Data Protection (Registration and Charges) (Jersey) Regulations 2018
Made 22nd March 2018
Coming into force 25th May 2018
THE STATES, in pursuance of Articles 18 and 46 of the Data Protection
Authority (Jersey) Law 2018[1], have made the following
Regulations –
1 Interpretation
In these Regulations –
“Law” means the Data Protection Authority (Jersey) Law 2018[2];
“register” means a register of controllers and
processors who are required to register under Article 17 of the Law;
“registration period” has the same meaning as in paragraph 2
of Schedule 2 to the Law;
“staff” includes persons employed within the meaning of
the Employment (Jersey) Law 2003[3] and volunteers.
2 Particulars in register
The Authority may include the following particulars in an entry in a register –
(a) whether the entry is in respect of a controller or processor or both;
(b) a registration number issued by the Authority in respect of the entry;
(c) the date on which the entry is treated as having been included in the register;
(d) information that may assist persons consulting the register to contact any controller to whom the entry relates about the processing of personal data;
(e) such further information as the Authority considers necessary or expedient for the purposes of fulfilling its functions under the Law.
3 Notification of registration
The Authority must, as soon as practicable and in any event within 28 days of making, amending or removing an entry in a register, notify the controller or processor to whom the entry relates –
(a) of the making or amending of the entry, the date of that entry or amendment and the particulars currently included within the entry; or
(b) of the removal of the entry,
as the case may be.
4 Requirement to notify changes to particulars
(1) Registered controllers and registered processors must notify the Authority of any change in the particulars that they were required to provide to the Authority in respect of their application for registration as soon as practicable and in any event within 28 days of the change.
(2) Controllers to whom Regulation 5 applies must notify the Authority of any change in the particulars included in their entry in the register maintained under the Data Protection (Jersey) Law 2005[4] on or before the end of the registration period.
5 Controllers already registered
(1) This Regulation applies to any controller who is exempt from the requirement to register under Part 3 of the Law until the end of the registration period by virtue of paragraph 2 of Schedule 2 to the Law.
(2) A controller to whom this Regulation applies must, at the end of the registration period, be registered under Article 17 if the provisions of these Regulations are met.
6 Requirement to pay annual charge
(1) Subject to paragraph (2), registered controllers and registered processors must pay an annual charge of £50 on each anniversary of –
(a) the date of first registration under Article 17 of the Law; or
(b) in the case of controllers to whom Regulation 5 applies, the end of the registration period.
(2) A registered controller is exempt from paying the charge in paragraph (1) if the only processing carried out by that controller is processing that –
(a) falls within any of the classes of processing set out in the Schedule; or
(b) would fall within one of those classes of processing but for paragraph 1(d), 2(d) or 3(e) of the Schedule and where the disclosure –
(i) is required by law or by order of a court, or
(ii) is permitted by Article 64 of the Data Protection Law.
7 Power to remove entry in register
The Authority may remove an entry in a register where the controller or processor relating to that entry –
(a) fails to comply with Regulation 4; or
(b) fails to pay the charge as required by Regulation 6.
8 Citation and commencement
These Regulations may be cited as the Data Protection (Registration
and Charges) (Jersey) Regulations 2018 and come into force on 25th May 2018.
L.-M. Hart
Deputy Greffier of the States
SCHEDULE
(Regulation 6(2))
Classes of processing attracting exemption from charges
1 Staff administration
Processing that –
(a) is for any one or more of the purposes, in relation to the staff of the registered controller, of appointment, removal, pay, discipline, superannuation, work management and any other human resources matter;
(b) is of personal data in respect of which the data subject is –
(i) a past, existing or prospective member of staff of the registered controller, or
(ii) any person the processing of whose personal data is necessary for any of the purposes referred to in sub-paragraph (a);
(c) is of personal data consisting of any one or more of the following in respect of the data subject –
(i) name,
(ii) address,
(iii) other identifiers,
(iv) information as to qualifications,
(v) information as to work experience,
(vi) information as to pay,
(vii) information as to any other matter the processing of which is necessary for any of the purposes referred to in sub-paragraph (a);
(d) does not involve disclosure of the personal data to a third party otherwise than –
(i) with the consent of the data subject, or
(ii) in a case where it is necessary to make such disclosure for any of those purposes; and
(e) does not involve keeping the personal data after the relationship between the registered controller and the data subject ends, except for so long as it is necessary to do so for any of those purposes.
2 Accounts and records
Processing that –
(a) is for any one or more of the following purposes so far as they relate to the conduct of any business or activity carried on by the registered controller –
(i) keeping accounts,
(ii) deciding whether to accept any person as a customer or supplier,
(iii) keeping records of purchases, sales or other transactions in order to ensure that the requisite payments or deliveries are made or services provided by or to the registered controller in respect of those purchases, sales or other transactions,
(iv) making financial or management forecasts;
(b) is of personal data in respect of which the data subject is –
(i) a past, existing or prospective customer, or supplier, of the registered controller, or
(ii) a person the processing of whose personal data is necessary for any of the purposes referred to in sub-paragraph (a);
(c) is of personal data (other than personal data processed by or obtained from a credit reference agency) consisting of any one or more of the following in respect of the data subject –
(i) name,
(ii) address,
(iii) other identifiers,
(iv) information as to financial standing,
(v) information as to any other matter the processing of which is necessary for any of the purposes referred to in sub-paragraph (a);
(d) does not involve disclosure of the personal data to a third party otherwise than –
(i) with the consent of the data subject, or
(ii) in a case where it is necessary to make the disclosure for any of those purposes; and
(e) does not involve keeping the personal data after the relationship between the registered controller and the data subject ends, except for so long as it is necessary to do so for any of those purposes.
3 Non-profit associations
Processing that –
(a) is carried out by a registered controller that is a non-profit association (as described in paragraph 10(a) of Schedule 2 to the Data Protection Law);
(b) is for any one or more of the purposes of establishing or maintaining membership of or support for the non-profit association or providing or administering activities for individuals who are either members of the association or have regular contact with it;
(c) is of personal data in respect of which the data subject is –
(i) a past, existing or prospective member of the association,
(ii) a person who has regular contact with the association in connection with any of the purposes referred to in sub-paragraph (b), or
(iii) a person the processing of whose personal data is necessary for any of those purposes;
(d) is of personal data consisting of any one or more of the following in respect of the data subject –
(i) name,
(ii) address,
(iii) other identifiers,
(iv) information as to eligibility for membership of the association,
(v) information as to any other matter the processing of which is necessary for any of the purposes referred to in sub-paragraph (b);
(e) does not involve disclosure of the personal data to a third party other than –
(i) with the consent of the data subject, or
(ii) in a case where it is necessary to make the disclosure for any of those purposes; and
(f) does not involve keeping the personal data after the relationship between the registered controller and data subject ends, except for so long as it is necessary to do so for any of those purposes.