Your rights

Individuals are at the heart of data protection legislation. The Law builds on the current legal rights and responsibilities and specifically aims to strengthen individuals’ rights.

You have 10 rights under The Data Protection (Bailiwick of Guernsey) Law, 2017:

  1. Right to information for personal data collected from data subject (section 12 & 13)
  2. Right of access (section 15)
  3. Right to object to processing for direct marketing purposes (section 17)
  4. Right to object to processing on grounds of public interest (section 18)
  5. Right to object to processing for historical or scientific purposes (section 19)
  6. Right to rectification (section 20)
  7. Right to erasure (section 21)
  8. Right to restriction of processing (section 22)
  9. Right not to be subject to decisions based on automated processing (section 24)
  10. Right to data portability (section 14) – coming in May 2019

1. Right to information for personal data collected from data subject (section 12 & 13)
When you are asked to provide any information about yourself (i.e. personal data) to any organisation, there is a legal requirement for that organisation to make it clear who they are and what exactly is going to happen to your data. An organisation is required to supply this ‘fair processing information’ to you in the form of a privacy policy or a data collection statement. You can find out more about how organisations should handle your information fairly by reading our guidance on the ‘information to be given’ aspect of the Law. The higher standards the Law requires in respect of transparency are a fundamental part of the legislative framework that came into force in 2018 and you are encouraged to understand your rights and demand that they are respected.

If your data was collected prior to implementation of the Law (i.e. prior to 25 May 2018), the processing is subject to what is known as ‘transitional relief’. It is expected that controllers review the information provided to individuals, so you may find that companies that have your data get in touch with you to update this information. This is certainly good practice but not necessarily a legal requirement. Each controller will need to review its own position in this respect.

2. Right of access (section 15)
The Law enhances the already existing right of access to your personal data. This entitles you to ask what data an organisation holds about you and why by submitting a ‘subject access request’. Organisations must respond to your request within one month, although this can be extended if the request is complex. In most cases organisations cannot ask you to pay a fee for them to supply this information to you. The Law provides for certain, limited and specific exemptions to this right, as it does for most rights.

3. Right to object to processing for direct marketing purposes (section 17)
If an organisation is processing your personal data for direct marketing purposes, you have a right to require them to stop. You should write directly to the organisation concerned to make any such request and they must stop sending you material when asked.

4. Right to object to processing on grounds of public interest (section 18)
If an organisation says it is processing your personal data on the grounds that it is in their ‘legitimate interests’, or by virtue of being a public authority, you have a right to request that it cease processing. You should write directly to the organisation concerned to make any such request. If the organisation is a public authority, it is required to have a data protection officer whom you can contact. When you make such a request, the organisation must stop the processing unless it can prove that the public interest in that processing continuing outweighs your ‘significant interests’.

5. Right to object to processing for historical or scientific purposes (section 19) 
If an organisation is processing your personal data based on it being necessary for historical or scientific purposes, you have a right to request it stops processing. You should write directly to the organisation concerned to make any such request. If the controller is a public authority, it is required to have a data protection officer whom you can contact. As above, when you make such a request, the organisation must stop the processing unless the controller is a public authority and can demonstrate that the public interest in that processing continuing outweighs your ‘significant interests’.

6. Right to rectification (section 20) 
If you dispute the accuracy or completeness of personal data about you, you have the right to require the controller to rectify or change the data. You should write directly to the organisation concerned to make any such request. If the controller is a public authority, it is required to have a data protection officer whom you can contact.

7. Right to erasure (section 21) 
For data processed in certain circumstances (please refer to section 21 of the Law for full details) you have a right to require the controller to erase your personal data. This right is sometimes referred to as a ‘right to be forgotten’. You should write directly to the organisation concerned to make any such request. If the controller is a public authority, it is required to have a data protection officer whom you can contact.

8. Right to restriction of processing (section 22) 
For data processed in certain circumstances (please refer to section 22 of the Law for full details) you have a right to obtain a restriction of processing by the controller. You should write directly to the organisation concerned to make any such request. If the controller is a public authority, it is required to have a data protection officer whom you can contact.

9. Right not to be subject to decisions based on automated processing (section 24) 
‘Automated decision making’ often means that no human is involved in the processing of personal data. The Law recognises that individuals should be protected against unfair and harmful practice and provides you with a right not to be subjected to an automated decision. In accordance with your rights under section 12 of the Law (see right #1 above) you should be made aware of all such processing by the organisation when it first asks you to provide your data.

10. Right to data portability (section 14) – coming in May 2019 
This element of the Law is subject to what is known as transitional relief, which means that you will not be able to exercise it until 25 May 2019. Once in force, it will allow you to instruct that your personal data be transmitted from one organisation that acts as a ‘controller’ of your data to another organisation that you wish to have control of your data (e.g. moving your medical records from one GP practice to another). The Law sets out certain requirements for controllers to ensure such requests can be handled easily. Because this will require potential system changes for many organisations, they have until 25 May 2019 to get ready for any requests from citizens exercising this right.

For more information about how you can exercise your rights under The Data Protection (Bailiwick of Guernsey) Law, 2017, please call us on +44 1481 742074 or email enquiries@odpc.gg.