Data Protection Authority (Jersey) Law 2018
A LAW to provide for a new statutory body to oversee the protection of
personal data and for connected purposes.
Commencement [see endnotes]
PART 1
INTRODUCTORY AND SETTING UP OF AUTHORITY
1 Interpretation
(1) In this Law –
“Authority” means the Data Protection Authority
established under Article 2(1);
“authorized officer” means –
(a) the Commissioner; or
(b) any other employee of the Authority authorized by the Authority or the
Commissioner to exercise or perform any function under this Law;
“breach determination”, in relation to a controller or
processor, means a determination by the Authority under Article 23(1) or
24(1)(b) that the controller or processor has contravened or is likely to
contravene the Data Protection Law;
“Commissioner” means the Information Commissioner
appointed under Article 5(1);
“Data Protection Law” means the Data Protection (Jersey)
Law 2018;
“registered controller” means a controller registered
under Article 17;
“registered processor” means a processor registered
under Article 17.
(2) Subject to paragraph (1),
words and phrases used in this Law that are defined in the Data Protection Law have
the same respective meanings as in that Law.
2 Establishment of Data Protection Authority
(1) The Data Protection
Authority is established.
(2) The Authority is a body
corporate with perpetual succession and a common seal and may –
(a) sue
and be sued in its corporate name;
(b) enter
into contracts and acquire, hold and dispose of any property; and
(c) so
far as is possible for a body corporate, exercise the rights, powers and
privileges and incur the liabilities and obligations of a natural person of
full age and capacity.
(3) The application of the
common seal of the Authority is authenticated by the signature of a person
authorized by the Authority to sign on its behalf and every document bearing
the imprint of the seal of the Authority is taken to be properly sealed unless
the contrary is proved.
3 Constitution of Authority
(1) The Authority consists
of –
(a) the
Chairman;
(b) no
fewer than 3 and no more than 8 other voting members; and
(c) the
Commissioner as an ex officio
and non-voting member.
(2) Subject to paragraph (4),
the Chairman and the other voting members are appointed by the Minister who
must have particular regard to the need to ensure that voting members of the
Authority –
(a) have
the qualifications, experience and skills necessary to exercise and perform the
functions of a member, in particular relating to the protection of personal
data;
(b) have
a strong sense of integrity; and
(c) are
able to maintain confidentiality.
(3) Before appointing any
individual under this Article, the Minister may require the individual to
provide, or to authorize the Minister to obtain, any information and references
that the Minister reasonably requires to ascertain the individual’s
suitability for appointment as a voting member.
(4) At least 2 weeks before
making an appointment under this Article the Minister must present to the
States a notice of the Minister’s intention to make the appointment.
(5) Each voting member is
appointed for a term of 5 years or such shorter period as the Minister
thinks fit in a particular case and is eligible for reappointment up to a
maximum period of service of 9 years.
(6) An individual is
ineligible to be a voting member if the individual –
(a) is,
or has at any time during the preceding 12 months been, a member of the
States of Jersey;
(b) is a
States’ employee or is otherwise under the direction and control of the
States; or
(c) is
engaged in any employment, occupation (whether or not remunerated) or business,
or receives any benefits, that is incompatible with the functions of a member
of the Authority.
4 Vacation of office of voting members and vacancies
(1) The Minister may revoke
the appointment of any voting member of the Authority if he or she is satisfied
that the member –
(a) is
guilty of serious misconduct, as determined by a panel convened by the
Authority in consultation with the Minister and consisting of 3 or more
individuals, other than a member of the Authority or the Minister;
(b) has
been convicted of a criminal offence that is sufficiently serious to cast doubt
on the member’s suitability to continue in office;
(c) has
become bankrupt; or
(d) is
incapacitated physically or mentally from carrying out the duties of the office
or is otherwise unable or unfit to discharge his or her functions; or
(e) is
ineligible to be a voting member under Article 3(6).
(2) The Minister must not
remove a voting member from office on the ground specified in paragraph (1)(a)
unless a panel consisting of 3 or more individuals (none of whom is a member of
the States) appointed by the Minister determines the voting member to be guilty
of serious misconduct.
(3) A panel convened under
paragraph (2) may determine and adopt its own procedures to determine
whether or not the voting member is guilty of serious misconduct.
(4) The Minister must
present to the States not more than 2 weeks after terminating an
appointment under this Article a notice of the termination.[1]
(5) Any voting member may
resign from office at any time by giving notice to the Minister.
(6) The Minister must take
all reasonable steps to ensure that any vacancy under this Article that would
reduce the number of voting members to below the requirements of Article 3(1)
is filled as soon as practicable.
(7) A person is not
disqualified for holding office as a voting member of the Authority on account
of being an officer, employee or agent of the Authority.
(8) The rights and
obligations of the Authority and the performance of the Authority’s
functions are not affected by any vacancy or defect in any appointment to the
Authority.
5 Appointment of Information Commissioner
(1) The Authority must
appoint a person, to be known as the Information Commissioner, who is the chief
executive and an employee of the Authority.
(2) The
Commissioner –
(a) is
responsible for managing the other employees of the Authority;
(b) is in
charge of the day-to-day operations of the Authority; and
(c) has
the functions conferred or imposed on him or her by this Law and any other
enactment.
(3) Subject to this
Article, the Commissioner holds office under this Law subject to terms and
conditions determined by the Authority.
(4) The Commissioner holds
office under this Law for –
(a) a
term of 5 years; or
(b) such
shorter term as may be specified in the terms and conditions of his or her appointment,
and is eligible for re-appointment.
(5) The Authority may
remove the Commissioner from office under this Law before the expiry of his or
her term of office, but only on the grounds that the Commissioner –
(a) is
guilty of serious misconduct, as determined by a panel convened by the
Authority in consultation with the Minister and consisting of 3 or more
individuals, other than a member of the Authority or the Minister;
(b) has
been convicted of a criminal offence that is sufficiently serious to cast doubt
on the Commissioner’s suitability to continue in office;
(c) has
become bankrupt;
(d) is
incapacitated physically or mentally from carrying out the duties of the
office; or
(e) is
otherwise unable or unfit to discharge his or her functions.
(6) A panel convened under
paragraph (5)(a) may determine and adopt its own procedures to determine
whether or not the Commissioner is guilty of serious misconduct.
(7) Subject to the Freedom of Information
(Jersey) Law 2011, the Commissioner must not engage in any other
employment, occupation (whether remunerated or not) or business, or receive any
benefits other than the salary, allowances and other emoluments and expenses
awarded by the Authority, except with the approval of the Authority.
6 Power of Commissioner to discharge functions of Authority
(1) Subject to any
policies, procedures and specific directions issued by the Authority, the
Commissioner may exercise or perform, on behalf of the Authority and in its
name, any function of the Authority under this Law or the Data Protection Law other
than –
(a) the
issuing of a public statement under Article 14;
(b) the
making of an order to pay an administrative fine under Article 26;
(c) the
preparation of an annual report under Article 44; or
(d) any
other function specified by the Authority by written notice to the
Commissioner.
(2) A function exercised or
performed by the Commissioner under paragraph (1) is treated for all
purposes as having been exercised or performed by the Authority.
(3) Nothing in paragraph (1)
or (2) prevents the Authority from exercising or performing the function
concerned.
7 Remuneration and resources
(1) The voting members of
the Authority are entitled to –
(a) such
fees, allowances and other emoluments as expenses as the Minister determines in
consultation with the Authority and publishes; and
(b) if
the Minister so determines, reasonable out-of-pocket or other expenses
occasioned in the course of carrying out the Authority’s duties.
(2) The Authority may
appoint such officers, employees and agents as it considers necessary for the
performance of its functions and may –
(a) make
those appointments on such terms as to remuneration, the payment of expenses
and other conditions of service as the Authority thinks fit; and
(b) establish
and make such schemes or other arrangements as it thinks fit for the payment of
pensions and other benefits in respect of such officers and employees.
(3) The Authority may
procure any accommodation, equipment, services or facilities it reasonably
requires for the proper and effectual discharge of its functions.
8 Confidentiality of information
(1) A person who is or has
been a member of the Authority, a member of the Authority’s staff or an
agent of the Authority must not, except with lawful authority, disclose
information that –
(a) has
been obtained by, or furnished to, the Authority under or for the purposes of this
Law or the Data Protection Law;
(b) relates
to an identified or identifiable individual or business; and
(c) is
not at the time of the disclosure, and has not previously been, available to
the public from other sources.
(2) For the purposes of paragraph (1),
a disclosure of information is made with lawful authority if –
(a) the
disclosure is made with the consent of the individual or of the person for the
time being carrying on the business;
(b) the
information was provided for the purpose of its being made available to the
public (in whatever manner) under this Law or the Data Protection Law;
(c) the
disclosure is made for the purposes of, and is necessary for, the discharge of
a function under this Law or the Data Protection Law, or an obligation under an
agreement, or other instrument, of the EU;
(d) the
disclosure is made for the purposes of any proceedings, whether criminal or
civil and whether arising under, or by virtue of, this Law or the Data
Protection Law or otherwise; or
(e) having
regard to the rights and freedoms or legitimate interests of any person, the
disclosure is necessary in the public interest.
(3) A person who knowingly or recklessly discloses information in
contravention of paragraph (1) is guilty of an offence and liable to
imprisonment for a term of 2 years and to a fine.
9 Proceedings of Authority
(1) The Authority must
meet –
(a) at
least once every 2 months; or
(b) less
frequently if resolved by the Authority, but no fewer than 4 times a year.
(2) If the Authority
resolves to meet less frequently than once every 2 months, it must record
the reason in its resolution.
(3) The person who presides
at meetings is –
(a) the
Chairman, if the Chairman is present; or
(b) if
the Chairman is not present, the person elected to chair the meeting by, and
from among, the other voting members present.
(4) At a
meeting –
(a) a
quorum is constituted by the nearest whole number of voting members above one
half of the number of voting members for the time being in office;
(b) decisions
are made by a majority vote;
(c) the
Commissioner has no vote, but may participate in the Authority’s
proceedings;
(d) each
voting member other than the person presiding has one vote; and
(e) the
person presiding has no original vote, but in the event of equality in the
votes of the other voting members present, the person presiding must exercise a
casting vote.
(5) The Authority may, if
it thinks fit, transact any business by the circulation of papers to all
members, and a resolution in writing approved in writing by a majority of its
voting members is as valid and effectual as if passed at a meeting by the votes
of the members approving the resolution.
(6) The Authority must keep
proper minutes of its proceedings, including minutes of any business transacted
as permitted by paragraph (5).
(7) Subject to the
provisions of this Article the Authority may regulate its own procedure.
(8) The validity of any
proceedings of the Authority is unaffected by –
(a) a
vacancy in its membership;
(b) any
defect in the appointment or election of any member;
(c) any
ineligibility of an individual to be a voting member; or
(d) any
lack of qualification of an individual to act as
a member.
(9) In this Article a
reference to a meeting includes any meeting at which members of the Authority
transact business remotely and communicate by any means of technology.
10 Delegation
(1) The Authority may delegate
any of its functions under this Law or the Data Protection Law wholly or partly
to an officer or employee of the Authority.
(2) Nothing in this Article
authorizes the Authority to delegate –
(a) this
power of delegation;
(b) the
function of reviewing any of its decisions;
(c) the
issuing of a public statement under Article 14;
(d) the
making of an order to pay an administrative fine under Article 26; or
(e) the
preparation of an annual report under Article 44.
(3) However, the functions
mentioned in paragraph (2)(c) and (d) may be delegated to a committee
consisting of such number of voting members as may be specified by the
Authority.
(4) The delegation of any
functions under this Article –
(a) does
not prevent the performance of those functions by the Authority; and
(b) may
be amended or revoked by the Authority.
PART 2
FUNCTIONS OF AUTHORITY
11 General functions of the Authority
(1) The Authority has the
following functions –
(a) to
administer and enforce this Law and the Data Protection Law;
(b) to
monitor and report to the States on the operation of this Law and the Data
Protection Law;
(c) to
advise the Minister and the States on any amendments that the Authority
considers should be made to this Law or the Data Protection Law or on any other
action required to be taken, in relation to the operation of either of those
Laws;
(d) to
promote public awareness of risks, rules, safeguards and rights in relation to
processing, especially in relation to children;
(e) to
promote the awareness of controllers and processors of their obligations under
this Law and the Data Protection Law;
(f) on
request, to provide reports and other information to the Minister or the States
on any matter connected with the protection of personal data;
(g) on
request, to provide information to any data subject concerning the exercise of
their rights under this Law and the Data Protection Law and, if appropriate,
cooperate with competent supervisory authorities to this end;
(h) to
cooperate with, including sharing information and providing mutual assistance
to, other supervisory authorities with a view to ensuring that the Data
Protection Law is applied and enforced;
(i) to
monitor relevant developments, insofar as they have an impact on the protection
of personal data, in particular the development of information and
communication technologies and commercial practices;
(j) to
encourage the drawing up of codes;
(k) to
keep confidential records of alleged contraventions of the Data Protection Law and
of the exercise of any of its powers under this Law; and
(l) any
other function conferred or imposed on it by this Law, the Data Protection Law or
any other enactment.
(2) The Authority may
impose a fee or charge for the performance of its functions in response to a
request made by any person, where the fee or charge is authorized by this Law,
the Data Protection Law, or any Regulations made under this Law.
(3) Regulations made for
the purposes of paragraph (2) may prescribe –
(a) the
fee or charge payable; or
(b) the
basis on which the amount of the fee or charge payable is to be calculated or
ascertained.
(4) Where the Authority
receives a request to perform a task associated with any of its functions and
the request is frivolous, vexatious, unnecessarily repetitive or otherwise
excessive, the Authority may –
(a) refuse
to perform the task; or
(b) in
exceptional circumstances, perform the task but charge the requestor a
reasonable fee for the administrative costs of doing so.
(5) The Authority is not
competent to supervise processing operations of courts and judges acting in
their judicial capacity.
12 Authority to be independent
In exercising or performing its functions, the Authority must act
independently and in a manner free from direct or indirect external influence.
13 Power to issue opinions and guidance
(1) The Authority may
issue, on its own initiative or on request by any person –
(a) opinions
or guidance on any issue related to the protection of personal data, including
compliance with any provision of this Law or the Data Protection Law; and
(b) guidance
as to how the Authority proposes to exercise or perform any of its functions
under those Laws.
(2) The opinions or
guidance may be issued to –
(a) the
Minister;
(b) the
States; or
(c) the
public or any section of it.
(3) An opinion or guidance
issued under paragraph (1) is not legally binding but compliance or
non-compliance with any position or recommendation in the opinion or guidance
may be taken into account in determining whether or not a controller or
processor has contravened or is likely to contravene this Law or the Data
Protection Law.
14 Power to issue public statements
(1) This Article applies to
any of the following matters –
(a) a
notification of a personal data breach made to the Authority under Article 20
of the Data Protection Law;
(b) a
recommendation or determination made under Article 23 or 24;
(c) an
action taken or order made under Article 25; or
(d) any
order to pay an administrative fine under Article 26.
(2) Where the Authority
considers that because of the gravity of the matter or other exceptional
circumstances, it would be in the public interest to do so, the Authority may
issue a public statement about any aspect of a matter to which this Article
applies.
(3) Without limiting the
generality of paragraph (2), a public statement may include the following
information –
(a) details
of any personal data breach;
(b) information
describing or identifying any data subject whose personal data is or has been
the subject of a personal data breach;
(c) information
as to the nature and the progress of any complaint, investigation or inquiry;
or
(d) the
outcome of any complaint, investigation or inquiry.
(4) Before issuing a public
statement, the Authority must, where practicable –
(a) consult
any individual whose personal data would be made public by that public
statement, or who is otherwise likely to be identifiable from the statement;
and
(b) give
written notice of the contents of the statement to any controller and any
processor that is likely to be identifiable from the statement.
15 Authority to take steps to develop and facilitate international cooperation
The Authority must so far as practicable take steps to –
(a) develop international
cooperation mechanisms to facilitate the effective enforcement of legislation
for the protection of personal data;
(b) provide international
mutual assistance in the enforcement of legislation for the protection of
personal data, including through notification, complaint referral,
investigative assistance and information exchange, subject to appropriate
safeguards for the protection of personal data and the significant interests of
data subjects;
(c) engage relevant
stakeholders in discussion and activities aimed at furthering international
co-operation in the enforcement of legislation for the protection of personal
data; and
(d) promote the exchange
and documentation of personal data protection legislation and practice,
including on jurisdictional conflicts with third countries.
16 Further provisions as to international co-operation
(1) The Authority –
(a) is
the designated authority in Jersey for the purposes of Article 13 of the
Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data, which was opened for signature on 28th January 1981;
and
(b) is to
be regarded as the competent supervisory authority for Jersey for any purposes
related to the GDPR.
(2) Regulations may make
provision as to the functions to be performed by the Authority in its role as
that designated or competent authority.
(3) Regulations may make
provision as to co-operation by the Authority with the European Commission or
any other competent supervisory authority in connection with the performance of
their respective duties including –
(a) the
exchange of information with the European Commission or the other supervisory
authority; and
(b) the
exercise within Jersey at the request of a competent supervisory authority of
functions conferred on the Authority by the Regulations.
(4) Regulations may give
effect to –
(a) any
agreement made under Article 15 between the Authority and any other
competent supervisory authority or the European Commission; or
(b) any
of Jersey’s international obligations.
(5) Regulations may do all
or any of the following –
(a) confer
additional powers and functions on the Authority;
(b) regulate
or restrict the functions conferred on the Authority by Article 15; and
(c) create
and impose duties on controllers, processors and recipients of personal data.
(6) The Authority must also
carry out any functions relating to the protection of individuals with respect
to the processing of personal data that the States may by Regulations direct
for the purpose of enabling Jersey to give effect to any of its international
obligations.
(7) Subject to Schedule 2,
any Regulations made under Article 54 of the Data Protection (Jersey)
Law 2005 that are in force at the time of commencement of this Article
continue in force as if made under this Article.
PART 3
REGISTRATION AND CHARGES
17 Registration of controllers and processors
(1) A controller or
processor established in Jersey must not cause or permit personal data to be
processed without being registered as a controller or processor under this
Article.
(2) However, Regulations
may make such exemptions from the requirements to register under this Article
as the States think fit.
(3) An application for
registration made to the Authority must –
(a) include
the fee as specified by the Authority;
(b) be in
a form and manner required by the Authority; and
(c) include
any information required by the Authority.
(4) Upon receipt of an
application made in accordance with paragraph (3), the Authority must
register the applicant as a controller or processor as the case may be.
(5) The Authority must –
(a) maintain
a register of controllers for the purposes of this Law; and
(b) publish
any such information as the Minister may by Order prescribe.
(6) A person who
contravenes paragraph (1) is guilty of an offence.
18 Registered controllers and processors to pay prescribed charges
(1) Regulations may require
registered controllers, registered processors or both, to pay a charge to the
Authority in order to pay for the remuneration, salaries, fees, allowances and
other emoluments, costs and expenses of –
(a) the
establishment of the Authority; and
(b) the
Authority’s operations, including the exercise or performance of any
functions of the Authority.
(2) The Regulations must
provide for –
(a) the
amount of the charge, or the basis on which the amount of the charge is to be
calculated or ascertained;
(b) the
periods in respect of which, and the times at which, the charge must be paid,
or a means for ascertaining those periods and times; and
(c) the
manner and form in which the charge must be paid.
(3) The Regulations
may –
(a) impose
duties on the Authority, registered controllers, or registered processors in
connection with the collection or payment of the charge;
(b) confer
powers on the Authority in connection with the collection of the charge; and
(c) exempt
any person from paying the charge.
(4) A person required by
the Regulations to pay a charge must do so in accordance with the Regulations.
(5) The Authority may
recover any charge due and payable by any person to the Authority under the
Regulations as a debt owed by the person to the Authority.
PART 4
ENFORCEMENT BY AUTHORITY
19 Right to make a complaint
An individual may make a complaint in writing to the Authority in a
form approved by the Authority if –
(a) the individual
considers that a controller or processor has contravened or is likely to
contravene the Data Protection Law; and
(b) the contravention
involves or affects, or is likely to involve or affect, any right in respect of
personal data relating to the individual.
20 Investigation of complaints
(1) Upon receiving a
complaint, the Authority must –
(a) promptly
give the complainant a written acknowledgment of the receipt of the complaint;
and
(b) as
soon as practicable and in any event within 8 weeks of receiving the
complaint, determine in accordance with paragraph (2) whether or not to
investigate it.
(2) The Authority must
investigate the complaint unless –
(a) the
complaint is clearly unfounded;
(b) the
complaint is frivolous, vexatious, unnecessarily repetitive or otherwise
excessive; or
(c) the
Authority determines that it is inappropriate to investigate the complaint,
having regard to any other action taken by the Authority under –
(i) Article 14
or 15, or
(ii) any
Regulations made under Article 16.
(3) Where a complaint is
investigated, the Authority must give the complainant and the controller or
processor concerned –
(a) as
soon as practicable, and in any event within 8 weeks of receiving the
complaint, written notice that the complaint is being investigated; and
(b) at
least once within 12 weeks of the notice under sub-paragraph (a),
written notice of the progress and, if possible, the outcome of the
investigation.
(4) However, where the
Authority considers that giving the notice within the time specified by
paragraph (3) is likely seriously to prejudice the investigation, the
Authority may delay giving the notice, in which case it must give the notice
(including an update as to the progress of and, where applicable the outcome of
the investigation) as soon as it is possible to do so without seriously
prejudicing the investigation.
(5) If the Authority
determines not to investigate a complaint, the Authority must give the
complainant written notice of its determination and the reasons for it within
8 weeks of receiving the complaint.
(6) A notice under
paragraph (4) must include information as to the complainant’s right
to bring proceedings under Article 31.
21 Inquiries
(1) The Authority may
conduct an inquiry on its own initiative into the application of the Data
Protection Law, including into whether –
(a) a
controller or processor has contravened the Data Protection Law; or
(b) any
intended processing in the context of a controller or processor, or any
intended act or omission of a controller or processor, is likely to contravene
that Law.
(2) An inquiry may be
conducted –
(a) on
the basis of information or a request received from any person or any other
basis;
(b) together
with, or in addition to and separately from, an investigation under Article 20.
(3) Where the Authority
decides to conduct an inquiry into any matter of a kind specified in paragraph (1)(a)
or (b), the Authority must give the controller or processor
concerned –
(a) as
soon as practicable, and in any event within 8 weeks of commencing the
inquiry, written notice of the nature of the inquiry; and
(b) at
least once within 12 weeks of the notice under sub-paragraph (a),
written notice of the progress and, if possible, the outcome of the inquiry.
(4) However, where the
Authority considers that giving the notice within the time specified by
paragraph (3) is likely seriously to prejudice the inquiry, the Authority
may delay giving the notice, in which case it must give the notice (including
an update as to the progress of and, where applicable the outcome of the
inquiry) as soon as it is possible to do so without seriously prejudicing the
inquiry.
(5) Nothing in this Article
limits –
(a) an
individual’s right to make a complaint under Article 19, or
(b) the
duties of the Authority under Article 20.
22 Powers of investigation and inquiry
Schedule 1 has effect in relation to the powers of the
Authority in relation to any investigation or inquiry under this Part.
23 Determinations on completion of investigation
(1) On completing an investigation,
the Authority must determine whether or not –
(a) the
controller or processor concerned has contravened the Data Protection Law; or
(b) any
intended processing in the context of the controller or processor concerned, or
any intended act or omission of the controller or processor concerned is likely
to contravene that Law.
(2) If the Authority makes
a breach determination against a controller or processor, the Authority must
also determine whether or not to impose a sanction under Article 25 on the
controller or processor, and if so which one or more than one to impose, or
whether to impose an administrative fine under Article 26.
(3) As soon as practicable
after making a determination under paragraph (1) or (2), the
Authority must give the controller or processor concerned, and the complainant,
written notice of –
(a) the
determination and the reasons for it; and
(b) the
right of appeal under Article 32.
24 Recommendations and determinations on completion of inquiry
(1) On completing an
inquiry, the Authority may do either or both of the following –
(a) make
such recommendation as the Authority thinks fit to the Minister or the States
regarding the operation of this Law or the Data Protection Law; or
(b) make
a determination that –
(i) a controller or
processor has contravened the Data Protection Law, or
(ii) any
intended processing in the context of a controller or processor, or any
intended act or omission of the controller or processor concerned is likely to
contravene that Law.
(2) If the Authority makes
a breach determination against a controller or processor, the Authority must
also determine whether or not to impose a sanction under Article 25 on the
controller or processor, and if so which one or more than one to impose,
or whether to impose an administrative fine under Article 26.
(3) As soon as practicable
after making a determination under paragraph (1)(b) or (2), the Authority
must give the controller or processor concerned written notice of –
(a) the
determination and the reasons for it; and
(b) the
right of appeal under Article 32.
25 Sanctions following breach determination
(1) If the Authority makes
a breach determination against a controller or processor, the Authority may by
written notice to the controller or processor (“the recipient”)
take all or any of the following sanctions against the recipient –
(a) issue
a reprimand to the recipient;
(b) issue
a warning to the recipient that the intended processing or other act or
omission is likely to contravene the Data Protection Law;
(c) make
an order under paragraph (3).
(2) Paragraph (1) does
not limit the Authority’s power to impose an administrative fine under
Article 26 in the case of a contravention of the Data Protection Law.
(3) The Authority may order
the recipient to do all or any of the following –
(a) bring
specified processing operations into compliance with the Data Protection Law, or
take any other specified action required to comply with that Law, in a manner
and within a period specified in the order;
(b) notify
a data subject of any personal data breach;
(c) comply
with a request made by the data subject to exercise a data subject right;
(d) rectify
or erase personal data in accordance with Article 31 or 32 of the Data
Protection Law;
(e) restrict
or limit the recipient’s processing operations, which may
include –
(i) temporarily
restricting processing operations in accordance with Article 33 of the Data
Protection Law,
(ii) ceasing
all processing operations for a specified period or until a specified action is
taken, or
(iii) suspending
any transfers of personal data to a recipient in any other jurisdiction; and
(f) notify
persons to whom the personal data has been disclosed of the rectification,
erasure or temporary restriction on processing, in accordance with Articles 31
to 33 of the Data Protection Law.
(4) Nothing in paragraph (3)(d),
(e) or (f) limits paragraph (3)(c).
(5) An order under
subsection (3) may, in relation to each requirement in the order,
specify –
(a) the
time at which, or by which, the requirement must be complied with; and
(b) the
period during which the requirement must be complied with (including the
occurrence of any action or event upon which compliance with the requirement
may cease).
(6) The Authority may
revoke or amend an order under paragraph (3) by giving written notice to
the person concerned.
(7) A recipient in respect
of whom an order is made under paragraph (3) must comply with the order
within any time specified for its compliance.
(8) A person who
contravenes paragraph (7) is guilty of an offence.
26 Administrative
fines
(1) Subject to Article 27
the Authority may order a controller or processor to pay to the Authority an
administrative fine for any of the following –
(a) failure
to make reasonable efforts to verify that a person giving consent to the
processing of the personal data of a child as required by Article 11(4) of
the Data Protection Law is a person duly authorized to give consent to that
processing in accordance with that provision;
(b) breach
of any duty or obligation imposed by Article 7 of, and any provision of
Parts 3, 4 or 5 of, the Data Protection Law;
(c) processing
personal data in breach of any other provision of Part 2 or 6 of the Data
Protection Law; or
(d) transfer
of personal data to a person in a third country or international organization
in contravention of Article 66 or 67 of the Data Protection Law.
(2) In determining whether
or not to order a fine and, if ordered, the amount of the fine, the Authority
must have regard to –
(a) the
nature, gravity and duration of the contravention of the Data Protection Law, taking
into account the nature, scope and purpose of the processing concerned as well
as the number of data subjects affected and the level of damage suffered by
them;
(b) whether
the contravention was intentional or negligent;
(c) any
action taken by the person concerned to mitigate the loss, damage or distress
suffered by data subjects;
(d) the
degree of responsibility of the person concerned taking into account technical
and organizational measures implemented by the person concerned for the
purposes of any provision of the Data Protection Law;
(e) any
relevant previous contraventions by the person concerned;
(f) the
degree of cooperation with the Authority, in order to remedy the breaches and
mitigate the possible adverse effects of the contravention;
(g) the
categories of personal data affected by the contravention;
(h) the
manner in which the contravention became known to the Authority, in particular
whether, and if so to what extent, the person concerned notified the
contravention to the Authority;
(i) where
an order under Article 25(3) has previously been made in respect of the
person concerned with regard to the same subject-matter, compliance with any
measures required to be taken by the order;
(j) compliance
or non-compliance with code or evidence of certification in respect of the
processing concerned; and
(k) any
other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits gained, or losses avoided, directly or
indirectly, from the contravention.
(3) In ordering any fine,
the Authority must take into account the need for fines to –
(a) be
effective;
(b) be
proportionate; and
(c) have
a deterrent effect.
(4) An order imposing a
fine –
(a) must
specify the date by which the fine must be paid; and
(b) may
provide for the fine to be paid by instalments of any number and amounts and at
any times specified in the order.
(5) The Authority may, of
its own motion or on the application of the person concerned, vary –
(a) the
amount of a fine; or
(b) the
number, amounts and times of the instalments by which the fine is to be paid.
(6) The Authority may
publish the name of the person concerned and the amount of the fine in any
manner it considers appropriate.
(7) The Authority may
recover a fine as a debt owed and due to the Authority by the person concerned.
(8) A fine imposed on an
unincorporated body by an order of the Authority must be paid from the funds of
the body.
(9) Nothing in this Article
authorizes the Authority to order a public authority other than one falling
only within paragraph (k) of the definition of “public
authority” in Article 1(1) of the Data Protection Law to pay a fine.
(10) Any fine paid to or recovered
by the Authority forms part of the annual income of the States.
(11) In this Article –
“fine” means an administrative fine ordered under
paragraph (1);
“person concerned” means the controller or processor
against whom an administrative fine is ordered.
27 Limits on administrative
fines
(1) Subject to paragraphs (2)
and (3) an administrative fine ordered against a person –
(a) for
any matter specified in Article 26(1)(a) and (b), must not exceed
£5,000,000;
(b) for
any matter specified in Article 26(1)(c) or (d), must not exceed
£10,000,000.
(2) An administrative fine
must not exceed £300,000 or 10% of the person’s total global annual
turnover or total gross income in the preceding financial year, whichever is
the higher.
(3) An administrative fine
ordered against any person whose processing of data that gave rise to the fine
was in the public interest and not for profit must not exceed £10,000.
(4) Where a person
contravenes several provisions of the Data Protection Law in relation to the
same processing operations, or associated or otherwise linked processing
operations, the aggregate of the administrative fines issued against the
controller or processor in respect of those processing operations must not
exceed the limit specified under paragraph (1)(a) or, if applicable to any
such contravention, paragraph (1)(b).
(5) The Minister may, by
Order, amend any monetary amount set out in this Article and Regulations may
amend Article 26 and other provision of this Article.
28 Procedure to be
followed before making breach determination or order under this Part
(1) This Article applies
where the Authority, otherwise than with the agreement of the person concerned,
proposes to make –
(a) a
breach determination;
(b) an
order under Article 25(3); or
(c) an
order for the payment of an administrative fine.
(2) Before making the
determination or order, the Authority must give the person concerned notice in
writing –
(a) stating
that the Authority is proposing to make the determination or order;
(b) stating
the terms of, and the grounds for, the proposed determination or order;
(c) stating
that the person concerned may, within a period of 28 days beginning on the
date of the notice or any longer period that may be specified in the notice,
make written or oral representations to the Authority in respect of the
proposed determination or order in a manner specified in the notice; and
(d) of
the right of appeal of the person concerned under Article 32 if the
Authority were to make the proposed
determination or order.
(3) The Authority must consider
any representations made in response to a notice under paragraph (2)
before giving further consideration to the proposed determination or order.
(4) The Authority may
reduce the period of 28 days mentioned in paragraph (2)(c) where the
Authority considers it necessary to do so –
(a) in
the interests of data subjects, or any class or description of data subjects,
or in the public interest; or
(b) where
there are reasonable grounds for suspecting any of the matters mentioned in
paragraph (5).
(5) The matters
are –
(a) that,
if that period of notice were given, information relevant to or relating to the
proposed determination or order would be concealed, falsified, tampered with or
destroyed; or
(b) that
the giving of that period of notice is likely seriously to
prejudice –
(i) any criminal,
regulatory or disciplinary investigation, or any prosecution, in Jersey or
elsewhere,
(ii) co-operation
or relations with investigatory, prosecuting, regulatory or disciplinary
authorities, in Jersey or elsewhere, or
(iii) the
performance by the Authority of its functions.
(6) The Authority may
dispense with the procedures in paragraphs (2) and (3) altogether if it
considers that the determination or order needs to be made immediately or
without notice because of the interests or grounds mentioned in paragraph (4).
(7) For clarity, where a
notice under this Article relates to a proposed administrative fine under
Article 26 the notice must state the amount of the proposed fine.
(8) In this Article
“person concerned” means the controller or processor against whom
the breach determination or order is proposed to be made.
29 Exclusion of
courts and tribunals acting in a judicial capacity
Nothing in this Law authorizes the Authority –
(a) to investigate, inquire
into or determine any matter; or
(b) exercise any of its
other powers,
in relation to processing operations carried out by, or any other
act or omission of, a court or tribunal acting in its judicial capacity.
30 Proceedings by
the Authority
The Authority may bring proceedings before the Royal Court in
respect of any contravention or likely contravention of this Law or the Data
Protection Law and if the court is satisfied that either of those Laws has
been, or will be, contravened it may make such order as it considers
appropriate, including –
(a) an award of
compensation for loss, damage or distress to any person in respect of the
contravention;
(b) an injunction
(including an interim injunction) to restrain any actual or likely
contravention;
(c) a declaration that the
controller or processor, as the case may be, has committed the contravention or
that a particular act, omission or course of conduct on the part of the
controller or processor would result in a contravention; and
(d) requiring the
controller or processor to give effect to any of the rights of data subjects
under Part 6 of the Data Protection Law.
31 Proceedings
against Authority
(1) Proceedings may be
brought in the Royal Court –
(a) by a
complainant where the Authority has omitted to give the complainant a written
acknowledgement of receipt of a complaint, or a notice as to whether or not the
complaint is being investigated in accordance with Article 20;
(b) by a
complainant where the Authority has made a decision not to investigate a
complaint under Article 20(2); and
(c) by a
person affected by a notice, decision or determination given by the Authority
in relation to a complaint under Article 20,
on the grounds that the action or omission by the Authority was
unreasonable in all the circumstances of the case.
(2) The proceedings must be
brought within 28 days of –
(a) in
the case of proceedings under paragraph (1)(a), the end of the 8 week
period mentioned in Article 20(1)(b) or (5); or
(b) in
any other case, the date on which the person receives notice of the relevant
notice, decision or determination from the Authority.
(3) On receipt of the
application the Royal Court may, on such terms as the court considers just,
suspend or modify the effect of the notice, decision or determination in
question pending the outcome of the proceedings.
(4) On the hearing of the
matter the court may –
(a) dismiss
the proceedings on such terms and conditions as it may direct; or
(b) make
such other order as it considers just, including an order –
(i) that
the Authority give the written acknowledgement or notice required,
(ii) annulling
the decision not to investigate the complaint and directing the Authority to
investigate it,
(iii) confirming,
modifying or substituting the notice, decision or determination, or
(iv) remitting
the matter back to the Authority for reconsideration.
(5) In this
Article –
“complainant” means a person who has submitted a
complaint to the Authority under Article 19;
“person affected by a notice, decision or determination”
means –
(a) the
complainant in respect of the complaint giving rise to it; or
(b) a
controller, processor or responsible officer in respect of whom it was made.
32 Rights of appeal against determinations or orders of the Authority
(1) This Article applies where
the Authority –
(a) makes
a breach determination; or
(b) makes
an order under Article 25(3);
(c) orders
the payment of an administrative fine under Article 26; or
(d) serves
an information notice under paragraph 1 of Schedule 1.
(2) The controller or
processor affected may appeal the determination, order or notice to the Royal
Court in accordance with this Article.
(3) The appeal may be made
on the grounds that in all the circumstances of the case the decision was not
reasonable.
(4) An appeal must be made
within the period of 28 days immediately following the date on which the
person concerned receives written notice of the determination, order or notice
from the Authority.
(5) An appeal is made by
summons served on the Authority stating the grounds and material facts on which
the appellant relies.
(6) On the application of
the appellant, the Royal Court may, on such terms as the court thinks just,
suspend or modify the effect of the determination or order appealed against
pending the determination of the appeal.
(7) Upon determining an
appeal under this Article, the Court may –
(a) confirm
the determination, order or notice, with or without modification; or
(b) annul
the determination, order or notice and remit the matter back to the Authority
for reconsideration, in addition to making any order it considers just.
33 General
provisions relating to offences
(1) A
person guilty of an offence under this Law is liable to a fine.
(2) Where
an offence under this Law, or under Regulations made under this Law, committed
by a limited liability partnership or body corporate or unincorporated body is
proved to have been committed with the consent or connivance of, or to be
attributable to any neglect on the part of –
(a) a
person who is a partner of the limited liability partnership, or director,
manager, secretary or other similar officer of the body corporate;
(b) in
the case of any other partnership, any partner;
(c) in
the case of any other unincorporated body, any officer of that body who is
bound to fulfil any duty of which the offence is a breach or, if there is no
such officer, any member of the committee or other similar governing body; or
(d) any
person purporting to act in any capacity described in sub-paragraph (a),
(b) or (c),
the person is also guilty
of the offence and liable in the same manner as the partnership or body
corporate to the penalty provided for that offence.
(3) If
the affairs of a body corporate are managed by its members, paragraph (2)
applies in relation to acts and defaults of a member in connection with the
member’s functions of management as if the member were a director of the
body corporate.
(4) Where
an offence under this Law is alleged to have been committed by an
unincorporated body, proceedings for the offence must, without limiting
paragraph (2), be brought in the name of the body and not in the name of
any of its members.
(5) A
fine imposed on an unincorporated body on its conviction for an offence under
this Law must be paid from the funds of the body.
(6) A
person who aids, abets, counsels or procures the commission of an offence under
this Law is also guilty of the offence and liable in the same manner as a
principal offender to the penalty provided for that offence.
34 Proceedings
concerning unincorporated bodies
Subject to Article 33,
where a breach is alleged to have been committed by an unincorporated body, any
complaint, investigation, action, order or notice, or other proceedings, for or
otherwise in relation to the breach must be brought, issued or (as the case may
be) served in the name of the body and not in the name of any of its members.
35 Rules of Court
(1) The power to make Rules
of Court under Article 13 of the Royal Court (Jersey)
Law 1948 includes the power to make Rules regulating the practice and
procedure on any matter relating to the Royal Court under this Law.
(2) The Rules may, in
particular, make provision for –
(a) enabling
directions to be given to withhold material or restrict disclosure of any
information relevant to proceedings under this Law from any party (including
any representative of any party) to the proceedings; and
(b) enabling
the court to conduct such proceedings in the absence of any person, including a
party to the proceedings (or any representative of a party to the proceedings).
(3) In making the Rules,
regard must be had to –
(a) the
need to secure that the decisions that are the subject of such proceedings are
properly reviewed; and
(b) the
need to secure that disclosures of information are not made where they would be
contrary to the public interest.
36 Service
of notices etc.
(1) A notice required by
this Law to be given to the Authority is not regarded as given until it is in
fact received by the Authority.
(2) A notice or other
document required or authorized under this Law or under Regulations made under
this Law to be given to the Authority may be given by electronic or any other
means by which the Authority may obtain or recreate the notice or document in a
form legible to the naked eye.
(3) Any notice, direction
or other document required or authorized by or under this Law to be given to or
served on any person other than the Authority may be given or served –
(a) by
delivering it to the person;
(b) by
leaving it at the person’s proper address;
(c) by
sending it by post to the person at that address; or
(d) by
sending it to the person at that address by electronic or any other means by
which the notice, direction or document may be obtained or recreated in a form
legible to the naked eye.
(4) Without limiting the
generality of paragraph (3), any such notice, direction or other document
may be given to or served on a partnership, company incorporated outside Jersey
or unincorporated association by being given to or served –
(a) in
any case, on a person who is, or purports (under whatever description) to act
as, its secretary, clerk or other similar officer;
(b) in
the case of a partnership, on the person having the control or management of
the partnership business;
(c) in
the case of a partnership or company incorporated outside Jersey, on a person
who is a principal person in relation to it (within the meaning of the Financial Services (Jersey)
Law 1998); or
(d) by
being delivered to the registered or administrative office of a person referred
to in sub-paragraph (a), (b) or (c) if the person is a body corporate.
(5) For the purposes of
this Article and of Article 7 of the Interpretation (Jersey)
Law 1954, the proper address of any person to or on whom a notice, direction
or other document is to be given or served by post is the person’s last
known address, except that –
(a) in
the case of a company (or person referred to in paragraph (4) in relation
to a company incorporated outside Jersey), it is the address of the registered
or principal office of the company in Jersey; and
(b) in
the case of a partnership (or person referred to in paragraph (4) in
relation to a partnership), it is the address of the principal office of the
partnership in Jersey.
(6) If the person to or on
whom any notice, direction or other document referred to in paragraph (3)
is to be given or served has notified the Authority of an address within
Jersey, other than the person’s proper address within the meaning of paragraph (5),
as the one at which the person or someone on the person’s behalf will
accept documents of the same description as that notice, direction or other
document, that address is also treated for the purposes of this Article and Article 7
of the Interpretation (Jersey)
Law 1954 as the person’s proper address.
(7) If the name or the
address of any owner, lessee or occupier of premises on whom any notice,
direction or other document referred to in paragraph (3) is to be served
cannot after reasonable enquiry be ascertained it may be served by –
(a) addressing
it to the person on whom it is to be served by the description of
“owner”, “lessee” or “occupier” of the premises;
(b) specifying
the premises on it; and
(c) delivering
it to some responsible person resident or appearing to be resident on the
premises or, if there is no person to whom it can be delivered, by affixing it,
or a copy of it, to some conspicuous part of the premises.
part 5
administrative provisions
37 Guidance of
Minister
(1) The
Minister may, if he or she considers that it is desirable in the public
interest to do so, and having consulted the Authority, give to the Authority
written guidance or general written directions on matters relating to corporate
governance.
(2) The
guidance relates to the system and arrangements by or under which the Authority
is directed and controlled and may relate to –
(a) accountability,
efficiency and economy of operation of the office of the Authority, but not to
matters relating directly to the Authority’s regulatory functions;
(b) conflicts
of interest, the accounts of the Authority and their audit, borrowing by the
Authority and the investment of the funds of the Authority.
(3) The
Authority must have regard to any guidance and must act in accordance with any
directions addressed to the Authority under this Article.
38 Fees and charges
The Authority may charge, retain and apply in the performance of the
Authority’s functions –
(a) fees and charges (other
than administrative fines) of such amounts, paid by such persons and paid in
such manner, as may be –
(i) prescribed
by Order of the Minister, the Minister having consulted the Authority, or
(ii) payable
in accordance with this Law or any other enactment; and
(b) such fees and charges
(not inconsistent with this or any other enactment) –
(i) of
such amounts, paid by such persons and paid in such manner, as may be decided
by the Authority in respect of any service, item or matter, that does not arise
under this or any other enactment, and
(ii) as
may be agreed between the Authority and any person for whom the Authority
provides advice, assistance or other services under this or any other
enactment, in respect of the advice, assistance or other matters.
39 Grants
to Authority
(1) In respect of each
financial year, the States may make a grant to the Authority from their annual
income towards the Authority’s expenses in performing any of its
functions.
(2) The amount of any grant
referred to in paragraph (1) is determined by the Minister for Treasury
and Resources on the recommendation of the Minister made after consultation
with the Authority.
(3) In making that
recommendation, the Minister must have regard to the actual financial position
and the projected financial position of the Authority.
(4) In determining the
amount of grant, the Minister for Treasury and Resources must have regard to
the actual financial position and the projected financial position of the
Authority.
40 Consent
to borrowing
(1) The Authority must not
borrow money without the consent of the Minister.
(2) The Minister for
Treasury and Resources may, on such terms as he or she may determine, on behalf
of the States –
(a) guarantee
the liabilities of the Authority; or
(b) lend
money to the Authority.
(3) The Minister for
Treasury and Resources may act under paragraph (2) only on the
recommendation of the Minister.
41 Guidelines on
investment
In investing any funds
belonging to the Authority, the Authority must comply with any guidelines
specified by the Minister.
42 Exemption from
income tax
The income of the Authority is not liable to income tax under the Income Tax (Jersey)
Law 1961.
43 Accounts
and audit
(1) The Authority
must –
(a) keep
proper accounts and proper records in relation to the accounts; and
(b) prepare
accounts in respect of each financial year; and
(c) after
the accounts have been audited in accordance with paragraph (3), provide
them to the Minister as soon as practicable after the end of the financial year
to which they relate, but in any event within 4 months of the end of that
year.
(2) The Minister must lay a
copy of the accounts so provided before the States as soon as practicable after
the Minister receives the report.
(3) The accounts of the
Authority must –
(a) be
audited by auditors appointed in respect of each financial year by the
Comptroller and Auditor General (as defined by the Comptroller and Auditor
General (Jersey) Law 2014); and
(b) be
prepared in accordance with generally accepted accounting principles and show a
true and fair view of the profit or loss of the Authority for the period to
which they relate and of the state of the Authority’s affairs at the end
of the period.
44 Annual
reports
(1) The Authority must
prepare a report on its activities in each financial year.
(2) The Authority must
provide the Minister with the report as soon as practicable after the end of
the financial year to which the report relates, but in any case within
4 months of the end of that year.
(3) The Authority may also
provide the Minister with other reports relating to the Authority’s
functions or activities.
(4) The Minister must lay a
copy of any report provided to the Minister under this Article before the
States as soon as practicable after receiving the report.
45 Limitation
of liability
(1) A person or body to
whom this Article applies is not liable in damages for anything done or omitted
in the performance or purported performance of any functions of the Authority
conferred by or under this Law or the Data Protection Law, or any other
functions conferred by or under either of those Laws, unless it is shown that
the act or omission was in bad faith.
(2) This Article applies to
the following –
(a) the
States;
(b) the
Minister;
(c) the
Authority or any person who is, or is acting as, an officer, employee or agent
of the Authority, or performing any function on behalf of the Authority.
(3) This Article does not
prevent an award of damages in respect of the act or omission on the ground
that it was unlawful as a result of Article 7(1) of the Human Rights (Jersey)
Law 2000.
part 6
closing provisions
46 Regulations and
Orders
(1) The
States may by Regulations and the Minister may by Order make provision for the
purpose of carrying this Law into effect and, including for or with respect to
any matter that may be prescribed under this Law by Regulations or Orders as
the case may be.
(2) Regulations
and Orders made under this Law may contain such transitional, consequential, incidental
or supplementary provisions as appear to the States to be necessary or
expedient for the purposes of the Regulations or Order.
47 Transitional
provisions
Schedule 2 has effect.
48 Citation
This Law may be cited as the Data Protection Authority (Jersey)
Law 2018.
SCHEDULE 1
(Article 22)
POWERS OF INVESTIGATION AND INQUIRY
1 Power
to issue information notice
(1) The
Authority may require any controller or processor to give the Authority any
information that the Authority considers necessary for a purpose specified in
sub-paragraph (2) by issuing the controller or processor (“the
recipient”) a notice (an “information notice”).
(2) The
purposes referred to in sub-paragraph (1) are –
(a) to
determine whether or not to investigate a complaint;
(b) to
determine whether or not to conduct an inquiry;
(c) for
the purpose of an investigation or inquiry;
(d) to
make a determination or an order, or take any other action, under any provision
of Part 4; or
(e) to
determine whether or not to exercise any other power conferred on the Authority
by this Law.
(3) An
information notice must include –
(a) a
statement of the purpose in sub-paragraph (2) for which the notice is
issued;
(b) a
description of the information required by the Authority;
(c) a
statement of the Authority’s reasons for requiring that information; and
(d) a
statement of the form and manner in which, and the period within which
(“compliance period”), the recipient must give the information to
the Authority.
(4) A
compliance period must not be shorter than 28 days beginning on the date
on which the notice was issued.
(5) Despite
sub-paragraph (4), the Authority may specify a compliance period shorter
than 28 days but not shorter than 7 days beginning on the date on
which the notice was issued, but in this case the Authority must include in the
information notice a statement of its reasons for specifying that shorter
period.
(6) A
recipient of an information notice must comply with the notice.
(7) A
recipient is not required by virtue of this paragraph to furnish the Authority
with any information in respect of –
(a) any
communication between a professional legal adviser and a client in connection
with the giving of legal advice to the client with respect to the
latter’s obligations, liabilities or rights under this Law or the Data
Protection Law; or
(b) any
communication between a professional legal adviser and a client, or between
such an adviser or client and any other person, made in connection with or in
contemplation of proceedings under or arising out of this Law or the Data
Protection Law and for the purposes of such proceedings.
(8) In
sub-paragraph (7), references to a client of a professional legal adviser
include references to any person representing such a client.
(9) A
recipient is not required by virtue of this paragraph to furnish the Authority
with any information if to do so would, by revealing evidence of the commission
of any offence other than an offence under this Law, expose the recipient to
proceedings for that offence.
(10) The
Authority may cancel an information notice by written notice served on the
person on whom the information notice was served.
2 General
power of entry, search, etc.
(1) This
paragraph applies to any premises (“searchable premises”) if an
authorized officer believes on reasonable grounds
that –
(a) those
premises are occupied by a registered controller or registered processor;
(b) personal
data is processed in the context of a controller or processor occupying or
operating at or from those premises, whether directly or by the use of agents;
(c) personal
data is processed at or on those premises;
(d) any
equipment, device or other thing used to process personal data
(“processing equipment”) is kept at or on those premises;
(e) any
information relating to the processing of personal data was or is present on
those premises;
(f) a
contravention of the Data Protection Law was or is being committed on or in
relation to those premises; or
(g) an
offence under the Data Protection Law was or is being committed on or in
relation to those premises.
(2) Subject
to paragraph 4, an authorized officer may during normal working hours
exercise any power specified in sub-paragraph (3) or (4) on or in relation
to any searchable premises, for any of the following
purposes –
(a) establishing
whether a controller or processor contravened or is contravening this Law or
the Data Protection Law;
(b) establishing
whether any person has committed or is committing an offence under this Law or
the Data Protection Law;
(c) conducting
an investigation or inquiry, or exercising or performing any other function of
the Authority under this Law or the Data Protection Law;
(d) securing
anything which the authorized officer has reason to believe may be
required –
(i) for the effective
conduct of any investigation or inquiry, or
(ii) as
evidence in any proceedings for an offence under this Law or the Data
Protection Law.
(3) Sub-paragraph (2)
refers to the following powers –
(a) with
the assistance of a police officer, stop a person, vehicle, vessel or
container;
(b) enter
any searchable premises;
(c) search
the premises and examine, test or inspect anything at the premises and open it
(or break it open);
(d) photograph,
film or otherwise record anything at the premises;
(e) require
the production of any equipment, device or other thing used to process personal
data or otherwise used by a controller or processor;
(f) take
copies of or extracts from any information (including, in the case of
information in a non-legible form, a copy of or an extract from that
information in a legible form);
(g) if
anything at the premises cannot be conveniently removed, secure it against
interference;
(h) seize
any equipment, device or other thing, which is at the premises and detain it
for as long as the authorized officer considers necessary;
(i) require
any person to give the authorized officer any information, including (but
without limiting the generality of this paragraph) –
(i) information
regarding the ownership, identity or origin of, or any other information
regarding any equipment, device or other thing,
(ii) any
information regarding the premises, or
(iii) the
name and address of any controller, processor or other person involved in the
processing of personal data; and
(j) require any person to afford the authorized
officer any other facilities or assistance that the officer considers
necessary or expedient, including in relation to any documents or other
information provided to the officer.
(4) Without limiting the generality of sub-paragraph (3),
sub-paragraph (2) also refers to the following powers –
(a) power
to inspect any records (in whatever form they are held) relating to the
business of a controller or processor; and
(b) where
any such records are stored in electronic form, power to –
(i) inspect and check
the operation of any equipment, device or other thing which is or has been in
use in connection with those records,
(ii) require
any person having charge of, or otherwise concerned with the operation of, the
equipment, device, or other thing to afford the authorized officer such
assistance as the officer may reasonably require, or
(iii) require
the records to be produced in a form in which they may be taken away.
(5) Neither sub-paragraph (3)
nor sub-paragraph (4) applies to, or in relation to, any items for which any rule of privilege may be claimed.
3 Safeguards for general powers of entry, search, etc.
(1) An authorized officer
entering any premises under paragraph 2 must, if the owner or occupier of those premises is present –
(a) identify
himself or herself to the owner or occupier; and
(b) produce
to the owner or occupier documentary evidence that the officer is an authorized
officer.
(2) If
the owner or occupier of those premises is not present at the time the authorized
officer leaves those premises, the authorized officer –
(a) must
leave the premises as effectively secured against trespassers as that
authorized officer found them; and
(b) must
leave in a prominent place on those premises written notice that those premises
have been entered and searched under paragraph 2, including that
authorized officer's name, an address at which that authorized officer may be
contacted and a copy of the documentary evidence referred to in sub-paragraph (1)(b).
(3) An
authorized officer who seizes anything under paragraph 2(3)(h) must leave
with the owner or occupier of the premises (if present) or leave on the
premises (if the owner or occupier is not present) a statement
stating –
(a) particulars
of what has been seized; and
(b) that
the authorized officer has seized it.
4 Entry to dwellings restricted.
An authorized officer
must not enter a dwelling under paragraph 2, except –
(a) with
the consent of the owner or occupier of those premises;
(b) by
giving the owner or occupier of those premises at least 7 days’
prior written notice of the entry; or
(c) under
and in accordance with a warrant issued under paragraph 5.
5 Warrants for entry, etc.
(1) If
the Bailiff or a Jurat is satisfied by information on oath supplied by the
Authority that there are reasonable grounds for suspecting –
(a) that
a controller has contravened or is contravening any of the data protection
principles; or
(b) that
an offence under this Law or the Data Protection Law has been or is being
committed,
and that evidence of the
contravention or of the commission of the offence is to be found on any
premises specified in the information, the Bailiff or Jurat may issue a warrant
to the Authority.
(2) A
warrant may permit an authorized officer at any time within 7 days of the
date of the warrant to enter the premises, to search them, to inspect, examine,
operate and test any equipment found there which is used or intended to be used
for the processing of personal data and to inspect and seize any documents or
other material found there which may be such evidence as is mentioned in
sub-paragraph (1).
(3) The
Bailiff or a Jurat must not issue a warrant unless satisfied –
(a) that
the Authority has given 7 days’ notice in writing to the occupier of
the premises in question demanding access to the premises;
(b) that
either access was demanded at a reasonable hour and was unreasonably refused or
although entry to the premises was granted, the occupier unreasonably refused
to comply with a request by the Authority to permit the authorized officer to
do any of the things referred to in sub-paragraph (2); and
(c) that
the occupier has, after the refusal, been notified by the Authority of the
application for the warrant and has had an opportunity of being heard by the
Bailiff or Jurat on the question whether or not it should be issued.
(4) Sub-paragraph (3)
does not apply if the Bailiff or Jurat is satisfied that the case is one of urgency
or that compliance with that sub-paragraph would defeat the object of the
entry.
(5) A
person executing a warrant issued under this paragraph –
(a) may
use such reasonable force as may be necessary;
(b) may
be accompanied by a police officer during its execution.
(6) A
warrant must be executed at a reasonable hour unless it appears to the person
executing it that there are grounds for suspecting that the evidence in
question would not be found if it were so executed.
(7) If
the person who occupies the premises in respect of which a warrant is
issued –
(a) is
present when the warrant is executed, the person executing it must show the
warrant to that person and supply him or her with a copy of it;
(b) is
not present, the person executing it must leave a copy of it in a prominent
place on the premises.
(8) A
person seizing anything under a warrant must give a receipt for it to the
person in occupation of the premises.
(9) Anything
so seized may be retained for so long as is necessary for the purpose of the
investigation or inquiry, or any subsequent proceedings (whether civil or
criminal).
(10) Unless
the Royal Court orders otherwise, any property seized must be returned to its
owner as soon as practicable after the completion of the investigation, inquiry
or proceedings, and proceedings are taken to be completed when either any
appeal has been concluded or, if no appeal is made, the time limit for
appealing has expired.
6 Exemptions from powers conferred by warrant
(1) The
powers of inspection and seizure conferred by a warrant are not exercisable in
respect of –
(a) any
communication between a professional legal adviser and the adviser’s
client in connection with the giving of legal advice to the client with respect
to the client’s obligations, liabilities or rights under this Law or the Data
Protection Law; or
(b) any
communication between a professional legal adviser and the adviser’s
client, or between such an adviser or such a client and any other person, made
in connection with or in contemplation of proceedings under or arising out of
this Law and for the purposes of such proceedings.
(2) Sub-paragraph (1)
applies also to –
(a) a
copy or other record of any such communication; and
(b) any
document or article enclosed with or referred to in any such communication if
made in connection with the giving of any advice or, as the case may be, in
connection with or in contemplation of and for the purposes of such
proceedings.
(3) This
paragraph does not apply to anything in the possession of any person other than
the professional legal adviser or the client or to anything held with the
intention of furthering a criminal purpose.
(4) In
this paragraph references to the client of a professional legal adviser include
references to any person representing such a client.
(5) If
the person in occupation of premises in respect of which a warrant is issued
objects to the inspection or seizure under the warrant of material on the
grounds that it consists partly of matters in respect of which those powers are
not exercisable, the person must, if the person executing the warrant so
requests, furnish the latter with a copy of so much of the material as is not
exempt from those powers.
7 Power to conduct or require data protection audits
(1) The
Authority may –
(a) conduct
a data protection audit of any part of the operations of the controller or
processor; or
(b) require
the controller or processor to appoint a person approved by the Authority
to –
(i) conduct a data
protection audit of any part of the operations of the controller or processor,
and
(ii) report
the findings of the audit to the Authority.
(2) The
Authority must specify the terms of reference of any audit carried out under
sub-paragraph (1).
(3) The
controller or processor concerned must pay for an audit required under
sub-paragraph (1)(b).
SCHEDULE 2
(Article 47)
transitional provisions
1 Interpretation
In this Schedule “2005
Law” means the Data Protection (Jersey) Law 2005.
2 Registration
(1) A
controller who, immediately before the commencement of this Law, was registered
as a data controller under Part 3 of the 2005 Law, and any
processor, is exempt from the requirement to register under Part 3 of this
Law until the end of the registration period.
(2) Any
notification by a data controller of wish to be included in the register under
Article 18 of the 2005 Law that did not result in an entry in
the register under Article 19 of that Law before the commencement of this
Law, shall be determined as if it were an application made under Article 17
of this Law.
(3) In
respect of each controller who is exempt from registration under Article 17
of this Law for the duration of the registration period by virtue of paragraph (1),
the Authority must nevertheless register the controller under Article 17(4)
and include in the register maintained under paragraph (5) of that Article
the particulars that, immediately before the commencement of this Law, were
included (or treated as included) in respect of that controller maintained
under Article 19 of the 2005 Law.
(4) The
Minister may by Order make further provision modifying Article 17 of this
Law in its application to any person, including any controller mentioned in
sub-paragraph (3).
(5) In
this paragraph “registration period” means –
(a) in
the case of a controller, the period at the end of which, if Article 19 of
the 2005 Law had remained in force, the controller’s entry
would have fallen to be removed unless renewed; and
(b) in
the case of a processor, a period of 26 weeks from the day on which this
Law comes into force.
3 Enforcement notices served under 2005 Law
(1) If,
immediately before the commencement of this Law an enforcement notice is served
under Article 40 of the 2005 Law, that notice has effect, after
commencement, as if it were an order made under Article 25(3) of this Law.
(2) The
Authority may make an order under Article 25(3) or Article 26(1) of
this Law on or after the day on which that Article comes into force if the
Commissioner has reasonable grounds for suspecting that, before that day, a
data controller contravened the data protection principles within the meaning
of the 2005 Law by reason of any act or omission that would also have
constituted a contravention of the data protection principles set out in
Article 8 of the Data Protection Law if they had applied when the act or
omission occurred.
4 Requests for assessment under Article 42 of 2005 Law
Any request for
assessment under Article 42 of the 2005 Law that the Commissioner has not
dealt with before the commencement of this Law has effect as if it were a
complaint under Article 19 of this Law.