Data Protection Authority (Jersey) Law 2018
A LAW to provide for a new statutory body to oversee the protection of personal data and for connected purposes.
Adopted by the States 18th January 2018
Sanctioned by Order of Her Majesty in Council 8th February 2018
Registered by the Royal Court 16th February 2018
THE STATES, subject to the sanction of Her Most Excellent Majesty in Council, have
adopted the following Law –
PART 1
INTRODUCTORY AND SETTING UP OF AUTHORITY
1 Interpretation
(1) In
this Law –
“Authority” means
the Data Protection Authority established under Article 2(1);
“authorized officer”
means –
(a) the
Commissioner; or
(b) any
other employee of the Authority authorized by the Authority or the Commissioner
to exercise or perform any function under this Law;
“breach determination”,
in relation to a controller or processor, means a determination by the
Authority under Article 23(1) or 24(1)(b) that the controller or processor
has contravened or is likely to contravene the Data Protection Law;
“Commissioner” means
the Information Commissioner appointed under Article 5(1);
“Data Protection Law”
means the Data Protection (Jersey) Law 2018[1];
“registered controller”
means a controller registered under Article 17;
“registered processor”
means a processor registered under Article 17.
(2) Subject
to paragraph (1), words and phrases used in this Law that are defined in
the Data Protection Law have the same respective meanings as in that Law.
2 Establishment of Data Protection Authority
(1) The
Data Protection Authority is established.
(2) The
Authority is a body corporate with perpetual succession and a common seal and
may –
(a) sue
and be sued in its corporate name;
(b) enter
into contracts and acquire, hold and dispose of any property; and
(c) so
far as is possible for a body corporate, exercise the rights, powers and
privileges and incur the liabilities and obligations of a natural person of
full age and capacity.
(3) The
application of the common seal of the Authority is authenticated by the
signature of a person authorized by the Authority to sign on its behalf and
every document bearing the imprint of the seal of the Authority is taken to be
properly sealed unless the contrary is proved.
3 Constitution of Authority
(1) The
Authority consists of –
(a) the
Chairman;
(b) no
fewer than 3 and no more than 8 other voting members; and
(c) the
Commissioner as an ex officio and non-voting
member.
(2) Subject
to paragraph (4), the Chairman and the other voting members are appointed
by the Minister who must have particular regard to the need to ensure that
voting members of the Authority –
(a) have
the qualifications, experience and skills necessary to exercise and perform the
functions of a member, in particular relating to the protection of personal
data;
(b) have
a strong sense of integrity; and
(c) are
able to maintain confidentiality.
(3) Before
appointing any individual under this Article, the Minister may require the
individual to provide, or to authorize the Minister to obtain, any information
and references that the Minister reasonably requires to ascertain the
individual’s suitability for appointment as a voting member.
(4) At
least 2 weeks before making an appointment under this Article the Minister
must present to the States a notice of the Minister’s intention to make
the appointment.
(5) Each
voting member is appointed for a term of 5 years or such shorter period as
the Minister thinks fit in a particular case and is eligible for reappointment
up to a maximum period of service of 9 years.
(6) An
individual is ineligible to be a voting member if the individual –
(a) is,
or has at any time during the preceding 12 months been, a member of the
States of Jersey;
(b) is
a States’ employee or is otherwise under the direction and control of the
States; or
(c) is
engaged in any employment, occupation (whether or not remunerated) or business,
or receives any benefits, that is incompatible with the functions of a member
of the Authority.
4 Vacation of office of voting members and vacancies
(1) The
Minister may revoke the appointment of any voting member of the Authority if he
or she is satisfied that the member –
(a) is
guilty of serious misconduct, as determined by a panel convened by the
Authority in consultation with the Minister and consisting of 3 or more
individuals, other than a member of the Authority or the Minister;
(b) has
been convicted of a criminal offence that is sufficiently serious to cast doubt
on the member’s suitability to continue in office;
(c) has
become bankrupt; or
(d) is
incapacitated physically or mentally from carrying out the duties of the office
or is otherwise unable or unfit to discharge his or her functions; or
(e) is
ineligible to be a voting member under Article 3(6).
(2) The
Minister must not remove a voting member from office on the ground specified in
paragraph (1)(a) unless a panel consisting of 3 or more individuals (none
of whom is a member of the States) appointed by the Minister determines the
voting member to be guilty of serious misconduct.
(3) A
panel convened under paragraph (2) may determine and adopt its own
procedures to determine whether or not the voting member is guilty of serious
misconduct.
(4) The
Minister must present to the States not more than 2 weeks after terminating an
appointment under this Article a notice of the termination.
(5) Any
voting member may resign from office at any time by giving notice to the
Minister.
(6) The
Minister must take all reasonable steps to ensure that any vacancy under this
Article that would reduce the number of voting members to below the
requirements of Article 3(1) is filled as soon as practicable.
(7) A
person is not disqualified for holding office as a voting member of the
Authority on account of being an officer, employee or agent of the Authority.
(8) The
rights and obligations of the Authority and the performance of the Authority’s
functions are not affected by any vacancy or defect in any appointment to the
Authority.
5 Appointment of Information Commissioner
(1) The
Authority must appoint a person, to be known as the Information Commissioner, who
is the chief executive and an employee of the Authority.
(2) The
Commissioner –
(a) is
responsible for managing the other employees of the Authority;
(b) is
in charge of the day-to-day operations of the Authority; and
(c) has
the functions conferred or imposed on him or her by this Law and any other
enactment.
(3) Subject
to this Article, the Commissioner holds office under this Law subject to terms
and conditions determined by the Authority.
(4) The
Commissioner holds office under this Law for –
(a) a
term of 5 years; or
(b) such
shorter term as may be specified in the terms and conditions of his or her
appointment,
and is eligible for re-appointment.
(5) The
Authority may remove the Commissioner from office under this Law before the
expiry of his or her term of office, but only on the grounds that the
Commissioner –
(a) is
guilty of serious misconduct, as determined by a panel convened by the
Authority in consultation with the Minister and consisting of 3 or more
individuals, other than a member of the Authority or the Minister;
(b) has
been convicted of a criminal offence that is sufficiently serious to cast doubt
on the Commissioner’s suitability to continue in office;
(c) has
become bankrupt;
(d) is
incapacitated physically or mentally from carrying out the duties of the
office; or
(e) is
otherwise unable or unfit to discharge his or her functions.
(6) A
panel convened under paragraph (5)(a) may determine and adopt its own
procedures to determine whether or not the Commissioner is guilty of serious
misconduct.
(7) Subject
to the Freedom of Information (Jersey) Law 2011[2], the Commissioner must not
engage in any other employment, occupation (whether remunerated or not) or
business, or receive any benefits other than the salary, allowances and other
emoluments and expenses awarded by the Authority, except with the approval of
the Authority.
6 Power of Commissioner to discharge functions of Authority
(1) Subject
to any policies, procedures and specific directions issued by the Authority,
the Commissioner may exercise or perform, on behalf of the Authority and in its
name, any function of the Authority under this Law or the Data Protection Law other
than –
(a) the
issuing of a public statement under Article 14;
(b) the
making of an order to pay an administrative fine under Article 26;
(c) the
preparation of an annual report under Article 44; or
(d) any
other function specified by the Authority by written notice to the Commissioner.
(2) A
function exercised or performed by the Commissioner under paragraph (1) is
treated for all purposes as having been exercised or performed by the
Authority.
(3) Nothing
in paragraph (1) or (2) prevents the Authority from exercising or
performing the function concerned.
7 Remuneration and resources
(1) The
voting members of the Authority are entitled to –
(a) such
fees, allowances and other emoluments as expenses as the Minister determines in
consultation with the Authority and publishes; and
(b) if
the Minister so determines, reasonable out-of-pocket or other expenses
occasioned in the course of carrying out the Authority’s duties.
(2) The
Authority may appoint such officers, employees and agents as it considers
necessary for the performance of its functions and may –
(a) make
those appointments on such terms as to remuneration, the payment of expenses
and other conditions of service as the Authority thinks fit; and
(b) establish
and make such schemes or other arrangements as it thinks fit for the payment of
pensions and other benefits in respect of such officers and employees.
(3) The
Authority may procure any accommodation, equipment, services or facilities it
reasonably requires for the proper and effectual discharge of its functions.
8 Confidentiality of information
(1) A
person who is or has been a member of the Authority, a member of the Authority’s
staff or an agent of the Authority must not, except with lawful authority,
disclose information that –
(a) has
been obtained by, or furnished to, the Authority under or for the purposes of this
Law or the Data Protection Law;
(b) relates
to an identified or identifiable individual or business; and
(c) is
not at the time of the disclosure, and has not previously been, available to
the public from other sources.
(2) For
the purposes of paragraph (1), a disclosure of information is made with
lawful authority if –
(a) the
disclosure is made with the consent of the individual or of the person for the
time being carrying on the business;
(b) the
information was provided for the purpose of its being made available to the
public (in whatever manner) under this Law or the Data Protection Law;
(c) the
disclosure is made for the purposes of, and is necessary for, the discharge of
a function under this Law or the Data Protection Law, or an obligation under an
agreement, or other instrument, of the EU;
(d) the
disclosure is made for the purposes of any proceedings, whether criminal or
civil and whether arising under, or by virtue of, this Law or the Data
Protection Law or otherwise; or
(e) having
regard to the rights and freedoms or legitimate interests of any person, the
disclosure is necessary in the public interest.
(3) A person who knowingly or recklessly discloses information in
contravention of paragraph (1) is guilty of an offence and liable to imprisonment
for a term of 2 years and to a fine.
9 Proceedings of Authority
(1) The
Authority must meet –
(a) at
least once every 2 months; or
(b) less
frequently if resolved by the Authority, but no fewer than 4 times a year.
(2) If
the Authority resolves to meet less frequently than once every 2 months,
it must record the reason in its resolution.
(3) The
person who presides at meetings is –
(a) the
Chairman, if the Chairman is present; or
(b) if
the Chairman is not present, the person elected to chair the meeting by, and
from among, the other voting members present.
(4) At
a meeting –
(a) a
quorum is constituted by the nearest whole number of voting members above one
half of the number of voting members for the time being in office;
(b) decisions
are made by a majority vote;
(c) the
Commissioner has no vote, but may participate in the Authority’s
proceedings;
(d) each
voting member other than the person presiding has one vote; and
(e) the
person presiding has no original vote, but in the event of equality in the
votes of the other voting members present, the person presiding must exercise a
casting vote.
(5) The
Authority may, if it thinks fit, transact any business by the circulation of
papers to all members, and a resolution in writing approved in writing by a
majority of its voting members is as valid and effectual as if passed at a
meeting by the votes of the members approving the resolution.
(6) The
Authority must keep proper minutes of its proceedings, including minutes of any
business transacted as permitted by paragraph (5).
(7) Subject
to the provisions of this Article the Authority may regulate its own procedure.
(8) The
validity of any proceedings of the Authority is unaffected by –
(a) a
vacancy in its membership;
(b) any
defect in the appointment or election of any member;
(c) any
ineligibility of an individual to be a voting member; or
(d) any lack of qualification of an individual to act as a member.
(9) In
this Article a reference to a meeting includes any meeting at which members of
the Authority transact business remotely and communicate by any means of
technology.
10 Delegation
(1) The
Authority may delegate any of its functions under this Law or the Data
Protection Law wholly or partly to an officer or employee of the Authority.
(2) Nothing
in this Article authorizes the Authority to delegate –
(a) this
power of delegation;
(b) the
function of reviewing any of its decisions;
(c) the
issuing of a public statement under Article 14;
(d) the
making of an order to pay an administrative fine under Article 26; or
(e) the
preparation of an annual report under Article 44.
(3) However,
the functions mentioned in paragraph (2)(c) and (d) may be delegated to a
committee consisting of such number of voting members as may be specified by
the Authority.
(4) The
delegation of any functions under this Article –
(a) does
not prevent the performance of those functions by the Authority; and
(b) may
be amended or revoked by the Authority.
PART 2
FUNCTIONS OF AUTHORITY
11 General functions of the Authority
(1) The
Authority has the following functions –
(a) to
administer and enforce this Law and the Data Protection Law;
(b) to
monitor and report to the States on the operation of this Law and the Data
Protection Law;
(c) to
advise the Minister and the States on any amendments that the Authority
considers should be made to this Law or the Data Protection Law or on any other
action required to be taken, in relation to the operation of either of those
Laws;
(d) to
promote public awareness of risks, rules, safeguards and rights in relation to
processing, especially in relation to children;
(e) to
promote the awareness of controllers and processors of their obligations under this
Law and the Data Protection Law;
(f) on
request, to provide reports and other information to the Minister or the States
on any matter connected with the protection of personal data;
(g) on
request, to provide information to any data subject concerning the exercise of
their rights under this Law and the Data Protection Law and, if appropriate,
cooperate with competent supervisory authorities to this end;
(h) to
cooperate with, including sharing information and providing mutual assistance
to, other supervisory authorities with a view to ensuring that the Data
Protection Law is applied and enforced;
(i) to
monitor relevant developments, insofar as they have an impact on the protection
of personal data, in particular the development of information and
communication technologies and commercial practices;
(j) to
encourage the drawing up of codes;
(k) to
keep confidential records of alleged contraventions of the Data Protection Law
and of the exercise of any of its powers under this Law; and
(l) any
other function conferred or imposed on it by this Law, the Data Protection Law
or any other enactment.
(2) The
Authority may impose a fee or charge for the performance of its functions in
response to a request made by any person, where the fee or charge is authorized
by this Law, the Data Protection Law, or any Regulations made under this Law.
(3) Regulations
made for the purposes of paragraph (2) may prescribe –
(a) the
fee or charge payable; or
(b) the
basis on which the amount of the fee or charge payable is to be calculated or
ascertained.
(4) Where
the Authority receives a request to perform a task associated with any of its functions
and the request is frivolous, vexatious, unnecessarily repetitive or otherwise
excessive, the Authority may –
(a) refuse
to perform the task; or
(b) in
exceptional circumstances, perform the task but charge the requestor a
reasonable fee for the administrative costs of doing so.
(5) The
Authority is not competent to supervise processing operations of courts and
judges acting in their judicial capacity.
12 Authority to be independent
In exercising or performing its functions, the Authority must act
independently and in a manner free from direct or indirect external influence.
13 Power to issue opinions and guidance
(1) The
Authority may issue, on its own initiative or on request by any
person –
(a) opinions
or guidance on any issue related to the protection of personal data, including
compliance with any provision of this Law or the Data Protection Law; and
(b) guidance
as to how the Authority proposes to exercise or perform any of its functions
under those Laws.
(2) The
opinions or guidance may be issued to –
(a) the
Minister;
(b) the
States; or
(c) the
public or any section of it.
(3) An
opinion or guidance issued under paragraph (1) is not legally binding but
compliance or non-compliance with any position or recommendation in the opinion
or guidance may be taken into account in determining whether or not a
controller or processor has contravened or is likely to contravene this Law or the
Data Protection Law.
14 Power to issue public statements
(1) This
Article applies to any of the following matters –
(a) a
notification of a personal data breach made to the Authority under Article 20
of the Data Protection Law;
(b) a
recommendation or determination made under Article 23 or 24;
(c) an
action taken or order made under Article 25; or
(d) any
order to pay an administrative fine under Article 26.
(2) Where
the Authority considers that because of the gravity of the matter or other
exceptional circumstances, it would be in the public interest to do so, the
Authority may issue a public statement about any aspect of a matter to which
this Article applies.
(3) Without
limiting the generality of paragraph (2), a public statement may include the
following information –
(a) details
of any personal data breach;
(b) information
describing or identifying any data subject whose personal data is or has been
the subject of a personal data breach;
(c) information
as to the nature and the progress of any complaint, investigation or inquiry;
or
(d) the
outcome of any complaint, investigation or inquiry.
(4) Before
issuing a public statement, the Authority must, where practicable –
(a) consult
any individual whose personal data would be made public by that public
statement, or who is otherwise likely to be identifiable from the statement;
and
(b) give
written notice of the contents of the statement to any controller and any
processor that is likely to be identifiable from the statement.
15 Authority to take steps to develop and facilitate international cooperation
The Authority must so far as practicable take steps to –
(a) develop
international cooperation mechanisms to facilitate the effective enforcement of
legislation for the protection of personal data;
(b) provide
international mutual assistance in the enforcement of legislation for the
protection of personal data, including through notification, complaint
referral, investigative assistance and information exchange, subject to
appropriate safeguards for the protection of personal data and the significant
interests of data subjects;
(c) engage
relevant stakeholders in discussion and activities aimed at furthering international
co-operation in the enforcement of legislation for the protection of personal
data; and
(d) promote
the exchange and documentation of personal data protection legislation and
practice, including on jurisdictional conflicts with third countries.
16 Further provisions as to international co-operation
(1) The
Authority –
(a) is
the designated authority in Jersey for the purposes of Article 13 of the
Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data, which was opened for signature on 28th January 1981;
and
(b) is
to be regarded as the competent supervisory authority for Jersey for any
purposes related to the GDPR.
(2) Regulations
may make provision as to the functions to be performed by the Authority in its role
as that designated or competent authority.
(3) Regulations
may make provision as to co-operation by the Authority with the European
Commission or any other competent supervisory authority in connection with the
performance of their respective duties including –
(a) the
exchange of information with the European Commission or the other supervisory
authority; and
(b) the
exercise within Jersey at the request of a competent supervisory authority of
functions conferred on the Authority by the Regulations.
(4) Regulations
may give effect to –
(a) any
agreement made under Article 15 between the Authority and any other
competent supervisory authority or the European Commission; or
(b) any
of Jersey’s international obligations.
(5) Regulations
may do all or any of the following –
(a) confer
additional powers and functions on the Authority;
(b) regulate
or restrict the functions conferred on the Authority by Article 15; and
(c) create
and impose duties on controllers, processors and recipients of personal data.
(6) The
Authority must also carry out any functions relating to the protection of
individuals with respect to the processing of personal data that the States may
by Regulations direct for the purpose of enabling Jersey to give effect to any
of its international obligations.
(7) Subject
to Schedule 2, any Regulations made under Article 54 of the Data
Protection (Jersey) Law 2005[3] that are in force at the
time of commencement of this Article continue in force as if made under this
Article.
PART 3
REGISTRATION AND CHARGES
17 Registration of controllers and processors
(1) A
controller or processor established in Jersey must not cause or permit personal
data to be processed without being registered as a controller or processor
under this Article.
(2) However,
Regulations may make such exemptions from the requirements to register under
this Article as the States think fit.
(3) An
application for registration made to the Authority must –
(a) include
the fee as specified by the Authority;
(b) be in
a form and manner required by the Authority; and
(c) include
any information required by the Authority.
(4) Upon
receipt of an application made in accordance with paragraph (3), the
Authority must register the applicant as a controller or processor as the case
may be.
(5) The
Authority must –
(a) maintain
a register of controllers for the purposes of this Law; and
(b) publish
any such information as the Minister may by Order prescribe.
(6) A
person who contravenes paragraph (1) is guilty of an offence.
18 Registered controllers and processors to pay prescribed charges
(1) Regulations
may require registered controllers, registered processors or both, to pay a charge
to the Authority in order to pay for the remuneration, salaries, fees,
allowances and other emoluments, costs and expenses of –
(a) the
establishment of the Authority; and
(b) the
Authority’s operations, including the exercise or performance of any
functions of the Authority.
(2) The
Regulations must provide for –
(a) the
amount of the charge, or the basis on which the amount of the charge is to be
calculated or ascertained;
(b) the
periods in respect of which, and the times at which, the charge must be paid,
or a means for ascertaining those periods and times; and
(c) the
manner and form in which the charge must be paid.
(3) The
Regulations may –
(a) impose
duties on the Authority, registered controllers, or registered processors in
connection with the collection or payment of the charge;
(b) confer
powers on the Authority in connection with the collection of the charge; and
(c) exempt
any person from paying the charge.
(4) A
person required by the Regulations to pay a charge must do so in accordance
with the Regulations.
(5) The
Authority may recover any charge due and payable by any person to the Authority
under the Regulations as a debt owed by the person to the Authority.
PART 4
ENFORCEMENT BY AUTHORITY
19 Right to make a complaint
An individual may make a complaint in writing to the Authority in a
form approved by the Authority if –
(a) the
individual considers that a controller or processor has contravened or is
likely to contravene the Data Protection Law; and
(b) the
contravention involves or affects, or is likely to involve or affect, any right
in respect of personal data relating to the individual.
20 Investigation of complaints
(1) Upon
receiving a complaint, the Authority must –
(a) promptly
give the complainant a written acknowledgment of the receipt of the complaint;
and
(b) as
soon as practicable and in any event within 8 weeks of receiving the
complaint, determine in accordance with paragraph (2) whether or not to
investigate it.
(2) The
Authority must investigate the complaint unless –
(a) the
complaint is clearly unfounded;
(b) the
complaint is frivolous, vexatious, unnecessarily repetitive or otherwise
excessive; or
(c) the
Authority determines that it is inappropriate to investigate the complaint,
having regard to any other action taken by the Authority under –
(i) Article 14
or 15, or
(ii) any Regulations
made under Article 16.
(3) Where
a complaint is investigated, the Authority must give the complainant and the
controller or processor concerned –
(a) as
soon as practicable, and in any event within 8 weeks of receiving the
complaint, written notice that the complaint is being investigated; and
(b) at
least once within 12 weeks of the notice under sub-paragraph (a),
written notice of the progress and, if possible, the outcome of the
investigation.
(4) However,
where the Authority considers that giving the notice within the time specified
by paragraph (3) is likely seriously to prejudice the investigation, the
Authority may delay giving the notice, in which case it must give the notice
(including an update as to the progress of and, where applicable the outcome of
the investigation) as soon as it is possible to do so without seriously
prejudicing the investigation.
(5) If
the Authority determines not to investigate a complaint, the Authority must
give the complainant written notice of its determination and the reasons for it
within 8 weeks of receiving the complaint.
(6) A
notice under paragraph (4) must include information as to the complainant’s
right to bring proceedings under Article 31.
21 Inquiries
(1) The
Authority may conduct an inquiry on its own initiative into the application of
the Data Protection Law, including into whether –
(a) a
controller or processor has contravened the Data Protection Law; or
(b) any
intended processing in the context of a controller or processor, or any
intended act or omission of a controller or processor, is likely to contravene
that Law.
(2) An
inquiry may be conducted –
(a) on
the basis of information or a request received from any person or any other
basis;
(b) together
with, or in addition to and separately from, an investigation under Article 20.
(3) Where
the Authority decides to conduct an inquiry into any matter of a kind specified
in paragraph (1)(a) or (b), the Authority must give the controller or
processor concerned –
(a) as
soon as practicable, and in any event within 8 weeks of commencing the
inquiry, written notice of the nature of the inquiry; and
(b) at
least once within 12 weeks of the notice under sub-paragraph (a),
written notice of the progress and, if possible, the outcome of the inquiry.
(4) However,
where the Authority considers that giving the notice within the time specified
by paragraph (3) is likely seriously to prejudice the inquiry, the
Authority may delay giving the notice, in which case it must give the notice
(including an update as to the progress of and, where applicable the outcome of
the inquiry) as soon as it is possible to do so without seriously prejudicing
the inquiry.
(5) Nothing
in this Article limits –
(a) an
individual’s right to make a complaint under Article 19, or
(b) the
duties of the Authority under Article 20.
22 Powers of investigation and inquiry
Schedule 1 has effect in relation to the powers of the
Authority in relation to any investigation or inquiry under this Part.
23 Determinations on completion of investigation
(1) On
completing an investigation, the Authority must determine whether or not –
(a) the
controller or processor concerned has contravened the Data Protection Law; or
(b) any
intended processing in the context of the controller or processor concerned, or
any intended act or omission of the controller or processor concerned is likely
to contravene that Law.
(2) If
the Authority makes a breach determination against a controller or processor,
the Authority must also determine whether or not to impose a sanction under Article 25
on the controller or processor, and if so which one or more than one to impose,
or whether to impose an administrative fine under Article 26.
(3) As
soon as practicable after making a determination under paragraph (1)
or (2), the Authority must give the controller or processor concerned, and
the complainant, written notice of –
(a) the
determination and the reasons for it; and
(b) the
right of appeal under Article 32.
24 Recommendations and determinations on completion of inquiry
(1) On
completing an inquiry, the Authority may do either or both of the following –
(a) make
such recommendation as the Authority thinks fit to the Minister or the States regarding
the operation of this Law or the Data Protection Law; or
(b) make
a determination that –
(i) a controller or
processor has contravened the Data Protection Law, or
(ii) any intended
processing in the context of a controller or processor, or any intended act or
omission of the controller or processor concerned is likely to contravene that
Law.
(2) If
the Authority makes a breach determination against a controller or processor,
the Authority must also determine whether or not to impose a sanction under Article 25
on the controller or processor, and if so which one or more than one to
impose, or whether to impose an administrative fine under Article 26.
(3) As
soon as practicable after making a determination under paragraph (1)(b) or
(2), the Authority must give the controller or processor concerned written
notice of –
(a) the
determination and the reasons for it; and
(b) the
right of appeal under Article 32.
25 Sanctions following breach determination
(1) If
the Authority makes a breach determination against a controller or processor,
the Authority may by written notice to the controller or processor (“the
recipient”) take all or any of the following sanctions against the
recipient –
(a) issue
a reprimand to the recipient;
(b) issue
a warning to the recipient that the intended processing or other act or
omission is likely to contravene the Data Protection Law;
(c) make
an order under paragraph (3).
(2) Paragraph (1)
does not limit the Authority’s power to impose an administrative fine
under Article 26 in the case of a contravention of the Data Protection
Law.
(3) The
Authority may order the recipient to do all or any of the following –
(a) bring
specified processing operations into compliance with the Data Protection Law,
or take any other specified action required to comply with that Law, in a
manner and within a period specified in the order;
(b) notify
a data subject of any personal data breach;
(c) comply
with a request made by the data subject to exercise a data subject right;
(d) rectify
or erase personal data in accordance with Article 31 or 32 of the Data
Protection Law;
(e) restrict
or limit the recipient’s processing operations, which may include –
(i) temporarily
restricting processing operations in accordance with Article 33 of the
Data Protection Law,
(ii) ceasing all
processing operations for a specified period or until a specified action is
taken, or
(iii) suspending any
transfers of personal data to a recipient in any other jurisdiction; and
(f) notify
persons to whom the personal data has been disclosed of the rectification,
erasure or temporary restriction on processing, in accordance with Articles 31
to 33 of the Data Protection Law.
(4) Nothing
in paragraph (3)(d), (e) or (f) limits paragraph (3)(c).
(5) An
order under subsection (3) may, in relation to each requirement in the
order, specify –
(a) the
time at which, or by which, the requirement must be complied with; and
(b) the
period during which the requirement must be complied with (including the
occurrence of any action or event upon which compliance with the requirement
may cease).
(6) The
Authority may revoke or amend an order under paragraph (3) by giving
written notice to the person concerned.
(7) A
recipient in respect of whom an order is made under paragraph (3) must
comply with the order within any time specified for its compliance.
(8) A
person who contravenes paragraph (7) is guilty of an offence.
26 Administrative
fines
(1) Subject
to Article 27 the Authority may order a controller or processor to pay to
the Authority an administrative fine for any of the following –
(a) failure
to make reasonable efforts to verify that a person giving consent to the
processing of the personal data of a child as required by Article 11(4) of
the Data Protection Law is a person duly authorized to give consent to that
processing in accordance with that provision;
(b) breach
of any duty or obligation imposed by Article 7 of, and any provision of Parts 3,
4 or 5 of, the Data Protection Law;
(c) processing
personal data in breach of any other provision of Part 2 or 6 of the Data
Protection Law; or
(d) transfer
of personal data to a person in a third country or international organization
in contravention of Article 66 or 67 of the Data Protection Law.
(2) In
determining whether or not to order a fine and, if ordered, the amount of the
fine, the Authority must have regard to –
(a) the
nature, gravity and duration of the contravention of the Data Protection Law,
taking into account the nature, scope and purpose of the processing concerned
as well as the number of data subjects affected and the level of damage
suffered by them;
(b) whether
the contravention was intentional or negligent;
(c) any
action taken by the person concerned to mitigate the loss, damage or distress suffered
by data subjects;
(d) the
degree of responsibility of the person concerned taking into account technical
and organizational measures implemented by the person concerned for the
purposes of any provision of the Data Protection Law;
(e) any
relevant previous contraventions by the person concerned;
(f) the
degree of cooperation with the Authority, in order to remedy the breaches and
mitigate the possible adverse effects of the contravention;
(g) the
categories of personal data affected by the contravention;
(h) the
manner in which the contravention became known to the Authority, in particular
whether, and if so to what extent, the person concerned notified the contravention
to the Authority;
(i) where
an order under Article 25(3) has previously been made in respect of the
person concerned with regard to the same subject-matter, compliance with any
measures required to be taken by the order;
(j) compliance
or non-compliance with code or evidence of certification in respect of the
processing concerned; and
(k) any
other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits gained, or losses avoided, directly or
indirectly, from the contravention.
(3) In
ordering any fine, the Authority must take into account the need for fines to –
(a) be
effective;
(b) be
proportionate; and
(c) have
a deterrent effect.
(4) An
order imposing a fine –
(a) must
specify the date by which the fine must be paid; and
(b) may
provide for the fine to be paid by instalments of any number and amounts and at
any times specified in the order.
(5) The
Authority may, of its own motion or on the application of the person concerned,
vary –
(a) the
amount of a fine; or
(b) the
number, amounts and times of the instalments by which the fine is to be paid.
(6) The
Authority may publish the name of the person concerned and the amount of the
fine in any manner it considers appropriate.
(7) The
Authority may recover a fine as a debt owed and due to the Authority by the
person concerned.
(8) A
fine imposed on an unincorporated body by an order of the Authority must be
paid from the funds of the body.
(9) Nothing
in this Article authorizes the Authority to order a public authority other than
one falling only within paragraph (k) of the definition of “public
authority” in Article 1(1) of the Data Protection Law to pay a fine.
(10) Any fine
paid to or recovered by the Authority forms part of the annual income of the
States.
(11) In this Article –
“fine” means an administrative fine ordered under paragraph (1);
“person concerned” means the controller or processor
against whom an administrative fine is ordered.
27 Limits
on administrative fines
(1) Subject
to paragraphs (2) and (3) an administrative fine ordered against a person –
(a) for
any matter specified in Article 26(1)(a) and (b), must not exceed
£5,000,000;
(b) for
any matter specified in Article 26(1)(c) or (d), must not exceed
£10,000,000.
(2) An
administrative fine must not exceed £300,000 or 10% of the person’s
total global annual turnover or total gross income in the preceding financial
year, whichever is the higher.
(3) An
administrative fine ordered against any person whose processing of data that
gave rise to the fine was in the public interest and not for profit must not
exceed £10,000.
(4) Where
a person contravenes several provisions of the Data Protection Law in relation
to the same processing operations, or associated or otherwise linked processing
operations, the aggregate of the administrative fines issued against the
controller or processor in respect of those processing operations must not
exceed the limit specified under paragraph (1)(a) or, if applicable to any
such contravention, paragraph (1)(b).
(5) The
Minister may, by Order, amend any monetary amount set out in this Article and Regulations
may amend Article 26 and other provision of this Article.
28 Procedure
to be followed before making breach determination or order under this Part
(1) This
Article applies where the Authority, otherwise than with the agreement of the
person concerned, proposes to make –
(a) a
breach determination;
(b) an
order under Article 25(3); or
(c) an
order for the payment of an administrative fine.
(2) Before
making the determination or order, the Authority must give the person concerned
notice in writing –
(a) stating
that the Authority is proposing to make the determination or order;
(b) stating
the terms of, and the grounds for, the proposed determination or order;
(c) stating
that the person concerned may, within a period of 28 days beginning on the
date of the notice or any longer period that may be specified in the notice,
make written or oral representations to the Authority in respect of the
proposed determination or order in a manner specified in the notice; and
(d) of the right of appeal of the person
concerned under Article 32 if the Authority
were to make the proposed determination or order.
(3) The
Authority must consider any representations made in response to a notice under paragraph (2)
before giving further consideration to the proposed determination or order.
(4) The
Authority may reduce the period of 28 days mentioned in paragraph (2)(c)
where the Authority considers it necessary to do so –
(a) in
the interests of data subjects, or any class or description of data subjects,
or in the public interest; or
(b) where
there are reasonable grounds for suspecting any of the matters mentioned in paragraph (5).
(5) The
matters are –
(a) that,
if that period of notice were given, information relevant to or relating to the
proposed determination or order would be concealed, falsified, tampered with or
destroyed; or
(b) that
the giving of that period of notice is likely seriously to
prejudice –
(i) any criminal,
regulatory or disciplinary investigation, or any prosecution, in Jersey or
elsewhere,
(ii) co-operation or
relations with investigatory, prosecuting, regulatory or disciplinary
authorities, in Jersey or elsewhere, or
(iii) the performance by the
Authority of its functions.
(6) The
Authority may dispense with the procedures in paragraphs (2) and (3)
altogether if it considers that the determination or order needs to be made
immediately or without notice because of the interests or grounds mentioned in paragraph (4).
(7) For
clarity, where a notice under this Article relates to a proposed administrative
fine under Article 26 the notice must state the amount of the proposed
fine.
(8) In
this Article “person concerned” means the controller or processor
against whom the breach determination or order is proposed to be made.
29 Exclusion
of courts and tribunals acting in a judicial capacity
Nothing in this Law authorizes the Authority –
(a) to
investigate, inquire into or determine any matter; or
(b) exercise
any of its other powers,
in relation to processing operations carried out by, or any other
act or omission of, a court or tribunal acting in its judicial capacity.
30 Proceedings
by the Authority
The Authority may bring proceedings before the Royal Court in
respect of any contravention or likely contravention of this Law or the Data
Protection Law and if the court is satisfied that either of those Laws has
been, or will be, contravened it may make such order as it considers
appropriate, including –
(a) an
award of compensation for loss, damage or distress to any person in respect of
the contravention;
(b) an
injunction (including an interim injunction) to restrain any actual or likely
contravention;
(c) a
declaration that the controller or processor, as the case may be, has committed
the contravention or that a particular act, omission or course of conduct on
the part of the controller or processor would result in a contravention; and
(d) requiring
the controller or processor to give effect to any of the rights of data subjects
under Part 6 of the Data Protection Law.
31 Proceedings against
Authority
(1) Proceedings
may be brought in the Royal Court –
(a) by
a complainant where the Authority has omitted to give the complainant a written
acknowledgement of receipt of a complaint, or a notice as to whether or not the
complaint is being investigated in accordance with Article 20;
(b) by
a complainant where the Authority has made a decision not to investigate a
complaint under Article 20(2); and
(c) by
a person affected by a notice, decision or determination given by the Authority
in relation to a complaint under Article 20,
on the grounds that the action or omission by the Authority was
unreasonable in all the circumstances of the case.
(2) The
proceedings must be brought within 28 days of –
(a) in
the case of proceedings under paragraph (1)(a), the end of the 8 week
period mentioned in Article 20(1)(b) or (5); or
(b) in
any other case, the date on which the person receives notice of the relevant
notice, decision or determination from the Authority.
(3) On
receipt of the application the Royal Court may, on such terms as the court
considers just, suspend or modify the effect of the notice, decision or
determination in question pending the outcome of the proceedings.
(4) On
the hearing of the matter the court may –
(a) dismiss
the proceedings on such terms and conditions as it may direct; or
(b) make
such other order as it considers just, including an order –
(i) that
the Authority give the written acknowledgement or notice required,
(ii) annulling
the decision not to investigate the complaint and directing the Authority to
investigate it,
(iii) confirming,
modifying or substituting the notice, decision or determination, or
(iv) remitting
the matter back to the Authority for reconsideration.
(5) In
this Article –
“complainant” means a person who has submitted a
complaint to the Authority under Article 19;
“person affected by a notice, decision or determination”
means –
(a) the
complainant in respect of the complaint giving rise to it; or
(b) a
controller, processor or responsible officer in respect of whom it was made.
32 Rights
of appeal against determinations or orders of the Authority
(1) This
Article applies where the Authority –
(a) makes
a breach determination; or
(b) makes
an order under Article 25(3);
(c) orders
the payment of an administrative fine under Article 26; or
(d) serves
an information notice under paragraph 1 of Schedule 1.
(2) The
controller or processor affected may appeal the determination, order or notice to
the Royal Court in accordance with this Article.
(3) The
appeal may be made on the grounds that in all the circumstances of the case the
decision was not reasonable.
(4) An
appeal must be made within the period of 28 days immediately following the
date on which the person concerned receives written notice of the determination,
order or notice from the Authority.
(5) An
appeal is made by summons served on the Authority stating the grounds and
material facts on which the appellant relies.
(6) On
the application of the appellant, the Royal Court may, on such terms as the
court thinks just, suspend or modify the effect of the determination or order
appealed against pending the determination of the appeal.
(7) Upon
determining an appeal under this Article, the Court may –
(a) confirm
the determination, order or notice, with or without modification; or
(b) annul
the determination, order or notice and remit the matter back to the Authority
for reconsideration, in addition to making any order it considers just.
33 General
provisions relating to offences
(1) A person guilty of an offence under this Law
is liable to a fine.
(2) Where an offence under this Law, or under
Regulations made under this Law, committed by a limited liability partnership
or body corporate or unincorporated body is proved to have been committed with
the consent or connivance of, or to be attributable to any neglect on the part
of –
(a) a person who is a partner of the limited
liability partnership, or director, manager, secretary or other similar officer
of the body corporate;
(b) in the case of any other partnership, any
partner;
(c) in the case of any other unincorporated
body, any officer of that body who is bound to fulfil any duty of which the
offence is a breach or, if there is no such officer, any member of the
committee or other similar governing body; or
(d) any person purporting to act in any capacity
described in sub-paragraph (a), (b) or (c),
the person is also guilty
of the offence and liable in the same manner as the partnership or body
corporate to the penalty provided for that offence.
(3) If the affairs of a body corporate are
managed by its members, paragraph (2) applies in relation to acts and
defaults of a member in connection with the member’s functions of
management as if the member were a director of the body corporate.
(4) Where an offence under this Law is alleged
to have been committed by an unincorporated body, proceedings for the offence
must, without limiting paragraph (2), be brought in the name of the body
and not in the name of any of its members.
(5) A fine imposed on an unincorporated body on
its conviction for an offence under this Law must be paid from the funds of the
body.
(6) A person who aids, abets, counsels or
procures the commission of an offence under this Law is also guilty of the
offence and liable in the same manner as a principal offender to the penalty
provided for that offence.
34 Proceedings
concerning unincorporated bodies.
Subject to Article 33,
where a breach is alleged to have been committed by an unincorporated body, any
complaint, investigation, action, order or notice, or other proceedings, for or
otherwise in relation to the breach must be brought, issued or (as the case may
be) served in the name of the body and not in the name of any of its members.
35 Rules of Court
(1) The
power to make Rules of Court under Article 13 of the Royal Court (Jersey)
Law 1948[4] includes the power to make Rules
regulating the practice and procedure on any matter relating to the Royal Court
under this Law.
(2) The
Rules may, in particular, make provision for –
(a) enabling
directions to be given to withhold material or restrict disclosure of any
information relevant to proceedings under this Law from any party (including
any representative of any party) to the proceedings; and
(b) enabling
the court to conduct such proceedings in the absence of any person, including a
party to the proceedings (or any representative of a party to the proceedings).
(3) In
making the Rules, regard must be had to –
(a) the
need to secure that the decisions that are the subject of such proceedings are
properly reviewed; and
(b) the
need to secure that disclosures of information are not made where they would be
contrary to the public interest.
36 Service of
notices etc.
(1) A
notice required by this Law to be given to the Authority is not regarded as
given until it is in fact received by the Authority.
(2) A
notice or other document required or authorized under this Law or under
Regulations made under this Law to be given to the Authority may be given by electronic
or any other means by which the Authority may obtain or recreate the notice or
document in a form legible to the naked eye.
(3) Any
notice, direction or other document required or authorized by or under this Law
to be given to or served on any person other than the Authority may be given or
served –
(a) by
delivering it to the person;
(b) by
leaving it at the person’s proper address;
(c) by
sending it by post to the person at that address; or
(d) by
sending it to the person at that address by electronic or any other means by
which the notice, direction or document may be obtained or recreated in a form
legible to the naked eye.
(4) Without
limiting the generality of paragraph (3), any such notice, direction or
other document may be given to or served on a partnership, company incorporated
outside Jersey or unincorporated association by being given to or served –
(a) in
any case, on a person who is, or purports (under whatever description) to act
as, its secretary, clerk or other similar officer;
(b) in
the case of a partnership, on the person having the control or management of
the partnership business;
(c) in
the case of a partnership or company incorporated outside Jersey, on a person
who is a principal person in relation to it (within the meaning of the Financial Services (Jersey) Law 1998[5]); or
(d) by
being delivered to the registered or administrative office of a person referred
to in sub-paragraph (a), (b) or (c) if the person is a body corporate.
(5) For
the purposes of this Article and of Article 7 of the Interpretation (Jersey) Law 1954[6], the proper address of any
person to or on whom a notice, direction or other document is to be given or
served by post is the person’s last known address, except that –
(a) in
the case of a company (or person referred to in paragraph (4) in relation
to a company incorporated outside Jersey), it is the address of the registered
or principal office of the company in Jersey; and
(b) in
the case of a partnership (or person referred to in paragraph (4) in
relation to a partnership), it is the address of the principal office of the
partnership in Jersey.
(6) If
the person to or on whom any notice, direction or other document referred to in
paragraph (3) is to be given or served has notified the Authority of an
address within Jersey, other than the person’s proper address within the
meaning of paragraph (5), as the one at which the person or someone on the
person’s behalf will accept documents of the same description as that
notice, direction or other document, that address is also treated for the
purposes of this Article and Article 7 of the Interpretation (Jersey) Law 1954 as
the person’s proper address.
(7) If
the name or the address of any owner, lessee or occupier of premises on whom
any notice, direction or other document referred to in paragraph (3) is to
be served cannot after reasonable enquiry be ascertained it may be served by –
(a) addressing
it to the person on whom it is to be served by the description of
“owner”, “lessee” or “occupier” of the
premises;
(b) specifying
the premises on it; and
(c) delivering
it to some responsible person resident or appearing to be resident on the
premises or, if there is no person to whom it can be delivered, by affixing it,
or a copy of it, to some conspicuous part of the premises.
part 5
administrative provisions
37 Guidance of
Minister
(1) The Minister may, if he or she considers
that it is desirable in the public interest to do so, and having consulted the
Authority, give to the Authority written guidance or general written directions
on matters relating to corporate governance.
(2) The guidance relates to the system and
arrangements by or under which the Authority is directed and controlled and may
relate to –
(a) accountability, efficiency and economy of
operation of the office of the Authority, but not to matters relating directly
to the Authority’s regulatory functions;
(b) conflicts of interest, the accounts of the
Authority and their audit, borrowing by the Authority and the investment of the
funds of the Authority.
(3) The Authority must have regard to any
guidance and must act in accordance with any directions addressed to the
Authority under this Article.
38 Fees and charges
The Authority may charge, retain and apply in the performance of the
Authority’s functions –
(a) fees
and charges (other than administrative fines) of such amounts, paid by such
persons and paid in such manner, as may be –
(i) prescribed
by Order of the Minister, the Minister having consulted the Authority, or
(ii) payable
in accordance with this Law or any other enactment; and
(b) such
fees and charges (not inconsistent with this or any other
enactment) –
(i) of
such amounts, paid by such persons and paid in such manner, as may be decided
by the Authority in respect of any service, item or matter, that does not arise
under this or any other enactment, and
(ii) as
may be agreed between the Authority and any person for whom the Authority provides
advice, assistance or other services under this or any other enactment, in
respect of the advice, assistance or other matters.
39 Grants
to Authority
(1) In
respect of each financial year, the States may make a grant to the Authority
from their annual income towards the Authority’s expenses in performing
any of its functions.
(2) The
amount of any grant referred to in paragraph (1) is determined by the
Minister for Treasury and Resources on the recommendation of the Minister made
after consultation with the Authority.
(3) In
making that recommendation, the Minister must have regard to the actual
financial position and the projected financial position of the Authority.
(4) In
determining the amount of grant, the Minister for Treasury and Resources must
have regard to the actual financial position and the projected financial
position of the Authority.
40 Consent to
borrowing
(1) The
Authority must not borrow money without the consent of the Minister.
(2) The
Minister for Treasury and Resources may, on such terms as he or she may
determine, on behalf of the States –
(a) guarantee
the liabilities of the Authority; or
(b) lend
money to the Authority.
(3) The
Minister for Treasury and Resources may act under paragraph (2) only on
the recommendation of the Minister.
41 Guidelines
on investment
In investing any funds
belonging to the Authority, the Authority must comply with any guidelines
specified by the Minister.
42 Exemption from
income tax
The income of the Authority is not liable to income tax under the Income Tax (Jersey) Law 1961[7].
43 Accounts and
audit
(1) The
Authority must –
(a) keep
proper accounts and proper records in relation to the accounts; and
(b) prepare
accounts in respect of each financial year; and
(c) after
the accounts have been audited in accordance with paragraph (3), provide
them to the Minister as soon as practicable after the end of the financial year
to which they relate, but in any event within 4 months of the end of that
year.
(2) The
Minister must lay a copy of the accounts so provided before the States as soon
as practicable after the Minister receives the report.
(3) The
accounts of the Authority must –
(a) be
audited by auditors appointed in respect of each financial year by the
Comptroller and Auditor General (as defined by the Comptroller and Auditor
General (Jersey) Law 2014[8]); and
(b) be
prepared in accordance with generally accepted accounting principles and show a
true and fair view of the profit or loss of the Authority for the period to
which they relate and of the state of the Authority’s affairs at the end
of the period.
44 Annual
reports
(1) The
Authority must prepare a report on its activities in each financial year.
(2) The
Authority must provide the Minister with the report as soon as practicable
after the end of the financial year to which the report relates, but in any
case within 4 months of the end of that year.
(3) The
Authority may also provide the Minister with other reports relating to the
Authority’s functions or activities.
(4) The
Minister must lay a copy of any report provided to the Minister under this
Article before the States as soon as practicable after receiving the report.
45 Limitation of
liability
(1) A
person or body to whom this Article applies is not liable in damages for
anything done or omitted in the performance or purported performance of any
functions of the Authority conferred by or under this Law or the Data
Protection Law, or any other functions conferred by or under either of those
Laws, unless it is shown that the act or omission was in bad faith.
(2) This
Article applies to the following –
(a) the
States;
(b) the
Minister;
(c) the
Authority or any person who is, or is acting as, an officer, employee or agent
of the Authority, or performing any function on behalf of the Authority.
(3) This
Article does not prevent an award of damages in respect of the act or omission
on the ground that it was unlawful as a result of Article 7(1) of the
Human Rights (Jersey) Law 2000[9].
part 6
closing provisions
46 Regulations
and Orders
(1) The States may by Regulations and the
Minister may by Order make provision for the purpose of carrying this Law into
effect and, including for or with respect to any matter that may be prescribed
under this Law by Regulations or Orders as the case may be.
(2) Regulations and Orders made under this Law
may contain such transitional, consequential, incidental or supplementary
provisions as appear to the States to be necessary or expedient for the
purposes of the Regulations or Order.
47 Transitional
provisions
Schedule 2 has effect.
48 Consequential
amendments
Schedule 3 has effect.
49 Citation
and commencement
This Law may be cited as the Data Protection Authority (Jersey) Law 2018
and comes into force on 25th May 2018.
L.-M. HART
Deputy Greffier of the States
SCHEDULE 1
(Article 22)
POWERS OF INVESTIGATION AND INQUIRY
1 Power
to issue information notice
(1) The
Authority may require any controller or processor to give the Authority any
information that the Authority considers necessary for a purpose specified in
sub-paragraph (2) by issuing the controller or processor (“the
recipient”) a notice (an “information notice”).
(2) The
purposes referred to in sub-paragraph (1) are –
(a) to
determine whether or not to investigate a complaint;
(b) to
determine whether or not to conduct an inquiry;
(c) for
the purpose of an investigation or inquiry;
(d) to
make a determination or an order, or take any other action, under any provision
of Part 4; or
(e) to
determine whether or not to exercise any other power conferred on the Authority
by this Law.
(3) An information
notice must include –
(a) a
statement of the purpose in sub-paragraph (2) for which the notice is
issued;
(b) a
description of the information required by the Authority;
(c) a
statement of the Authority’s reasons for requiring that information; and
(d) a
statement of the form and manner in which, and the period within which (“compliance
period”), the recipient must give the information to the Authority.
(4) A compliance
period must not be shorter than 28 days beginning on the date on which the
notice was issued.
(5) Despite
sub-paragraph (4), the Authority may specify a compliance period shorter
than 28 days but not shorter than 7 days beginning on the date on which
the notice was issued, but in this case the Authority must include in the
information notice a statement of its reasons for specifying that shorter
period.
(6) A recipient
of an information notice must comply with the notice.
(7) A recipient
is not required by virtue of this paragraph to furnish the Authority with any
information in respect of –
(a) any
communication between a professional legal adviser and a client in connection
with the giving of legal advice to the client with respect to the latter’s
obligations, liabilities or rights under this Law or the Data Protection Law;
or
(b) any
communication between a professional legal adviser and a client, or between
such an adviser or client and any other person, made in connection with or in
contemplation of proceedings under or arising out of this Law or the Data
Protection Law and for the purposes of such proceedings.
(8) In sub-paragraph (7),
references to a client of a professional legal adviser include references to
any person representing such a client.
(9) A recipient
is not required by virtue of this paragraph to furnish the Authority with any
information if to do so would, by revealing evidence of the commission of any
offence other than an offence under this Law, expose the recipient to proceedings
for that offence.
(10) The Authority
may cancel an information notice by written notice served on the person on whom
the information notice was served.
2 General
power of entry, search, etc.
(1) This
paragraph applies to any premises (“searchable premises”) if an
authorized officer believes on reasonable grounds that –
(a) those
premises are occupied by a registered controller or registered processor;
(b) personal
data is processed in the context of a controller or processor occupying or
operating at or from those premises, whether directly or by the use of agents;
(c) personal
data is processed at or on those premises;
(d) any
equipment, device or other thing used to process personal data (“processing
equipment”) is kept at or on those premises;
(e) any
information relating to the processing of personal data was or is present on
those premises;
(f) a
contravention of the Data Protection Law was or is being committed on or in
relation to those premises; or
(g) an
offence under the Data Protection Law was or is being committed on or in
relation to those premises.
(2) Subject
to paragraph 4, an authorized officer may during normal working hours
exercise any power specified in sub-paragraph (3) or (4) on or in relation
to any searchable premises, for any of the following purposes –
(a) establishing
whether a controller or processor contravened or is contravening this Law or
the Data Protection Law;
(b) establishing
whether any person has committed or is committing an offence under this Law or the
Data Protection Law;
(c) conducting
an investigation or inquiry, or exercising or performing any other function of
the Authority under this Law or the Data Protection Law;
(d) securing
anything which the authorized officer has reason to believe may be required –
(i) for the effective
conduct of any investigation or inquiry, or
(ii) as evidence in
any proceedings for an offence under this Law or the Data Protection Law.
(3) Sub-paragraph (2)
refers to the following powers –
(a) with
the assistance of a police officer, stop a person, vehicle, vessel or
container;
(b) enter
any searchable premises;
(c) search
the premises and examine, test or inspect anything at the premises and open it
(or break it open);
(d) photograph,
film or otherwise record anything at the premises;
(e) require
the production of any equipment, device or other thing used to process personal
data or otherwise used by a controller or processor;
(f) take
copies of or extracts from any information (including, in the case of
information in a non-legible form, a copy of or an extract from that
information in a legible form);
(g) if
anything at the premises cannot be conveniently removed, secure it against
interference;
(h) seize
any equipment, device or other thing, which is at the premises and detain it
for as long as the authorized officer considers necessary;
(i) require
any person to give the authorized officer any information, including (but without
limiting the generality of this paragraph) –
(i) information
regarding the ownership, identity or origin of, or any other information
regarding any equipment, device or other thing,
(ii) any information
regarding the premises, or
(iii) the name and address of
any controller, processor or other person involved in the processing of
personal data; and
(j) require any person to afford the authorized
officer any other facilities or assistance that the officer considers
necessary or expedient, including in relation to any documents or other
information provided to the officer.
(4) Without limiting the generality of sub-paragraph (3),
sub-paragraph (2) also refers to the following powers –
(a) power
to inspect any records (in whatever form they are held) relating to the business
of a controller or processor; and
(b) where
any such records are stored in electronic form, power to –
(i) inspect and check
the operation of any equipment, device or other thing which is or has been in
use in connection with those records,
(ii) require any
person having charge of, or otherwise concerned with the operation of, the
equipment, device, or other thing to afford the authorized officer such
assistance as the officer may reasonably require, or
(iii) require the records to
be produced in a form in which they may be taken away.
(5) Neither sub-paragraph (3)
nor sub-paragraph (4) applies to, or in relation to, any items for which any rule of privilege may be claimed.
3 Safeguards for general powers of entry, search, etc.
(1) An authorized officer
entering any premises under paragraph 2 must, if the owner or occupier of those premises is present –
(a) identify
himself or herself to the owner or occupier; and
(b) produce
to the owner or occupier documentary evidence that the officer is an authorized
officer.
(2) If
the owner or occupier of those premises is not present at the time the authorized
officer leaves those premises, the authorized officer –
(a) must
leave the premises as effectively secured against trespassers as that authorized
officer found them; and
(b) must
leave in a prominent place on those premises written notice that those premises
have been entered and searched under paragraph 2, including that authorized
officer's name, an address at which that authorized officer may be contacted
and a copy of the documentary evidence referred to in sub-paragraph (1)(b).
(3) An
authorized officer who seizes anything under paragraph 2(3)(h) must leave
with the owner or occupier of the premises (if present) or leave on the
premises (if the owner or occupier is not present) a statement stating –
(a) particulars
of what has been seized; and
(b) that
the authorized officer has seized it.
4 Entry to dwellings restricted.
An authorized officer must not enter a dwelling under paragraph 2,
except –
(a) with
the consent of the owner or occupier of those premises;
(b) by
giving the owner or occupier of those premises at least 7 days’ prior
written notice of the entry; or
(c) under
and in accordance with a warrant issued under paragraph 5.
5 Warrants for entry, etc.
(1) If
the Bailiff or a Jurat is satisfied by information on oath supplied by the Authority
that there are reasonable grounds for suspecting –
(a) that
a controller has contravened or is contravening any of the data protection
principles; or
(b) that
an offence under this Law or the Data Protection Law has been or is being
committed,
and that evidence of the contravention or of the commission of the
offence is to be found on any premises specified in the information, the
Bailiff or Jurat may issue a warrant to the Authority.
(2) A
warrant may permit an authorized officer at any time within 7 days of the
date of the warrant to enter the premises, to search them, to inspect, examine,
operate and test any equipment found there which is used or intended to be used
for the processing of personal data and to inspect and seize any documents or
other material found there which may be such evidence as is mentioned in sub-paragraph (1).
(3) The
Bailiff or a Jurat must not issue a warrant unless satisfied –
(a) that
the Authority has given 7 days’ notice in writing to the occupier of
the premises in question demanding access to the premises;
(b) that
either access was demanded at a reasonable hour and was unreasonably refused or
although entry to the premises was granted, the occupier unreasonably refused
to comply with a request by the Authority to permit the authorized officer to
do any of the things referred to in sub-paragraph (2); and
(c) that
the occupier has, after the refusal, been notified by the Authority of the
application for the warrant and has had an opportunity of being heard by the
Bailiff or Jurat on the question whether or not it should be issued.
(4) Sub-paragraph (3)
does apply if the Bailiff or Jurat is satisfied that the case is one of urgency
or that compliance with that sub-paragraph would defeat the object of the
entry.
(5) A
person executing a warrant issued under this paragraph –
(a) may
use such reasonable force as may be necessary;
(b) may
be accompanied by a police officer during its execution.
(6) A
warrant must be executed at a reasonable hour unless it appears to the person
executing it that there are grounds for suspecting that the evidence in
question would not be found if it were so executed.
(7) If
the person who occupies the premises in respect of which a warrant is issued –
(a) is
present when the warrant is executed, the person executing it must show the
warrant to that person and supply him or her with a copy of it;
(b) is
not present, the person executing it must leave a copy of it in a prominent
place on the premises.
(8) A
person seizing anything under a warrant must give a receipt for it to the
person in occupation of the premises.
(9) Anything
so seized may be retained for so long as is necessary for the purpose of the
investigation or inquiry, or any subsequent proceedings (whether civil or
criminal).
(10) Unless
the Royal Court orders otherwise, any property seized must be returned to its
owner as soon as practicable after the completion of the investigation, inquiry
or proceedings, and proceedings are taken to be completed when either any
appeal has been concluded or, if no appeal is made, the time limit for
appealing has expired.
6 Exemptions from powers conferred by warrant
(1) The
powers of inspection and seizure conferred by a warrant are not exercisable in
respect of –
(a) any
communication between a professional legal adviser and the adviser’s
client in connection with the giving of legal advice to the client with respect
to the client’s obligations, liabilities or rights under this Law or the
Data Protection Law; or
(b) any
communication between a professional legal adviser and the adviser’s
client, or between such an adviser or such a client and any other person, made
in connection with or in contemplation of proceedings under or arising out of
this Law and for the purposes of such proceedings.
(2) Sub-paragraph (1)
applies also to –
(a) a
copy or other record of any such communication; and
(b) any
document or article enclosed with or referred to in any such communication if
made in connection with the giving of any advice or, as the case may be, in
connection with or in contemplation of and for the purposes of such
proceedings.
(3) This
paragraph does not apply to anything in the possession of any person other than
the professional legal adviser or the client or to anything held with the
intention of furthering a criminal purpose.
(4) In
this paragraph references to the client of a professional legal adviser include
references to any person representing such a client.
(5) If
the person in occupation of premises in respect of which a warrant is issued
objects to the inspection or seizure under the warrant of material on the
grounds that it consists partly of matters in respect of which those powers are
not exercisable, the person must, if the person executing the warrant so
requests, furnish the latter with a copy of so much of the material as is not
exempt from those powers.
7 Power to conduct or require data protection audits
(1) The
Authority may –
(a) conduct
a data protection audit of any part of the operations of the controller or
processor; or
(b) require
the controller or processor to appoint a person approved by the Authority to –
(i) conduct a data
protection audit of any part of the operations of the controller or processor,
and
(ii) report the
findings of the audit to the Authority.
(2) The
Authority must specify the terms of reference of any audit carried out under
sub-paragraph (1).
(3) The
controller or processor concerned must pay for an audit required under sub-paragraph (1)(b).
SCHEDULE 2
(Article 47)
transitional provisions
1 Interpretation
In this Schedule “2005 Law” means the Data Protection (Jersey) Law 2005[10].
2 Registration
(1) A controller
who, immediately before the commencement of this Law, was registered as a data
controller under Part 3 of the 2005 Law, and any processor, is exempt
from the requirement to register under Part 3 of this Law until the end of
the registration period.
(2) Any
notification by a data controller of wish to be included in the register under Article 18
of the 2005 Law that did not result in an entry in the register under Article 19
of that Law before the commencement of this Law, shall be determined as if it
were an application made under Article 17 of this Law.
(3) In
respect of each controller who is exempt from registration under Article 17
of this Law for the duration of the registration period by virtue of paragraph (1),
the Authority must nevertheless register the controller under Article 17(4)
and include in the register maintained under paragraph (5) of that Article
the particulars that, immediately before the commencement of this Law, were
included (or treated as included) in respect of that controller maintained
under Article 19 of the 2005 Law.
(4) The
Minister may by Order make further provision modifying Article 17 of this
Law in its application to any person, including any controller mentioned in
sub-paragraph (3).
(5) In
this paragraph “registration period” means –
(a) in
the case of a controller, the period at the end of which, if Article 19 of
the 2005 Law had remained in force, the controller’s entry would
have fallen to be removed unless renewed; and
(b) in
the case of a processor, a period of 26 weeks from the day on which this
Law comes into force.
3 Enforcement notices served under 2005 Law
(1) If,
immediately before the commencement of this Law an enforcement notice is served
under Article 40 of the 2005 Law, that notice has effect, after
commencement, as if it were an order made under Article 25(3) of this Law.
(2) The
Authority may make an order under Article 25(3) or Article 26(1) of
this Law on or after the day on which that Article comes into force if the
Commissioner has reasonable grounds for suspecting that, before that day, a
data controller contravened the data protection principles within the meaning
of the 2005 Law by reason of any act or omission that would also have
constituted a contravention of the data protection principles set out in Article 8
of the Data Protection Law if they had applied when the act or omission
occurred.
4 Requests for assessment under Article 42 of 2005 Law
Any request for assessment under Article 42 of the 2005 Law
that the Commissioner has not dealt with before the commencement of this Law
has effect as if it were a complaint under Article 19 of this Law.
SCHEDULE 3
(Article 48)
consequential amendments
1 Corruption (Jersey) Law 2006
For Article 4(1)(s) of the Corruption (Jersey) Law 2006[11] there is substituted the
following sub-paragraph –
“(s) any member of the Data
Protection Authority constituted under Article 3(1) of the Data Protection
Authority (Jersey) Law 2018[12];”.
2 Register of Names and Addresses (Jersey) Law 2012
In Article 7(9) of the Register of Names and Addresses (Jersey)
Law 2012[13] for the words “Data
Protection Commissioner under the Data Protection (Jersey) Law 2005”
there are substituted the words “Data Protection Authority under the Data
Protection Authority (Jersey) Law 2018[14]”.
3 Data Protection (International Co-operation) (Jersey) Regulations 2005
(1) The
Data Protection (International Co-operation) (Jersey) Regulations 2005[15] are amended as follows.
(2) For
the word “Commissioner” wherever occurring there is substituted the
word “Authority”.
(3) In Regulation 1(1)
for the words “Data Protection (Jersey) Law 2005” there are
substituted the words “Data Protection (Jersey) Law 2018[16]”.
(4) In Regulation 3 –
(a) in paragraph (3)(a)
for the words “Article 7” there are substituted the words
“Article 28”;
(b) in paragraph (4)(a)
for the words “Part 2” there are substituted the words
“Part 6”;
(c) in paragraph (4)(b)
for the words “Article 42 of the Law” there are substituted
the words “Article 21 of the Authority Law”;
(d) in paragraph (5)
for the words “prescribed for the purposes of Article 19(7)”
there are substituted the words “specified for the purposes of Article 17(3)(a)
of the Authority Law”.
4 Employment of States of Jersey Employees (Jersey) Law 2005
In Schedule 1 to the Employment of States of Jersey Employees
(Jersey) Law 2005[17] for the words “Data
Protection Commissioner” there are substituted the words
“Information Commissioner”.
5 Public Employees (Pensions) (Jersey) Law 2014
For Article 1(2)(b) of the Public Employees (Pensions) (Jersey)
Law 2014[18] there is substituted the
following sub-paragraph –
“(b) the holder of the office of Information
Commissioner (within the meaning of Article 5 of the Data Protection Authority
(Jersey) Law 2018[19]);”.
6 Freedom of Information (Jersey) Law 2011
In Article 1 of the Freedom of Information (Jersey) Law 2011[20] for the definition
“Information Commissioner” there is substituted the following
definition –
“ ‘Information
Commissioner’ means the person appointed as such under Article 5(1)
of the Data Protection Authority (Jersey) Law 2018[21]”.
7 Public Employees (Retirement) (Jersey) Law 1967
For Article 1(2)(aa) of the Public Employees (Retirement)
(Jersey) Law 1967[22] there is substituted the
following sub-paragraph –
“(aa) the holder of the office of Information
Commissioner (within the meaning of Article 5 of the Data Protection Authority
(Jersey) Law 2018[23]);”.
8 Public Finances (Jersey) Law 2005
In Schedule 1 to the Public Finances (Jersey) Law 2005[24] for the words “Data
Protection Commissioner” there are substituted the words “Data
Protection Authority”.