try ODPA cases and upheld a reprimand as proportionate in the circumstances.

By a judgment dated 23 December 2025 (available here) (the Judgment), the Royal Court of Guernsey has dismissed an appeal brought by AFR Advocates (AFR) and in turn confirmed a reprimand issued by the Office of the Data Protection Authority (the ODPA) for breaches of the Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).

The Judgment marks the first appeal under Guernsey's data protection regime and provides important guidance on the standards expected of controllers handling special category data and on the appellate court's approach to enforcement decisions by the ODPA.

Our team was led by partners Advocate Sarah Brehaut and Jamie Bookless, with support from senior associate Advocate Jarrad Knoetze, who acted for the ODPA and secured a successful outcome having been involved from the outset.

Background and issues

The appeal arose from a breach determination and reprimand issued by the ODPA following the delivery of a court bundle (the Bundle) to a data subject's home. The Bundle, which contained amongst other things the individual's health information, was left unattended on a doorstep in an unsealed lever-arch folder. The ODPA, following a thorough investigation, determined that AFR had breached sections 6 (Integrity and Confidentiality) and 41 (Duty to take reasonable steps to ensure security' of the Law.

On appeal, AFR challenged the decision on multiple grounds, including an alleged error of law, unreasonableness, lack of proportionality, and material error of fact or procedure. AFR also criticised the ODPA's investigation process and, amongst other things, suggested there had been a failure to apply the correct legal test.

The Royal Court dismissed all the grounds of appeal advanced by AFR and confirmed the reprimand.

The Royal Court held that the ODPA applied the correct legal framework and endorsed the ODPA's approach to assessing 'appropriate' technical and organisational measures for special category data. This approach, aligns with EU jurisprudence that places the burden on controllers to demonstrate measures commensurate with risk.

The Royal Court found that leaving a folder which was unsealed and contained health data unattended on a porch created a clear risk of possible loss, destruction, unauthorised access, or damage. The Royal Court agreed with the ODPA that the fact that documents were referred to in open court previously did not diminish the controller's statutory obligations in relation to special category data. In addition, the fact that the health data had previously been referred to in open court did not in turn engage the exemptions under the Law capable of disapplying sections 6 or 41 of the Law.

AFR's arguments in relation to the ODPA investigation process also failed on the basis that the Law does not require the ODPA to disclose the original complaint to a controller and, in any event, the ODPA had provided sufficient particulars to AFR to enable meaningful representations to be made. The Royal Court concluded there was no procedural unfairness and no material errors of fact.

On proportionality, the Royal Court noted the reprimand was the lowest available sanction and was appropriate in the circumstances in order to highlight the compliance shortcomings where special category data is involved.

Key points for controllers

The decision underscores that controllers must adjust their security measures to the nature and risks of the data, especially where special category data is involved.

Practical measures such as using sealed packaging, marking materials 'private and confidential', confirming recipient availability or using a designated safe place are some of the measures which could be adopted when delivering sensitive information. It should also be noted that litigation and the use of personal data in open court do not dilute data protection duties: controllers remain responsible for safeguarding personal data until processing ceases.

The judgment also confirms the Royal Court's appellate role insofar as it not re-try ODPA cases but rather will seek to uphold determinations that are reasonable, proportionate and legally sound.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.