Data Protection Authority (Jersey) Law 2018

Arrangement

Article

INTRODUCTORY AND SETTING UP OF AUTHORITY

1        Interpretation

2        Establishment of Data Protection Authority

3        Constitution of Authority

4        Vacation of office of voting members and vacancies

5        Appointment of Information Commissioner

6        Power of Commissioner to discharge functions of Authority

7        Remuneration and resources

8        Confidentiality of information

9        Proceedings of Authority

10      Delegation

FUNCTIONS OF AUTHORITY

11      General functions of the Authority

12      Authority to be independent

13      Power to issue opinions and guidance

14      Power to issue public statements

15      Authority to take steps to develop and facilitate international cooperation

16      Further provisions as to international co-operation

REGISTRATION AND CHARGES

17      Registration of controllers and processors

18      Registered controllers and processors to pay prescribed charges

ENFORCEMENT BY AUTHORITY

19      Right to make a complaint

20      Investigation of complaints

21      Inquiries

22      Powers of investigation and inquiry

23      Determinations on completion of investigation

24      Recommendations and determinations on completion of inquiry

25      Sanctions following breach determination

26      Administrative fines

27      Limits on administrative fines

28      Procedure to be followed before making breach determination or order under this Part

29      Exclusion of courts and tribunals acting in a judicial capacity

30      Proceedings by the Authority

31      Proceedings against Authority

32      Rights of appeal against determinations or orders of the Authority

33      General provisions relating to offences

34      Proceedings concerning unincorporated bodies

35      Rules of Court

36      Service of notices etc.

ADMINISTRATIVE PROVISIONS

37      Guidance of Minister

38      Fees and charges

39      Grants to Authority

40      Consent to borrowing

41      Guidelines on investment

42      Exemption from income tax

43      Accounts and audit

44      Annual reports

45      Limitation of liability

CLOSING PROVISIONS

46      Regulations and Orders

47      Transitional provisions

48      Consequential amendments

49      Citation and commencement

 

POWERS OF INVESTIGATION AND INQUIRY

1        Power to issue information notice

2        General power of entry, search, etc.

3        Safeguards for general powers of entry, search, etc.

4        Entry to dwellings restricted

5        Warrants for entry, etc.

6        Exemptions from powers conferred by warrant

7        Power to conduct or require data protection audits

TRANSITIONAL PROVISIONS

1        Interpretation

2        Registration

3        Enforcement notices served under 2005 Law

4        Requests for assessment under Article 42 of 2005 Law

CONSEQUENTIAL AMENDMENTS

1        Corruption (Jersey) Law 2006

2        Register of Names and Addresses (Jersey) Law 2012

3        Data Protection (International Co-operation) (Jersey) Regulations 2005

4        Employment of States of Jersey Employees (Jersey) Law 2005

5        Public Employees (Pensions) (Jersey) Law 2014

6        Freedom of Information (Jersey) Law 2011

7        Public Employees (Retirement) (Jersey) Law 1967

8        Public Finances (Jersey) Law 2005

 


Data Protection Authority (Jersey) Law 2018

A LAW to provide for a new statutory body to oversee the protection of personal data and for connected purposes.

Adopted by the States                                             18th January 2018

Sanctioned by Order of Her Majesty in Council    8th February 2018

Registered by the Royal Court                              16th February 2018

THE STATES, subject to the sanction of Her Most Excellent Majesty in Council, have adopted the following Law –

PART 1

INTRODUCTORY AND SETTING UP OF AUTHORITY

1        Interpretation

(1)     In this Law –

“Authority” means the Data Protection Authority established under Article 2(1);

“authorized officer” means –

(a)     the Commissioner; or

(b)     any other employee of the Authority authorized by the Authority or the Commissioner to exercise or perform any function under this Law;

“breach determination”, in relation to a controller or processor, means a determination by the Authority under Article 23(1) or 24(1)(b) that the controller or processor has contravened or is likely to contravene the Data Protection Law;

“Commissioner” means the Information Commissioner appointed under Article 5(1);

“Data Protection Law” means the Data Protection (Jersey) Law 2018[1];

“registered controller” means a controller registered under Article 17;

“registered processor” means a processor registered under Article 17.

(2)     Subject to paragraph (1), words and phrases used in this Law that are defined in the Data Protection Law have the same respective meanings as in that Law.

2        Establishment of Data Protection Authority

(1)     The Data Protection Authority is established.

(2)     The Authority is a body corporate with perpetual succession and a common seal and may –

(a)     sue and be sued in its corporate name;

(b)     enter into contracts and acquire, hold and dispose of any property; and

(c)     so far as is possible for a body corporate, exercise the rights, powers and privileges and incur the liabilities and obligations of a natural person of full age and capacity.

(3)     The application of the common seal of the Authority is authenticated by the signature of a person authorized by the Authority to sign on its behalf and every document bearing the imprint of the seal of the Authority is taken to be properly sealed unless the contrary is proved.

3        Constitution of Authority

(1)     The Authority consists of –

(a)     the Chairman;

(b)     no fewer than 3 and no more than 8 other voting members; and

(c)     the Commissioner as an ex officio and non-voting member.

(2)     Subject to paragraph (4), the Chairman and the other voting members are appointed by the Minister who must have particular regard to the need to ensure that voting members of the Authority –

(a)     have the qualifications, experience and skills necessary to exercise and perform the functions of a member, in particular relating to the protection of personal data;

(b)     have a strong sense of integrity; and

(c)     are able to maintain confidentiality.

(3)     Before appointing any individual under this Article, the Minister may require the individual to provide, or to authorize the Minister to obtain, any information and references that the Minister reasonably requires to ascertain the individual’s suitability for appointment as a voting member.

(4)     At least 2 weeks before making an appointment under this Article the Minister must present to the States a notice of the Minister’s intention to make the appointment.

(5)     Each voting member is appointed for a term of 5 years or such shorter period as the Minister thinks fit in a particular case and is eligible for reappointment up to a maximum period of service of 9 years.

(6)     An individual is ineligible to be a voting member if the individual –

(a)     is, or has at any time during the preceding 12 months been, a member of the States of Jersey;

(b)     is a States’ employee or is otherwise under the direction and control of the States; or

(c)     is engaged in any employment, occupation (whether or not remunerated) or business, or receives any benefits, that is incompatible with the functions of a member of the Authority.

4        Vacation of office of voting members and vacancies

(1)     The Minister may revoke the appointment of any voting member of the Authority if he or she is satisfied that the member –

(a)     is guilty of serious misconduct, as determined by a panel convened by the Authority in consultation with the Minister and consisting of 3 or more individuals, other than a member of the Authority or the Minister;

(b)     has been convicted of a criminal offence that is sufficiently serious to cast doubt on the member’s suitability to continue in office;

(c)     has become bankrupt; or

(d)     is incapacitated physically or mentally from carrying out the duties of the office or is otherwise unable or unfit to discharge his or her functions; or

(e)     is ineligible to be a voting member under Article 3(6).

(2)     The Minister must not remove a voting member from office on the ground specified in paragraph (1)(a) unless a panel consisting of 3 or more individuals (none of whom is a member of the States) appointed by the Minister determines the voting member to be guilty of serious misconduct.

(3)     A panel convened under paragraph (2) may determine and adopt its own procedures to determine whether or not the voting member is guilty of serious misconduct.

(4)     The Minister must present to the States not more than 2 weeks after terminating an appointment under this Article a notice of the termination.

(5)     Any voting member may resign from office at any time by giving notice to the Minister.

(6)     The Minister must take all reasonable steps to ensure that any vacancy under this Article that would reduce the number of voting members to below the requirements of Article 3(1) is filled as soon as practicable.

(7)     A person is not disqualified for holding office as a voting member of the Authority on account of being an officer, employee or agent of the Authority.

(8)     The rights and obligations of the Authority and the performance of the Authority’s functions are not affected by any vacancy or defect in any appointment to the Authority.

5        Appointment of Information Commissioner

(1)     The Authority must appoint a person, to be known as the Information Commissioner, who is the chief executive and an employee of the Authority.

(2)     The Commissioner –

(a)     is responsible for managing the other employees of the Authority;

(b)     is in charge of the day-to-day operations of the Authority; and

(c)     has the functions conferred or imposed on him or her by this Law and any other enactment.

(3)     Subject to this Article, the Commissioner holds office under this Law subject to terms and conditions determined by the Authority.

(4)     The Commissioner holds office under this Law for –

(a)     a term of 5 years; or

(b)     such shorter term as may be specified in the terms and conditions of his or her appointment,

and is eligible for re-appointment.

(5)     The Authority may remove the Commissioner from office under this Law before the expiry of his or her term of office, but only on the grounds that the Commissioner –

(a)     is guilty of serious misconduct, as determined by a panel convened by the Authority in consultation with the Minister and consisting of 3 or more individuals, other than a member of the Authority or the Minister;

(b)     has been convicted of a criminal offence that is sufficiently serious to cast doubt on the Commissioner’s suitability to continue in office;

(c)     has become bankrupt;

(d)     is incapacitated physically or mentally from carrying out the duties of the office; or

(e)     is otherwise unable or unfit to discharge his or her functions.

(6)     A panel convened under paragraph (5)(a) may determine and adopt its own procedures to determine whether or not the Commissioner is guilty of serious misconduct.

(7)     Subject to the Freedom of Information (Jersey) Law 2011[2], the Commissioner must not engage in any other employment, occupation (whether remunerated or not) or business, or receive any benefits other than the salary, allowances and other emoluments and expenses awarded by the Authority, except with the approval of the Authority.

6        Power of Commissioner to discharge functions of Authority

(1)     Subject to any policies, procedures and specific directions issued by the Authority, the Commissioner may exercise or perform, on behalf of the Authority and in its name, any function of the Authority under this Law or the Data Protection Law other than –

(a)     the issuing of a public statement under Article 14;

(b)     the making of an order to pay an administrative fine under Article 26;

(c)     the preparation of an annual report under Article 44; or

(d)     any other function specified by the Authority by written notice to the Commissioner.

(2)     A function exercised or performed by the Commissioner under paragraph (1) is treated for all purposes as having been exercised or performed by the Authority.

(3)     Nothing in paragraph (1) or (2) prevents the Authority from exercising or performing the function concerned.

7        Remuneration and resources

(1)     The voting members of the Authority are entitled to –

(a)     such fees, allowances and other emoluments as expenses as the Minister determines in consultation with the Authority and publishes; and

(b)     if the Minister so determines, reasonable out-of-pocket or other expenses occasioned in the course of carrying out the Authority’s duties.

(2)     The Authority may appoint such officers, employees and agents as it considers necessary for the performance of its functions and may –

(a)     make those appointments on such terms as to remuneration, the payment of expenses and other conditions of service as the Authority thinks fit; and

(b)     establish and make such schemes or other arrangements as it thinks fit for the payment of pensions and other benefits in respect of such officers and employees.

(3)     The Authority may procure any accommodation, equipment, services or facilities it reasonably requires for the proper and effectual discharge of its functions.

8        Confidentiality of information

(1)     A person who is or has been a member of the Authority, a member of the Authority’s staff or an agent of the Authority must not, except with lawful authority, disclose information that –

(a)     has been obtained by, or furnished to, the Authority under or for the purposes of this Law or the Data Protection Law;

(b)     relates to an identified or identifiable individual or business; and

(c)     is not at the time of the disclosure, and has not previously been, available to the public from other sources.

(2)     For the purposes of paragraph (1), a disclosure of information is made with lawful authority if –

(a)     the disclosure is made with the consent of the individual or of the person for the time being carrying on the business;

(b)     the information was provided for the purpose of its being made available to the public (in whatever manner) under this Law or the Data Protection Law;

(c)     the disclosure is made for the purposes of, and is necessary for, the discharge of a function under this Law or the Data Protection Law, or an obligation under an agreement, or other instrument, of the EU;

(d)     the disclosure is made for the purposes of any proceedings, whether criminal or civil and whether arising under, or by virtue of, this Law or the Data Protection Law or otherwise; or

(e)     having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest.

(3)     A person who knowingly or recklessly discloses information in contravention of paragraph (1) is guilty of an offence and liable to imprisonment for a term of 2 years and to a fine.

9        Proceedings of Authority

(1)     The Authority must meet –

(a)     at least once every 2 months; or

(b)     less frequently if resolved by the Authority, but no fewer than 4 times a year.

(2)     If the Authority resolves to meet less frequently than once every 2 months, it must record the reason in its resolution.

(3)     The person who presides at meetings is –

(a)     the Chairman, if the Chairman is present; or

(b)     if the Chairman is not present, the person elected to chair the meeting by, and from among, the other voting members present.

(4)     At a meeting –

(a)     a quorum is constituted by the nearest whole number of voting members above one half of the number of voting members for the time being in office;

(b)     decisions are made by a majority vote;

(c)     the Commissioner has no vote, but may participate in the Authority’s proceedings;

(d)     each voting member other than the person presiding has one vote; and

(e)     the person presiding has no original vote, but in the event of equality in the votes of the other voting members present, the person presiding must exercise a casting vote.

(5)     The Authority may, if it thinks fit, transact any business by the circulation of papers to all members, and a resolution in writing approved in writing by a majority of its voting members is as valid and effectual as if passed at a meeting by the votes of the members approving the resolution.

(6)     The Authority must keep proper minutes of its proceedings, including minutes of any business transacted as permitted by paragraph (5).

(7)     Subject to the provisions of this Article the Authority may regulate its own procedure.

(8)     The validity of any proceedings of the Authority is unaffected by –

(a)     a vacancy in its membership;

(b)     any defect in the appointment or election of any member;

(c)     any ineligibility of an individual to be a voting member; or

(d)     any lack of qualification of an individual to act as a member.

(9)     In this Article a reference to a meeting includes any meeting at which members of the Authority transact business remotely and communicate by any means of technology.

10      Delegation

(1)     The Authority may delegate any of its functions under this Law or the Data Protection Law wholly or partly to an officer or employee of the Authority.

(2)     Nothing in this Article authorizes the Authority to delegate –

(a)     this power of delegation;

(b)     the function of reviewing any of its decisions;

(c)     the issuing of a public statement under Article 14;

(d)     the making of an order to pay an administrative fine under Article 26; or

(e)     the preparation of an annual report under Article 44.

(3)     However, the functions mentioned in paragraph (2)(c) and (d) may be delegated to a committee consisting of such number of voting members as may be specified by the Authority.

(4)     The delegation of any functions under this Article –

(a)     does not prevent the performance of those functions by the Authority; and

(b)     may be amended or revoked by the Authority.

PART 2

FUNCTIONS OF AUTHORITY

11      General functions of the Authority

(1)     The Authority has the following functions –

(a)     to administer and enforce this Law and the Data Protection Law;

(b)     to monitor and report to the States on the operation of this Law and the Data Protection Law;

(c)     to advise the Minister and the States on any amendments that the Authority considers should be made to this Law or the Data Protection Law or on any other action required to be taken, in relation to the operation of either of those Laws;

(d)     to promote public awareness of risks, rules, safeguards and rights in relation to processing, especially in relation to children;

(e)     to promote the awareness of controllers and processors of their obligations under this Law and the Data Protection Law;

(f)      on request, to provide reports and other information to the Minister or the States on any matter connected with the protection of personal data;

(g)     on request, to provide information to any data subject concerning the exercise of their rights under this Law and the Data Protection Law and, if appropriate, cooperate with competent supervisory authorities to this end;

(h)     to cooperate with, including sharing information and providing mutual assistance to, other supervisory authorities with a view to ensuring that the Data Protection Law is applied and enforced;

(i)      to monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(j)      to encourage the drawing up of codes;

(k)     to keep confidential records of alleged contraventions of the Data Protection Law and of the exercise of any of its powers under this Law; and

(l)      any other function conferred or imposed on it by this Law, the Data Protection Law or any other enactment.

(2)     The Authority may impose a fee or charge for the performance of its functions in response to a request made by any person, where the fee or charge is authorized by this Law, the Data Protection Law, or any Regulations made under this Law.

(3)     Regulations made for the purposes of paragraph (2) may prescribe –

(a)     the fee or charge payable; or

(b)     the basis on which the amount of the fee or charge payable is to be calculated or ascertained.

(4)     Where the Authority receives a request to perform a task associated with any of its functions and the request is frivolous, vexatious, unnecessarily repetitive or otherwise excessive, the Authority may –

(a)     refuse to perform the task; or

(b)     in exceptional circumstances, perform the task but charge the requestor a reasonable fee for the administrative costs of doing so.

(5)     The Authority is not competent to supervise processing operations of courts and judges acting in their judicial capacity.

12      Authority to be independent

In exercising or performing its functions, the Authority must act independently and in a manner free from direct or indirect external influence.

13      Power to issue opinions and guidance

(1)     The Authority may issue, on its own initiative or on request by any person –

(a)     opinions or guidance on any issue related to the protection of personal data, including compliance with any provision of this Law or the Data Protection Law; and

(b)     guidance as to how the Authority proposes to exercise or perform any of its functions under those Laws.

(2)     The opinions or guidance may be issued to –

(a)     the Minister;

(b)     the States; or

(c)     the public or any section of it.

(3)     An opinion or guidance issued under paragraph (1) is not legally binding but compliance or non-compliance with any position or recommendation in the opinion or guidance may be taken into account in determining whether or not a controller or processor has contravened or is likely to contravene this Law or the Data Protection Law.

14      Power to issue public statements

(1)     This Article applies to any of the following matters –

(a)     a notification of a personal data breach made to the Authority under Article 20 of the Data Protection Law;

(b)     a recommendation or determination made under Article 23 or 24;

(c)     an action taken or order made under Article 25; or

(d)     any order to pay an administrative fine under Article 26.

(2)     Where the Authority considers that because of the gravity of the matter or other exceptional circumstances, it would be in the public interest to do so, the Authority may issue a public statement about any aspect of a matter to which this Article applies.

(3)     Without limiting the generality of paragraph (2), a public statement may include the following information –

(a)     details of any personal data breach;

(b)     information describing or identifying any data subject whose personal data is or has been the subject of a personal data breach;

(c)     information as to the nature and the progress of any complaint, investigation or inquiry; or

(d)     the outcome of any complaint, investigation or inquiry.

(4)     Before issuing a public statement, the Authority must, where practicable –

(a)     consult any individual whose personal data would be made public by that public statement, or who is otherwise likely to be identifiable from the statement; and

(b)     give written notice of the contents of the statement to any controller and any processor that is likely to be identifiable from the statement.

15      Authority to take steps to develop and facilitate international cooperation

The Authority must so far as practicable take steps to –

(a)     develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b)     provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and the significant interests of data subjects;

(c)     engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data; and

(d)     promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

16      Further provisions as to international co-operation

(1)     The Authority –

(a)     is the designated authority in Jersey for the purposes of Article 13 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which was opened for signature on 28th January 1981; and

(b)     is to be regarded as the competent supervisory authority for Jersey for any purposes related to the GDPR.

(2)     Regulations may make provision as to the functions to be performed by the Authority in its role as that designated or competent authority.

(3)     Regulations may make provision as to co-operation by the Authority with the European Commission or any other competent supervisory authority in connection with the performance of their respective duties including –

(a)     the exchange of information with the European Commission or the other supervisory authority; and

(b)     the exercise within Jersey at the request of a competent supervisory authority of functions conferred on the Authority by the Regulations.

(4)     Regulations may give effect to –

(a)     any agreement made under Article 15 between the Authority and any other competent supervisory authority or the European Commission; or

(b)     any of Jersey’s international obligations.

(5)     Regulations may do all or any of the following –

(a)     confer additional powers and functions on the Authority;

(b)     regulate or restrict the functions conferred on the Authority by Article 15; and

(c)     create and impose duties on controllers, processors and recipients of personal data.

(6)     The Authority must also carry out any functions relating to the protection of individuals with respect to the processing of personal data that the States may by Regulations direct for the purpose of enabling Jersey to give effect to any of its international obligations.

(7)     Subject to Schedule 2, any Regulations made under Article 54 of the Data Protection (Jersey) Law 2005[3] that are in force at the time of commencement of this Article continue in force as if made under this Article.

PART 3

REGISTRATION AND CHARGES

17      Registration of controllers and processors

(1)     A controller or processor established in Jersey must not cause or permit personal data to be processed without being registered as a controller or processor under this Article.

(2)     However, Regulations may make such exemptions from the requirements to register under this Article as the States think fit.

(3)     An application for registration made to the Authority must –

(a)     include the fee as specified by the Authority;

(b)     be in a form and manner required by the Authority; and

(c)     include any information required by the Authority.

(4)     Upon receipt of an application made in accordance with paragraph (3), the Authority must register the applicant as a controller or processor as the case may be.

(5)     The Authority must –

(a)     maintain a register of controllers for the purposes of this Law; and

(b)     publish any such information as the Minister may by Order prescribe.

(6)     A person who contravenes paragraph (1) is guilty of an offence.

18      Registered controllers and processors to pay prescribed charges

(1)     Regulations may require registered controllers, registered processors or both, to pay a charge to the Authority in order to pay for the remuneration, salaries, fees, allowances and other emoluments, costs and expenses of –

(a)     the establishment of the Authority; and

(b)     the Authority’s operations, including the exercise or performance of any functions of the Authority.

(2)     The Regulations must provide for –

(a)     the amount of the charge, or the basis on which the amount of the charge is to be calculated or ascertained;

(b)     the periods in respect of which, and the times at which, the charge must be paid, or a means for ascertaining those periods and times; and

(c)     the manner and form in which the charge must be paid.

(3)     The Regulations may –

(a)     impose duties on the Authority, registered controllers, or registered processors in connection with the collection or payment of the charge;

(b)     confer powers on the Authority in connection with the collection of the charge; and

(c)     exempt any person from paying the charge.

(4)     A person required by the Regulations to pay a charge must do so in accordance with the Regulations.

(5)     The Authority may recover any charge due and payable by any person to the Authority under the Regulations as a debt owed by the person to the Authority.

PART 4

ENFORCEMENT BY AUTHORITY

19      Right to make a complaint

An individual may make a complaint in writing to the Authority in a form approved by the Authority if –

(a)     the individual considers that a controller or processor has contravened or is likely to contravene the Data Protection Law; and

(b)     the contravention involves or affects, or is likely to involve or affect, any right in respect of personal data relating to the individual.

20      Investigation of complaints

(1)     Upon receiving a complaint, the Authority must –

(a)     promptly give the complainant a written acknowledgment of the receipt of the complaint; and

(b)     as soon as practicable and in any event within 8 weeks of receiving the complaint, determine in accordance with paragraph (2) whether or not to investigate it.

(2)     The Authority must investigate the complaint unless –

(a)     the complaint is clearly unfounded;

(b)     the complaint is frivolous, vexatious, unnecessarily repetitive or otherwise excessive; or

(c)     the Authority determines that it is inappropriate to investigate the complaint, having regard to any other action taken by the Authority under –

(i)      Article 14 or 15, or

(ii)      any Regulations made under Article 16.

(3)     Where a complaint is investigated, the Authority must give the complainant and the controller or processor concerned –

(a)     as soon as practicable, and in any event within 8 weeks of receiving the complaint, written notice that the complaint is being investigated; and

(b)     at least once within 12 weeks of the notice under sub-paragraph (a), written notice of the progress and, if possible, the outcome of the investigation.

(4)     However, where the Authority considers that giving the notice within the time specified by paragraph (3) is likely seriously to prejudice the investigation, the Authority may delay giving the notice, in which case it must give the notice (including an update as to the progress of and, where applicable the outcome of the investigation) as soon as it is possible to do so without seriously prejudicing the investigation.

(5)     If the Authority determines not to investigate a complaint, the Authority must give the complainant written notice of its determination and the reasons for it within 8 weeks of receiving the complaint.

(6)     A notice under paragraph (4) must include information as to the complainant’s right to bring proceedings under Article 31.

21      Inquiries

(1)     The Authority may conduct an inquiry on its own initiative into the application of the Data Protection Law, including into whether –

(a)     a controller or processor has contravened the Data Protection Law; or

(b)     any intended processing in the context of a controller or processor, or any intended act or omission of a controller or processor, is likely to contravene that Law.

(2)     An inquiry may be conducted –

(a)     on the basis of information or a request received from any person or any other basis;

(b)     together with, or in addition to and separately from, an investigation under Article 20.

(3)     Where the Authority decides to conduct an inquiry into any matter of a kind specified in paragraph (1)(a) or (b), the Authority must give the controller or processor concerned –

(a)     as soon as practicable, and in any event within 8 weeks of commencing the inquiry, written notice of the nature of the inquiry; and

(b)     at least once within 12 weeks of the notice under sub-paragraph (a), written notice of the progress and, if possible, the outcome of the inquiry.

(4)     However, where the Authority considers that giving the notice within the time specified by paragraph (3) is likely seriously to prejudice the inquiry, the Authority may delay giving the notice, in which case it must give the notice (including an update as to the progress of and, where applicable the outcome of the inquiry) as soon as it is possible to do so without seriously prejudicing the inquiry.

(5)     Nothing in this Article limits –

(a)     an individual’s right to make a complaint under Article 19, or

(b)     the duties of the Authority under Article 20.

22      Powers of investigation and inquiry

Schedule 1 has effect in relation to the powers of the Authority in relation to any investigation or inquiry under this Part.

23      Determinations on completion of investigation

(1)     On completing an investigation, the Authority must determine whether or not –

(a)     the controller or processor concerned has contravened the Data Protection Law; or

(b)     any intended processing in the context of the controller or processor concerned, or any intended act or omission of the controller or processor concerned is likely to contravene that Law.

(2)     If the Authority makes a breach determination against a controller or processor, the Authority must also determine whether or not to impose a sanction under Article 25 on the controller or processor, and if so which one or more than one to impose, or whether to impose an administrative fine under Article 26.

(3)     As soon as practicable after making a determination under paragraph (1) or (2), the Authority must give the controller or processor concerned, and the complainant, written notice of –

(a)     the determination and the reasons for it; and

(b)     the right of appeal under Article 32.

24      Recommendations and determinations on completion of inquiry

(1)     On completing an inquiry, the Authority may do either or both of the following –

(a)     make such recommendation as the Authority thinks fit to the Minister or the States regarding the operation of this Law or the Data Protection Law; or

(b)     make a determination that –

(i)      a controller or processor has contravened the Data Protection Law, or

(ii)      any intended processing in the context of a controller or processor, or any intended act or omission of the controller or processor concerned is likely to contravene that Law.

(2)     If the Authority makes a breach determination against a controller or processor, the Authority must also determine whether or not to impose a sanction under Article 25 on the controller or processor, and if so which one or more than one to impose, or whether to impose an administrative fine under Article 26.

(3)     As soon as practicable after making a determination under paragraph (1)(b) or (2), the Authority must give the controller or processor concerned written notice of –

(a)     the determination and the reasons for it; and

(b)     the right of appeal under Article 32.

25      Sanctions following breach determination

(1)     If the Authority makes a breach determination against a controller or processor, the Authority may by written notice to the controller or processor (“the recipient”) take all or any of the following sanctions against the recipient –

(a)     issue a reprimand to the recipient;

(b)     issue a warning to the recipient that the intended processing or other act or omission is likely to contravene the Data Protection Law;

(c)     make an order under paragraph (3).

(2)     Paragraph (1) does not limit the Authority’s power to impose an administrative fine under Article 26 in the case of a contravention of the Data Protection Law.

(3)     The Authority may order the recipient to do all or any of the following –

(a)     bring specified processing operations into compliance with the Data Protection Law, or take any other specified action required to comply with that Law, in a manner and within a period specified in the order;

(b)     notify a data subject of any personal data breach;

(c)     comply with a request made by the data subject to exercise a data subject right;

(d)     rectify or erase personal data in accordance with Article 31 or 32 of the Data Protection Law;

(e)     restrict or limit the recipient’s processing operations, which may include –

(i)      temporarily restricting processing operations in accordance with Article 33 of the Data Protection Law,

(ii)      ceasing all processing operations for a specified period or until a specified action is taken, or

(iii)     suspending any transfers of personal data to a recipient in any other jurisdiction; and

(f)      notify persons to whom the personal data has been disclosed of the rectification, erasure or temporary restriction on processing, in accordance with Articles 31 to 33 of the Data Protection Law.

(4)     Nothing in paragraph (3)(d), (e) or (f) limits paragraph (3)(c).

(5)     An order under subsection (3) may, in relation to each requirement in the order, specify –

(a)     the time at which, or by which, the requirement must be complied with; and

(b)     the period during which the requirement must be complied with (including the occurrence of any action or event upon which compliance with the requirement may cease).

(6)     The Authority may revoke or amend an order under paragraph (3) by giving written notice to the person concerned.

(7)     A recipient in respect of whom an order is made under paragraph (3) must comply with the order within any time specified for its compliance.

(8)     A person who contravenes paragraph (7) is guilty of an offence.

26      Administrative fines

(1)     Subject to Article 27 the Authority may order a controller or processor to pay to the Authority an administrative fine for any of the following –

(a)     failure to make reasonable efforts to verify that a person giving consent to the processing of the personal data of a child as required by Article 11(4) of the Data Protection Law is a person duly authorized to give consent to that processing in accordance with that provision;

(b)     breach of any duty or obligation imposed by Article 7 of, and any provision of Parts 3, 4 or 5 of, the Data Protection Law;

(c)     processing personal data in breach of any other provision of Part 2 or 6 of the Data Protection Law; or

(d)     transfer of personal data to a person in a third country or international organization in contravention of Article 66 or 67 of the Data Protection Law.

(2)     In determining whether or not to order a fine and, if ordered, the amount of the fine, the Authority must have regard to –

(a)     the nature, gravity and duration of the contravention of the Data Protection Law, taking into account the nature, scope and purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)     whether the contravention was intentional or negligent;

(c)     any action taken by the person concerned to mitigate the loss, damage or distress suffered by data subjects;

(d)     the degree of responsibility of the person concerned taking into account technical and organizational measures implemented by the person concerned for the purposes of any provision of the Data Protection Law;

(e)     any relevant previous contraventions by the person concerned;

(f)      the degree of cooperation with the Authority, in order to remedy the breaches and mitigate the possible adverse effects of the contravention;

(g)     the categories of personal data affected by the contravention;

(h)     the manner in which the contravention became known to the Authority, in particular whether, and if so to what extent, the person concerned notified the contravention to the Authority;

(i)      where an order under Article 25(3) has previously been made in respect of the person concerned with regard to the same subject-matter, compliance with any measures required to be taken by the order;

(j)      compliance or non-compliance with code or evidence of certification in respect of the processing concerned; and

(k)     any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the contravention.

(3)     In ordering any fine, the Authority must take into account the need for fines to –

(a)     be effective;

(b)     be proportionate; and

(c)     have a deterrent effect.

(4)     An order imposing a fine –

(a)     must specify the date by which the fine must be paid; and

(b)     may provide for the fine to be paid by instalments of any number and amounts and at any times specified in the order.

(5)     The Authority may, of its own motion or on the application of the person concerned, vary –

(a)     the amount of a fine; or

(b)     the number, amounts and times of the instalments by which the fine is to be paid.

(6)     The Authority may publish the name of the person concerned and the amount of the fine in any manner it considers appropriate.

(7)     The Authority may recover a fine as a debt owed and due to the Authority by the person concerned.

(8)     A fine imposed on an unincorporated body by an order of the Authority must be paid from the funds of the body.

(9)     Nothing in this Article authorizes the Authority to order a public authority other than one falling only within paragraph (k) of the definition of “public authority” in Article 1(1) of the Data Protection Law to pay a fine.

(10)    Any fine paid to or recovered by the Authority forms part of the annual income of the States.

(11)    In this Article –

“fine” means an administrative fine ordered under paragraph (1);

“person concerned” means the controller or processor against whom an administrative fine is ordered.

27      Limits on administrative fines

(1)     Subject to paragraphs (2) and (3) an administrative fine ordered against a person –

(a)     for any matter specified in Article 26(1)(a) and (b), must not exceed £5,000,000;

(b)     for any matter specified in Article 26(1)(c) or (d), must not exceed £10,000,000.

(2)     An administrative fine must not exceed £300,000 or 10% of the person’s total global annual turnover or total gross income in the preceding financial year, whichever is the higher.

(3)     An administrative fine ordered against any person whose processing of data that gave rise to the fine was in the public interest and not for profit must not exceed £10,000.

(4)     Where a person contravenes several provisions of the Data Protection Law in relation to the same processing operations, or associated or otherwise linked processing operations, the aggregate of the administrative fines issued against the controller or processor in respect of those processing operations must not exceed the limit specified under paragraph (1)(a) or, if applicable to any such contravention, paragraph (1)(b).

(5)     The Minister may, by Order, amend any monetary amount set out in this Article and Regulations may amend Article 26 and other provision of this Article.

28      Procedure to be followed before making breach determination or order under this Part

(1)     This Article applies where the Authority, otherwise than with the agreement of the person concerned, proposes to make –

(a)     a breach determination;

(b)     an order under Article 25(3); or

(c)     an order for the payment of an administrative fine.

(2)     Before making the determination or order, the Authority must give the person concerned notice in writing –

(a)     stating that the Authority is proposing to make the determination or order;

(b)     stating the terms of, and the grounds for, the proposed determination or order;

(c)     stating that the person concerned may, within a period of 28 days beginning on the date of the notice or any longer period that may be specified in the notice, make written or oral representations to the Authority in respect of the proposed determination or order in a manner specified in the notice; and

(d)     of the right of appeal of the person concerned under Article 32 if the Authority were to make the proposed determination or order.

(3)     The Authority must consider any representations made in response to a notice under paragraph (2) before giving further consideration to the proposed determination or order.

(4)     The Authority may reduce the period of 28 days mentioned in paragraph (2)(c) where the Authority considers it necessary to do so –

(a)     in the interests of data subjects, or any class or description of data subjects, or in the public interest; or

(b)     where there are reasonable grounds for suspecting any of the matters mentioned in paragraph (5).

(5)     The matters are –

(a)     that, if that period of notice were given, information relevant to or relating to the proposed determination or order would be concealed, falsified, tampered with or destroyed; or

(b)     that the giving of that period of notice is likely seriously to prejudice –

(i)      any criminal, regulatory or disciplinary investigation, or any prosecution, in Jersey or elsewhere,

(ii)      co-operation or relations with investigatory, prosecuting, regulatory or disciplinary authorities, in Jersey or elsewhere, or

(iii)     the performance by the Authority of its functions.

(6)     The Authority may dispense with the procedures in paragraphs (2) and (3) altogether if it considers that the determination or order needs to be made immediately or without notice because of the interests or grounds mentioned in paragraph (4).

(7)     For clarity, where a notice under this Article relates to a proposed administrative fine under Article 26 the notice must state the amount of the proposed fine.

(8)     In this Article “person concerned” means the controller or processor against whom the breach determination or order is proposed to be made.

29      Exclusion of courts and tribunals acting in a judicial capacity

Nothing in this Law authorizes the Authority –

(a)     to investigate, inquire into or determine any matter; or

(b)     exercise any of its other powers,

in relation to processing operations carried out by, or any other act or omission of, a court or tribunal acting in its judicial capacity.

30      Proceedings by the Authority

The Authority may bring proceedings before the Royal Court in respect of any contravention or likely contravention of this Law or the Data Protection Law and if the court is satisfied that either of those Laws has been, or will be, contravened it may make such order as it considers appropriate, including –

(a)     an award of compensation for loss, damage or distress to any person in respect of the contravention;

(b)     an injunction (including an interim injunction) to restrain any actual or likely contravention;

(c)     a declaration that the controller or processor, as the case may be, has committed the contravention or that a particular act, omission or course of conduct on the part of the controller or processor would result in a contravention; and

(d)     requiring the controller or processor to give effect to any of the rights of data subjects under Part 6 of the Data Protection Law.

31      Proceedings against Authority

(1)     Proceedings may be brought in the Royal Court –

(a)     by a complainant where the Authority has omitted to give the complainant a written acknowledgement of receipt of a complaint, or a notice as to whether or not the complaint is being investigated in accordance with Article 20;

(b)     by a complainant where the Authority has made a decision not to investigate a complaint under Article 20(2); and

(c)     by a person affected by a notice, decision or determination given by the Authority in relation to a complaint under Article 20,

on the grounds that the action or omission by the Authority was unreasonable in all the circumstances of the case.

(2)     The proceedings must be brought within 28 days of –

(a)     in the case of proceedings under paragraph (1)(a), the end of the 8 week period mentioned in Article 20(1)(b) or (5); or

(b)     in any other case, the date on which the person receives notice of the relevant notice, decision or determination from the Authority.

(3)     On receipt of the application the Royal Court may, on such terms as the court considers just, suspend or modify the effect of the notice, decision or determination in question pending the outcome of the proceedings.

(4)     On the hearing of the matter the court may –

(a)     dismiss the proceedings on such terms and conditions as it may direct; or

(b)     make such other order as it considers just, including an order –

(i)      that the Authority give the written acknowledgement or notice required,

(ii)      annulling the decision not to investigate the complaint and directing the Authority to investigate it,

(iii)     confirming, modifying or substituting the notice, decision or determination, or

(iv)     remitting the matter back to the Authority for reconsideration.

(5)     In this Article –

“complainant” means a person who has submitted a complaint to the Authority under Article 19;

“person affected by a notice, decision or determination” means –

(a)     the complainant in respect of the complaint giving rise to it; or

(b)     a controller, processor or responsible officer in respect of whom it was made.

32      Rights of appeal against determinations or orders of the Authority

(1)     This Article applies where the Authority –

(a)     makes a breach determination; or

(b)     makes an order under Article 25(3);

(c)     orders the payment of an administrative fine under Article 26; or

(d)     serves an information notice under paragraph 1 of Schedule 1.

(2)     The controller or processor affected may appeal the determination, order or notice to the Royal Court in accordance with this Article.

(3)     The appeal may be made on the grounds that in all the circumstances of the case the decision was not reasonable.

(4)     An appeal must be made within the period of 28 days immediately following the date on which the person concerned receives written notice of the determination, order or notice from the Authority.

(5)     An appeal is made by summons served on the Authority stating the grounds and material facts on which the appellant relies.

(6)     On the application of the appellant, the Royal Court may, on such terms as the court thinks just, suspend or modify the effect of the determination or order appealed against pending the determination of the appeal.

(7)     Upon determining an appeal under this Article, the Court may –

(a)     confirm the determination, order or notice, with or without modification; or

(b)     annul the determination, order or notice and remit the matter back to the Authority for reconsideration, in addition to making any order it considers just.

33      General provisions relating to offences

(1)     A person guilty of an offence under this Law is liable to a fine.

(2)     Where an offence under this Law, or under Regulations made under this Law, committed by a limited liability partnership or body corporate or unincorporated body is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of –

(a)     a person who is a partner of the limited liability partnership, or director, manager, secretary or other similar officer of the body corporate;

(b)     in the case of any other partnership, any partner;

(c)     in the case of any other unincorporated body, any officer of that body who is bound to fulfil any duty of which the offence is a breach or, if there is no such officer, any member of the committee or other similar governing body; or

(d)     any person purporting to act in any capacity described in sub-paragraph (a), (b) or (c),

the person is also guilty of the offence and liable in the same manner as the partnership or body corporate to the penalty provided for that offence.

(3)     If the affairs of a body corporate are managed by its members, paragraph (2) applies in relation to acts and defaults of a member in connection with the member’s functions of management as if the member were a director of the body corporate.

(4)     Where an offence under this Law is alleged to have been committed by an unincorporated body, proceedings for the offence must, without limiting paragraph (2), be brought in the name of the body and not in the name of any of its members.

(5)     A fine imposed on an unincorporated body on its conviction for an offence under this Law must be paid from the funds of the body.

(6)     A person who aids, abets, counsels or procures the commission of an offence under this Law is also guilty of the offence and liable in the same manner as a principal offender to the penalty provided for that offence.

34      Proceedings concerning unincorporated bodies

Subject to Article 33, where a breach is alleged to have been committed by an unincorporated body, any complaint, investigation, action, order or notice, or other proceedings, for or otherwise in relation to the breach must be brought, issued or (as the case may be) served in the name of the body and not in the name of any of its members.

35      Rules of Court

(1)     The power to make Rules of Court under Article 13 of the Royal Court (Jersey) Law 1948[4] includes the power to make Rules regulating the practice and procedure on any matter relating to the Royal Court under this Law.

(2)     The Rules may, in particular, make provision for –

(a)     enabling directions to be given to withhold material or restrict disclosure of any information relevant to proceedings under this Law from any party (including any representative of any party) to the proceedings; and

(b)     enabling the court to conduct such proceedings in the absence of any person, including a party to the proceedings (or any representative of a party to the proceedings).

(3)     In making the Rules, regard must be had to –

(a)     the need to secure that the decisions that are the subject of such proceedings are properly reviewed; and

(b)     the need to secure that disclosures of information are not made where they would be contrary to the public interest.

36      Service of notices etc.

(1)     A notice required by this Law to be given to the Authority is not regarded as given until it is in fact received by the Authority.

(2)     A notice or other document required or authorized under this Law or under Regulations made under this Law to be given to the Authority may be given by electronic or any other means by which the Authority may obtain or recreate the notice or document in a form legible to the naked eye.

(3)     Any notice, direction or other document required or authorized by or under this Law to be given to or served on any person other than the Authority may be given or served –

(a)     by delivering it to the person;

(b)     by leaving it at the person’s proper address;

(c)     by sending it by post to the person at that address; or

(d)     by sending it to the person at that address by electronic or any other means by which the notice, direction or document may be obtained or recreated in a form legible to the naked eye.

(4)     Without limiting the generality of paragraph (3), any such notice, direction or other document may be given to or served on a partnership, company incorporated outside Jersey or unincorporated association by being given to or served –

(a)     in any case, on a person who is, or purports (under whatever description) to act as, its secretary, clerk or other similar officer;

(b)     in the case of a partnership, on the person having the control or management of the partnership business;

(c)     in the case of a partnership or company incorporated outside Jersey, on a person who is a principal person in relation to it (within the meaning of the Financial Services (Jersey) Law 1998[5]); or

(d)     by being delivered to the registered or administrative office of a person referred to in sub-paragraph (a), (b) or (c) if the person is a body corporate.

(5)     For the purposes of this Article and of Article 7 of the Interpretation (Jersey) Law 1954[6], the proper address of any person to or on whom a notice, direction or other document is to be given or served by post is the person’s last known address, except that –

(a)     in the case of a company (or person referred to in paragraph (4) in relation to a company incorporated outside Jersey), it is the address of the registered or principal office of the company in Jersey; and

(b)     in the case of a partnership (or person referred to in paragraph (4) in relation to a partnership), it is the address of the principal office of the partnership in Jersey.

(6)     If the person to or on whom any notice, direction or other document referred to in paragraph (3) is to be given or served has notified the Authority of an address within Jersey, other than the person’s proper address within the meaning of paragraph (5), as the one at which the person or someone on the person’s behalf will accept documents of the same description as that notice, direction or other document, that address is also treated for the purposes of this Article and Article 7 of the Interpretation (Jersey) Law 1954 as the person’s proper address.

(7)     If the name or the address of any owner, lessee or occupier of premises on whom any notice, direction or other document referred to in paragraph (3) is to be served cannot after reasonable enquiry be ascertained it may be served by –

(a)     addressing it to the person on whom it is to be served by the description of “owner”, “lessee” or “occupier” of the premises;

(b)     specifying the premises on it; and

(c)     delivering it to some responsible person resident or appearing to be resident on the premises or, if there is no person to whom it can be delivered, by affixing it, or a copy of it, to some conspicuous part of the premises.

PART 5

ADMINISTRATIVE PROVISIONS

37      Guidance of Minister

(1)     The Minister may, if he or she considers that it is desirable in the public interest to do so, and having consulted the Authority, give to the Authority written guidance or general written directions on matters relating to corporate governance.

(2)     The guidance relates to the system and arrangements by or under which the Authority is directed and controlled and may relate to –

(a)     accountability, efficiency and economy of operation of the office of the Authority, but not to matters relating directly to the Authority’s regulatory functions;

(b)     conflicts of interest, the accounts of the Authority and their audit, borrowing by the Authority and the investment of the funds of the Authority.

(3)     The Authority must have regard to any guidance and must act in accordance with any directions addressed to the Authority under this Article.

38      Fees and charges

The Authority may charge, retain and apply in the performance of the Authority’s functions –

(a)     fees and charges (other than administrative fines) of such amounts, paid by such persons and paid in such manner, as may be –

(i)      prescribed by Order of the Minister, the Minister having consulted the Authority, or

(ii)      payable in accordance with this Law or any other enactment; and

(b)     such fees and charges (not inconsistent with this or any other enactment) –

(i)      of such amounts, paid by such persons and paid in such manner, as may be decided by the Authority in respect of any service, item or matter, that does not arise under this or any other enactment, and

(ii)      as may be agreed between the Authority and any person for whom the Authority provides advice, assistance or other services under this or any other enactment, in respect of the advice, assistance or other matters.

39      Grants to Authority

(1)     In respect of each financial year, the States may make a grant to the Authority from their annual income towards the Authority’s expenses in performing any of its functions.

(2)     The amount of any grant referred to in paragraph (1) is determined by the Minister for Treasury and Resources on the recommendation of the Minister made after consultation with the Authority.

(3)     In making that recommendation, the Minister must have regard to the actual financial position and the projected financial position of the Authority.

(4)     In determining the amount of grant, the Minister for Treasury and Resources must have regard to the actual financial position and the projected financial position of the Authority.

40      Consent to borrowing

(1)     The Authority must not borrow money without the consent of the Minister.

(2)     The Minister for Treasury and Resources may, on such terms as he or she may determine, on behalf of the States –

(a)     guarantee the liabilities of the Authority; or

(b)     lend money to the Authority.

(3)     The Minister for Treasury and Resources may act under paragraph (2) only on the recommendation of the Minister.

41      Guidelines on investment

In investing any funds belonging to the Authority, the Authority must comply with any guidelines specified by the Minister.

42      Exemption from income tax

The income of the Authority is not liable to income tax under the Income Tax (Jersey) Law 1961[7].

43      Accounts and audit

(1)     The Authority must –

(a)     keep proper accounts and proper records in relation to the accounts; and

(b)     prepare accounts in respect of each financial year; and

(c)     after the accounts have been audited in accordance with paragraph (3), provide them to the Minister as soon as practicable after the end of the financial year to which they relate, but in any event within 4 months of the end of that year.

(2)     The Minister must lay a copy of the accounts so provided before the States as soon as practicable after the Minister receives the report.

(3)     The accounts of the Authority must –

(a)     be audited by auditors appointed in respect of each financial year by the Comptroller and Auditor General (as defined by the Comptroller and Auditor General (Jersey) Law 2014[8]); and

(b)     be prepared in accordance with generally accepted accounting principles and show a true and fair view of the profit or loss of the Authority for the period to which they relate and of the state of the Authority’s affairs at the end of the period.

44      Annual reports

(1)     The Authority must prepare a report on its activities in each financial year.

(2)     The Authority must provide the Minister with the report as soon as practicable after the end of the financial year to which the report relates, but in any case within 4 months of the end of that year.

(3)     The Authority may also provide the Minister with other reports relating to the Authority’s functions or activities.

(4)     The Minister must lay a copy of any report provided to the Minister under this Article before the States as soon as practicable after receiving the report.

45      Limitation of liability

(1)     A person or body to whom this Article applies is not liable in damages for anything done or omitted in the performance or purported performance of any functions of the Authority conferred by or under this Law or the Data Protection Law, or any other functions conferred by or under either of those Laws, unless it is shown that the act or omission was in bad faith.

(2)     This Article applies to the following –

(a)     the States;

(b)     the Minister;

(c)     the Authority or any person who is, or is acting as, an officer, employee or agent of the Authority, or performing any function on behalf of the Authority.

(3)     This Article does not prevent an award of damages in respect of the act or omission on the ground that it was unlawful as a result of Article 7(1) of the Human Rights (Jersey) Law 2000[9].

PART 6

CLOSING PROVISIONS

46      Regulations and Orders

(1)     The States may by Regulations and the Minister may by Order make provision for the purpose of carrying this Law into effect and, including for or with respect to any matter that may be prescribed under this Law by Regulations or Orders as the case may be.

(2)     Regulations and Orders made under this Law may contain such transitional, consequential, incidental or supplementary provisions as appear to the States to be necessary or expedient for the purposes of the Regulations or Order.

47      Transitional provisions

Schedule 2 has effect.

48      Consequential amendments

Schedule 3 has effect.

49      Citation and commencement

This Law may be cited as the Data Protection Authority (Jersey) Law 2018 and comes into force on 25th May 2018.

L.-M. HART

Deputy Greffier of the States

 


SCHEDULE 1

(Article 22)

POWERS OF INVESTIGATION AND INQUIRY

1        Power to issue information notice

(1)     The Authority may require any controller or processor to give the Authority any information that the Authority considers necessary for a purpose specified in sub-paragraph (2) by issuing the controller or processor (“the recipient”) a notice (an “information notice”).

(2)     The purposes referred to in sub-paragraph (1) are –

(a)     to determine whether or not to investigate a complaint;

(b)     to determine whether or not to conduct an inquiry;

(c)     for the purpose of an investigation or inquiry;

(d)     to make a determination or an order, or take any other action, under any provision of Part 4; or

(e)     to determine whether or not to exercise any other power conferred on the Authority by this Law.

(3)     An information notice must include –

(a)     a statement of the purpose in sub-paragraph (2) for which the notice is issued;

(b)     a description of the information required by the Authority;

(c)     a statement of the Authority’s reasons for requiring that information; and

(d)     a statement of the form and manner in which, and the period within which (“compliance period”), the recipient must give the information to the Authority.

(4)     A compliance period must not be shorter than 28 days beginning on the date on which the notice was issued.

(5)     Despite sub-paragraph (4), the Authority may specify a compliance period shorter than 28 days but not shorter than 7 days beginning on the date on which the notice was issued, but in this case the Authority must include in the information notice a statement of its reasons for specifying that shorter period.

(6)     A recipient of an information notice must comply with the notice.

(7)     A recipient is not required by virtue of this paragraph to furnish the Authority with any information in respect of –

(a)     any communication between a professional legal adviser and a client in connection with the giving of legal advice to the client with respect to the latter’s obligations, liabilities or rights under this Law or the Data Protection Law; or

(b)     any communication between a professional legal adviser and a client, or between such an adviser or client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Law or the Data Protection Law and for the purposes of such proceedings.

(8)     In sub-paragraph (7), references to a client of a professional legal adviser include references to any person representing such a client.

(9)     A recipient is not required by virtue of this paragraph to furnish the Authority with any information if to do so would, by revealing evidence of the commission of any offence other than an offence under this Law, expose the recipient to proceedings for that offence.

(10)    The Authority may cancel an information notice by written notice served on the person on whom the information notice was served.

2        General power of entry, search, etc.

(1)     This paragraph applies to any premises (“searchable premises”) if an authorized officer believes on reasonable grounds that –

(a)     those premises are occupied by a registered controller or registered processor;

(b)     personal data is processed in the context of a controller or processor occupying or operating at or from those premises, whether directly or by the use of agents;

(c)     personal data is processed at or on those premises;

(d)     any equipment, device or other thing used to process personal data (“processing equipment”) is kept at or on those premises;

(e)     any information relating to the processing of personal data was or is present on those premises;

(f)      a contravention of the Data Protection Law was or is being committed on or in relation to those premises; or

(g)     an offence under the Data Protection Law was or is being committed on or in relation to those premises.

(2)     Subject to paragraph 4, an authorized officer may during normal working hours exercise any power specified in sub-paragraph (3) or (4) on or in relation to any searchable premises, for any of the following purposes –

(a)     establishing whether a controller or processor contravened or is contravening this Law or the Data Protection Law;

(b)     establishing whether any person has committed or is committing an offence under this Law or the Data Protection Law;

(c)     conducting an investigation or inquiry, or exercising or performing any other function of the Authority under this Law or the Data Protection Law;

(d)     securing anything which the authorized officer has reason to believe may be required –

(i)      for the effective conduct of any investigation or inquiry, or

(ii)      as evidence in any proceedings for an offence under this Law or the Data Protection Law.

(3)     Sub-paragraph (2) refers to the following powers –

(a)     with the assistance of a police officer, stop a person, vehicle, vessel or container;

(b)     enter any searchable premises;

(c)     search the premises and examine, test or inspect anything at the premises and open it (or break it open);

(d)     photograph, film or otherwise record anything at the premises;

(e)     require the production of any equipment, device or other thing used to process personal data or otherwise used by a controller or processor;

(f)      take copies of or extracts from any information (including, in the case of information in a non-legible form, a copy of or an extract from that information in a legible form);

(g)     if anything at the premises cannot be conveniently removed, secure it against interference;

(h)     seize any equipment, device or other thing, which is at the premises and detain it for as long as the authorized officer considers necessary;

(i)      require any person to give the authorized officer any information, including (but without limiting the generality of this paragraph) –

(i)      information regarding the ownership, identity or origin of, or any other information regarding any equipment, device or other thing,

(ii)      any information regarding the premises, or

(iii)     the name and address of any controller, processor or other person involved in the processing of personal data; and

(j)      require any person to afford the authorized officer any other facilities or assistance that the officer considers necessary or expedient, including in relation to any documents or other information provided to the officer.

(4)     Without limiting the generality of sub-paragraph (3), sub-paragraph (2) also refers to the following powers –

(a)     power to inspect any records (in whatever form they are held) relating to the business of a controller or processor; and

(b)     where any such records are stored in electronic form, power to –

(i)      inspect and check the operation of any equipment, device or other thing which is or has been in use in connection with those records,

(ii)      require any person having charge of, or otherwise concerned with the operation of, the equipment, device, or other thing to afford the authorized officer such assistance as the officer may reasonably require, or

(iii)     require the records to be produced in a form in which they may be taken away.

(5)     Neither sub-paragraph (3) nor sub-paragraph (4) applies to, or in relation to, any items for which any rule of privilege may be claimed.

3        Safeguards for general powers of entry, search, etc.

(1)     An authorized officer entering any premises under paragraph 2 must, if the owner or occupier of those premises is present –

(a)     identify himself or herself to the owner or occupier; and

(b)     produce to the owner or occupier documentary evidence that the officer is an authorized officer.

(2)     If the owner or occupier of those premises is not present at the time the authorized officer leaves those premises, the authorized officer –

(a)     must leave the premises as effectively secured against trespassers as that authorized officer found them; and

(b)     must leave in a prominent place on those premises written notice that those premises have been entered and searched under paragraph 2, including that authorized officer's name, an address at which that authorized officer may be contacted and a copy of the documentary evidence referred to in sub-paragraph (1)(b).

(3)     An authorized officer who seizes anything under paragraph 2(3)(h) must leave with the owner or occupier of the premises (if present) or leave on the premises (if the owner or occupier is not present) a statement stating –

(a)     particulars of what has been seized; and

(b)     that the authorized officer has seized it.

4        Entry to dwellings restricted.

An authorized officer must not enter a dwelling under paragraph 2, except –

(a)     with the consent of the owner or occupier of those premises;

(b)     by giving the owner or occupier of those premises at least 7 days’ prior written notice of the entry; or

(c)     under and in accordance with a warrant issued under paragraph 5.

5        Warrants for entry, etc.

(1)     If the Bailiff or a Jurat is satisfied by information on oath supplied by the Authority that there are reasonable grounds for suspecting –

(a)     that a controller has contravened or is contravening any of the data protection principles; or

(b)     that an offence under this Law or the Data Protection Law has been or is being committed,

and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information, the Bailiff or Jurat may issue a warrant to the Authority.

(2)     A warrant may permit an authorized officer at any time within 7 days of the date of the warrant to enter the premises, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal data and to inspect and seize any documents or other material found there which may be such evidence as is mentioned in sub-paragraph (1).

(3)     The Bailiff or a Jurat must not issue a warrant unless satisfied –

(a)     that the Authority has given 7 days’ notice in writing to the occupier of the premises in question demanding access to the premises;

(b)     that either access was demanded at a reasonable hour and was unreasonably refused or although entry to the premises was granted, the occupier unreasonably refused to comply with a request by the Authority to permit the authorized officer to do any of the things referred to in sub-paragraph (2); and

(c)     that the occupier has, after the refusal, been notified by the Authority of the application for the warrant and has had an opportunity of being heard by the Bailiff or Jurat on the question whether or not it should be issued.

(4)     Sub-paragraph (3) does apply if the Bailiff or Jurat is satisfied that the case is one of urgency or that compliance with that sub-paragraph would defeat the object of the entry.

(5)     A person executing a warrant issued under this paragraph –

(a)     may use such reasonable force as may be necessary;

(b)     may be accompanied by a police officer during its execution.

(6)     A warrant must be executed at a reasonable hour unless it appears to the person executing it that there are grounds for suspecting that the evidence in question would not be found if it were so executed.

(7)     If the person who occupies the premises in respect of which a warrant is issued –

(a)     is present when the warrant is executed, the person executing it must show the warrant to that person and supply him or her with a copy of it;

(b)     is not present, the person executing it must leave a copy of it in a prominent place on the premises.

(8)     A person seizing anything under a warrant must give a receipt for it to the person in occupation of the premises.

(9)     Anything so seized may be retained for so long as is necessary for the purpose of the investigation or inquiry, or any subsequent proceedings (whether civil or criminal).

(10)    Unless the Royal Court orders otherwise, any property seized must be returned to its owner as soon as practicable after the completion of the investigation, inquiry or proceedings, and proceedings are taken to be completed when either any appeal has been concluded or, if no appeal is made, the time limit for appealing has expired.

6        Exemptions from powers conferred by warrant

(1)     The powers of inspection and seizure conferred by a warrant are not exercisable in respect of –

(a)     any communication between a professional legal adviser and the adviser’s client in connection with the giving of legal advice to the client with respect to the client’s obligations, liabilities or rights under this Law or the Data Protection Law; or

(b)     any communication between a professional legal adviser and the adviser’s client, or between such an adviser or such a client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Law and for the purposes of such proceedings.

(2)     Sub-paragraph (1) applies also to –

(a)     a copy or other record of any such communication; and

(b)     any document or article enclosed with or referred to in any such communication if made in connection with the giving of any advice or, as the case may be, in connection with or in contemplation of and for the purposes of such proceedings.

(3)     This paragraph does not apply to anything in the possession of any person other than the professional legal adviser or the client or to anything held with the intention of furthering a criminal purpose.

(4)     In this paragraph references to the client of a professional legal adviser include references to any person representing such a client.

(5)     If the person in occupation of premises in respect of which a warrant is issued objects to the inspection or seizure under the warrant of material on the grounds that it consists partly of matters in respect of which those powers are not exercisable, the person must, if the person executing the warrant so requests, furnish the latter with a copy of so much of the material as is not exempt from those powers.

7        Power to conduct or require data protection audits

(1)     The Authority may –

(a)     conduct a data protection audit of any part of the operations of the controller or processor; or

(b)     require the controller or processor to appoint a person approved by the Authority to –

(i)      conduct a data protection audit of any part of the operations of the controller or processor, and

(ii)      report the findings of the audit to the Authority.

(2)     The Authority must specify the terms of reference of any audit carried out under sub-paragraph (1).

(3)     The controller or processor concerned must pay for an audit required under sub-paragraph (1)(b).

 


SCHEDULE 2

(Article 47)

TRANSITIONAL PROVISIONS

1        Interpretation

In this Schedule “2005 Law” means the Data Protection (Jersey) Law 2005[10].

2        Registration

(1)     A controller who, immediately before the commencement of this Law, was registered as a data controller under Part 3 of the 2005 Law, and any processor, is exempt from the requirement to register under Part 3 of this Law until the end of the registration period.

(2)     Any notification by a data controller of wish to be included in the register under Article 18 of the 2005 Law that did not result in an entry in the register under Article 19 of that Law before the commencement of this Law, shall be determined as if it were an application made under Article 17 of this Law.

(3)     In respect of each controller who is exempt from registration under Article 17 of this Law for the duration of the registration period by virtue of paragraph (1), the Authority must nevertheless register the controller under Article 17(4) and include in the register maintained under paragraph (5) of that Article the particulars that, immediately before the commencement of this Law, were included (or treated as included) in respect of that controller maintained under Article 19 of the 2005 Law.

(4)     The Minister may by Order make further provision modifying Article 17 of this Law in its application to any person, including any controller mentioned in sub-paragraph (3).

(5)     In this paragraph “registration period” means –

(a)     in the case of a controller, the period at the end of which, if Article 19 of the 2005 Law had remained in force, the controller’s entry would have fallen to be removed unless renewed; and

(b)     in the case of a processor, a period of 26 weeks from the day on which this Law comes into force.

3        Enforcement notices served under 2005 Law

(1)     If, immediately before the commencement of this Law an enforcement notice is served under Article 40 of the 2005 Law, that notice has effect, after commencement, as if it were an order made under Article 25(3) of this Law.

(2)     The Authority may make an order under Article 25(3) or Article 26(1) of this Law on or after the day on which that Article comes into force if the Commissioner has reasonable grounds for suspecting that, before that day, a data controller contravened the data protection principles within the meaning of the 2005 Law by reason of any act or omission that would also have constituted a contravention of the data protection principles set out in Article 8 of the Data Protection Law if they had applied when the act or omission occurred.

4        Requests for assessment under Article 42 of 2005 Law

Any request for assessment under Article 42 of the 2005 Law that the Commissioner has not dealt with before the commencement of this Law has effect as if it were a complaint under Article 19 of this Law.

 


SCHEDULE 3

(Article 48)

CONSEQUENTIAL AMENDMENTS

1        Corruption (Jersey) Law 2006

For Article 4(1)(s) of the Corruption (Jersey) Law 2006[11] there is substituted the following sub-paragraph –

“(s)    any member of the Data Protection Authority constituted under Article 3(1) of the Data Protection Authority (Jersey) Law 2018[12];”.

2        Register of Names and Addresses (Jersey) Law 2012

In Article 7(9) of the Register of Names and Addresses (Jersey) Law 2012[13] for the words “Data Protection Commissioner under the Data Protection (Jersey) Law 2005” there are substituted the words “Data Protection Authority under the Data Protection Authority (Jersey) Law 2018[14]”.

3        Data Protection (International Co-operation) (Jersey) Regulations 2005

(1)     The Data Protection (International Co-operation) (Jersey) Regulations 2005[15] are amended as follows.

(2)     For the word “Commissioner” wherever occurring there is substituted the word “Authority”.

(3)     In Regulation 1(1) for the words “Data Protection (Jersey) Law 2005” there are substituted the words “Data Protection (Jersey) Law 2018[16]”.

(4)     In Regulation 3 –

(a)     in paragraph (3)(a) for the words “Article 7” there are substituted the words “Article 28”;

(b)     in paragraph (4)(a) for the words “Part 2” there are substituted the words “Part 6”;

(c)     in paragraph (4)(b) for the words “Article 42 of the Law” there are substituted the words “Article 21 of the Authority Law”;

(d)     in paragraph (5) for the words “prescribed for the purposes of Article 19(7)” there are substituted the words “specified for the purposes of Article 17(3)(a) of the Authority Law”.

4        Employment of States of Jersey Employees (Jersey) Law 2005

In Schedule 1 to the Employment of States of Jersey Employees (Jersey) Law 2005[17] for the words “Data Protection Commissioner” there are substituted the words “Information Commissioner”.

5        Public Employees (Pensions) (Jersey) Law 2014

For Article 1(2)(b) of the Public Employees (Pensions) (Jersey) Law 2014[18] there is substituted the following sub-paragraph –

“(b)    the holder of the office of Information Commissioner (within the meaning of Article 5 of the Data Protection Authority (Jersey) Law 2018[19]);”.

6        Freedom of Information (Jersey) Law 2011

In Article 1 of the Freedom of Information (Jersey) Law 2011[20] for the definition “Information Commissioner” there is substituted the following definition –

“ ‘Information Commissioner’ means the person appointed as such under Article 5(1) of the Data Protection Authority (Jersey) Law 2018[21]”.

7        Public Employees (Retirement) (Jersey) Law 1967

For Article 1(2)(aa) of the Public Employees (Retirement) (Jersey) Law 1967[22] there is substituted the following sub-paragraph –

“(aa)  the holder of the office of Information Commissioner (within the meaning of Article 5 of the Data Protection Authority (Jersey) Law 2018[23]);”.

8        Public Finances (Jersey) Law 2005

In Schedule 1 to the Public Finances (Jersey) Law 2005[24] for the words “Data Protection Commissioner” there are substituted the words “Data Protection Authority”.

 

 


 



[1] L.3/2018

[2] chapter 16.330

[3] chapter 15.240

[4] chapter 07.770

[5] chapter 13.225

[6] chapter 15.360

[7] chapter 24.750

[8] chapter 24.140

[9] chapter 15.350

[10] chapter 15.240

[11] chapter 08.090

[12] L.4/2018

[13] chapter 15.660

[14] L.4/2018

[15] chapter 15.240.25

[16] L.3/2018

[17] chapter 16.325

[18] chapter 16.640

[19] L.4/2018

[20] chapter 16.330

[21] L.4/2018

[22] chapter 16.650

[23] L.4/2018

[24] chapter 24.900


Page Last Updated: 22 Oct 2018