The Office of the Data Protection Authority has reminded all organisations established in Guernsey that deal with personal data to complete a new registration or renew their existing annual registration with the Authority by 28 February 2023.
The Data Protection (Bailiwick of Guernsey) Law, 2017 (the DP Law) was drafted to ensure adequate protection of citizens' rights in the Bailiwick in relation to the continued digital free flow of personal data to and from the Islands.
In keeping with this purpose, there is a legal obligation to complete registration or renewal by the above date, including the payment of a prescribed registration fee and subsequent annual levy.
The following questions and answers briefly set out the various legal components to consider when dealing with registration and renewal with the Office of the Data Protection Authority (ODPA).
Who needs to register with the ODPA?
Entities that meet the following three criteria will need to register with the ODPA:
a) all data controllers and processors established in the Bailiwick of Guernsey (including sole traders, organisations, businesses, charities, landlords, business associations, etc)
b) who handle information, facts or opinions about living people (including collecting, storing, organising, using, altering, disclosing, erasing and destroying any information that may identify individual people, such as employees, clients, service users, tenants, social media platforms etc), and
c) the activity performed does not constitute personal or household affairs
What is the timeframe for registering with the ODPA?
The window for registrations and renewals is open between January and February each year.
Are there any circumstances that require registration outside the annual levy collection period (between January and February)?
No, unless any one of the following criteria is met, namely where an entity:
- employs a minimum of 50 'full-time equivalent' staff
- is required by law to appoint a Data Protection Officer
- acts as an LCA, or
- is a non-profit organisation
Should any one of the above criteria be satisfied, then the entity must register with the ODPA immediately upon its incorporation.
What is meant by "established in Guernsey"?
An entity is established in the Bailiwick of Guernsey if it is a controller, processor or other person (including legal person) that:
- is a Guernsey person, Alderney person or Sark person
- maintains in the Bailiwick: an office, branch or agency through which the person carries on an activity, or a regular practice
- causes or permits any processing equipment in the Bailiwick to be used for processing personal data otherwise than for the purposes of transit through the Bailiwick, or
- is engaging in effective and real processing activities through stable arrangements in the Bailiwick
A non-Guernsey entity that processes personal data on a genuine occasional basis that is not part of any stable processing arrangement will fall outside the scope of having to register with the ODPA.
How to register with the ODPA
Registration can be done either with the ODPA directly via their website or by registering with an ODPA Levy Collection Agent (LCA).
Certain entities are required to register directly with the ODPA, including ones that:
- employ 50 or more 'full-time equivalent' staff
- are legally required to appoint a Data Protection Officer (DPO) (see below)
- are acting as an LCA, or
- are a charity or not-for-profit organisation
Entities that are regulated or registered by the Guernsey Financial Services Commission can act as LCAs, which are in turn authorised to declare and pay the levies on behalf of controllers or processors.
How to determine whether someone is employed full-time for the purposes of the DP Law
A full-time employee is an individual who has entered into or who works under a written or verbal contract of service for the employer:
a) for a minimum of 27 hours per week, or
b) a number of employees who do not individually fall within subparagraph (a) but who collectively work/are required to work 27 hours or more per week in the aggregate
- which includes any hours of work done outside the Bailiwick of Guernsey
Which entities are legally required to appoint a DPO?
If an entity falls within any of the following three criteria, it is legally required to appoint a DPO, namely where an entity:
- is a public authority (except for judiciaries)
- carries out large scale systematic monitoring of individuals (for example, online behaviour tracking) as part of its core activity, or
- carries out large scale processing of special category data (being sensitive personal information) as part of its core activity
An entity may also decide to voluntarily appoint a DPO even if it is not legally obliged to do so.
A DPO may be a staff member employed for that specific purpose, a staff member with other duties, or a contracted external party, provided that any other duties of the DPO do not conflict with their formal duties as DPO.
What are the costs involved in registering?
The fee for registering will depend on the number of employees in the organisation. The annual levy for organisations with 50 or more 'full-time equivalent' staff is £2,000 per year and £50 for all other entities. Charities and not-for-profit organisations are also required to register; however, there is no annual levy payable.
What are the continuing obligations regarding registrations?
Registrations must be reviewed and renewed on an annual basis. The registration period for renewals is between January and February. Entities must also pay an annual registration levy which is the same as the initial registration fee.