Privacy Notice

PLEASE NOTE: This Data Collection Notice applies to all personal data collected by the Office of the Data Protection Commissioner (ODPC).

WHO ARE WE?

We are the Office of the Data Protection Commissioner for the Bailiwick of Guernsey (ODPC). Our legal identity and powers come from the Data Protection (Bailiwick of Guernsey) Law, 2017 (and associated statutory instruments) (the Law) where we are described as ‘the Authority’. You can find contact details here.

 

DATA PROTECTION OFFICER (DPO)

The Data Protection Officer for the ODPC is Rachel Masterton, who can be contacted by email (r.masterton@odpc.gg), telephone (+44 1481 742074) or in writing (contact details here).

 

WHEN PERSONAL DATA IS COLLECTED

Personal data is collected

 

HOW WE USE YOUR PERSONAL DATA

Data collected in relation to complaints submitted under the Law or other enforcement action taken by the ODPC

All personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and/or 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 1, Parts I and II of the Law. All special category data collected for this purpose is processed under paragraphs 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) and/or 12 (legal proceedings & establishing, exercising and defending legal rights) of Schedule 2, Part II of the Law.

This information is processed for the purpose of responding to or investigating your complaint. It is likely that we will need to provide some or all of this information to the controller or processor you have complained about to allow for further enquiry and investigation.  If there is information you do not wish to be passed on, please let us know.

In certain cases, it may not be possible to complete a full review of the circumstances surrounding the complaint/enquiry without disclosing some or all of the information you have provided, including your name. In such circumstances, we will discuss this in detail with you and agree on the next steps. Only in exceptional cases, where there is evidence of a serious compliance concern, would we consider pursuing an investigation where the complaint has been withdrawn. We will discuss this with you in detail should that situation arise.

We recognise that an enquiry or complaint may involve sensitive and confidential matters and will ensure we involve you in decisions made relating to the progress of the case and will keep you updated.

If you are concerned about providing information relating to a complaint or investigation, please discuss this with us.

We do compile and publish statistics relating to the number and nature of complaints received but never in a form that would identify any individual.

 

Data collected as part of the breach reporting process

All personal data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

Breach reports will be reviewed and the ODPC may get in contact for further information or to assess compliance with the Law.

 

Data collected as part of the notification process

All personal data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

Many businesses and organisations are required by law to notify the Data Protection Commissioner of the processing they carry out. This may contain personal information, for example where the business is a sole trader. Notification information is compiled into a public register, as is required by law.

Details of a relevant member of staff are requested as part of this process but are not published on the public register and are used solely by the ODPC for administration purposes.

 

Data collected by email

Personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Parts I and II of the Law. Special category data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

We process information supplied by email using standard email applications (e.g. Outlook and Exchange), and we may also record it in our customer relationship management system if it relates to a complaint, notification or other matter of significance.

 

Data collected as part of newsletter sign-up

We process your personal data (in this instance: email address only) in relation to our newsletter sign-up process under paragraph 1 (consent) of Schedule 2, Part I of the Law.

When completing our newsletter sign-up form, you only need to provide your email address. We use your email address for the sole purpose of sending you our monthly newsletter. During the sign-up process you will receive an email to verify your details and a confirmation email once sign-up has been completed.

We use the legal basis of ‘consent’ to process your data in this way; as such, you are free to withdraw your consent at any time. An unsubscribe link is included in each newsletter email to enable you to unsubscribe.

We use Campaign Master, a UK-based organisation, to deliver our newsletter.

 

Data collected as a result of enquiries made by phone or in person

Personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and/or 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Parts I and II of the Law. Special category data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

We may record information in our customer relationship management system if the information relates to a complaint, notification or other matter of significance.

 

YOUR RIGHTS

The Law provides you with a number of specific rights.

If you want to make a submission in respect of any one of these rights, please contact our data protection officer.

 

TRANSFERS OF DATA

The ODPC does not intend to transfer any personal data to authorised jurisdictions outside of the EU, or to unauthorised jurisdictions unless we are required to do so by Law.

If you provide information as part of the process of notifying us that you are a data controller, this will be published on our website, which is available worldwide. The only exception to this is the contact details you provide, which will only be accessible to ODPC for our administration purposes.

 

LINKS TO OTHER WEBSITES

This notice does not cover any third-party websites reached via links on this website. You are advised to read the data collection statements on the other websites you visit.

 

RETENTION OF DATA

The ODPC fulfils a statutory function as set out in the Law. All data is retained securely and only used for the purposes set out in the Law. Data is retained to comply with our statutory obligations and in accordance with the retention policy of the ODPC.

 

COMPLAINTS AND APPEALS

Section 67 of the Law provides for a right to complain to the Authority. Sections 82 and 83 of the Law provide for rights of appeal. Where that complaint relates to the processing of personal data by the ODPC, specific procedures are in place to ensure appropriate review.

Complaints can be lodged via the Online Complaints page of our website or using the contact details listed here.

 

ANALYTICS

When you visit www.odpc.gg we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns.  We do this to find out such things as the number of visitors to the various parts of the site in order to better understand how people use the website and to improve the site and the services offered. This information is only processed in a way that does not identify anyone.  We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

If we do collect personal data through our website, how this is processed and under what lawful processing condition depends on which part of the website is used and is listed above.

 

 

This has been updated on 3 October 2018.