Data Protection (Registration and Charges) (Jersey) Regulations 2018
1 Interpretation[1]
In these Regulations –
“Law” means the Data Protection Authority (Jersey) Law 2018;
“payer” means a registered controller or registered processor who is required to pay an annual charge under Regulation 6;
“past-year revenues” means a payer’s gross revenues that are generated by or on behalf of that part of the payer’s business that is established in Jersey for the year before the year to which an annual charge relates;
“register” means a register of controllers and processors who are required to register under Article 17 of the Law;
“registration period” has the same meaning as in paragraph 2 of Schedule 2 to the Law;
“year” means a calendar year.
2 Particulars in register
The Authority may include the following particulars in an entry in a register –
(a) whether the entry is in respect of a controller or processor or both;
(b) a registration number issued by the Authority in respect of the entry;
(c) the date on which the entry is treated as having been included in the register;
(d) information that may assist persons consulting the register to contact any controller to whom the entry relates about the processing of personal data;
(e) such further information as the Authority considers necessary or expedient for the purposes of fulfilling its functions under the Law.
3 Notification of registration
The Authority must, as soon as practicable and in any event within 28 days of making, amending or removing an entry in a register, notify the controller or processor to whom the entry relates –
(a) of the making or amending of the entry, the date of that entry or amendment and the particulars currently included within the entry; or
(b) of the removal of the entry,
as the case may be.
4 Requirement to notify changes to particulars
(1) Registered controllers and registered processors must notify the Authority of any change in the particulars that they were required to provide to the Authority in respect of their application for registration as soon as practicable and in any event within 28 days of the change.
(2) [2]
5 [3]
6 Requirement to pay annual charge[4]
(1) Every registered controller and registered processor must pay an annual charge to the Authority for each calendar year or part of a calendar year in which the controller or processor is registered, the amount of which is to be calculated in accordance with Regulations 6A and 6B.
(2) An annual charge falls due on 1st January of the year to which the charge relates and must be paid by the last day of the following month.
(3) However, if the controller or processor becomes registered during the course of a year the annual charge falls due one month after registration.
(4) A registered controller or registered processor is exempt from paying the annual charge if –
(a) the only processing carried out by the controller or processor falls within any of the classes of processing set out in the Schedule; and
(b) no further disclosure relating to that processing is made other than –
(i) as required by law, including by order of a court, or
(ii) as permitted by Article 64 of the Data Protection Law (permitted processing for law enforcement, legal proceedings and public records purposes).
6A Annual charge: calculation of amount[5]
(1) The amount of a payer’s annual charge is the sum of the applicable base amount set out in paragraph (2) and every additional amount set out in any of paragraphs (3), (4) and (5) that applies in the circumstances.
(2) The base amount that must be paid by a payer is –
(a) £70, if the payer has fewer than 10 full-time equivalent employees;
(b) £90, if the payer has at least 10, but not more than 50, full-time equivalent employees; or
(c) £500, if the payer has more than 50 full-time equivalent employees.
(3) A payer who has past-year revenues of more than £5 million must also pay –
(a) £150, if those revenues are £20 million or less; or
(b) £500, if those revenues are more than £20 million.
(4) A payer who is registered with the Jersey Financial Services Commission and is carrying on a financial services business as specified in Schedule 2 to the Proceeds of Crime (Jersey) Law 1999 (other than in paragraphs 6, 8 and 10 of Part B) must also pay –
(a) £50, if the payer has fewer than 10 full-time equivalent employees;
(b) £150, if the payer has at least 10, but not more than 50, full-time equivalent employees; or
(c) £600, if the payer has more than 50 full-time equivalent employees.
(5) A payer to whom paragraph (6) applies must also pay –
(a) £50, if the payer has fewer than 10 full-time equivalent employees;
(b) £150, if the payer has at least 10, but not more than 50, full-time equivalent employees; or
(c) £350, if the payer has more than 50 full-time equivalent employees.
(6) This paragraph applies to any payer, other than a payer exempted from the requirement to register with the Jersey Financial Services Commission, who –
(a) processes special category data;
(b) to which paragraph (4) does not apply; and
(c) has past-year revenues of at least £100,000.
(7) For the purposes of this Regulation, in determining the number of full-time equivalent (“FTE”) employees of a payer –
(a) a person employed for no more than 9 hours a week is treated as 25% of a FTE employee;
(b) a person employed for more than 9 hours but no more than 18 hours a week is treated as 50% of a FTE employee;
(c) a person employed for more than 18 hours but not more than 27 hours a week is treated as 75% of a FTE employee; and
(d) a person employed for more than 27 hours a week is treated as a FTE employee.
(8) The determination referred to in paragraph (7) must be calculated on the basis of the highest number of posts existing at any time during the past 12 months, ignoring any vacancies.
(9) The Authority may –
(a) issue guidance regarding the calculation of the number of full-time equivalent employees and whether any particular category of worker is to be treated as an employee or not; and
(b) make determinations on the application of paragraphs (7) and (8) to any payer.
(10) In this Regulation, “employee” includes –
(a) if the payer is an individual, the payer;
(b) an office holder of the payer; and
(c) if the payer is a partnership, an individual who is a partner.
6B Exception for payer being administered by trust company businesses or fund services businesses[6]
(1) In this Regulation, “trust company business” and “fund services business” have the same meanings as in Article 1(1) of the Financial Services (Jersey) Law 1998.
(2) Despite Regulation 6A, the amount of the annual charge for a registered controller or registered processor that is being administered by a trust company business or a fund services business is £50.
(3) A registered controller or registered processor referred to in paragraph (2) is not eligible under Regulation 6(4) for an exemption from paying the annual charge.
6C Information requirement[7]
(1) When paying an annual charge to the Authority, a payer must provide the Authority with sufficient information to identify the payer and substantiate that the amount of the payment is correct, including, where relevant, information on –
(a) the number of the payer’s full-time equivalent employees, as determined under Regulation 6A(7) and (8);
(b) the payer’s past-year revenues;
(c) whether the payer is registered with the Jersey Financial Services Commission;
(d) whether the payer processes special category data; and
(e) in the case of a payer falling within Regulation 6B, the name of the trust company business or fund services business by which the payer is administered.
(2) A payer must provide the Authority with any additional information requested by the Authority that relates to the calculation of the payer’s annual charge.
7 Power to remove entry in register[8]
The Authority may remove an entry in a register where the controller or processor relating to that entry –
(a) fails to comply with Regulation 4;
(b) fails to pay the charge as required by Regulation 6;
(c) fails to provide sufficient information as required by Regulation 6C; or
(d) provides information under Regulation 6C that, in any material way, is false, misleading or incomplete.
8 Citation
These Regulations may be cited as the Data Protection (Registration and Charges) (Jersey) Regulations 2018.
SCHEDULE[9]
(Regulation 6(2))
classes of processing attracting exemption from charges
1 Public authorities
Processing that is carried out by a registered controller who is a public authority.
1A Candidates for election
Processing that –
(a) is carried out by a registered controller who has become a candidate for a public election of an officer in a constituency under Article 17H of the Elections (Jersey) Law 2002 or been admitted as a candidate for a parish election of an officer in a constituency under Article 18 of that Law;
(b) is for the purpose of the contesting of the election by the registered controller;
(c) does not involve disclosure of the personal data to a third party otherwise than –
(i) with the consent of the data subject, or
(ii) in a case where it is necessary to make such disclosure for that purpose; and
(d) does not involve keeping the personal data after it is no longer necessary for the purpose of contesting that election.
1B Provided schools
Processing that is carried out by a registered controller that is a provided school, as defined in Article 1(1) of the Education (Jersey) Law 1999.
2 Accounts and records after ceasing to conduct business
Processing that –
(a) is solely for the purpose of retaining personal data as required by law after ceasing to conduct business;
(b) is carried out by a registered controller who has ceased conducting any business or activity other than retaining the personal data; and
(c) does not involve the disclosure of the personal data other than –
(i) with the consent of the data subject, or
(ii) in the case where the disclosure is necessary for the purpose referred to in sub-paragraph (a).
3 Non-profit associations
Processing that –
(a) is carried out by a registered controller that is a non-profit association (as described in paragraph 10(a) of Schedule 2 to the Data Protection Law);
(b) is for any one or more of the purposes of establishing or maintaining membership of or support for the non-profit association or providing or administering activities for individuals who are either members of the association or have regular contact with it;
(c) is of personal data in respect of which the data subject is –
(i) a past, existing or prospective member of the association,
(ii) a person who has regular contact with the association in connection with any of the purposes referred to in sub-paragraph (b), or
(iii) a person the processing of whose personal data is necessary for any of those purposes;
(d) is of personal data consisting of any one or more of the following in respect of the data subject –
(i) name,
(ii) address,
(iii) other identifiers,
(iv) information as to eligibility for membership of the association,
(v) information as to any other matter the processing of which is necessary for any of the purposes referred to in sub-paragraph (b);
(e) does not involve disclosure of the personal data to a third party other than –
(i) with the consent of the data subject, or
(ii) in a case where it is necessary to make the disclosure for any of those purposes; and
(f) does not involve keeping the personal data after the relationship between the registered controller and data subject ends, except for so long as it is necessary to do so for any of those purposes.