ARTICLE
14 April 2025

Guernsey Funds Law Series - Data Protection Law Requirements

Walkers

Contributor

Walkers is a leading international law firm which advises on the laws of Bermuda, the British Virgin Islands, the Cayman Islands, Guernsey, Ireland and Jersey. From our 10 offices, we provide legal, corporate and fiduciary services to global corporations, financial institutions, capital markets participants and investment fund managers.

KEY TAKEAWAYS

  • The Data Protection (Guernsey) Law, 2017 (as amended), which was introduced to broadly mirror the EU General Data Protection Regulation, came into force on 25 May 2018
  • Funds or fund managers will likely be considered data controllers and be subject to Guernsey's data protection regime by virtue of collecting personal data (ie data relating to an identified or identifiable person) when investors subscribe for interests in the fund
  • Where personal data is lost, corrupted, improperly disclosed, accessed or distributed, it is necessary to contact the Office of the Data Protection Authority in Guernsey within 72 hours except in certain circumstances

The Data Protection (Guernsey) Law, 2017 (as amended) ("DPGL"), which was introduced to broadly mirror the EU General Data Protection Regulation, came into force on 25 May 2018.

The DPGL introduced obligations on those entities that are established in Guernsey or collect or process data of Guernsey residents, whether this be a self-managed fund, a general partner or a fund manager, including:

  • disclosure obligations, including how and what data is processed;
  • maintaining safeguards and standards on processing and maintaining data, including actions to take in cases of a data breach; and
  • data subject rights, including objecting to data processing and the right to erasure (in certain circumstances).

Why is this relevant to funds?

Funds or fund managers will likely be subject to the DPGL as:

  • personal data is likely collected when investors subscribe;
  • the fund will likely be considered a data controller; and
  • administrators or other service providers will likely be considered data processors.

Funds and fund managers should be aware of their obligations as:

  • data controllers need to register with the Office of the Data Protection Authority in Guernsey;
  • data controllers are ultimately responsible for the processing of personal data in accordance with DPGL; and
  • breaching DPGL can in some cases result in significant fines, criminal charges and adverse outcomes for the owners of the personal data.

Consideration should also be given to what other personal data is collected, including that of directors, officers, representatives, etc.

Key definitions

  • Data subject: an identified or identifiable natural person.
  • Personal data: any information relating to a data subject.
  • Controller: a person or entity that, either alone or with others, determines the purpose and means of the processing of any personal data.
  • Processor: an individual or other person that is given the task of processing personal data by a controller (it excludes any employee of a controller and any employee of a processor). They do not determine the nature of data processed but act by direction of the controller. This will most commonly capture fund administrators, designated administrators, investment managers or investment advisors.

What do data subjects need to know?

Data subjects, such as investors, must be informed about (among other things):

  • the identity and contact details of who in the fund structure is the identified data controller;
  • the purposes for which their personal data is processed and the legal basis for the processing;
  • the circumstances in which such data may be disclosed or transferred; and
  • their rights in respect of their personal data.

The legal basis for processing the personal data may include the following:

  • the processing is necessary for compliance with the data controller's legal and regulatory obligations as a licensee;
  • the processing is necessary for the performance of a contract by the data controller or the taking of steps at the request of the data subject with a view to entering into a contract, delegation or transaction;
  • the processing is necessary for the purposes of legitimate interests pursued by the data controller (such as maintaining internal procedures and policies); or
  • the data subject has consented to the processing of their data for a specific purpose (the data subject has the right to withdraw their consent at any time). Specific purposes may include, for example, the opening of fund bank accounts.

These disclosures are typically found in a privacy notice set out in the offering documents.

How must the data be treated?

The collection and treatment of personal data must be:

  • processed in a fair, lawful and transparent way;
  • collected for a specified and legitimate purpose;
  • adequate, relevant and necessary;
  • accurate and kept up to date;
  • stored only as long as necessary; and
  • processed in accordance with legislation to ensure security, integrity and confidentiality.

Unnecessary data should therefore not be collected, and funds will need to ensure their relevant service providers adhere to the DPGL. Typically, this would be covered in the agreements governing the relationship and delegations with those service providers (such as the administrator agreement, management agreement, advisory agreement).

Special category data

There are additional requirements should special category data be collected, such as race, ethnic background, political opinions, religious or philosophical beliefs, trade union memberships, genetics, health, sexual orientation and criminal or alleged criminal records.

What rights do data subjects have?

  • to be informed about how their data is being used;
  • to access, amend and rectify their personal data;
  • to have incorrect or incomplete data updated;
  • to request erasure of personal information (in certain circumstances);
  • to restrict processing;
  • to data portability (in certain circumstances); and
  • to object to how their data is processed, such as for marketing.

Data breaches

In cases where personal data is lost, corrupted, improperly disclosed, accessed or distributed, it is necessary to contact the Office of the Data Protection Authority in Guernsey within 72 hours except in certain circumstances. In some cases, data subjects will need to be notified.

We would expect service providers to have appropriate plans in place in the event of a data breach, which should include informing the fund.

Next steps

Data protection is a complicated and potentially high-risk area of law and this memorandum only covers some of the relevant areas.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
