Your Duties and Responsibilities as a Data Controller
This document provides guidance on the duties and responsibilities of data controllers under the Data Protection (Jersey) Law 2018 (DPJL 2018), including how to identify whether an organisation is acting as a controller or processor, what obligations apply to controllers, and what controllers must do when appointing and working with data processors.
It also explains when and how a controller must appoint a Data Protection Officer (DPO), how to oversee processing activities carried out on its behalf, and the importance of accountability and transparency in managing personal data.
Controllers are the decision-makers — they determine the why and how of processing. They carry the greatest responsibility for ensuring compliance with the DPJL 2018, including safeguarding the rights of individuals and demonstrating that appropriate technical and organisational measures are in place to protect those rights.
Controllers may act alone or jointly with others (joint controllers). Where two or more organisations jointly decide the purposes and means of processing, they must have a transparent arrangement between them and must make key details of that arrangement available to individuals.
Controllers must also ensure that when they engage others (data processors) to process personal data on their behalf, those processors act only on documented instructions and meet strict contractual, security and compliance standards.
Frequently used words in this guidance note
| Frequently used word(s) | Description |
|---|---|
| Accountability | The duty on controllers to be able to demonstrate compliance with the DPJL 2018 and with the data protection principles set out in Article 8 of the DPJL 2018. |
| Articles or Arts | Specific provisions of the DPJL 2018 or DPAJL 2018. |
| Data Controller or Controller | The natural or legal person, public authority, agency or other body that, whether alone or jointly with others, determines the purposes and means of the processing of personal data (Art.1 DPJL 2018). |
| Data Processor or Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller (Art. 1 DPJL 2018). |
| Data Protection Officer or DPO | An individual formally appointed by a controller (or processor) to advise on, monitor, and assist with compliance under the DPJL 2018. |
| Joint Controller | Two or more controllers who jointly determine the purposes and means of processing. |
| Personal Data | Any information relating to an identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Processing | Any operation performed on personal data, whether or not by automated means, such as collection, storage, use, disclosure, alteration, or destruction. |
| Special Category Data | Personal information relating to: |
What is a Data Controller?
A data controller is the person or organisation that decides why and how personal data will be used. For example, a business that collects customer details to manage accounts, an employer that keeps records about its staff, a charity that keeps records about its volunteers, or a school that keeps student records will each be acting as a controller.
Controllers are responsible for following the rules in the DPJL 2018 and making sure individuals’ personal data is used lawfully, fairly, and kept securely.
How is a Controller Different from a Processor?
Controller or Processor
- A controller makes decisions about the purpose and the way personal data is processed.
- A processor only processes data for the controller, following written instructions.
- Ask yourself:
- Who decided what data to collect?
- Who decided the purpose for which it is used?
- Who determines how long it is kept?
- Who determines who has access to it?
If the answer is you/your organisation, you are the controller.
- Some organisations don’t have a separate legal personality of their own – for example, unincorporated associations such as sports clubs or voluntary groups. You should check the document which sets up and governs the management of that organisation. It should set out which individual(s) manage the organisation on behalf of its members and are likely to act as the controller or joint controllers, and how contracts may be entered into on behalf of the organisation. This is because an individual may actually be the data controller.
Example: Jersey Dancing Club uses an electronic system to record details about members for admin purposes. The club receives a subject access request from one of its members. The club checks its governing document and notes that its chairperson is named as the controller, as they manage the club on behalf of its members and make decisions about the processing of personal data. In this case the chairperson is legally the controller, although the club identifies the organisation as a whole as the controller in its privacy notice.
For convenience you may identify the organisation as a whole as the controller (e.g. you may use the club or group name in your privacy information for individuals). But for legal purposes the controller will actually be the relevant individual(s) who make the decisions about the processing by the organisation.
If you process data only under the detailed instruction of someone else, you are likely a processor. For example, if you have been hired by another organisation to carry out tasks like payroll or IT support, you will usually be a data processor because you act only on the controller’s instructions.
Processors must not use information given to them by a controller for their own purposes. If a processor starts making its own decisions about how to use the data, it becomes a controller in its own right for that activity and takes on full legal responsibility. If you are a Processor, more information about what you can and cannot do can be found here.
Sometimes, more than one organisation decides together. In those cases they are joint controllers and must set out clearly in writing who is responsible for what.
Example 1: Island Vets and DataSmart IT Solutions. Island Vets, a veterinary clinic in St. Helier, engages DataSmart IT Solutions to manage its customer database and appointment booking system. Island Vets decides what personal data to collect, why it is collected, and how long it is kept. DataSmart IT Solutions only processes the data on Island Vets’ instructions and to make sure the database and booking system work. It does not use the information for any other purpose. In this scenario Island Vets is the controller and DataSmart IT Solutions is the processor.
Example 2: Island Vets and DataSmart IT Solutions jointly develop a pet health app that collects customer data to send reminders and promote services for both businesses. Both organisations decide together what data is collected and how it is used. They agree in writing who is responsible for meeting data protection obligations. In this case, Island Vets and DataSmart IT Solutions are joint controllers.
Example 3: A Jersey business engages an external HR consultancy to help manage its people-related functions. Under their agreement, the HR consultancy provides a range of services, including:
- administrative tasks such as issuing training materials, managing staff surveys, and running payroll.
- more independent services when requested, such as running workplace mediations, handling disciplinary processes, and conducting workplace investigations.
When the HR consultancy carries out administrative or support functions, it acts only on the instructions of the business, e.g. sending training reminders or maintaining training records using data provided by the business. For these activities, the HR consultancy is a data processor, as it is processing personal data on behalf of, and under the authority of, the business.
However, when the HR consultancy conducts independent mediations, disciplinary hearings, or investigations, it determines what information to collect, what questions to ask, and how to report its findings and make recommendations. For those activities, it is acting as a data controller, because it decides the purpose and means of processing personal data in the context of that work. In this example:
- The business is the controller for its own staff data and for HR tasks it directs and the HR consultancy acts as a processor when following the business’s instructions for routine administrative work.
- The HR consultancy becomes a controller for the independent activities it undertakes where it exercises professional judgment and determines how personal data is used.
What Are the Main Duties of Controllers?
- Controllers must:
- Use personal data fairly, lawfully, and transparently.
- Collect only what is necessary for a clear purpose.
- Keep data accurate and up to date.
- Protect it with appropriate security measures.
- Delete or anonymise it when it is no longer needed.
- Be able to show evidence of compliance with the law (the “accountability principle”).
Controllers must also tell people how their data will be used (usually through a privacy notice) and make sure people can exercise their rights such as access, correction, and erasure (deletion).
We have a checklist available to help you show how you are complying with the DPJL 2018.
Appointing a Data Processor
Controllers are responsible for any data processors they use. Before choosing one, Controllers should make sure the Processor can provide enough guarantees that it will handle data securely and comply with the DPJL 2018.
There must always be a written contract between the Controller and Processor. This must say that:
- The processor acts only on the controller’s written instructions.
- Everyone handling the data is bound by confidentiality.
- Appropriate technical and organisational security measures are in place.
- The processor will help the controller with data-subject rights requests and data-breach reporting.
- Sub-processors cannot be appointed without written approval.
- Data will be deleted or returned when processing ends.
Even though a processor carries out work, the controller remains legally responsible for what happens to the data.
We have a checklist available for controllers to use to help when appointing a processor and a list of items that must be in any contract.
Routinely Sharing Information with Other Organisations
Sometimes organisations need to share personal information regularly with another organisation. For example, a public authority might send monthly reports to another agency, a school might share attendance data with a government department, or a business might exchange information with a service partner to deliver a joint service.
You need to make sure that any routine sharing is done lawfully, safely, and transparently. That means agreeing in writing why the data is shared, what is shared, how often, how it is sent and stored, and who is responsible for keeping it secure. You also need to check that individuals know about the sharing and that the information shared is accurate, necessary, and up-to-date.
Having a clear, written data-sharing protocol (or agreement) helps everyone understand what happens to the data, supports good governance, and shows that you are being accountable. We have a checklist to help you.
Appointing a Data Protection Officer (DPO)
- Some controllers must appoint a DPO - for example, public authorities, or organisations whose core activities involve large-scale monitoring or processing of special category data. You wouldn’t usually need a formal DPO if:
- You don’t regularly monitor, track or profile individuals.
- You don’t hold or use any special category data.
- You only process (use) personal information for secondary or ancillary purposes e.g. HR or payroll.

- The DPO’s role is to:
- Advise the controller on data-protection obligations.
- Monitor internal compliance and staff training.
- Act as the contact point with the JOIC.
- Provide guidance on data-protection impact assessments (DPIAs).
The DPO must be independent, have expert knowledge of data-protection law, and be given sufficient authority and resources to perform their role. You can outsource, but you need to make sure that the provider can actually help you fulfil your legal responsibilities.
Even if a formal DPO is not needed, it is good practice to identify someone within the organisation who is responsible for data protection matters. Appointing a DPO voluntarily, or designating a person to oversee compliance (sometimes called a data protection manager or data protection lead), helps ensure that data protection issues are properly managed and that staff know who to contact for advice or to report concerns.
You can voluntarily appoint a DPO but if you do, they will be subject to the same legal rights and obligations as if they were mandatory.
Controllers must publish the DPO’s contact details and share them with us when they register. Even if you don’t need a formal DPO you still need to publish the contact details for the person with responsibility for data protection matters and add those to your registration.
Identifying Your Role
- It is essential to determine whether your organisation is acting as a data controller, data processor, or joint controller for each processing activity you carry out. You may act as a controller for some processing and as a processor for other processing. The role you hold depends entirely on who decides the purpose and means of processing.
What is a controller?
- Art.1(1) of the DPJL 2018 defines a controller as
- The natural or legal person, public authority, agency or other body that, whether alone or jointly with others, determines the purposes and means of the processing of personal data, and where those purposes and means are determined by the relevant law, the controller or the specific criteria for its nomination may be provided for by such laws.
Controllers make the decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.
A controller can be a limited company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual (such as a sole trader, partner in an unincorporated partnership, or self-employed professional). However, an individual processing personal data for the purposes of a purely personal or household activity is not subject to the DPJL 2018 (this is known as the domestic exemption).
Trusts, Foundations and Other Non-Incorporated Structures
In Jersey, some structures and organisations do not have their own separate legal personality. This means that, although they can hold and manage assets or carry on activities, they cannot themselves enter into contracts or act as a legal person. Examples include trusts, certain unincorporated funds or joint ventures, and unincorporated associations such as clubs or societies. In these cases, you must look to the governing document (such as a trust deed, limited partnership agreement, or association constitution) to identify the individual(s) or legal person(s) who make decisions about how and why personal data is processed. Those individuals or entities will usually be the data controller(s) for the purposes of the Data Protection (Jersey) Law 2018 (DPJL 2018).
Trusts
A trust established under the Trusts (Jersey) Law 1984 does not have a separate legal personality. The trustee (or trustees, if there is more than one) holds property and makes decisions on behalf of the beneficiaries. Where personal data is processed in connection with a trust (for example, information about settlors, beneficiaries, protectors, or underlying companies) the trustee or trustees will normally be the controller(s) because they decide the purposes and means of that processing.
If a trust receives a data-subject request, such as a subject access request (DSAR), the trustee(s) are responsible for responding. If there is more than one trustee, you should check the trust deed to see how decisions are made and whether the trustees act jointly or whether one has authority to act on behalf of the others. In most cases, all trustees act together and will therefore be joint controllers.
Where a trust corporation (a company authorised to act as a professional trustee) is appointed, the corporate trustee itself (not its individual directors or staff) will be the data controller, as it is the legal person that determines how and why the personal data is processed.
Foundations
A foundation, established under the Foundations (Jersey) Law 2009, does have its own separate legal personality. This means the foundation itself will normally be the controller for the personal data it processes. In practice, the council of the foundation makes decisions on the foundation’s behalf, but the legal responsibility under the DPJL 2018 sits with the foundation as an entity. The qualified member and council members should ensure that appropriate governance, policies, and DPO arrangements are in place.
Funds, Limited Partnerships and Other Arrangements
Some funds, limited partnerships and unincorporated associations also lack separate legal personality. In such cases, the general partner, managing partner, or other managing body is likely to be the controller, as they make decisions about the purposes and means of processing investors’, partners’, or clients’ personal data.
If the structure involves multiple parties (for example, a fund manager, administrator, and custodian), each should assess its own role carefully. It is common for the manager or general partner to act as the controller, and for other service providers to act as processors under written contracts.
- Ask yourself the following questions to help determine your role:
- Who decides why the personal data is being collected and what it will be used for?
- Who decides how the data will be processed — for example, what systems or methods are used, how long the data is kept, or who it is shared with?
- Who decides what types of data are collected and which individuals the data relates to?
- Who decides what lawful basis is relied upon?
- Who determines who can access the data and for how long it is retained?
If your organisation answers “yes” to most of these questions, you are acting as the data controller. If you process personal data only on another organisation’s written instructions, you are likely a data processor.
What is a Joint Controller?
- If two or more organisations jointly decide the purpose and means of processing (i.e. they have the same or shared purposes), they are joint controllers. Art.7(1) of the DPJL 2018 states that:
- Where 2 or more controllers jointly determine the purposes and means of the processing of personal data they are joint controllers.
Controllers will not be joint controllers if they are processing the same data for different purposes; they will simply be controllers in their own right.
- Art.7 of the DPJL 2018 says that joint controllers must:
- Have a transparent written arrangement setting out who is responsible for which obligations under the DPJL 2018 (Art.7(2)).
- Specify who will provide privacy information to individuals and who will handle any data-subject rights requests and make the essence of this arrangement available to affected individuals (Art.7(3)).
Each joint controller remains responsible for compliance with the DPJL 2018, even if one organisation takes the lead role.
What is a Processor?
- Art.1(1) of the DPJL 2018 states that a processor is:
- A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, but does not include an employee of the controller.
Processors act on behalf of the relevant controller, under its authority and on its instructions. They serve the controller’s purposes, not their own.
While a processor may make day-to-day operational decisions about how to carry out a particular task assigned to it by the controller, it must always act in accordance with the controller’s documented instructions. Under Art.23(1) of the DPJL 2018, a processor may only process personal data on the controller’s instructions, unless required to do so by law.
If a processor goes beyond the controller’s instructions and starts to decide why and how personal data is processed, it becomes a controller in respect of that processing and takes on the same legal responsibilities and liabilities as any other controller.
A processor can be a company or other legal entity (for example, a trust company business, fund administrator, or law firm) or an individual (for example, a consultant providing outsourced services).
Example 1: A local law firm hires a Jersey IT support company to maintain its client database and document-management system. The law firm decides why client personal data is collected (to provide legal services) and what information needs to be stored. The IT company only accesses that information to provide technical support and system maintenance, following the law firm’s instructions. In this case:
- The law firm is the data controller because it decides the purpose and means of processing.
- The IT support company is a data processor because it processes personal data only on the law firm’s instructions.
If the IT company later uses any client data for its own training, marketing, or service-testing purposes, it would become a controller for that separate activity.
Example 2: A Jersey company-service provider provides company secretarial services to an administered company. The administered company decides why personal data about its directors, shareholders, and employees is collected and how it is used, for example to comply with company law, maintain statutory registers, and meet regulatory obligations. The company-service provider carries out certain administrative tasks such as preparing board minutes, maintaining registers, and filing annual returns, strictly in line with the administered company’s instructions and within the scope of its service agreement. In this situation:
- The administered company is the data controller, as it determines the purpose and means of processing the personal data.
- The company-service provider is a data processor, as it processes that information on behalf of, and under the authority of, the administered company.
However, for activities relating to its own business — such as client due-diligence checks, employee management, and compliance with its own regulatory obligations — the company-service provider acts as a controller in its own right.
Employees of the controller are not processors. As long as they are acting within the scope of their duties as an employee, they are acting as an agent of the controller itself. They are part of the controller, not a separate party contracted to process data on the controller’s behalf.
Sometimes a processor wants to use another processor to carry out some of its processing activity. This other processor is often referred to as a sub-processor. Sub-processors cannot be used by a processor without the controller’s specific agreement.
How to work out if you’re a Controller or Processor
- It is important to recognise that your organisation is not automatically a controller or processor for all processing. You must assess on a processing-by-processing basis who determines the purposes and means of that specific activity. You will need to ask the following questions for each processing activity:
- Who decides that personal data should be collected in the first place?
- Who chooses the lawful basis for that processing?
- Who determines what types of personal data will be collected?
- Who decides the purpose(s) for which the data will be used?
- Who determines which individuals the data will relate to?
- Who decides if, how and to whom the data may be disclosed?
- Who determines what individuals are told about the processing (e.g., via a privacy notice)?
- Who chooses how to respond to individuals exercising their rights (access, correction, erasure etc.)?
- Who determines how long the data will be kept, or when non-routine changes are made?
If your organisation makes these kinds of decisions, you are likely to be the data controller for that processing activity under the DPJL 2018. If, however, your organisation processes personal data only on the documented instructions of another body (the controller), and does not decide the purpose or means of the processing, then your organisation is likely a data processor. (For example, you might choose technical methods for processing (what IT systems to use, how to store the data, how to delete it) as a processor — but you must not decide what data to collect or the purposes for its use.)
In practice, there is a spectrum of decision-making. At one end, you (as client) decide everything and your service provider simply follows instructions — you are controller, they are processor. At the opposite end, your service provider determines both the purpose and the means of processing — they become controller (or joint controller) for that activity.
Can you be both Controller and Processor?
- An organisation may act as controller for some personal-data processing activities and as processor for others. For example:
- You manage your own employees’ data (you are controller).
- You provide services to another organisation and process data on their behalf (you are processor).
However, you cannot be both controller and processor for the same processing operation. If you process the same personal data partly on someone else’s instructions, and partly for your own purposes, you may become a joint controller. Similarly, as soon as a processor starts processing personal data outside the controller’s instructions, it will become a controller in its own right for that element of processing.
- If you are acting as both a controller and processor, you must ensure your systems and procedures distinguish between the personal data you are processing in your capacity as controller and what you process as a processor on another controller’s behalf. If some of the data is the same, your systems must be able to distinguish between these two capacities, and allow you to apply different processes and measures to each. If you cannot do this, you are likely to be considered a joint controller rather than a processor for the data you process on your client’s behalf.
Core Duties and Responsibilities Under the DPJL 2018
- If you are a controller, you are responsible for ensuring that your processing is done in accordance with the DPJL 2018. This includes having responsibility for any processing carried out by a processor on your behalf. Responsibilities include:
- Complying with the data-protection principles set out in Art.8 of the DPJL 2018 and being able to demonstrate compliance under Art.9. These principles require controllers to ensure that personal data is:
- Processed lawfully, fairly, and transparently.
- Collected for specified, explicit, and legitimate purposes, and not used in a way that is incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accurate and kept up to date.
- Kept for no longer than necessary.
- Processed securely, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.
You can find more information about the principles here.
- Respecting individuals’ data-protection rights and ensuring they can exercise those rights easily. You can find more information about data subject rights here.
- Implementing appropriate technical and organisational measures to ensure the security of personal information. You can find more information about implementing appropriate security here.
- Choosing an appropriate processor (where required) that provides sufficient guarantees to ensure the protection of personal information, including that it has appropriate technical and organisational measures to ensure that its processing meets the requirements of the DPJL 2018.
- Having appropriate written contractual arrangements in place with the processor that meet all the requirements of Art.19(4) of the DPJL 2018.
Accountability and Governance
- Controllers carry the greatest responsibility for compliance with the DPJL 2018. You must be able to demonstrate how your organisation complies with the law. This is known as the accountability principle. To achieve this, controllers must:
- Maintain records of processing activities, clearly describing each type of processing carried out, its purpose, the categories of data and individuals involved, and the security measures in place.
- Keep a record of decisions about how you determined your organisation’s role (controller, processor, or joint controller).
- Document the lawful basis for each processing activity and the reasons why it is appropriate.
- Keep copies of data-processing contracts and any joint-controller arrangements.
- Carry out and record data-protection impact assessments (DPIAs) for processing that may present a high risk to individuals.
- Maintain evidence of staff training and awareness and ensure data-protection responsibilities are understood at all levels.
- Periodically review and update all policies, contracts, and technical measures to ensure they remain effective and proportionate to risk.
- We may ask to see these records to confirm that a controller is meeting its obligations under the DPJL 2018 and we will expect controllers to be able to explain to us:
- What information are you holding?
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties, and on what basis?
Working with Data Processors
When you appoint a processor to process personal data on your behalf, you must ensure that the processor provides sufficient guarantees that it can implement appropriate technical and organisational measures to meet the requirements of the DPJL 2018 and protect individuals’ rights. You are primarily responsible for overall compliance with the DPJL 2018, and for demonstrating that compliance. If this isn’t achieved, you may be liable to pay damages in legal proceedings or be subject to administrative fines or other penalties or corrective measures.
Before appointing a processor, you should:
- Assess the processor’s experience and competence in handling personal data.
- Check that they have appropriate security measures and policies in place.
- Review their track record and ask for assurance reports, certifications, or audit findings if available.
- Confirm where and how the data will be processed, including whether any personal data will be transferred outside Jersey.
- Ensure they have effective breach-reporting procedures and staff training.
You should document your due-diligence findings and reasons for selecting the processor.
Contract Requirements
Whenever a controller uses a processor, it must have a written contract (or other legally binding agreement) in place. A separate contract must be in place for each processor that you use. This is so that both parties understand their obligations, responsibilities and liabilities, and so that the arrangement complies with the DPJL 2018. It also assists controllers in demonstrating compliance to individuals and regulators, as required by the accountability principle.
Art.19(3)(b) of the DPJL 2018 also sets out that the following information must be included in the contract:
- The subject-matter of the processing.
- The duration of the processing.
- The nature and purpose of the processing.
- The type of personal data.
- The categories of data subjects.
- The obligations and rights of the controller.
That contract must:
- State that the processor acts only on the controller’s written instructions.
- Require all authorised personnel to maintain confidentiality.
- Require the processor to apply appropriate technical and organisational security measures.
- Require the processor to assist the controller with data-subject rights requests and data-breach reporting.
- Require the processor to delete or return all personal data once processing ends.
- Allow the controller to carry out audits or inspections to verify compliance.
- Require the processor to obtain written authorisation before engaging any sub-processor.
- Ensure that any sub-processor is bound by equivalent contractual obligations.
What responsibilities do processors have in their own right?
In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the DPJL 2018 (see Art.22). If a processor fails to meet its obligations, or acts outside or against the controller’s instructions, it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.
Sub-Processors
Controllers remain responsible for all processing carried out on their behalf, including by sub-processors or the main processor. You must:
- Approve any sub-processor in advance, either individually or under a general authorisation.
- Require your processor to maintain an up-to-date list of all sub-processors used.
- Ensure sub-processors are subject to the same obligations and safeguards as the main processor.
- Monitor sub-processor performance through audits, reviews, or reporting arrangements.
Ongoing Oversight
Your responsibilities do not end once a processor is appointed. You must:
- Review processor contracts regularly to ensure terms and safeguards remain appropriate.
- Monitor processor performance and compliance through reports, meetings, or audits.
- Require processors to notify you immediately of any suspected or actual personal-data breach.
- Keep records of monitoring, reviews, and corrective actions taken.
Failing to oversee a processor effectively may result in the controller being held responsible for breaches of the DPJL 2018.
Routine Data Sharing
‘Data sharing’ is the disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation. You should ensure that routine or ongoing data sharing between organisations is governed by a documented protocol or agreement that meets the requirements of the DPJL 2018 and demonstrates accountability.
Data sharing can take the form of:
- A reciprocal exchange of data.
- A one-way transmission of data.
- One or more organisations providing data to a third party or parties.
- Several organisations pooling information and making it available to each other.
- Several organisations pooling information and making it available to a third party or parties.
- Exceptional, one-off disclosures of data in unexpected or emergency situations.
- Different parts of the same organisation making data available to each other.
- An organisation providing another with access to personal data held on its own systems.
Some data sharing doesn’t involve personal data, for example where only statistics that cannot identify anyone are being shared. The Data Protection (Jersey) Law 2018 does not apply to that type of sharing because it does not involve ‘personal data’.
There are two main types of data sharing that require careful consideration and execution:
- Systematic, routine data sharing where the same data sets are shared between the same organisations for an established purpose.
- Exceptional, one-off decisions to share data for any of a range of purposes.
Different approaches apply to these two types of data sharing. Before sharing any of the personal data you hold, you will need to consider all the legal implications of doing so including whether it is necessary to share that information. The record of sharing checklist will assist you in identifying the issues you need to consider when deciding whether to share personal data.
Primarily, any data controller must, when deciding whether to enter into an arrangement to share personal data (either as a provider, a recipient or both), have identified the objective that it is meant to achieve. You should consider the potential benefits and risks, either to individuals or society, of sharing the data. Additionally, an assessment of the likely results of not sharing the data should be undertaken and documented.
When carrying out routine data sharing, you need to ensure that:
- The purpose of sharing is clearly defined, lawful, and still necessary.
- A valid lawful basis for sharing under the DPJL 2018 has been identified and recorded.
- Each organisation’s role (controller, joint-controller, or processor) is documented and understood.
- The scope of data shared is limited to what is required for the agreed purpose (data minimisation).
- A data-sharing protocol or agreement sets out the operational details, including frequency, format, authorised personnel, and review cycle.
- Accuracy is checked before each transfer, and inaccurate or outdated data is corrected or removed.
- Appropriate technical and organisational security measures are in place, including access control, encryption, and secure transfer mechanisms.
- Privacy information provided to individuals clearly explains the routine nature of the sharing, who receives their data, and why.
- Each party maintains records of disclosures and audit logs to evidence compliance.
- The arrangement is reviewed regularly (for example, annually) to ensure it remains necessary, proportionate, and secure.
- A Data Protection Impact Assessment (DPIA) is completed if the sharing presents a high risk to individuals’ rights.
- There is a clear process for breach reporting, termination, and deletion or return of shared data.
- If you are receiving the data, you are confident about the source of the data and that the person providing it to you can explain:
- The lawful basis upon which it was obtained.
- How it was collected.
- What data subjects were told about any sharing.
- Whether the information is accurate and up-to-date.
- Whether you have only been provided with what is necessary for your purposes.
We have a checklist available to help ensure that any data sharing is carried out in accordance with the DPJL 2018.
Appointing and Supporting a Data Protection Officer (DPO)
Art.24(1) of the DPJL 2018 says that controllers must appoint a Data Protection Officer in any case where:
- The controller is a public authority or body (other than courts acting in a judicial capacity).
- The controller’s core activities involve regular and systematic monitoring of individuals on a large scale.
- The controller’s core activities involve large-scale processing of special-category or criminal-offence data.
You can appoint a DPO if you wish, even if you aren’t required to. If you decide to appoint a DPO voluntarily, you should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.
Art.25 of the DPJL 2018 says that the controller must:
- Involve the DPO early in all data-protection matters.
- Support the DPO by providing sufficient resources, access to senior management, and ongoing training.
- Ensure that the DPO has access to all personal-data processing operations.
- Avoid conflicts of interest.
- Publish the DPO’s contact details and provide them to the JOIC.
- The DPO should report directly to the highest management level within the organisation.
What is meant by “core activities”
Your core activities will be the primary business activities of your organisation. If you need to process personal data to achieve your objectives, this will be a core activity. If you process personal data for other purposes which are incidental to your business, but which are not part of your primary goals, this will not be a core activity for the purposes of this part of the law.
Processing as a Core Activity (regular and systematic monitoring).
A financial services provider based in Jersey offers discretionary investment management and compliance monitoring services to a large client base. As part of its operations, it routinely tracks and analyses client transactions, investment behaviour, and communications to assess risk, detect potential financial crime, and ensure compliance with regulatory obligations. This constitutes regular and systematic monitoring of individuals on a large scale, and therefore the processing of personal data forms a core activity of the organisation.
Processing as a Core Activity (health sector).
A small GP surgery in Jersey provides medical care to its patients. To deliver this care, it must collect, record, and store sensitive health information about each patient, including medical histories, test results, and treatment records. Because the processing of special-category personal data (health data) is essential to providing healthcare services, it is a core activity.
Processing that is not a Core Activity (incidental processing).
A small Jersey construction company builds residential homes. Its primary business is physical construction work. The company processes personal data about its employees for payroll, health and safety, and HR purposes, but this processing is secondary and supports the main construction activity. In this case, the processing of personal data is not a core activity.
What does regular and systematic monitoring of data subjects on a large scale mean?
Neither “regular and systematic monitoring” nor “large scale” is defined under the DPJL 2018. However, the Article 29 Working Party (WP29) provided some guidance on these terms in its guidelines on DPOs. WP29 has been replaced by the European Data Protection Board (EDPB), which has endorsed these guidelines. Although these guidelines relate to the EU version of the GDPR, they are also a useful resource for understanding the requirements of the DPJL 2018.
We are of the view that “regular and systematic monitoring” of data subjects includes all forms of tracking and profiling, both online and offline. When determining whether processing is “large scale” you should take the following into consideration:
- The number of data subjects involved (either as a specific number or as a proportion of the population).
- The volume of personal data being processed.
- The range of different data sets (types of data) being processed.
- The geographical extent of the processing activity.
- The duration or permanence of the processing activity.
Examples of “large scale” processing may include processing of:
- Patient data in the regular course of business by a hospital.
- Travel data of individuals using a public transport system (e.g. tracking via travel cards).
- Customer data in the regular course of business by an insurance company or a bank.
- Personal data for behavioural advertising by a search engine.
- Data (content, traffic, location) by telephone or internet service providers.
What qualities and qualifications does a DPO need?
A DPO must be independent and have expert knowledge of data-protection law and practice (Art.24(6)). The law doesn’t say exactly what credentials or professional qualifications they are expected to have, but it does say that this should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires. So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO must be advanced enough to provide effective oversight.
It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.
A DPO doesn’t need to be an employee of your organisation and can be external, but it is your responsibility to ensure that any DPO you appoint is able to fulfil the functions required by law and has the experience and expertise that you need. If you appoint an external DPO you must have a written agreement in place.
Example 1 - High-risk, complex processing.
A financial services group in Jersey provides investment management, anti-money-laundering screening, and client profiling services. Because the organisation undertakes large-scale monitoring and processes sensitive financial and identification data (including KYC information and AML practices), its DPO should have advanced knowledge of data protection law and practice, including experience in regulatory compliance, information security, and risk management. The DPO must be independent from operational and compliance teams to ensure objective oversight and avoid conflicts of interest.
Example 2 - Moderate-risk, sector-specific processing.
A private medical clinic processes health and appointment data for its patients. While its data processing is not as large-scale as a hospital’s, it still involves special-category personal data. The DPO should therefore have solid working knowledge of data protection law, confidentiality obligations under health-sector standards, and patient-record systems. A background in healthcare administration or clinical governance would be advantageous.
Example 3 - Lower-risk, routine processing.
A small retail business in Jersey processes limited customer data for sales and marketing, and staff data for HR and payroll. In this case, the DPO (or the person carrying out the DPO role) does not need deep regulatory or technical expertise but should have a sound understanding of data-protection principles, record-keeping requirements, and data-subject rights. Independence can be maintained by ensuring the DPO role is separate from day-to-day marketing or sales decisions.
Example 4 - Importance of sector knowledge.
An organisation providing online education services appoints a DPO with prior experience in data protection law but limited understanding of educational technology. The DPO takes steps to familiarise themselves with the sector’s systems, including online learning platforms and child-data protections. Their growing knowledge of how the organisation uses personal data helps them identify and mitigate specific risks, such as unauthorised data sharing and inappropriate data retention.
The law says that a DPO can be appointed in respect of a single entity, a group, or multiple independent entities. However, if a DPO covers several organisations they must be able to perform their tasks effectively, taking into account the structure and size of those organisations. When appointing a DPO, you should consider carefully whether a single DPO can realistically perform the role required for your particular organisation (i.e. can a single DPO realistically cover a range of geographical areas, or a particularly complex collection of organisations which have a range of processing activities?).
Art.25(4) of the DPJL 2018 says that the DPO must be bound by duties of secrecy or confidentiality concerning the performance of their tasks in accordance with any applicable laws and your own confidentiality policies/procedures.
Can a DPO perform other roles/duties?
Art.25(5) of the DPJL 2018 says that the DPO may perform other roles within the organisation. However, it is imperative that the DPO must be able to perform his/her role in accordance with the DPJL 2018 and must not hold another role which conflicts or is likely to conflict with their obligations under the law. A conflict of interest exists if a person, in another role, decides how and why personal data is processed (the “purposes and means” of processing). Someone who makes those decisions cannot also be responsible for checking that they are lawful, because they would be assessing their own work.
Examples of roles likely to conflict with the DPO function include:
- Senior management or board positions – e.g. Chief Executive Officer, Managing Director, Chief Operating Officer, or Chief Financial Officer. These roles make strategic decisions about how personal data is used.
- Department heads involved in data use – e.g. Head of Marketing, Head of Human Resources, Head of IT, or Compliance Manager. They decide what data is collected and how it is processed.
- IT or Security Managers – they design and control systems that determine who can access data and how it is stored or secured.
- Small organisations – in smaller businesses or charities, conflicts may arise where, for example, the office manager or administrator responsible for staff records or marketing also acts as the DPO. In these cases, the organisation should consider appointing an external or shared DPO to ensure independence.
Roles that may not conflict. Some advisory or oversight roles can be combined with the DPO function if they do not involve making day-to-day decisions about data processing. For example, a governance officer or in-house legal adviser who provides general compliance advice but does not decide how personal data is processed could also act as DPO, provided independence is maintained.
To manage or avoid conflicts, you should:
- Keep the DPO’s responsibilities separate from any operational data-processing decisions.
- Set out the DPO’s independence clearly in their job description or contract.
- Ensure the DPO reports to the highest management level (e.g. the board or senior leadership).
- If resources are limited, consider appointing an external DPO or sharing a DPO with another organisation, provided confidentiality can be maintained.
The DPO needs to be easily accessible to us, to those within your organisation, and to the data subjects whose personal data you process. The DPO’s contact details must be recorded in all of your privacy notices and in any record of processing.
What are the duties/tasks of the DPO?
Art.26 of the DPJL 2018 says that the DPO’s duties include:
- Informing and advising you and your employees about your obligations to comply with the DPJL 2018.
- Monitoring compliance with the DPJL 2018 and other data protection laws, and with your data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits.
- Advising on data protection impact assessments and monitoring their progress.
- Cooperating with us.
- Acting as the first point of contact for the JOIC.
The DPO’s tasks cover all personal data processing activities, not just those that require their appointment under Art.24.
When carrying out their tasks the DPO is required to take into account the risk associated with the processing you are undertaking. They must have regard to the nature, scope, context and purposes of the processing. The DPO should prioritise and focus on the more risky activities, for example where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organisation.
If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.
Supporting the DPO
You must ensure that:
- The DPO is involved, closely and in a timely manner, in all data protection matters.
- The DPO reports to the highest management level of your organisation, i.e. board level.
- The DPO operates independently and is not dismissed or penalised for performing their tasks.
- You provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their obligations under the DPJL 2018, and to maintain their expert level of knowledge.
- You give the DPO appropriate access to personal data and processing activities.
- You give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information.
- You seek the advice of your DPO when carrying out a DPIA.
- You record the details of your DPO as part of your records of processing activities.
This shows the importance of the DPO to your organisation and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level, but they must have direct access to give advice to senior managers who are making decisions about personal data processing.
Demonstrating Compliance with the DPJL 2018
Controllers should establish and maintain a data-protection management framework to show how they comply with the DPJL 2018. This framework should include:
- Written data-protection policies and procedures, including privacy notices, retention schedules, and incident-response plans.
- Regular training and awareness for staff and contractors.
- Processes for handling data-subject rights requests and responding to personal-data breaches.
- A maintained record of processing activities and risk assessments.
- Periodic internal audits and management reviews to ensure controls remain effective.
- Documentation of decisions and continuous improvement actions (for example, policy updates or security upgrades).
Good record-keeping and governance are the clearest evidence that your organisation takes its responsibilities under the DPJL 2018 seriously.
Consequences of Non-Compliance
Failure to comply with your duties as a controller can result in:
- Individuals making formal complaints to us, which can lead to our carrying out a formal investigation under Art.20 of the Data Protection Authority (Jersey) Law 2018 (DPAJL 2018).
- A formal inquiry under Art.21 of the DPAJL 2018.
- Orders or directions from us requiring specific action (including orders to stop processing).
- Administrative fines of up to £5 million.
- Potential civil claims from affected individuals.
Controllers cannot avoid responsibility by relying on their processors. Even where a processor fails to meet its own obligations, the controller remains ultimately accountable for ensuring that personal data is processed lawfully and securely.