Transitional Relief. The Data Protection (Bailiwick of Guernsey) Law, 2017 came into force on 25 May 2018. You can find a copy of the Law here.


The Data Protection (Bailiwick of Guernsey) Law, 2017 ("the Law")

Transitional Relief

The Data Protection (Bailiwick of Guernsey) Law, 2017 came into force on 25 May 2018. You can find a copy of the Law here. It replaced the Data Protection (Bailiwick of Guernsey) Law, 2001 (the 2001 Law).

The Data Protection (Commencement, Amendment and Transitional) (Bailiwick of Guernsey) Ordinance, 2018 provides for certain transitional provisions. You can find a copy of the Ordinance here. In practical terms, this means that a number of the new requirements will not come into force until 25 May 2019. This will allow controllers and processors time to prepare fully for the changes ahead whilst also giving the regulatory office time to publish and disseminate guidance to support controllers and processors.

Details of the key elements of these transitional provisions are set out below. This serves as a guidance note and is not legal advice. For full details of transitional arrangements please refer to the Ordinance itself.

June 2018

Key Definitions

"pre-collected personal data" means any personal data processed in the context of a controller, where the personal data was collected before the commencement date by the controller, or a processor acting on the controller's behalf, or otherwise for the purposes of the processing.

You already have the personal data and it was collected prior to 25 May 2018.

(1) For the purposes of sections 3 to 7, processing of personal data ("the processing concerned") is continued processing in the context of a controller or processor where processing of the same kind as the processing concerned was carried out on the personal data in the context of the controller or processor concerned lawfully, in relation to the former Law, before the commencement date, and is continued in the context of the controller or processor concerned after the Law comes into force.

(2) Whether any processing carried out in the context of a controller or processor before the commencement date ("the previous processing") is of the same kind as the processing concerned must be determined having regard to the nature, scope, context and purpose of the previous processing in comparison to the processing concerned, including whether or not the processing concerned involves the use or application of a technology, mechanism or procedure that was neither used nor applied in the previous processing.

You have the personal data and are processing it under the 2001 Law and will continue to process it for the same purposes after 25 May 2018.

transitional date is 25 May 2019
commencement date is 25 May 2018

Controller to provide information to data subjects (notification duty)

Regulation 2 Transitional exemption from duty to notify pre-collected personal data

(1) Until the transitional date and subject to paragraph (2), a controller is not required to comply with a notification duty in relation to the processing of pre-collected personal data in the context of the controller.

(2) On request by a data subject, a controller exempt from a notification duty by reason only of subsection (1) must give the data subject any information that the notification duty would otherwise have required the controller to give to the data subject, or otherwise publish in relation to the pre-collected personal data relating to the data subject.

(3) In this section "notification duty" means any duty imposed on a controller by
(a) section 12(2), (3) or (3A) of the Law,
(b) section 13(1), (2) or (2A) of the Law,
(c) section 17(3) of the Law,
(d) section 18(3) of the Law, or
(e) section 12(2) or (3) of the Law Enforcement Ordinance,
and "pre-collected personal data" means any personal data processed in the context of a controller, where the personal data was collected before the commencement date by the controller, or a processor acting on the controller's behalf, or otherwise for the purposes of the processing.

The Law requires controllers to provide certain information to data subjects (notification duty) when data are collected (see sections 12 & 13). You can find a link to further details about this requirement here. The 2001 Law contained similar requirements but the new standards require more comprehensive information to be given.

If, as a controller, you have collected personal data before 25 May 2018, this new requirement will not apply until 25 May 2019. However, if a data subject requests the information from you, it must be provided.

Duties of joint controllers (joint controller duty)

Regulation 3 Transitional exemption from duties of joint controllers in relation to continued processing

(1) Until the transitional date, a controller is not required to comply with a joint controller duty in relation to continued processing of personal data in the context of the joint controllers concerned.

(2) In subsection (1), "joint controller duty" means the duty imposed on joint controllers by section 33(1) or (3) of the Law, or section 28(1) of the Law Enforcement Ordinance.

The Law places new obligations where there are two or more controllers (joint controllers) (see section 33 of the Law). Briefly, these require greater detail and clarity around respective responsibilities for compliance and a duty to notify data subjects of agreements.

If the processing you are doing is continued processing, this new joint controller duty will not come into force until 25 May 2019. For new processing you will be required to comply in full.

Requirement to carry out impact assessment (impact assessment duty)

Regulation 4 Transitional exemption from impact assessment duties in relation to continued processing

(1) Until the transitional date, a controller is not required to comply with an impact assessment duty in relation to continued processing of personal data in the context of the controller.

(2) In subsection (1), "an impact assessment duty" means any duty imposed on a controller to carry out, review or revise an assessment under section 44(1) or (5) of the Law or section 36(1) of the Law Enforcement Ordinance, or to consult the Authority under section 45(2) of the Law or section 37(2) of the Law Enforcement Ordinance.

The Law requires controllers processing special category data to carry out a data protection impact assessment before commencing any processing (see sections 44 & 45 of the Law). Briefly, this requires controllers to carry out an assessment of the impact of any high-risk processing prior to processing. This is to ensure that risks are identified, mitigated and documented appropriately.

If the processing you are doing is continued processing, this new impact assessment duty will not come into force until 25 May 2019. For new processing you will be required to comply in full.

Controller and processor duties (processor-use duty)

Regulation 5 Transitional exemption from processor-use duties in relation to continued processing

(1) Until the transitional date, a controller is not required to comply with a processor use duty where the controller causes or permits a processor to carry out processing of personal data in the context of that controller, and the processing is continued processing in the context of both the controller and the processor concerned.

(2) In subsection (1), "processor use duty" means any duty imposed on a controller by section 34(1) of the Law, or section 29(1) of the Law Enforcement Ordinance.

The Law places new obligations on controllers where they use a processor for the processing of personal data (see section 34 of the Law). Briefly, this sets out new conditions which must be met where a controller uses the services of a processor. Specifically, processors will be required to provide comprehensive guarantees to ensure compliance and there must be a legally binding written agreement in place setting out certain specified details.

If the processing you are doing is continued processing, this new processor use duty will not come into force until 25 May 2019. For new processing you will be required to comply in full.

Controller and processor duties (duty to establish measures)

Regulation 6 Transitional exemption from processor's duty to establish measures in relation to continued processing

(1) Until the transitional date, a processor is not required to comply with a duty to establish measures in respect of the controller, in relation to continued processing of personal data in the context of both the processor and that controller.

(2) In subsection (1), "duty to establish measures" means any duty imposed on a processor by
(a) section 35(1)(e) of the Law,
(b) section 36(3) of the Law, to the extent that it imposes a duty on the processor under section 35(1)(e) of the Law, or
(c) section 30(1)(e) of the Law Enforcement Ordinance.

The Law places new obligations on processors to assist controllers with their duties (see sections 35 & 36 of the Law). Briefly, this requires processors to put in place appropriate measures to help the controller to comply with their obligations relating to data subject rights (Part III of the Law).

If the processing you are doing is continued processing, this new duty to establish measures will not come into force until 25 May 2019. For new processing you will be required to comply in full.

Controller and processor duties (duty to obtain authorisation)

Regulation 7 Transitional exemption from processor's duty to obtain controller authorisation for secondary processors

(1) Until the transitional date, a processor is not required to comply with a duty to obtain authorisation from the controller in relation to a secondary processor where the processor is carrying out continued processing of personal data in the context of both the processor and that controller, and the processor had, before the commencement date, engaged the secondary processor concerned to process that personal data.

(2) In subsection (1) "duty to obtain authorisation" means any duty imposed on a processor by section 36(1) of the Law, or section 31(1) of the Law Enforcement Ordinance.

The Law places new obligations on processors if they propose engaging with another processor ("secondary processor") (see section 36 of the Law). Briefly, this requires processors intending to engage the services of a secondary processor to ensure the relevant controller has given specific or general authorisation for such engagement.

If the processing you are doing is continued processing, this new duty to obtain authorisation will not come into force until 25 May 2019. For new processing you will be required to comply in full.

Processing by public authorities based on legitimate interests

Regulation 8 Transitional provision for processing by public authorities based on legitimate interest

(1) Until the transitional date, paragraph 4 of Schedule 2 to the Law has effect as if a full stop were substituted for the comma after "party", and the words "except where the processing is in the context of the exercise or performance by a public authority of a function or task described in paragraph 5".

The Law does not allow public authorities to rely on condition 4 of Schedule 2, Part II of the Law (conditions for processing to be lawful). If you are a public authority you will have a data protection officer (see section 47 of the Law) and will be able to discuss this further with them.

This restriction will not apply until 25 May 2019.

Data subject right - data portability

Regulation 9 Delayed effect of section 14 (right to data portability) of the Law

(1) Until the transitional date, neither section 14 of the Law nor any corresponding provision has effect.

(2) In subsection (1), "any corresponding provision" means any provision of section 6 of the Law or any other section of the Law, so far as the provision corresponds to a right or duty in section 14 of the Law.

The Law provides for a data subject to have their personal data transmitted from one controller to another (data portability) (see section 14 of the Law).

This new right will not come into force until 25 May 2019 to allow controllers sufficient time to put appropriate mechanisms in place to allow them to comply.

Reporting of data breaches

Regulation 7 Reporting of personal data breaches occurring before commencement

(1) A controller or processor is required to comply with a duty to report a personal data breach regardless whether the breach occurred before or after the Law comes into force.

(2) However, a controller is not required to comply with a duty imposed on the controller to report a personal data breach unless the controller first becomes aware of the personal data breach after the Law comes into force.

(3) In this section, "a duty to report", in relation to a personal data breach, means a duty to give notice of the breach imposed on a controller by any of the following provisions (i) section 42(2) or 43(1) of the Law, or (ii) section 34(2) or 35(1) of the Law Enforcement Ordinance, and imposed on a processor by any of the following provisions (i) section 42(1) of the Law, or (ii) section 34(1) of the Law Enforcement Ordinance.

The Law places obligations on controllers and processors in respect of personal data breaches (see sections 42 & 43 of the Law). This obligation applies regardless of whether the breach occurred before or after 25 May 2018.

If you are a controller, you are required to report a personal data breach only if you first become aware of it after 25 May 2018.

Read the guidance and familiarise yourself with the reporting requirements so you are clear about the actions required in the event of a personal data breach that needs to be reported to the Authority.

Consent

Regulation 10 Validity of consents obtained before commencement

(1) This section applies to consent to the processing of personal data ("pre-commencement consent"), where
(a) the consent was given by the data subject before the commencement date,
(b) the consent had effect as consent for that processing under the former Law immediately before the commencement date,
(c) the consent was not given on the basis of false, deceptive or misleading information or conduct, knowingly or recklessly provided or perpetrated by (i) the controller, (ii) the processor, or (iii) any other person who sought the consent or to whom the consent was given, and
(d) the data subject has not withdrawn the consent (i) by giving written notice to the controller, or (ii) by any other means provided for by the controller.

(2) Where consent to which this section applies also meets the definition of a consent in section 10(1) and all the other requirements and conditions in section 10 of the Law for consent to be valid for the purposes of the Law, the consent has effect as consent to that processing for the purposes of the Law and the Law Enforcement Ordinance.

(3) In any other case, despite any provision to the contrary in section 10 of the Law, a consent to which this section applies must be regarded as consent to that processing for the purposes of the Law and the Law Enforcement Ordinance only until the earlier of
(a) the data subject withdrawing the consent (i) by giving written notice to the controller, or (ii) by any other means provided for by the controller, or
(b) the occurrence of the transitional date.

The Law sets different standards for controllers when seeking to rely on consent as a basis for processing (see section 10 of the Law).

If you have obtained consent prior to 25 May 2018 in compliance with the Data Protection (Bailiwick of Guernsey) Law, 2001, and the requirements of 10(1) are satisfied, that consent remains valid unless
- That consent was given on the basis of false, deceptive or misleading information or conduct; or
- The data subject has withdrawn consent.

If you are unable to establish the above, the consent you have obtained will only be valid until the earlier of
- The date the data subject withdraws consent; or
- 25 May 2019.