What does Enforcement look like? Procedures, Powers and Penalties, Criminal and Civil
The Data Protection Authority (Jersey) Law 2018 (DPAJL 2018) established Jersey’s Data Protection Authority (JDPA). The JDPA is part of the Jersey Office of the Information Commissioner (JOIC), and the Information Commissioner is the Chief Executive Officer of the JDPA.
We have powers to protect people if there has been a breach of the Data Protection (Jersey) Law 2018 (DPJL 2018) or the Data Protection Authority (Jersey) Law 2018 (DPAJL 2018).
This guidance note explains what happens when we take enforcement action, the various sanctions (penalties) we can impose, when we may take them and who may be subject to them. We always use our powers in a targeted and proportionate way.
The purpose of sanctions is to control and manage breaches and potential breaches of personal data with the aim of protecting data subjects from harm and/or further harm.
We will also cover criminal offences (focusing on what happens if our orders are not complied with or a controller/processor fails to engage with us), civil remedies and our approach to issuing administrative fines.
Frequently used words in this guidance note.
- Some words and phrases used throughout this guidance note are explained below.
| Frequently used word(s) | Description |
|---|---|
| Administrative Fine or Fine | a financial penalty that may be imposed by the Authority under Art.26 of the DPAJL 2018 |
| Amicable Resolution or AmRes | a voluntary procedure offered by the Authority to resolve certain issues informally, without the need for a full, formal investigation |
| Articles or Arts. | specific provisions of the DPJL 2018 or DPAJL 2018 |
| Authority | the Jersey Data Protection Authority (JDPA), which is part of the Jersey Office of the Information Commissioner (JOIC) |
| Complaint | a formal complaint received from an individual under Art.19 of the DPAJL 2018 |
| Data Controller or Controller | The entity (e.g. sole trader or organisation itself) that decides why and how personal information is processed |
| Data Subject | a living individual whose personal information is being collected, held or processed in some way |
| Investigation | a formal investigation carried out under Art.20 DPAJL 2018 in response to a Complaint |
| Inquiry | a formal inquiry carried out under Art.21 DPAJL 2018 |
| Processor | an entity (e.g. sole trader or organisation itself) that processes personal information on behalf of a controller, under their instructions |
| Remedial Action | steps taken by a controller or processor to correct a problem, limit harm, or prevent a breach from happening again |
| Reprimand | a formal written statement saying that a controller or processor has broken the law |
| Warning | a formal notice telling a controller or processor that their planned or current processing is likely to break the law if it goes ahead as intended. |
Making a complaint
- If you think your personal information has not been treated properly, you can make a complaint to us. This is your right under Art.19 of the DPAJL 2018. You can do this in writing, or by using the complaint form on our website. When we receive your complaint, we look at it carefully and decide what should happen next.
What action can we take?
- There are three main ways we check that organisations are following the law:
- Investigations – when someone makes a complaint and we look into it.
- Inquiries – when we decide to check something ourselves, even if nobody has complained.
- Audits – when we carry out a planned check of how an organisation is handling people’s information.
When might we not investigate?
- Not every complaint will lead to a full investigation. We may decide not to continue if:
- the issue is not really about data protection;
- the complaint is based on a misunderstanding;
- the same issue has already been looked at and nothing new has been shown;
- the complaint is mainly being made to cause trouble; or
- the problem is very minor and has already been fixed.
- We can reject complaints in some circumstances. For example:
- If there is no evidence that anything actually happened, we may say the complaint is unfounded.
- If the issue is very small and causes no real harm, we may say it is frivolous.
- If someone makes the same complaint over and over again, or mainly to cause trouble, it may be classed as vexatious or repetitive.
- If someone sends us a huge number of complaints about very small problems, it may be excessive.
- Sometimes a complaint is about more than one thing. For example, one person might tell us that they:
- Had their personal information shared without permission (data protection)
- Were unfairly treated at work (employment law)
- Have been receiving threatening messages (harassment, a police matter)
- Feel their reputation has been damaged by false claims (defamation, a civil legal matter)
We can only deal with the data protection part of the complaint. We cannot make decisions about employment rights, criminal offences or other legal matters that are not in our remit. When this happens, we will look at the data protection matters and signpost you to the right organisation that may be able to deal with the other parts of the complaint.
Jo makes a complaint saying their employer:
- shared private medical details with colleagues
- treated them badly at work, and
- sent them threatening messages after they raised concerns.
We would investigate the data protection issue (the sharing of medical details), but the workplace treatment would be for the Employment and Discrimination Tribunal, and the threatening messages would be for the police. We would explain this to Jo and point them in the right direction for help with the other issues.
What can happen if there is a problem?
- If we find that an organisation has broken the rules, we can take action. This could include:
- A Reprimand – a formal written notice saying that the organisation did something wrong.
- A Warning – if we believe the organisation is about to do something that breaks the rules.
- An Order – a legal instruction to put things right.
- There are many different types of order that we can make. An order could tell an organisation to:
- Correct or delete personal information,
- Stop using personal information in the wrong way,
- Tell people if their information was breached, or
- Reply properly (and/or more fully) to someone who has asked to see their information.
In some cases, we may also issue a fine (a financial penalty). The worse the problem, or the longer it goes on, the bigger the fine is likely to be (we can fine a maximum of £10 million for certain breaches). When deciding how much to fine, there is a list of things we need to take into consideration (including the organisation’s prior year turnover and financial circumstances generally), and we look at how many people were affected, how much harm was caused, and whether the organisation fixed the problem quickly.
We also have the ability to issue a public statement. The law says that we should only do this where we think that the case has reached a particular level of seriousness and that it is in the public interest to do so. We do not usually publish our decisions in full but what we do publish is a summary of what has happened, what our findings and orders were and what lessons can be learned. The name of the controller/processor will be published, but we don’t usually publish the name of the person who has complained. Before we publish any statement (depending on what it says) we may need to:
- consult any individual whose personal data would be made public by that public statement, or who is otherwise likely to be identifiable from the statement; and
- give written notice of the contents of the statement to any controller and any processor that is likely to be identifiable from the statement.
You can find out more about the decisions we make here.
- We always make sure that what we do matches the problem. This is called being proportionate. That means:
- small problems are dealt with in simple ways;
- bigger or repeated problems may lead to stronger action; and
- we only use fines or very strict orders if they are really needed.
Our aim is always to protect people’s information and to stop problems from happening again, without using heavier action than necessary.
Example 1
- Sarah asks a company for a copy of the personal information they hold about her. By law, the company must respond within a set time. The company does not reply, even after Sarah reminds them. Sarah makes a complaint to us. We investigate and find that the company has ignored other people’s requests too. We order the company to:
- send Sarah her information,
- improve their systems for handling requests, and
- report back to us on the changes they have made.
If the company fails to follow this order, they could face legal action.
Example 2
- David updates his address with his bank. The next month, the bank sends his statement to his old address by mistake. David worries that someone else could see his personal information. David complains to the bank, and they quickly admit the error and put things right. They tell him they have changed their systems to make sure it does not happen again. If David had complained to us, we would look at whether the bank had acted responsibly.
Because the mistake was fixed quickly and new safeguards were put in place, we may decide it is not necessary to take formal action. But if the bank kept making the same mistake, we could step in and issue an order or other sanctions.
If someone suffers harm because their information was not looked after properly, they can ask the Royal Court for money (compensation). We cannot award compensation ourselves; only the Court can decide how much should be paid.
You can find more information in our separate guidance note on “How we deal with Complaints”.
What if an organisation ignores us?
If an organisation does not do what we order, this is a criminal offence. We can take formal legal proceedings against them in the Royal Court.
There are other criminal offences under the law. For example:
- Taking or sharing personal information without permission
- Forcing a person to apply for a full copy of their own criminal record when it’s not actually needed and the organisation isn’t able to get hold of this information otherwise (we call this a forced subject access request and you can find out more here).
- Lying to us or giving false information
- Blocking our staff when we are investigating
- These crimes can lead to fines and, in some cases, up to two years in prison.
What if someone is unhappy with our decision?
- Both individuals and organisations can appeal certain decisions through the Royal Court of Jersey, but an appeal is not the same as saying “I don’t like this decision”. To appeal, you must show that our decision was unreasonable or unfair in law, e.g. that we made a mistake, did something beyond our powers, or did not act fairly. The Court will not change a decision just because someone would have preferred a different outcome.
Example 1
- Alex’s complaint is rejected because it was not about data protection, but about an employment issue (they were complaining that they’d been unfairly dismissed based on false information and a flawed process). Alex is unhappy and wants a different answer. This is not enough for an appeal, because we acted correctly and within the law.
Example 2
- Sam makes a subject access request to their former employer. The employer provides the information they hold and relies on legal exemptions where some data cannot be shared. We review the complaint and accept that the exemptions were used properly and that there is no other information to give. If Sam simply refuses to believe this, that is not grounds for an appeal. But if Sam could show that we misunderstood the law on exemptions or ignored important evidence, that could be grounds for a valid appeal.
What types of enforcement action are there?
- Broadly speaking, we have three enforcement activity types:
- Investigations
- Inquiries
- Audits
Investigations
Art.19 of the DPAJL 2018 says that individuals have the right to raise a complaint with us about the way their personal information has been handled. This needs to be done in writing, and we offer an online portal for submission of formal complaints (together with other non-formal routes of action such as Ask A Question, or requesting to take part in our Amicable Resolution (AmRes) procedure).
Art.20 of the DPAJL 2018 sets out what we need to do once we have received a complaint. More about how we carry out investigations specifically can be found in our guidance note “How we deal with formal complaints”.
We must investigate the complaints we receive unless:
- the complaint is unfounded;
- the complaint is frivolous, vexatious, unnecessarily repetitive or otherwise excessive; or
- we decide that it is inappropriate to investigate the complaint having regard to any other action taken by us under Art.14 or Art.15 of the DPAJL 2018.
What do we mean by “unfounded”?
- When we say that a complaint is “unfounded” and won’t be investigated, we mean that based on the information we’ve reviewed, there’s no credible evidence or reasonable basis to believe the alleged issue actually occurred. “Unfounded” means the facts simply don’t support the claim; it could be demonstrably false, based on a misunderstanding, outside our jurisdiction, or otherwise lacking the foundation needed to proceed. This is different from saying something is “unsubstantiated,” which means there isn’t enough evidence either way, but if we call something “unfounded” we’ve concluded there’s no valid case to investigate.
Examples
- The alleged breach didn’t happen.
  - Someone complained that a bank leaked their personal details online. We reviewed the logs, security reports, and relevant timeframes, and found no access or disclosure event matching the claim. The data was never exposed.
- Based on a misunderstanding of the law.
  - A person reported that an online retailer breached data protection rules by sending them a receipt after a purchase. We explained that providing a receipt in this context is a lawful processing activity and not a breach, so the complaint was unfounded.
- Mistaken identity of the organisation.
  - A complainant accused “XYZ Ltd” of sending them spam emails without consent. Our checks showed the sender was actually “XYZ Services,” a completely different company outside our jurisdiction, so the original allegation was unfounded.
- Already disproven by credible evidence.
  - Someone claimed their employer shared their medical information without permission. The employer provided system audit trails and HR records showing no such disclosure took place, making the complaint unfounded.
- A complaint concerns regulatory matters that fall under the Jersey Financial Services Commission (JFSC) rather than data protection law.
- The issue raised involves potential criminal activity, such as harassment, which is for the police to investigate, not us.
- An employee was dismissed from their job, but they think that the whole disciplinary process was flawed and want to challenge it. The matter relates to workplace rights under employment law, which falls outside the regulator’s jurisdiction.
- A complainant made a premature complaint to us before allowing the controller the full statutory period in which to respond to their subject access request.
Frivolous
- A complaint is considered frivolous when it is trivial, lacking in seriousness, or clearly does not warrant the time and resources required for formal consideration. This might include matters raised solely on minor technicalities with no meaningful impact, where the issue has been completely dealt with by the controller, or complaints that do not relate to any legitimate regulatory concern. Such complaints often have little or no prospect of resulting in a finding or action, even if investigated.
Examples
- A person complains to us because a café’s Wi-Fi login page uses a light grey font that they find hard to read, alleging it is a “data breach”. On review, we find no breach of the DPJL 2018 and no actual misuse or exposure of personal data. The matter is trivial and not a legitimate regulatory concern.
- Two neighbours are in a dispute and complaining that the other is moving their bins. Both of them have put up CCTV cameras on the outside of the house covering their bins but both think that the cameras are looking beyond their boundary into the other’s property (i.e. they’re not processing for a purely domestic activity anymore). Neither has any evidence of this and there’s been no harm to either party. This matter is trivial and not a legitimate regulatory concern.
Vexatious
- A vexatious complaint is one that is brought with the intention of causing disruption, inconvenience, or harm rather than genuinely seeking resolution. These may include allegations made maliciously, repeatedly raising issues already addressed, or using inflammatory and abusive language to pressure the regulator into investigating. The underlying motive is often to harass or burden the organisation or individual rather than to resolve a legitimate concern.
Example
- An individual repeatedly files complaints against their former employer, each time making slightly different allegations, despite multiple investigations finding no breach. Their communications include threats to “destroy the company’s reputation” and “take matters to the press” unless management “pays up”. They have told the former employer that if they do “pay up” that they will withdraw their complaint to us. This shows that the primary motive is to harass rather than resolve a genuine data protection issue.
Unnecessarily repetitive
- A complaint is unnecessarily repetitive when it re-raises the same issue that has already been properly considered and concluded, without presenting any new evidence or information. While complainants are entitled to challenge decisions through the proper appeal channels, repeatedly submitting the same complaint outside those processes can divert resources from handling new, substantive matters.
Example
- A complainant submits the same complaint three times in six months that their name was misspelled in a marketing email, even though we have already investigated, confirmed the organisation corrected the error, and closed the matter. No new evidence or information is provided with each resubmission.
Otherwise excessive
- A complaint may be classified as otherwise excessive when its scope, volume, or frequency is unreasonable in the circumstances, even if it is not frivolous, vexatious, or repetitive. This could involve submitting an unmanageable number of separate but related complaints in a short period or providing unnecessarily large volumes of irrelevant material that significantly burden the investigation process. The focus is on proportionality — ensuring the process remains fair and workable for both the regulator and the complainant.
Example
- A complainant contacts us about a bank statement that was sent to their old address one day after they had updated their contact details. Whilst this was a minor technical breach of the DPJL 2018, the bank identified the error, contacted the customer, and implemented corrective measures within 24 hours. Despite this, the complainant submits dozens of follow-up complaints over several months, demanding repeated investigations into the same incident. Given the trivial nature of the breach, the swift remedial action, and the disproportionate persistence, the matter is considered otherwise excessive and not a good use of our resources to carry out a full investigation.
- A complainant was cc’d rather than bcc’d into an email in error, could not show that any harm was directly caused by this or that the email address was misused, and the controller had already taken appropriate steps upon becoming aware of the breach.
Inquiries
Art.21 of the DPAJL 2018 says that we can, on our own initiative, carry out an inquiry into how the DPJL 2018 is being applied. This may involve examining whether a controller or processor has breached the Law, or whether any planned processing, action, or omission by a controller or processor is likely to breach it.
We can start an inquiry based on information or a request from any person (including provided to us on an anonymous basis), or on any other grounds, and it can be conducted alongside, in addition to, or separately from an investigation under Art.20.
How do we decide who to investigate?
- If we consider that you have failed (or are failing or will fail) to comply with data protection law, we have the power to take enforcement action against you. This may require you to bring your processing operations into compliance or we may decide to issue a formal reprimand, or fine you, or any combination of those options.
What are our enforcement powers?
- The DPAJL 2018 has certain sanctions as set out in Art.25(1). These sanctions can be made against a controller or a processor by us when we believe a breach has been made or is likely to be made by a controller or a processor. We are not limited to making just one sanction against a controller or a processor, and the circumstances may be that we decide to issue them all. They are:
- A reprimand
- A warning that the recipient has or is likely to process data in a way which is unlawful
- An order, which will be explained in more detail below.
Reprimand
The DPAJL 2018 does not specify the conditions upon which a reprimand may be issued. A reprimand usually takes the form of a notice included within our formal findings, and may accompany an administrative fine or other formal orders made by us to ensure that the controller or processor meets its compliance obligations under any part of the DPJL 2018 or DPAJL 2018.
A reprimand is a formal written expression of disapproval by us when you breach the DPJL 2018 or DPAJL 2018. Of itself, it does not impose a fine, suspension, or other substantive penalty, but it becomes part of your regulatory record and may be considered in any future compliance or enforcement action. It is not usually a separate document and where issued, it will simply be included as part of our determination.
Warning
- This sanction applies to instances where it appears to us that the intended processing or other act or omission is likely to contravene the DPJL 2018 or DPAJL 2018. Such warnings may be issued by way of a formal notice in advance of any intended processing.
Order
- This refers to a formal notice of enforcement and can order the recipient to do any or all of the following:
- (a) bring specified processing operations into compliance with the DPJL 2018, or take any other specified action required to comply with that Law, in a manner and within a period specified in the order;
- (b) notify a data subject of any personal data breach;
- (c) comply with a request made by the data subject to exercise a data subject right (which may include re-issuing a response to a subject access request previously submitted under Art.28 of the DPJL 2018);
- (d) rectify or erase personal data in accordance with Art.31 or Art.32 of the DPJL 2018;
- (e) restrict or limit the recipient’s processing operations, which may include –
  - temporarily restricting processing operations in accordance with Art.33 of the DPJL 2018,
  - ceasing all processing operations for a specified period or until a specified action is taken, or
  - suspending any transfers of personal data to a recipient in any other jurisdiction; and
- (f) notify persons to whom the personal data has been disclosed of the rectification, erasure or temporary restriction on processing, in accordance with Art.31 to 33 of the DPJL 2018.
Nothing in (d), (e) or (f) above prevents an order being issued by us to comply with a request made by the data subject to exercise a data subject right.
Any order we issue will usually indicate the required deadline by which compliance with the order must be met. We can also revoke or amend an order by giving written notice to the recipient.
Failure to comply with an order, or to comply with it within the specified timeframe, is a criminal offence under Art.25(8) of the DPAJL 2018.
When will a sanction be issued?
- A sanction may be issued by us if we determine that a controller or processor has breached any part of the DPJL 2018 or DPAJL 2018. We will consider many factors before determining a breach and issuing a sanction. These factors may include (but are not limited to) the level of damage or distress suffered, or likely to be suffered by affected data subjects, the number or potential number of data subjects affected, the severity of the breach, the technical and organisational measures in place at the time of the breach, and the steps already taken by the controller or processor to rectify the breach.
Example
- ABC Limited have failed to respond to a subject access request under Art.28 of the DPJL. This is the third time this has happened, and on the first occasion the controller signed a formal undertaking to ensure future compliance. In this case we may make an order instructing the controller to comply with the request by a certain date and to implement a robust policy and procedure for dealing with subject access requests in the future. The order may also instruct the controller to notify the data subject that they have been found to be in breach.
Who can we issue a sanction against?
- We may issue sanctions against a controller or a processor under Art.25(1) of the DPAJL 2018.
What happens before we make a breach determination (including issuing an administrative fine)?
- Art.28 of the DPAJL 2018 says that where we propose to make:
- a breach determination;
- an order under Art.25(3); or
- an order for the payment of an administrative fine,
we must give the person concerned a notice in writing.
- Art.28(2) of the DPAJL 2018 goes on to say that notice must:
- State that we are proposing to make a determination or order (which includes setting out the amount of any administrative fine);
- Set out the terms of and the grounds for the proposed determination (i.e. our reasons for coming to the decision we have);
- State that the person concerned may make written or oral representation to us (in the manner specified in the notice) within 28 days; and
- Give notice of the right of appeal to the Royal Court in the event that we make the proposed determination or order(s).
- We give controllers/processors this notice in a document called a “Proposed Determination”. It is, essentially, our notice of intent in which we set out the background to the matter, our findings (including any reasons why we think you have breached the law) and we also set out the sanctions we are minded to impose. We only need to give this to the controller/processor at this stage and do not provide it to the person who raised the complaint until later in the process.
Making Representations to Us
The purpose of the Proposed Determination is for us to set out our findings and to enable you to make representations to us. This is your opportunity to comment on the facts and views set out by us in the Proposed Determination or to make general remarks on the case and provide documents or other relevant information, such as details of your finances. You should also tell us if there is any confidential or commercially sensitive information that should be redacted from any information we may decide to publish in due course, including in our Final Determination.
We must consider any representations made in response to the Proposed Determination before making our final decision, which we set out in a document called a “Final Determination”. The Final Determination is usually in substantially the same format as the Proposed Determination and will usually be sent in full to both parties.
Administrative Fines
Our objective in imposing an administrative fine is to promote compliance with the DPJL 2018 and DPAJL 2018 and such must be sufficiently effective to act both as a sanction and as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others.
The amount of the administrative fine depends on the nature of the breach. In respect of any matters set out in Art.26(1)(a)-(b) of the DPAJL 2018, the administrative fine must not exceed £5,000,000 and for the matters specified in Art.26(1), must not exceed £10,000,000. Art.27(2) of the DPAJL 2018 also sets out that “An administrative fine must not exceed £300,000 or 10% of the person’s total global annual turnover or total gross income in the preceding financial year, whatever is the higher.”
When deciding the level of administrative fine, we will take into account the factors set out at Art.26(2) of the DPAJL 2018 including the nature, gravity and duration of the breach, the effect of the breach on the data subjects, and previous contraventions and the degree of your cooperation with us.
Where we intend to issue an administrative fine, we set this out in our Proposed Determination and (unless exceptional circumstances apply) you will have the usual 28 days (beginning on the date of the notice) within which you can make written representations to us. If you do not agree with the level of the fine proposed, you need to be able to explain to us why. This might include giving us information about your ability to pay (your financial circumstances might have changed) or why you might need more time.
Who is eligible for a fine?
Art.26(11) of the DPAJL 2018 refers to “person concerned” which is defined as meaning “the controller or processor against whom an administrative fine is ordered”. Any controller or processor will fall within this definition, including those who are not registered with us.
The power to impose an administrative fine is part of our overall regulatory regime, which includes the power to conduct an inquiry under Art.21 of the DPAJL 2018 and, following any breach determination, to issue a reprimand, a warning or any other order under Art.25(3) of the DPAJL 2018, including restricting, limiting or ceasing (for a specified period or until specified action is taken) a controller’s or processor’s processing operations, or suspending any transfers of personal data to a recipient in any other jurisdiction.
The proceeds raised from an administrative fine are not kept by us (or the Commissioner). We have to pay them to the Government of Jersey, and they form part of the annual income of the States (Art.26(10) of the DPAJL 2018).
The power to impose administrative fines applies to any controller or processor in the private, public and not for profit sectors. They will not be imposed on an employee who was acting on the instructions of the employer.
As a general rule, a person with substantial financial resources is more likely to attract a higher monetary penalty than a person with limited resources for a similar contravention of the DPJL.
Level of fines
- As noted in our Regulatory Action & Enforcement Policy, our underlying objective in imposing administrative fines is to promote compliance with the DPJL 2018. Such must be sufficiently effective to act both as a sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others. We will seek to ensure that the imposition of a monetary penalty is appropriate and the amount of that penalty is reasonable and proportionate, given the facts of the case and the underlying objective in imposing the administrative fine.
Factors we will take into account when deciding whether to issue an administrative fine
- In deciding whether it is appropriate to impose an administrative fine and in determining the amount of such, we will take full account of the specific facts and the circumstances of the contravention and of any representations made. Art.26(2)(a)-(k) of the DPAJL 2018 says that when deciding whether or not to issue an administrative fine (and, if so, the amount) we must have regard to the following matters:
- The nature, gravity and duration of the contravention of the DPJL 2018, taking into account the nature, scope and purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- Whether the contravention was intentional or negligent;
- Any action taken by the person concerned to mitigate the loss, damage or distress suffered by data subjects;
- The degree of responsibility of the person concerned taking into account technical and organisational measures implemented by the person concerned;
- Any relevant previous contraventions;
- The degree of cooperation with us, in order to remedy the breaches and mitigate the possible adverse effects of the contraventions;
- The categories of personal data affected by the contravention;
- The manner in which the contravention became known to us, in particular whether, and if so to what extent, the person concerned notified the contravention to us;
- Where we have previously made an order against the person concerned following a breach determination with regard to the same subject matter, compliance with any measures required to be taken by the order;
- Compliance (or not) with any code or evidence of certification in respect of the processing concerned;
- Any other aggravating or mitigating factor applicable to the circumstances of the case (i.e. financial benefits gained, or losses avoided, directly or indirectly from the contravention).
The nature, gravity and duration of the contravention
- Almost all of the obligations of controllers and processors are categorised according to their nature in the provisions of Art.26(1)(a)-(d) of the DPAJL 2018. By setting two different maximum amounts of administrative fine, the Law clearly indicates that a breach of certain provisions of the DPJL 2018 may be more serious than a breach of others. This means that:
- Breaches of core data protection principles (such as lawfulness, fairness, transparency, data minimisation, or integrity and confidentiality) will usually be treated as more serious than failures of administrative detail.
- The impact of the breach on data subjects, including the number of people affected and the severity of any harm, will increase its gravity. Harm may be physical, material or non-material, e.g. physical or psychological harm, economic or financial harm, discrimination, reputational harm or loss of dignity, and we will ask affected individuals to provide us with impact statements and additional evidence of such stated harms where appropriate.
- The duration of the breach also matters: a one-off, short-lived error may attract a lower sanction than an ongoing failure over many months or years.
- The more serious the breach and the longer it goes on for, the more likely it is that any administrative fine will be higher.
Examples
- A parish authority accidentally sends one email newsletter where the recipients’ addresses are placed in the “To” field instead of “Bcc.” This is a one-off error, quickly acknowledged, and corrective measures are put in place. While a breach has occurred, its nature and duration make it less serious, and the Authority may resolve it with a reprimand rather than a fine.
- By contrast, a financial services firm is repeatedly told by its IT team that it is running outdated software which is no longer supported and has known security vulnerabilities. Management refuses to approve an upgrade due to cost. Over time, attackers exploit these flaws, exposing thousands of client records in multiple incidents. Because this breach involves a core security obligation, continued failures over a long period, and known risks that were ignored, it is grave in nature. In such circumstances, a substantial fine is more likely.
Intentional or negligent
We will consider whether the infringement was intentional or negligent as part of the assessment of seriousness. The Guidelines on the application and setting of administrative fines produced by the then Article 29 Working Party (since endorsed by the European Data Protection Board) note that “In general, “intent” includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas “unintentional” means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law”. We agree with this statement.
In general, if an infringement is committed intentionally we will likely consider the infringement to be particularly serious. Intentional infringements will include those things done by a controller or processor where it deliberately continued with certain conduct or was indifferent about whether such infringed the law i.e. it wilfully ignored known risks of its conduct infringing the law. This would also include circumstances where certain conduct was actively sanctioned, or where processing was carried out in any event and despite it having been made aware of the relevant risks (including by any internal DPO).
Similarly, we also agree with the statement that “intentional breaches, demonstrating contempt for the provisions of the law, are more severe than unintentional ones and therefore may be more likely to warrant the application of an administrative fine. The relevant conclusions about wilfulness or negligence will be drawn on the basis of identifying objective elements of conduct gathered from the facts of the case… Other circumstances, such as failure to read and abide by existing policies, human error, failure to check for personal data in information published, failure to apply technical updates in a timely manner, failure to adopt policies (rather than simply failure to apply them) may be indicative of negligence.” In assessing negligence we will take into account all relevant evidence about whether the controller or processor breached the duty of care required by law. This could include things like:
- Failing to adopt policies aimed at ensuring compliance with data protection law
- Failing to adhere to/abide by any policies in place
- Failing to provide appropriate training to individuals handling personal data (including such not being appropriate for a particular role)
- Failing to ensure any technical systems remain up-to-date and fit for purpose (e.g. relying on software that is no longer supported or not applying patches/fixes in a timely manner)
Examples
- The managing director of a Jersey trust company is told by their IT manager that the business is using outdated software that is no longer supported and is therefore vulnerable to attack. The IT manager recommends upgrading to a secure, supported system. The director refuses to approve the purchase because of cost, despite knowing about the risk. Soon after, the company suffers another personal data breach through the same flaw. This repeated failure to act on clear advice shows a disregard for data protection obligations and could result in a significant fine.
- A St Helier retailer sends regular marketing emails to its customers. Several customers use the unsubscribe function and ask for their details to be removed from the mailing list. Instead of removing them, the retailer keeps their details and emails them again to ask if they want to “opt back in”. By continuing to use personal information against clear instructions, the retailer has failed to respect data subjects’ rights and could be fined for unlawful processing.
Action taken to mitigate the loss, damage or distress
- The steps an organisation takes after discovering a breach will be extremely important in determining the type of penalty imposed, and an organisation is obliged to take whatever steps are necessary to reduce the consequences of the breach for the individuals concerned. We will take responsible behaviour into account when deciding what sanction is appropriate and the level of any administrative fine, and we will look closely at what the organisation did to reduce the impact on affected individuals. Controllers and processors are under an obligation to take all necessary steps to limit loss, damage or distress. Responsible actions might include:
- Quickly containing the breach (e.g. closing off unauthorised access or recalling mis-sent communications).
- Notifying affected individuals promptly and explaining the risks.
- Providing support, such as credit monitoring, helplines, or identity protection services.
- Cooperating fully with the Authority, being transparent about what happened, and demonstrating lessons learned.
- An organisation that takes swift and effective remedial action will generally face a lower sanction than one that delays, minimises the issue, or fails to help affected individuals.
The degree of responsibility of the controller or processor
- When assessing the degree of responsibility, the Authority will look at whether the organisation had appropriate and effective controls in place, and whether those controls were actually applied in day-to-day practice. This includes:
- Technical measures – such as up-to-date software, access controls, encryption, firewalls, and system monitoring.
- Organisational measures – such as staff training, clear lines of accountability, and oversight of data handling.
- Security measures – both physical (e.g. secure storage, restricted access to offices) and digital (e.g. secure passwords, multi-factor authentication).
- Policies and procedures – whether the organisation has them, whether they follow recognised industry standards or best practice, and whether they are actively followed in practice rather than existing only on paper.
- An organisation that can demonstrate it adopted and applied recognised best practice/industry standards (and kept those measures under review) will generally be seen as less responsible for a breach than one that ignored clear risks or failed to implement basic safeguards.
Any previous contraventions?
- The track record of an organisation will be assessed when considering an appropriate sanction. We will consider whether or not the organisation has committed an identical or substantially similar contravention previously. Repeat offenders should expect a more severe sanction than a first-time offender.
Examples
- A financial services business in St Helier receives several subject access requests from clients who want to see the personal information held about them. The law gives the business a set time to respond, but the business repeatedly fails to reply. The Authority had previously investigated the same issue and, at that time, gave the business a reprimand and formal orders to improve its compliance. The business produced new written policies and procedures to satisfy the Authority that improvements had been made. However, when new requests were received, it became clear that those improvements had not been put into practice. Clients were still being ignored, and the same breaches continued. This shows that the business failed to translate policy into real compliance. Repeated non-compliance after previous enforcement action could lead the Authority to impose a fine.
Categories of the personal data affected
- When deciding how serious a breach is, we will look closely at the type of personal data involved and the risks it creates for individuals. The more sensitive, identifiable, harmful or unprotected the data is, the more seriously we will treat the breach, and the stronger the enforcement action is likely to be. For example:
- Special category data (like health records, racial or ethnic background, political opinions, or biometric data) is more sensitive. If a breach involves this type of data, it is more likely to attract stronger enforcement.
- Directly identifiable data (like names, addresses, phone numbers, social security numbers) can immediately reveal who someone is. If this data is exposed, the risk of harm is higher than if the data was fully anonymised.
- Potential for harm is considered. Would the breach cause embarrassment, financial loss, identity theft, discrimination, or other distress? The more likely or serious the harm, the more severe the sanction may be.
- Level of protection matters. If the personal data was encrypted, anonymised, or otherwise secured, the risk to individuals may be lower — and the sanction may be less severe. But if the data was stored or shared without basic protections, that will weigh against the organisation.
Variation of administrative fine
- Art.26(5) of the DPAJL 2018 says that we may (of our own motion or on the application of the person concerned):
- Vary the amount of fine; or
- Vary the number, amounts and times of the instalments by which the fine is to be paid.
Proportionality in Enforcement
We apply all enforcement measures in a targeted and proportionate manner.
This means the type and scale of action we take will always be tailored to the nature and seriousness of the breach. In practice, this means:
- Minor or isolated breaches that cause little or no harm may result in advice, guidance, a reprimand or no further action.
- Repeated, systemic, or serious breaches — particularly where data subjects have suffered harm or been placed at significant risk — are more likely to result in stronger sanctions such as orders or administrative fines.
- The choice of sanction will also take into account the organisation’s level of cooperation, any remedial steps already taken, and the overall impact on affected individuals.
Any administrative fine must be sufficiently meaningful to act both as a sanction and as a deterrent, preventing non-compliance of similar seriousness in the future by the contravening organisation and by others. We will seek to ensure that the imposition of an administrative fine is appropriate and that the amount of the penalty is reasonable and proportionate, given the particular facts of the case and the underlying objective in imposing it.
Our overarching aim is to restore compliance and change organisational behaviour to prevent future harm, not to punish disproportionately.
Right of Appeal
- A controller or processor affected by any determination or order of the Authority (including the making of an order for payment of an administrative fine) may appeal to the Royal Court, in accordance with Art.32 of the DPAJL 2018 on the grounds that “in all the circumstances of the case the decision was not reasonable”.
Public statements
Following the issuing of an administrative fine, and “Where the Authority considers that because of the gravity of the matter or other exceptional circumstances, it would be in the public interest to do so” we may issue a public statement about any aspect of the issuing of the administrative fine, including the circumstances that gave rise to it (Art.14 of the DPAJL 2018). As noted in our Regulatory Action and Enforcement Policy, our main objectives in issuing a public statement are to educate organisations and the general public, to act as a deterrent to other organisations, and to raise general levels of compliance with the DPJL 2018 and DPAJL 2018.
Such a statement may include:
- Details of any personal data breach;
- Information describing or identifying any data subject whose personal data is or has been the subject of a personal data breach;
- Information as to the nature and the progress of any complaint, investigation or inquiry; or
- The outcome of any complaint, investigation or inquiry.
- Before issuing a public statement, we must:
- Consult any individual whose personal data would be made public by that public statement, or who is otherwise likely to be identifiable from the statement; and
- Give written notice of the contents of the statement to any controller and any processor that is likely to be identifiable from the statement.
Criminal Offences and Civil Remedies
The DPJL 2018 gives data subjects rights to bring complaints and seek judicial remedies and it also brings forward certain criminal offences. Similarly, the DPAJL 2018 places certain other obligations on controllers and processors and also brings forward criminal offences in certain circumstances.
The offences the DPJL 2018 brings forward are:
- Unlawfully obtaining personal data (Art.71 of the DPJL 2018);
- Requiring a person to produce certain records (Art.72 of the DPJL 2018);
- Providing false information to us (Art.73 of the DPJL 2018); and
- Obstructing us in the course of our duties (Art.74 of the DPJL 2018).
Under the DPJL 2018, most of the offences are punishable by fine, but offences under Art.72 and Art.73 of the DPJL 2018 also attract a maximum prison sentence of two (2) years.
The offences the DPAJL 2018 brings forward are:
- Failing to register with us as a controller or processor (Art.17(6) of the DPAJL 2018);
- Failing to comply with an order made by us following a breach determination (Art.25(8) of the DPAJL 2018).
Under the DPAJL 2018, the above offences are punishable by fine.
Individuals also have a number of civil remedies available to them under both the DPJL 2018 and DPAJL 2018 namely:
- the right to lodge a complaint with us where their data has been processed or is to be processed in a way that does not comply with the DPJL 2018 (Art.19 DPAJL 2018);
- the right to bring civil proceedings against controllers in the Royal Court (Art.68 DPJL 2018); and
- the right to compensation from a relevant controller or processor for loss, damage or distress resulting from infringement of the DPJL 2018 (Art.69 DPJL 2018).
Who can bring criminal proceedings?
- Proceedings for criminal offences under the DPJL 2018 and DPAJL 2018 can only be commenced by Her Majesty’s Attorney General. Neither we (the JDPA) nor the Commissioner can bring prosecutions personally as a matter of Jersey law.
Who can bring civil proceedings?
- A data subject can bring proceedings personally (see Art.68(1) of the DPJL 2018) and there is also provision for a data subject to be represented by a “data protection organization” (this meaning any non-profit organisation properly constituted in accordance with relevant law that has objectives in the public interest and is active in the field of the protection of data subject rights).
In which Court can proceedings be brought?
Generally speaking, the seriousness of the criminal offence will determine whether such offences are dealt with in the Magistrate’s Court or the Royal Court. The maximum penalty that may be imposed by the Magistrate’s Court is 12 months’ imprisonment and/or a fine of up to £10,000 (ten thousand pounds Sterling). The Royal Court has no upper limit either in terms of fine or prison sentence.
On conviction of an offender, the Court may order any data apparently connected with the crime to be forfeited, destroyed or erased.
In respect of civil proceedings, these need to be brought in the Royal Court (see Art.68 of the DPJL 2018).
Criminal offences under the DPJL 2018
Unlawfully obtaining personal data (Art.71)
- Under Art.71 of the DPJL 2018, it is an offence for a person, knowingly or recklessly, without the consent of the controller to:
- obtain or disclose personal data or the information contained in the personal data; or
- procure the disclosure to another person of the information contained in the personal data.
- Art.71(3) of the DPJL 2018 provides specific exemptions to liability for this offence where the person can show:
- That the obtaining, disclosing or procuring:
- was necessary to prevent or detect crime; or
- was required or authorised by any enactment, rule of law or by order of the Court,
- That he acted in the reasonable belief that he had the legal right to obtain, disclose or procure the disclosure;
- That he acted in the reasonable belief that the controller would have consented to their obtaining, disclosing or procuring the data if the controller had known; or
- That in the circumstances, the obtaining, disclosing or procuring was in the public interest.
A person will not be guilty of this offence if the personal data in question falls within the national security exemption at Art.41.
It should be noted that an offence under this section cannot be committed by a controller in respect of data of which he is the controller. However, a controller who discloses personal data of which he is the controller may breach Art.8(1)(a) of the DPJL 2018 if the disclosure is unfair or unlawful (and thus disclosed in breach of the data protection principles).
Where employees of a controller have authority to obtain and disclose personal data in the course of their employment (i.e. police or civilian officers who have access to certain databases for policing purposes or employees who need to deal with personal data as part of their usual role), they will commit these offences if they use their position to obtain, disclose or procure disclosure of personal data for their own purposes.
Examples
- Jane Doe, a former nursing auxiliary, was fined for accessing the medical records of a patient who was also her neighbour without a valid legal reason. She worked at the hospital and unlawfully accessed those records when she had no legitimate reason for doing so.
- John Doe, who at the time worked for the Government of Jersey, emailed personal data relating to 349 individuals, which included special category data of service users of the Adult Social Care Department, to his personal email address without his employer, the data controller’s, consent.
- A person found guilty of an offence under this article is liable to a fine (Art.75(1)).
Requiring a person to produce certain records (Art.72)
- The offence created under Art.72 of the DPJL 2018 is commonly known as “enforced subject access”. Unless one of the statutory exceptions applies, it is an offence for a person to require another person or a third party to supply or produce a relevant record in connection with:
- the recruitment of that other person as an employee (Art.72(1)(a));
- the continued employment of that person (Art.72(1)(b));
- any contract for the provision of services to him by that person (Art.72(1)(c)); or
- where a person is concerned with providing (for payment or not) goods, facilities or services to the public or a section of the public, as a condition of providing or offering to provide any goods, facilities or services to that other person (Art.72(2)).
- This is because subject access rights are designed to help individuals understand and control their own personal information — not to be used as a screening tool by employers, landlords, insurers, or service providers. Organisations that need to check criminal records must use the proper legal channels (such as disclosure checks authorised by law), not force individuals to obtain this information themselves. The following examples show how this rule works in practice.
Examples
- A café in St Helier advertises for a barista. When Sam applies, the manager says Sam must first provide a copy of their full criminal record. The manager tells Sam to make a subject access request to the States of Jersey Police and then hand over the results before they will be considered for the job. Requiring an applicant to obtain and share their criminal record in this way is likely to be an offence under Art.72(1)(a) DPJL 2018.
- A property owner hires a small local builder to carry out home renovations. Before agreeing the contract, the property owner asks the builder to prove whether they have ever been in prison. They insist the builder makes a subject access request to the Prison Service and hand over the results. This requirement is likely to be an offence under Art.72(1)(c) DPJL 2018.
- An individual applies to a Jersey insurer for home insurance. The insurer agrees to provide cover, but only if the applicant makes a subject access request for their criminal record and supplies the results. Making insurance conditional on this type of request is likely to be an offence under Art.72(2) DPJL 2018.
- A landlord in Jersey advertises a flat to rent. When Alex applies, the landlord says they will only sign the lease if Alex makes a subject access request to the States of Jersey Police for their criminal record and provides the results. Requiring a prospective tenant to obtain and share their criminal record in this way is likely to be an offence under Art.72(1)(b) DPJL 2018.
The term “relevant record” is defined in Art.72(6) of the DPJL 2018 by reference to a table which lists certain data controllers and the subject-matter of subject access requests that may be made to them by data subjects. Generally, the term relates to records of cautions, criminal convictions and to certain social security records relating to the data subject. Enforced subject access will accordingly typically occur where a person wishes to see another individual’s criminal record but chooses not to use the established lawful system (i.e. through the criminal records disclosure regime). The Rehabilitation of Offenders (Exceptions) (Jersey) Regulations 2002 lists the types of work, employment or professions for which an organisation can legally obtain a DBS check, and the States of Jersey Police have more information about disclosure and vetting services on their website.
An individual providing the results of a subject access request rather than using the appropriate channel set out above, runs the risk of greater, and sometimes excessive disclosure. This is because a subject access request requires all personal information to be disclosed (subject to some exemptions) and does not distinguish between spent and unspent convictions. Making this type of request is a right set out in the DPJL 2018, but there is a distinction between someone doing so of their own volition and somebody being forced to make such a request by someone else.
It is the act of “requiring” an individual to make a subject access request that is the offence. The requirement is enough and is not dependent on the withdrawal of the offer of employment or the provision of goods, facilities or services. Suggesting that it would be cheaper for an individual to make a subject access request (free) than to go through an appropriate criminal record check, and thus encouraging or incentivising the data subject to use their subject access rights to obtain the information, would be sufficient to constitute a requirement.
Art.72(3) of the DPJL 2018 explains that it will not be a criminal offence for a person to request an individual to make a subject access request for their personal data if:
- the imposition of the requirement was required or authorised by or under any enactment, rule of law or by order of a court (Art.72(3)(a)); or
- in the particular circumstances the imposition of the requirement was justified as being in the public interest (Art.72(3)(b)).
In respect of the latter exemption, given the importance of subject access as a core right within the DPJL 2018, there will need to be an extremely strong justification for enforced subject access to be justified as being in the public interest, supported by clear, specific and convincing evidence. This may be difficult to achieve as there is already clear public policy and laws relating to criminal record checking and rehabilitation and the availability of such information.
A person found guilty of an offence under this article is liable to a fine of level 3 on the standard scale (Art.72(4)). (Level 3 on the Criminal Justice (Standard Scale of Fines) (Jersey) Law 1993 is £10,000.)
False information (Art.73)
Under Art.73 of the DPJL 2018, it is an offence for a person to either knowingly or recklessly provide the Authority (or any other person entitled to information under the DPJL 2018, DPAJL 2018 or any Regulations made thereunder) with information that is false or misleading in a material way.
“Information” means that which has been provided in connection with an application under the DPJL 2018 or DPAJL 2018 (Art.73(2)(a)), or in purported compliance with a requirement under the DPJL 2018 and/or DPAJL 2018 and/or any Regulations or in circumstances in which the person
Examples
- A local company applies to register as a data controller. In the application form, the company knowingly states that it only processes customer contact details, when in fact it also collects and processes sensitive health information (special category data) as part of its services. The company does this deliberately to avoid paying the higher registration fee and to reduce scrutiny of its processing activities.
- An organisation suffers a data breach when customer records are accidentally emailed to the wrong recipient. When we investigate, the organisation deliberately tells us that only 10 records were involved, even though they know the true number is over 1,000. They do this to minimise the seriousness of the breach and avoid regulatory action.
- A local business experiences a cyber incident and rushes to submit a breach notification to us. In the report, they state that no financial information was affected. However, they never properly checked their system logs or verified the extent of the breach before submitting the form. It later becomes clear that hundreds of customers’ credit card details were exposed. Even though the business did not set out to lie, their reckless failure to check the facts meant they provided misleading information in a material way.
- Whether false information is given deliberately or provided recklessly without proper checks, the effect is the same: it misleads us and undermines regulation. Both types of behaviour are treated very seriously by us and may result in our referring the matter to the Attorney General for prosecution. Where a person is found guilty of an offence under this article, they may be liable to imprisonment for a term of two years and to a fine.
Obstruction (Art.74)
- Under Art.74 of the DPJL 2018, a person must not:
- intentionally obstruct or impede;
- interfere with, cause or knowingly permit to be interfered with anything done by;
- fail to give assistance or information that is reasonably required;
- fail to produce a record when required to do so;
- fail to cooperate with the exercise of any power under Sched.1 of the DPAJL 2018 by the Authority or any person acting in the execution or enforcement of the DPJL 2018 or DPAJL 2018.
- In practice, Art.74 requires controllers and processors to cooperate fully with us during investigations, inquiries, audits, or enforcement. This means providing timely and accurate information, producing records when requested, giving reasonable assistance (for example from relevant staff), and giving us lawful access to premises or systems. Organisations must not obstruct, delay, interfere with, or conceal evidence, as failure to cooperate may itself amount to an offence.
Examples
- During an on-site inspection, staff at a company deliberately block our officers from entering the server room where personal data is stored, even though access has been lawfully requested.
- An IT manager learns that we have issued an enforcement order requiring that the company’s systems must be preserved for review. Instead of complying, the IT manager instructs staff to delete certain files and emails, and knowingly allows backups to be overwritten, to prevent us from accessing evidence we need for our investigation.
- As part of an investigation, we ask a social club to explain how it obtained members’ contact details for a marketing campaign. The club committee refuses to provide any explanation or supporting documents, despite repeated requests, and without any lawful reason.
- We formally require a finance business to give us a copy of its data retention policy and logs of subject access requests. The business refuses to hand over the records, even though they are readily available, in order to avoid scrutiny.
- We lawfully exercise our powers to carry out an audit of an online retailer. The retailer refuses to allow access to its systems or staff, ignores formal information notices, and fails to respond within the deadlines set.
- A person found guilty of an offence in respect of Art.74(a) or (b) above is liable to imprisonment for a term of two years and to a fine. In all other cases (Art.74 (c) – (e)), a person found guilty of an offence is liable to a fine.
Personal liability where the data controller is a company or corporate body
- If a company or other organisation commits a criminal offence under the DPJL 2018 (specifically in respect of Arts.71 and 74), any director, manager, secretary or similar officer or someone purporting to act in such capacity is personally guilty of an offence in addition to the corporate body if:
- The offence was committed with his/her consent or connivance; or
- The offence is attributable to any neglect on his/her part (see Art.75(2) of the DPJL 2018).
Criminal Offences under the DPAJL 2018
Registration of controllers and processors (Art.17(1))
- It is an offence for a controller or processor to process personal data without registration (which includes not paying the applicable fee). An offence under this article is punishable by way of a fine.
Failing to comply with an order made by the Authority following a breach determination (Art.25(8))
- If we make a breach determination against a controller or processor and also make an order(s) under Art.25(3)(a)-(f) of the DPAJL 2018, the recipient commits an offence if they fail to comply with the order within any time frame specified for its compliance. An offence under this article is punishable by way of a fine.
Personal liability where the data controller is a company or corporate body
- If the above offences are committed with the consent or connivance of:
- A person who is a partner of a limited liability partnership (LLP), or director, manager, secretary or other similar officer;
- In the case of any other partnership, a partner;
- In the case of any other unincorporated body, any officer of that body who is bound to fulfil any duty of which the offence is a breach or, if there is no such officer, any member of the committee or other similar governing body; or
- Any person purporting to act in any capacity described above
then such person is also guilty of the offence and liable in the same manner as the relevant body to the penalty provided for that offence.
Aiding and abetting
- A person who aids, abets, counsels or procures the commission of an offence under the DPAJL 2018 is also guilty of an offence and liable in the same manner as the principal offender.
Civil Remedies for Data Subjects
- Art.68 of the DPJL 2018 says that an individual who suffers loss, damage or distress as a result of any contravention of the transparency and subject rights provisions may bring proceedings against the controller responsible for the contravention in the Royal Court and is entitled to compensation under Art.69(1). Art.1(1) of the DPJL 2018 defines “transparency and subject rights provisions” as follows:
“(a) the first data protection principle set out in Article 8(1)(a), to the extent that it requires data to be processed transparently; (b) the provisions as to information to be provided to a data subject under Article 12; and (c) the rights of data subjects set out in Part 6.”
Under Part 6 of the DPJL 2018, data subjects are entitled (subject to certain exceptions):
- to receive certain minimum information from the controller about the processing of their data and a copy of the data itself (the right of access);
- to have rectified any inaccurate data concerning him or her or to have incomplete personal data completed (the right of rectification);
- to have their personal data erased without undue delay under certain circumstances (the right of erasure, sometimes also known as the “right to be forgotten”);
- to obtain from the controller a restriction of processing where specific circumstances apply;
- to receive from the controller certain data in a structured, commonly used and machine-readable format (the right to data portability);
- to object to processing in certain circumstances; and
- not to be subject to a decision based solely on automated processing when it has a legal effect or other significant effect on the data subject.
All applications for compensation must be made to the Royal Court of Jersey; we have no power to award compensation (even if, for example, we have made an assessment that it is likely that the processing has not or is not being carried out in compliance with the provisions of the DPJL 2018).
A controller or processor who proves that they are not responsible for the event giving rise to the loss, damage or distress is exempt from any liability to pay.
How much will the Royal Court award if a claim for compensation is successful?
- There are no guidelines as to appropriate levels of compensation for a claim under the DPJL 2018, and it is difficult to predict the Royal Court’s approach until such cases have come before the Court for determination. The judge and jurats hearing the case have discretion in such matters and will take into account many factors when considering the appropriate level of compensation, likely including the seriousness of the breach and its actual impact upon the data subject.
Who will pay the compensation?
Controllers are liable only for loss, damage or distress caused by processing which is not in compliance with the DPJL 2018.
Processors are only liable for damage caused by any processing in breach of obligations specifically imposed on processors by the DPJL 2018 (Art.69(3)(a)) or caused by processing that is outside or contrary to lawful instructions of the controller (Art.69(3)(b)).
Where more than one controller or processor is involved in the same processing that caused the loss, damage or distress, each controller and processor is jointly and severally liable for the loss, damage and distress (Art.69(4)). However, a controller or processor that pays out compensation is entitled to reimbursement from another controller or processor involved in the same processing for the part of the compensation that corresponds to that other controller or processor’s responsibility for the loss, damage or distress.
What other civil powers does the Royal Court have?
- The Royal Court may also make such other orders as it considers appropriate in the circumstances of the case including:
- the granting of an injunction (including an interim injunction) to restrain any actual or anticipated contravention;
- making a declaration that the controller is responsible for the contravention or that a particular act, omission or course of conduct on the part of the controller would result in a contravention; and
- requiring the controller to give effect to the transparency and subject rights provisions.