This page provides you with information relating to how your personal data is used by the States of Guernsey. For ease of use, we have listed all of your rights as a data subject and also the lawful basis on which the organisation relies when processing information about you.
In accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017, your rights as a Data Subject are as follows:
Right of access
- A data subject has the right to be advised as to whether a controller is processing personal data relating to them and, if so, that individual is entitled to one free copy of their personal data (with further copies available at a fee prescribed by the controller). This is known as a Subject Access Request (SAR). Upon receipt of an SAR, the controller has a period of one month to adhere to the request (an extension of two further months can be sought by the controller depending upon the complexity and number of requests submitted by the data subject).
Right to data portability
- A data subject has the right to data portability, this means that an individual is able to arrange for the transfer of their personal data from one controller to another without hindrance from the first controller. This right can only be utilized where the processing is based on consent or for the performance of a contract. This right cannot be used for processing by a public authority.
- Where a data subject invokes the right to data portability, the data subject has the right to be given their personal data in a structure, commonly used and machine-readable format suitable for transmission from one controller to another. Upon the request of a data subject, the controller must transmit their personal data directly to another controller unless it is technically unfeasible to do so.
Exception to right of portability or access involving disclosure of another individual's personal data
- A controller is not obliged to comply with a data subject's request under the right of access or right to data portability where the controller cannot comply with the request without disclosing information relation to another individual who is identified or identifiable from that information.
Right to object to processing
- A data subject has the right to object to a controller's activities relating to the processing of personal data for direct marketing purposes, on grounds of public interest and for historical or scientific purposes.
Right to rectification
- A data subject has the right to require a controller to complete any incomplete personal data and to rectify or change any inaccurate personal data.
Right to erasure
- A data subject has the right to submit a written request to a controller regarding the erasure of the data subject's personal data in certain circumstances. These include where:
- The personal data is no longer required in relation to its original purpose for collection by the controller;
- The lawfulness of processing is based on consent and the data subject has withdrawn their consent;
- The data subject objects to the processing and the controller is required to cease the processing activity;
- The personal data has been unlawfully processed;
- The personal data must be erased in order to comply with any duty imposed by law; or
- The personal data was collected in the context of an offer from an information society service directly to a child under 13 years of age.
Right to restriction of processing
- A data subject has the right to request, in writing, the restriction of processing activities which relate to the data subject's personal data. This right can be exercised where:
- The accuracy or completeness of the personal data is disputed by the data subject who wishes to obtain restriction of processing for a period in order for the controller to verify the accuracy or completeness;
- The processing is unlawful but the data subject wishes to obtain restriction of processing as opposed to erasure;
- The controller no longer requires the personal data, however the data subject requires the personal data in connection with any legal proceedings; or
- The data subject has objected to processing but the controller has not ceased processing operations pending determination as to whether public interest outweighs the significant interests of the data subject.
Right to be notified of rectification, erasure and restrictions
- Where any rectification, erasure or restriction of personal data has been carried out, the data subject has a right to ensure that the controller notifies any other person to which the personal data has been disclosed about the rectification, erasure or restriction of processing. The controller must also notify the data subject of the identity and contact details of the other person if the data subject requests this information.
Right not to be subject to decisions based on automated processing
- A data subject has the right not to be subjected to automated decision making without human intervention.
- To exercise these data subject rights, please contact either the data protection officer or the controller.
Right to make a complaint
- An individual may make a complaint in writing to the supervisory authority (the Office of the Data Protection Commissioner) if the individual considers that a controller or processor has breached, or is likely to breach, an operative provision of the data protection law, and the breach involves affects or is likely to affect any personal data relating to the individual or any data subject right of the individual (as listed above).
Complainant may appeal failure to investigate or progress and may appeal determinations
- An individual may appeal to the Court where:
- The Supervisory Authority has failed to give the complainant written notice that the complaint is being investigated or not within two months of receiving the complaint;
- The Supervisory Authority has failed to provide written notice of the progress and, where applicable, the outcome of the investigation at least once within three months of providing notice of the beginning of an investigation; or
- Where the individual seeks to appeal against a determination of the Supervisory Authority.
These rights apply when your personal data is being processed by any business or organisation in Guernsey, including the States of Guernsey. For more details regarding how each of the States of Guernsey Committee areas process your personal data and who to contact in each area in relation to the above, please see the documents listed on the right hand side of this page. There is also a page regarding how Deputies process personal data that they receive.
The States of Guernsey relies on a number of lawful basis' for processing your personal data. A full list of these conditions can be found below:
Lawful Basis for Processing
- Where we are processing personal data, we do so lawfully and in all matters, one or more of the following conditions of the law will apply:
- The data subject has requested or given consent to the processing of personal data.
- The processing is necessary for the conclusion or performance of a contract to which the data subject is a party, or made between the controller and a third party in the interest of the data subject, or to take steps at the request of the data subject prior to entering into such a contract.
- The processing is necessary to protect the vital interests of the data subject or any other individual who is a third party.
- The processing is necessary for purposes of the legitimate interest of the controller or a third party.
- The processing is necessary for the exercise or performance by a public authority of a function that is of a public nature, or a task carried out in the public interest.
- The processing is necessary for the controller to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment or an order or a judgment of a court or tribunal having the force of law in the Bailiwick.
- Where we are processing special category data, we do so lawfully and in all matters, one or more of the following conditions of the law will apply:
- The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
- The processing is necessary for the controller to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment.
- The processing is necessary in order to comply with an order or a judgment of a court or tribunal having the force of law in the Bailiwick.
- The processing is necessary for a health or social care purpose and is undertaken by a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if the person were a health professional.
- The processing is necessary for reasons of public health.
- The processing is necessary, for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or the discharge of any functions of a court or tribunal acting in its judicial capacity, for the purpose of obtaining legal advice, or otherwise for the purposes of establishing, exercising or defending legal rights.
- The processing is necessary for, the administration of justice, or the exercise of any function of the Crown, a Law Officer of the Crown, the States or a public committee.
- The processing is necessary for a historical or scientific purpose.
- The processing is authorised by regulations made by the Committee for this purpose and carried out in accordance with those regulations, or authorised or required by any other enactment and carried out in accordance with the enactment.
- The data subject has given explicit consent to the processing of the personal data.
- The processing is necessary to protect the vital interests of the data subject or any other individual who is a third party, and the data subject is physically or legally incapable of giving consent, or the controller cannot reasonably be expected to obtain the explicit consent of the data subject.