Individual Rights – what they are, how to exercise them and how to manage them

  1. This document provides guidance on individuals’ rights under the Data Protection (Jersey) Law 2018 (DPJL 2018). It sets out:
  • What the rights are
  • How individuals can exercise them
  • How data controllers/processors need to deal with them
  2. Our guidance is split into three (3) sections:
  • General Overview. This sets out what the guidance is about.
  • Easy Read Information. This part of our guidance is written for members of the public about their rights, but is also useful for those new to data protection.
  • Technical guidance.

  1. This part of the guidance is split into two parts – a section for individuals on how to exercise their rights and a section for data controllers on their obligations (in easy read format).
Individuals - What are my rights?
  1. You have several rights under the law. Most of these are set out in Part 6 of the DPJL 2018. The rights are:
  1. Right to be informed (Art.12)
  2. Right to subject access (Art.28)
  3. Right to rectification (Art.31)
  4. Right to erasure (Art.32)
  5. Right to restriction of processing (Art.33)
  6. Right to data portability (Art.34)
  7. The right to object to processing for the purpose of public functions or legitimate interests (Art.35), for direct marketing purposes (Art.36) and for historical or scientific purposes (Art.37)
  8. Right regarding automated individual decision-making and profiling (Art.38).
Right to be informed
  1. When personal data (like your name, address, or online activity) is collected or used by a Data Controller (e.g. the Government, a company, sole trader or charity etc.), it should be done in a way that is legal, fair, and clear. You should always know when and why your personal data is being collected, how it will be used, and to what extent it will be processed. You should also be told about the risks, rules, and protections related to your personal data, as well as your rights and how to exercise them.

  2. These organisations must be open with you about how they handle your information. This means they must give clear, simple explanations that are easy to access and understand.

  3. This is to make sure you know what’s happening with your personal data and can make informed choices. This is known as the “right to be informed”.

What information needs to be provided?
  1. A Data Controller needs to tell you:
  1. Who they are and how to contact them (and their representative, if they have one).
  2. How to contact their data protection officer (if they have one).
  3. Why they are collecting your data and the legal reason for doing so.
  4. If they are using your data for their own interests or for a third party, what those interests are, and why.
  5. Who else will receive your data, if anyone.
  6. If your data will be sent to another country or international organisation (outside Jersey or the EU/EEA), and if so, whether it will still be properly protected.
  7. How long they will keep your data or how they decide that.
  8. What rights you have over your data, such as asking for it to be deleted or corrected.
  9. If they are using your consent to process your data, how you can withdraw it.
  10. If they are making automated decisions about you, like using AI or algorithms, how they do that and how that might affect you.
  11. Your right to complain to the JOIC if you are concerned about how the Data Controller is dealing with your data.
  12. If they need your data because of a law or a contract, and what happens if you don’t provide it.
  13. Where they got your data from if you didn’t give it to them directly.
  14. Any other important information that affects how your data is used.
How does the information need to be provided?
  1. If the organisation (Data Controller) collects your personal data directly from you, they must give you all the necessary information right away or make it easy for you to find. Many Data Controllers do this by publishing a notice on their website. There is no set name for this, but it’s usually called a “Data Protection Statement” or “Privacy Notice”.

  2. If they collect your data from somewhere else, they must give you this information before a certain deadline, unless they already have the information or there’s a legal reason they don’t have to. The deadline for informing you depends on how your data is being used but this should usually be within 4 weeks of collecting your data. Otherwise:

  1. if they contact you using your data it needs to be before or at the time of the first communication with you;
  2. if they are going to share your data with someone else, before or when they first share it.
  3. If the Data Controller wants to use your data for an entirely new/different purpose (i.e. for something else which you weren’t originally told about) then the Data Controller must provide you with any further relevant information before they start using your data for that new purpose.
Should I always be given this information?
  1. In most cases, organisations must tell you how they’re using your personal data but, there are some situations where they don’t have to, such as:
  • You have already been given the information, and nothing has changed.
  • It’s too difficult or unrealistic to provide the information (for example, if it would take too much time, money, or effort).
  • Telling you would ruin the purpose of using your data (for example, if your data is being used in a criminal investigation, telling you might undermine the process).
What if I have concerns about how my information is being used?
  1. You should raise any concerns with the Data Controller first. You can use this template to help you. They should respond to your concerns within four (4) weeks. If they need longer to consider your concerns, they should let you know why they need more time and when they should be able to respond.

  2. If you are not happy with the response, you can then Raise A Concern with us.

Right to subject access
  1. This right lets you ask an organisation for access to your personal data and for information about how it is being used. It’s called a subject access request, but is sometimes referred to as a 'SAR' or 'DSAR'. We use the term 'DSAR'.

What this right gives you

  1. You have a right to access your personal data, not necessarily a right to receive full copies of documents. Organisations can extract your personal information from records rather than provide whole documents, especially where documents contain other people’s information. You must be given your information in a form you can understand.

Third-party information

  1. You cannot use this right to obtain someone else’s personal information. You will only receive your personal data. Organisations must remove or withhold information that identifies other people, unless:
  • The other person has consented, or
  • It is reasonable to disclose their information without consent.
  2. When deciding what is reasonable, organisations must think about:
  • Whether the other person’s identity would be revealed.
  • Whether the information is confidential.
  • Whether disclosing it could cause harm.
  • Whether you already know who the other person is in context.
  • Whether redaction can protect the other person.
  3. If they cannot safely provide the full document, they may:
  • Redact it,
  • Summarise it, or
  • Extract just the parts containing your data.
How to make a request
  1. You can make a request verbally or in writing. If you make the request verbally we recommend that you follow this up in writing because this will allow you to explain your complaint, give evidence and say what you want as an outcome. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response or raise a concern with us.

  2. We have a template letter you can use, but we suggest you include the following information in your request:

  • A subject line or header that says "subject access request";
  • The date you’re making the request;
  • Your name (and any other names where relevant, e.g. your name before you were married);
  • Your email address, home address and phone number;
  • Customer account numbers, hospital number, employee number, product number or similar information that can help identify you;
  • What personal information you want (be specific about the information you’re asking for, and where relevant say what information you don’t need);
  • Details or dates that will help the organisation find the information you want;
  • The reason you want the information (you don't have to include this but it will help the organisation find what you need); and
  • How you would like to receive the information (e.g. electronically or printed and sent by post) and if you have any accessibility requirements (e.g. large fonts).
  3. When asking for information, be as specific as possible. This may help you to get the fastest possible reply and more useful information back.

  4. You can make a DSAR for someone else if you can prove you have their permission or the lawful authority to act on their behalf. You will need to provide the organisation with a letter of consent from the other person or any other document that shows you have the power to ask for the information (e.g. an Act of Court showing you’re someone’s delegate, or a Power of Attorney).

What you can expect

  1. You can ask for all the information an organisation holds about you. However, this doesn’t mean you will get all the information they have about you, and organisations can refuse to provide you with some or all of the information you’ve asked for. It might also mean you get a lot of information back that you don't need. Sometimes, the organisation is allowed to take longer to send it as well.

  2. Organisations need to provide you with a response within four (4) weeks, unless the request is complex and more time is needed. They need to tell you if they’re going to take longer and must do this before the end of the initial four (4) week timeframe.

  3. In addition to copies of your information, you should also receive information about why your data is used, how long it is kept, and who it is shared with. They should also explain to you if any information cannot be provided.

Right to rectification

Your rights

  • If information about you is factually wrong (for example, an incorrect date of birth, wrong address, or a mistaken entry), the organisation must correct it.
  • If information is incomplete, you can ask for it to be completed — for example, by adding a missing detail or adding a clarifying note.
  • The organisation should take reasonable steps to check the accuracy of the information and consider any evidence you provide.
  • If they decide not to correct the data, they must explain why and record the fact that you challenged it.
  • If the inaccurate data has been shared with others, the organisation should tell those recipients about the correction — unless doing so is impossible or requires disproportionate effort.
  • This right does not require an organisation to remove or change information simply because you disagree with it.

What you can expect

  1. You can ask for a note to be added stating that you dispute the opinion or providing your own version of events. Opinions should be clearly recorded as opinions, not presented as facts and, where appropriate, the record should show whose opinion it is.

  2. Organisations need to provide you with a response within four (4) weeks, unless the request is complex and more time is needed. They need to tell you if they’re going to take longer and must do this before the end of the initial four (4) week timeframe.

  3. The organisation may temporarily restrict the use of your data while they are checking accuracy.

Opinions and subjective information

  1. Not all information can be “corrected” simply because you disagree with it. Some information is based on opinion, judgement or observation, and these are treated differently from factual errors. A professional opinion (such as a medical view, a social worker’s assessment, or a manager’s note) is not automatically “inaccurate” just because you do not accept it, and a colleague’s statement or complaint may reflect their personal view at the time. Even if you strongly disagree, it may still be accurate as a record of what they said or believed at that point in time.

Example

An employee, Sam, makes a rectification request after reading a note written by their line manager during an appraisal. The note says: “Sam often appears disengaged in team meetings and seems reluctant to contribute.” Sam strongly disagrees and asks for the comment to be deleted, arguing that it is “inaccurate” and “unfair”.

In this situation, the comment is a manager’s opinion based on their observations. Even if Sam disagrees, the opinion itself is not “factually incorrect”. It reflects what the manager believed at the time. The organisation does not have to delete or change this comment, as long as: it is clear that it is an opinion, not a factual statement; and the record accurately shows who expressed that opinion.

Sam can ask for a note to be added explaining that they dispute the comment or offering their own explanation, but the original opinion stays, because it is an accurate record of what the manager thought at the time — not a statement of objective fact.

Mistakes and changing circumstances

  1. Sometimes a record accurately reflects what was believed at the time, even if it later turns out to be incorrect. For example, a doctor makes an initial diagnosis that later changes. The record of the incorrect diagnosis should not be deleted because it forms part of your medical history — but the correct diagnosis must be added clearly.

How to make a request

  1. You can make a request verbally or in writing. We have a template letter you can use, but we suggest that you include information in your letter about why the information is incorrect/incomplete and why it requires amending. You should explain why you believe the data is wrong and, where possible, provide evidence. If you make the request verbally we recommend that you follow this up in writing because this will allow you to explain your complaint, give evidence and say what you want as an outcome. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response or raise a concern with us.
Right to erasure
  1. You have the right to ask an organisation to delete your personal data in certain circumstances. This is known as the “right to erasure” or sometimes the “right to be forgotten”. This right is not absolute, which means that in many cases the organisation may need to keep some or all of your data.

Your rights

  1. You can ask an organisation to erase your data if:
  • The organisation no longer needs the data for the purpose it was collected.
  • You previously gave consent and you now withdraw it.
  • You have objected to the processing and there is no overriding reason for the organisation to continue.
  • The data has been used unlawfully.
  • The data was collected from you as a child and you were not able to give valid consent.
  2. If the organisation agrees to erase your data, they should also tell any other organisations they have shared it with — unless this is impossible or requires disproportionate effort. Where the information has been made public (for example, online), the organisation should take reasonable steps to ask others who are processing it to delete copies or links, taking into account available technology and the cost of doing so.

What you can expect

  1. You should receive a response within four (4) weeks, unless the request is complex and the organisation needs more time. If more time is needed, they must tell you before the end of the initial four-week period.

  2. The organisation must explain clearly whether they can erase your data. If they cannot delete it, they must tell you why and explain what will happen next. An organisation may refuse erasure if they need to keep your data for reasons such as:

  • Complying with a legal obligation (for example, tax or employment law).
  • Completing a task carried out in the public interest.
  • Public health or safety reasons.
  • Archiving, research or statistical purposes where deletion would seriously affect the results.
  • Establishing, exercising or defending legal claims.

These are legitimate reasons for them to retain your data, even when you ask for it to be deleted.

Example - Pat, a former employee

  • Pat asks their former employer to delete all information held about them. Pat left the organisation two years ago and wants their entire HR file removed.
  • The organisation reviews the request but explains that while some information can be deleted (such as outdated contact details or internal notes that are no longer needed), other data must be kept. This includes:
    • Payroll and tax records that must be retained by law for a set number of years.
    • Records relating to any grievances, performance processes or incidents that may be needed in case of a future legal claim.
    • Information needed to comply with regulatory requirements.
  • The organisation deletes the information it no longer needs, restricts access to older archived material, and explains clearly why some data cannot be erased. Pat is informed of their right to challenge the decision with the JOIC if they remain unhappy.

How to make a request

  1. You can make a request verbally or in writing. We have a template letter you can use, but we recommend explaining why you believe your data should be deleted and which specific data you want removed.

  2. If you make the request verbally, we recommend following up in writing so you have clear evidence of your request, your reasoning, and what outcome you want. This will also help if you later challenge the organisation’s response or raise a concern with us.

Right to portability
  1. You have the right to ask an organisation to give you certain personal data in a portable, machine-readable format, or to ask them to transfer it directly to another organisation. This is known as the 'right to data portability'.
Your rights
  1. This right only applies to personal data that:
  • You provided to the organisation.
  • Is being processed based on your consent or a contract.
  • Is being processed by automated means (for example, through an online system, app, or digital service - not paper files).
  2. It also includes data the organisation has gathered from monitoring your activities when you have used a device or service such as:
  • Website or search usage history
  • Traffic and location data, or
  • ‘Raw’ data processed by connected objects such as smart meters and wearable devices. An example of this could be data recorded on a fitness app.
  3. You can ask for a copy of your data in a format that is:
  • Structured.
  • Commonly used.
  • Machine-readable (for example, CSV, JSON or XML).
  4. You can also ask the organisation to send your data directly to another organisation, if it is technically possible for them to do so.

  5. The organisation must not refuse simply because they use an unusual system — they should provide the data in the most accessible format they can.

What you can expect

  1. The organisation must respond within four (4) weeks. If the request is complex or they receive a number of requests, they may take more time, but they must tell you before the initial four-week period ends.

  2. You will receive only data that you provided, not data created by the organisation as part of their own analysis, decisions or assessments.

  3. You may not receive all data held about you, and you will not receive data that relates to other people unless they have consented or it is reasonable to provide it without consent (and any identifying information can be safely removed).

Example

Taylor uses a fitness app that tracks steps, sleep patterns and heart rate. Taylor wants to switch to a new provider offering a better analysis service. Taylor asks the original provider for their data in a machine-readable format. The provider checks whether the right applies:

Taylor provided the data (by entering information and through their use of the device). The data is processed based on a contract (the terms of service). It is processed by automated means within the app.

The provider exports Taylor’s step count, sleep data and heart rate information in a CSV file. Taylor also asks for the data to be transferred directly to the new provider, which the organisation does because it is technically possible.

The provider does not include its internal scoring model or behavioural predictions because these are generated by the organisation and are not data Taylor “provided”.
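The Taylor scenario in code, as an added example that is not part of the original guidance: a portability export that first checks the three conditions the right depends on (data the individual provided, processed on consent or contract, by automated means) and then hands back only data Taylor provided or that was observed from use of the device, in CSV or JSON, leaving the provider's own scores and predictions out. The origin tags, field names, lawful-basis labels and sample values are constructed for illustration, not taken from any real system.

```python
"""Data-portability export: check that the right applies, then hand back only
provided/observed data in a structured, machine-readable format (CSV or JSON),
leaving out data the organisation derived itself.

Added example, not code from the original guidance. The origin tags, field
names and the sample records below are constructed for illustration.
"""
import csv
import io
import json

# Lawful bases under which portability applies (consent or contract), and the
# origins of data that must be handed over: provided by the individual, or
# observed from their use of the device/service. "inferred" data, such as
# scores and predictions generated by the organisation, is not portable.
PORTABLE_BASES = {"consent", "contract"}
PORTABLE_ORIGINS = {"provided", "observed"}

# Constructed sample of one subject's fitness-app data, one field per row.
SAMPLE_RECORDS = [
    {"field": "display_name", "origin": "provided", "value": "Taylor"},
    {"field": "height_cm", "origin": "provided", "value": 178},
    {"field": "steps", "origin": "observed", "value": 8421, "date": "2024-03-01"},
    {"field": "steps", "origin": "observed", "value": 10233, "date": "2024-03-02"},
    {"field": "sleep_hours", "origin": "observed", "value": 7.2, "date": "2024-03-01"},
    {"field": "resting_heart_rate", "origin": "observed", "value": 61, "date": "2024-03-01"},
    {"field": "fitness_score", "origin": "inferred", "value": 74},
    {"field": "churn_risk", "origin": "inferred", "value": "high"},
]


def portability_applies(lawful_basis, automated):
    """The right covers data processed by automated means on consent/contract."""
    return automated and lawful_basis in PORTABLE_BASES


def select_portable(records):
    """Keep provided and observed data; inferred data stays with the controller."""
    return [r for r in records if r.get("origin") in PORTABLE_ORIGINS]


def _rows(records):
    # Fixed column set so both output formats carry the same structure.
    return [{"field": r["field"], "date": r.get("date", ""), "value": r["value"]}
            for r in records]


def to_json(records):
    """Structured JSON export (a list of field/date/value objects)."""
    return json.dumps(_rows(records), indent=2, sort_keys=True)


def to_csv(records):
    """CSV export with a header row; blank date for undated values."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["field", "date", "value"])
    writer.writeheader()
    writer.writerows(_rows(records))
    return buf.getvalue()


def export_for_subject(records, lawful_basis, automated=True, fmt="csv"):
    """Full flow: refuse when the right does not apply, else export portable data."""
    if not portability_applies(lawful_basis, automated):
        raise ValueError("data portability does not apply to this processing")
    portable = select_portable(records)
    if fmt == "json":
        return to_json(portable)
    if fmt == "csv":
        return to_csv(portable)
    raise ValueError("unsupported format: " + fmt)


if __name__ == "__main__":
    print(export_for_subject(SAMPLE_RECORDS, "contract", fmt="csv"))
```

The point of tagging each stored field with its origin at write time is that the export needs no judgement call later: anything the organisation generated itself (here `fitness_score` and `churn_risk`) is excluded mechanically, and the same filtered rows feed both the CSV and the JSON writer so the two formats never drift apart.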

How to make a request

  1. You can make your request verbally or in writing. We have a template letter you can use, but we recommend stating clearly:
  • Which data you want.
  • Whether you want a copy for yourself or want it transferred to another organisation.
  • The format you would prefer (for example, CSV).
  2. If you make the request verbally, follow up in writing so you have a record of what you asked for. This is helpful if you later challenge the organisation’s response or raise a concern with us.
Right to restriction
  1. You have the right to ask an organisation to limit the way they use your personal data in certain circumstances (including asking them not to delete it). This is known as the “right to restriction”. Quite often it’s a temporary restriction that simply puts the data “on hold” so it cannot be used until a particular issue you’ve raised is resolved (it’s often linked to a challenge to the accuracy of your data or your objecting to its use).

Your rights

  1. You can ask an organisation to restrict their use of your personal data if:
  • You believe the data is inaccurate and the organisation is checking its accuracy.
  • The data has been used unlawfully but you prefer restriction instead of deletion.
  • The organisation no longer needs the data, but you need it to establish, exercise or defend a legal claim.
  • You have objected to the processing and the organisation is considering that objection.
  2. During restriction, the organisation can store your data but must not use it for most other purposes unless you agree or they need it for legal reasons. The organisation must clearly mark or separate the restricted data so it is not accidentally used.

  3. If the data has been shared with others, the organisation should tell those recipients that the data is restricted — unless doing so is impossible or requires disproportionate effort.

What you can expect

  1. When you ask for restriction, the organisation should explain what will happen next, including what parts of your data are restricted and for how long.

  2. The organisation must respond within four (4) weeks, unless the request is complex and more time is needed. They must tell you if they are going to take longer and must do this before the end of the initial four-week timeframe.

  3. If the organisation lifts the restriction (for example, after resolving an accuracy issue or completing its review), they must tell you before they start using your data again.

  4. Restriction usually means one or more of the following:

  • Temporarily removing your data from active systems.
  • Blocking or disabling access to the data.
  • Flagging the record as “restricted” so staff cannot use it.
  • Moving the data into an archive or secure area.
  5. It does not usually mean deleting the data or stopping essential storage functions such as security or back-ups.

Example

An employee, Alex, objects to the way their employer is using their performance data in a new analytics tool. Alex believes the tool is unfair and raises a formal objection. While the employer considers Alex’s objection, Alex also asks for restriction of their personal data. The employer agrees that the objection needs to be reviewed and therefore marks Alex’s performance data as restricted.

The organisation can store Alex’s data but cannot use it in the analytics tool. Managers with access to the tool see a “restricted” flag and cannot process Alex’s data. The HR team reviews whether the employer’s reasons for using the data override Alex’s objection.


If the employer decides the processing is justified, it must tell Alex before removing the restriction and must explain why. If the employer agrees with Alex, it must stop using the data for that purpose permanently.
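What the “restricted” flag in Alex’s case looks like when it is enforced in code, as an added example that is not part of the original guidance: a small record store in which a restricted record can still be kept and backed up, cannot be handed to other purposes such as the analytics tool unless the individual has agreed or a legal reason applies, where recipients the data was shared with are told of the restriction, and where the flag cannot be lifted until the individual has been told. The purpose names, record fields and sample data are constructed for illustration.

```python
"""Enforcing restriction of processing at the data-access layer.

Added example, not code from the original guidance. Purpose names, the record
layout and the sample data are constructed for illustration.
"""
from dataclasses import dataclass, field

# Purposes that remain allowed while a record is restricted: keeping the data
# (including backups and security) and establishing/defending legal claims.
ALWAYS_ALLOWED = {"storage", "backup", "security", "legal_claim"}


class RestrictionError(PermissionError):
    """Raised when restricted data would be used, or the flag lifted, improperly."""


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False
    restriction_reason: str = ""
    consented_purposes: set = field(default_factory=set)  # uses the subject agreed to
    recipients: set = field(default_factory=set)  # others the data was shared with
    log: list = field(default_factory=list)  # audit trail of decisions taken


class Store:
    def __init__(self):
        self._records = {}

    def add(self, record):
        self._records[record.subject_id] = record

    def restrict(self, subject_id, reason):
        """Flag the record and note that every recipient is told it is on hold."""
        rec = self._records[subject_id]
        rec.restricted = True
        rec.restriction_reason = reason
        rec.log.append(("restricted", reason))
        for recipient in sorted(rec.recipients):
            rec.log.append(("recipient_notified", recipient))
        return rec

    def use(self, subject_id, purpose):
        """Return the data for a purpose, or refuse while restriction applies."""
        rec = self._records[subject_id]
        blocked = (rec.restricted
                   and purpose not in ALWAYS_ALLOWED
                   and purpose not in rec.consented_purposes)
        if blocked:
            rec.log.append(("denied", purpose))
            raise RestrictionError(f"{purpose}: data is restricted ({rec.restriction_reason})")
        rec.log.append(("allowed", purpose))
        return rec.data

    def lift(self, subject_id, subject_informed):
        """Lift the restriction only once the individual has been told."""
        rec = self._records[subject_id]
        if not subject_informed:
            raise RestrictionError("tell the individual before lifting the restriction")
        rec.restricted = False
        rec.log.append(("lifted", rec.restriction_reason))
        rec.restriction_reason = ""
        return rec


def demo():
    """Walk through the Alex scenario; returns the record's audit log."""
    store = Store()
    store.add(Record("alex", {"performance_rating": 3}, recipients={"analytics-vendor"}))
    store.use("alex", "analytics")               # allowed before the restriction
    store.restrict("alex", "objection under review")
    try:
        store.use("alex", "analytics")           # the analytics tool is now blocked
    except RestrictionError:
        pass
    store.use("alex", "backup")                  # storage functions continue
    store.lift("alex", subject_informed=True)    # only after Alex has been told
    store.use("alex", "analytics")               # allowed again once lifted
    return store._records["alex"].log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Putting the check in the one place every consumer must go through (`Store.use`) is what makes the flag effective: a report or analytics job that reads the database directly would bypass it, so in a real system the equivalent check belongs in the data-access layer or as a row-level policy rather than in each application.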

How to make a request

  1. You can make a request verbally or in writing. We have a template letter you can use, but if you write to the organisation we suggest you explain why you are asking for restriction and the circumstances that apply. If you make the request verbally, we recommend following up in writing. This helps you clearly explain your concerns, set out what you want to happen, and keep a record if you later challenge the organisation’s response or raise a concern with us.
Right to object
  1. You have the right to object to an organisation using your personal data in certain situations. This means you can ask them to stop using your data, but the organisation may be able to continue using it if they have strong reasons to do so — except in the case of direct marketing, where they must stop immediately.

Your rights

  1. You can object to your data being used when the organisation is processing it based on:
  • Legitimate interests (e.g., internal business purposes);
  • Public functions (e.g., tasks carried out in the public interest or under official authority);
  • Research or statistical purposes (in certain circumstances);
  • Direct marketing (including profiling linked to marketing).
  2. If you object to direct marketing, the organisation must stop using your data for this purpose straight away. They cannot refuse.

  3. If you object to processing based on legitimate interests or public functions, the organisation can only continue if they can show compelling legitimate grounds that override your interests, rights and freedoms.

  4. If you object to processing for research or statistical purposes, the organisation may refuse if stopping the processing would seriously impair the research.

What you can expect

  1. The organisation must respond to your objection within four (4) weeks. If the issue is complex and they need more time, they must tell you before the initial four-week period ends. The organisation must look at your specific situation and explain clearly whether they will stop the processing or continue it. If they decide to continue, they must explain the strong legitimate reasons they are relying on.

  2. During their decision-making, you can also ask for restriction of your data so it is not used while your objection is being considered.

Example - Jordan receives regular promotional messages

  • Jordan receives regular promotional messages from a retailer about upcoming sales. Jordan no longer wants these messages and objects to their data being used for direct marketing. The retailer must stop sending marketing messages straight away — there is no balancing test, and they cannot refuse.
  • Separately, Jordan also objects to their purchase history being used for internal analysis based on the retailer’s legitimate interests. The retailer reviews Jordan’s objection and weighs Jordan’s concerns against their own reasons for processing the data.
  • The retailer concludes that internal analysis is essential to their operations and that they have strong legitimate grounds to continue. They explain this to Jordan and confirm that marketing has stopped but the internal analysis will continue. Jordan is informed of their right to complain if they disagree.
How to make a request
  1. You can make an objection verbally or in writing. We have a template letter you can use, but we recommend explaining:
  • What processing you object to.
  • Why you object.
  • What outcome you want.
  2. If you object verbally, we recommend following up in writing. This helps you set out your reasons clearly, and provides evidence of your request if you later challenge the organisation’s response or raise a concern with us.
Right regarding automated individual decision-making and profiling
  1. You have rights when an organisation makes decisions about you solely by automated means, including profiling, where the decision has a legal or significant effect on you. This right helps ensure that important decisions about you are not made without meaningful human involvement.

  2. When we talk about automated decision-making, we are talking about decisions made about you without any human involvement.

Example

  • Online Loan Application - You apply for a loan online and get an instant “approved” or “declined” message. A computer system made the decision automatically — no human reviewed your information.
  • Job Application Screening - You upload your CV to a recruitment website. The system automatically rejects your application because your qualifications don’t meet preset criteria. No one has read your CV.
  • Insurance Quote - You enter details into an insurance website and instantly receive a price or refusal. The system uses preset rules to decide the outcome with no human check.
  • Fraud Flagging - Your bank automatically blocks a card payment because its system detects “unusual activity” — the decision is made solely by a computer.

  1. When we talk about profiling, we are talking about organisations using your personal data to analyse or predict things about your behaviour such as:
  • What you might buy – for example, an online shop predicting products you are likely to purchase based on your browsing and past orders.
  • Your interests – such as social media platforms suggesting content, groups or adverts based on what you click on.
  • Your financial reliability – like banks or lenders predicting your likelihood of repaying a loan based on your spending patterns and credit history.
  • How you might behave – for example, a company assessing whether you are likely to cancel a subscription or respond to certain marketing.
  • Your characteristics – such as apps estimating your fitness level, location habits or lifestyle patterns from your activity data.
  2. Some profiling occurs in automated decision making. For example:
  • Credit scoring - A lender uses your financial history, spending patterns and repayment behaviour to create a profile of your 'creditworthiness'. The system then uses this profile to automatically approve or decline your application.
  • Insurance risk ratings - An insurance company analyses your age, location, claims history and lifestyle information to predict how likely you are to make a claim. This profile is then used by a computer system to instantly generate a quote or refusal.
  • Fraud detection - Your bank builds a profile of how you normally spend (where, when, and on what). If a transaction falls outside this pattern, the system may automatically block it.
  • Recruitment algorithms - An automated system analyses your CV, qualifications and application answers to predict your suitability for a role. This profile may trigger an automatic rejection before a human sees your application.

Your rights

  1. You have the right not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights or other equally important matters and to:
  • Ask an organisation to explain any automated decision made about you that has a legal or similarly significant effect (for example, decisions about credit, insurance, employment, school admissions or access to essential services)
  • Ask for human intervention — meaning a person must review the decision, not just a computer system
  • Challenge the automated decision and ask the organisation to reconsider it.
  • Ask for information about:
    • The logic involved in making the decision.
    • The personal data used.
    • The factors that were considered by the system.
    • The likely consequences for you.

What you can expect

  1. The organisation must respond within four (4) weeks. If the request is complex, they may extend the timeframe but must tell you this before the initial four-week period ends.

  2. If an automated decision has been made about you, the organisation must be able to explain:

  • What data was used.
  • How the decision was reached (in clear, understandable terms).
  • How the decision affects you.
  1. If you request human review, the organisation must make sure the decision is genuinely reconsidered by someone with the authority and understanding to change the outcome if needed.

  2. The organisation must not use solely automated decisions to make significant choices about you unless this is:

  • Necessary for a contract.
  • Authorised by law.
  • Based on your explicit consent.
  1. They must be able to demonstrate that safeguards are in place to protect your rights and interests.

Example

Ella applies for a short-term loan through an online finance company. The company uses an automated system to make instant decisions based on Ella’s income, spending patterns and credit history. The system rejects Ella’s application within seconds. Ella is concerned about the decision and asks the company:
  • To explain how the decision was made.
  • What information was used.
  • For a human being to review the decision.

The company arranges for a staff member trained in credit assessment to review Ella’s case manually. After looking at the details, the staff member decides that the initial automated decision was too strict and approves the loan with conditions.

Ella is informed of the outcome and her right to complain if she is still unhappy.

How to make a request

  1. You can make a request verbally or in writing. We have a template you can use here. If you write to the organisation, you should explain:
  • Which automated decision you are concerned about.
  • Why you believe it should be reviewed.
  • Whether you want a human to re-assess the decision.
  1. If you make the request verbally, we recommend following up in writing so you can set out your concerns clearly and keep evidence of your request, especially if you later challenge the organisation’s response or raise a concern with us.
Organisations – what are the data subject rights and what do you need to do
  1. If your organisation collects or uses personal data, you are a Data Controller under the DPJL 2018. Individuals have several rights under the law. These are set out in Part 6 of the DPJL 2018. Their rights are:

  • Right to be informed (Art.12)
  • Right to subject access (Art.28)
  • Right to rectification (Art.31)
  • Right to erasure (Art.32)
  • Right to restriction of processing (Art.33)
  • Right to data portability (Art.34)
  • The right to object to processing for the purpose of public functions or legitimate interests (Art.35), for direct marketing purposes (Art.36) and for historical or scientific purposes (Art.37)
  • Right regarding automated individual decision-making and profiling (Art.38).

Your obligations

  1. As data controller, you have legal responsibilities to help people use their rights under the law. Below is an easy read overview of each of those rights and what you must do when you receive a request from an individual. More information can be found in our technical guidance in section 3.

Right to be informed (Art.12 DPJL 2018)

  1. This is an obligation under the DPJL 2018. You must be open, clear and honest with people about how you collect and use their personal data and you must give people certain key information before you start processing their personal data, unless a specific exemption applies. Art.12 of the DPJL 2018 says that you must tell people:
  • Who you are and how they can contact you
  • Why you use their personal data
  • The lawful basis you rely on
  • Who you share their data with
  • How long you keep their data (or how you decide this)
  • What rights they have over their data
  • Whether you use automated processes to make decisions about them or profile them
  • Whether their data will be sent outside Jersey or the EU/EEA
  • Where you got their data if it didn’t come directly from them
  • Right to complain to the JOIC
  • Right to withdraw consent (if relying on consent)
  • Whether providing personal data is a legal/contractual requirement and the consequences of not providing it (if applicable)
  1. You normally provide this information in a Privacy Notice (sometimes called a Data Protection Statement), which must be written clearly and be easy for people to access and understand. Many organisations make this easily accessible by publishing it on their website, but you can also provide it in other formats (e.g., printed leaflets, emails, or just-in-time notices).

  2. There are limited exemptions where you do not need to provide some or all of this information — for example, where the person already has it or where providing it would be impossible, involve disproportionate effort, or undermine certain lawful activities (such as crime prevention).

  3. We also provide a template Privacy Notice that you can use and adapt for your organisation and a Checklist to make sure you’ve thought about everything that needs to go into your Privacy Notice.

Right to access (Art.28 DPJL 2018)

  1. This right allows individuals to ask you whether you are processing their personal data and, if so, to receive a copy of that data together with additional information about how you use it. This is known as a Data Subject Access Request (DSAR). Under Art.28, when someone makes a DSAR you must tell them:
  • Whether you are processing their personal data.
  • Why you are processing it.
  • What categories of personal data you hold.
  • Who you share it with (including any transfers outside Jersey or the EU/EEA).
  • How long you keep it (or how you decide this).
  • What their rights are.
  • Where the information came from if you did not collect it directly.
  • Whether you use automated decision-making.
  1. You must provide the data in an intelligible format and respond within four (4) weeks, unless the request is complex or numerous, in which case you may extend the time by a further eight (8) weeks (up to twelve (12) weeks total). If you do need an extension, you must tell the individual before the initial four-week period expires and tell them why you need the extension.

  2. You must make sure you do not disclose other people’s personal data to the person making the request unless:

  • They have consented, or
  • It is reasonable to disclose it without their consent.

You may need to redact (remove) or summarise information where necessary.

  1. You can ask for proof of identity if you have reasonable doubts about who is making the request, and you may ask for clarification if the request is unclear — but you cannot require someone to use a particular form or ask them to justify why they want their data.

  2. If you use another company to process personal information for you (called a “processor”), you are still responsible for dealing with people’s rights requests and you must have a written agreement with your processor that clearly says what they can and cannot do with the information. Your processor must not answer a rights request themselves and they must send any request to you straight away. You must also know what personal information your processor holds so you can give the person a full and correct reply.

Right to rectification (Art.31 DPJL 2018)

  1. Individuals have the right to ask you to correct personal data that is factually inaccurate or incomplete. Under Art.31 you must take reasonable steps to check whether the information is accurate, taking into account the individual’s evidence and the nature of the data.

  2. If data is incomplete, you may need to add a note or additional information to complete the record. If it is factually wrong, you must correct it promptly. If you have shared the incorrect data with others, you must tell them about the correction unless doing so is impossible or disproportionate.

  3. This right does not require you to alter or delete opinions, professional judgements or observations. These may be kept as long as they are clearly recorded as opinions and it is clear whose opinion it is. If the individual disagrees with an opinion, you can add a note explaining their view.

  4. You must respond within four (4) weeks, with the possibility of extending only if the request is complex.

Right to erasure (Art.32 DPJL 2018)

  1. Individuals can ask you to delete their personal data in certain circumstances. Under Art.32, you must erase data if:
  • You no longer need it for the purpose you collected it.
  • You rely on consent and the person withdraws it.
  • The person objects and you have no overriding reason to keep using the data.
  • You are processing the data unlawfully.
  • You collected the data from a child who could not give valid consent.
  1. If you agree to erase the data, you must also tell any third parties you have shared it with, unless this is impossible or disproportionate. Where the data has been made public online, you should take reasonable steps to inform others processing it.

  2. There are important exceptions where you may refuse erasure. You may keep data where it is needed:

  • To comply with the law.
  • For tasks carried out in the public interest.
  • For public health or safety.
  • For archiving, research or statistics (where deletion would seriously affect the results).
  • To establish, exercise or defend legal claims.
  1. You must still respond within four (4) weeks, explaining clearly whether you can erase the data and why.

Right to restriction of processing (Art.33 DPJL 2018)

  1. Under Art.33, individuals can ask you to limit how you use their data. Restriction usually means “pausing” your use of the data while an issue is resolved. You must restrict processing if:
  • The individual says the data is inaccurate and you are checking it.
  • Your processing is unlawful and they prefer restriction instead of deletion.
  • You no longer need the data but they need it for a legal claim.
  • They have objected and you are considering whether your reasons override theirs.
  1. When data is restricted, you can still store it, but you must not use it for most other purposes unless the individual agrees or you need it for legal reasons. You should clearly mark or separate restricted data to avoid accidental use.

  2. If you lift the restriction, you must tell the individual before doing so. You must respond to requests within four (4) weeks.

Right to data portability (Art.34 DPJL 2018)

  1. Art.34 gives individuals the right to receive certain personal data in a portable, machine-readable format (e.g., CSV, JSON) or to ask you to transfer it directly to another organisation. This right only applies to data that:
  • The individual provided to you.
  • You process based on consent or a contract.
  • You process by automated means (not paper files).
  1. You must provide the data in a structured, commonly used format and respond within four (4) weeks. You do not have to include data generated solely by you (e.g., internal analysis, scores, or opinions).

  2. You cannot refuse portability simply because your systems are unusual — you must provide the data in the closest accessible format.

Right to object (Arts.35-37 DPJL 2018)

  1. Under Arts.35 to 37, individuals have the right to object to processing based on:
  • Legitimate interests.
  • Public functions.
  • Research or statistical purposes (in some circumstances).
  • Direct marketing (including profiling).
  1. If someone objects to direct marketing, you must stop immediately. There is no balancing test and no exemption. For objections to legitimate interests or public functions, you may only continue processing if you can show compelling legitimate grounds that override the individual’s rights and interests. You must consider their situation carefully. For objections to research or statistics, you may refuse if stopping the processing would seriously impair the research.

  2. You must respond within four (4) weeks and explain your decision clearly. During consideration of an objection, individuals may also request restriction (Art.33).

Rights relating to automated decision-making and profiling (Art.38 DPJL 2018)

  1. Under Art.38, individuals have rights when decisions about them are made solely by automated means, including profiling, where the decision has a legal or similarly significant effect (such as credit decisions, job screening, or insurance assessments). Individuals have the right to:

  • Ask for human intervention.
  • Challenge the decision.
  • Ask for an explanation of how the decision was made.
  • Receive information about the logic used, the data involved, and the likely consequences.

  1. You must not make solely automated decisions that significantly affect someone unless:
  • It is necessary for a contract.
  • It is authorised by law.
  • The individual has given explicit consent.
  1. Where automated decision-making is used, you must have safeguards in place, including ensuring individuals can contact a human who is able to review and potentially change the decision.

  2. You must respond to requests within four (4) weeks and explain your processes in clear, understandable language.

What are individual rights?
  1. Data subjects have several rights under the law. These are set out in Part 6 of the DPJL 2018. Their rights are:
  • Right to be informed (Art.12)
  • Right to subject access (Art.28)
  • Right to rectification (Art.31)
  • Right to erasure (Art.32)
  • Right to restriction of processing (Art.33)
  • Right to data portability (Art.34)
  • The right to object to processing for the purpose of public functions or legitimate interests (Art.35), for direct marketing purposes (Art.36) and for historical or scientific purposes (Art.37)
  • Right regarding automated individual decision-making and profiling (Art.38).

Your obligations

  1. As data controller, you are responsible for ensuring that you are able to give effect to the various rights of data subjects.

Time limits for responding to requests

  1. For each of the rights listed above at paras.13(b) – (h) you must respond to requests without undue delay and, in any event, within four (4) weeks from receipt of the request (Art.27(1)). You may extend the original time period by a further eight (8) weeks (up to a total of twelve (12) weeks) but only if you can evidence that you need extra time because of:
  • The complexity of the request; and/or
  • The number of requests received.

Any extension must be necessary (Art.27(2)).

  1. If you wish to extend the time period for response beyond the initial four (4) weeks, you must tell the data subject about the extension before the end of that initial period and you must also tell them the reasons for the delay. This means you must be able to justify why you think you are going to take longer to respond to their request and you should provide them with an anticipated timeframe for response. In the event any complaint is made to us about your response to an individual’s request you will be asked to explain why any extension was necessary and you will be asked to provide evidence in support. You should keep detailed records about the reason for the extension e.g. why the request was considered complex.

Example

Jane sends a Subject Access Request asking for three years of emails mentioning her, HR meeting notes, records of any complaints, and CCTV footage of her entering and leaving the building. When the organisation starts processing the request, they find that it involves thousands of emails, multiple departments, and documents containing other employees’ personal data, all of which require careful review and redaction. The CCTV files also need manual checking and blurring of other individuals who appear.

Because of this complexity, the organisation realises it cannot complete the request within the initial four weeks. Before that period ends, they contact Jane to explain the delay, noting the volume and complexity of the information involved (including the number of results/documents and the fact that it covers records held in email archives, HR files and CCTV footage requiring redaction) and explaining that they need more time to complete their response. They say that because of the complexity they are extending the timeframe and give a new date by which they believe they will be able to respond.

The organisation keeps detailed internal records showing why the extension was necessary, including the searches undertaken, the number of emails/documents located, the need for redaction, and the involvement of several departments.

When is a request complex?

  1. A request is considered complex only where the particular circumstances make it genuinely difficult to handle, and this will vary from one organisation to another depending on their size, systems and resources. You must assess complexity on a case-by-case basis and be able to justify why it applies. Factors that may contribute to complexity include:
  • Technical challenges in retrieving information (such as archived electronic data).
  • Applying exemptions to large volumes of highly sensitive material.
  • Addressing issues around disclosures involving children or medical confidentiality.
  • Completing specialist work to obtain or present information in an understandable form, or needing specific legal advice that is not routinely sought.
  1. Searching extensive unstructured manual records may also add complexity for public authorities. While large volumes of information can make a request harder to manage, volume alone does not make a request complex, and neither does the fact that you rely on a processor to supply data.

Proof of identity

  1. Art.27(7) of the DPJL 2018 says that if you have reasonable doubts about the identity of the individual making the request, you may ask them to provide enough additional information to confirm who they are. This should only be done where genuinely necessary and you must not use identity verification as a means to delay or obstruct a data subject’s request when you can already identify them from information you hold. The response timeframe does not begin until you have received the further details needed to verify their identity. If you need to request this information, you must do so promptly; for instance, it would not be appropriate to wait several weeks before asking.

  2. There may also be situations where someone submits a request on behalf of the data subject, such as a lawyer, friend, or relative. This is acceptable as long as you are satisfied that the representative has the data subject’s authority to act for them.

Can we charge a fee?

  1. In most cases, no. You are expected to handle requests without charging the individual. A fee can only be applied in limited situations where the request is considered manifestly vexatious, unfounded, or excessive (in particular because it is repetitive). In those circumstances you can either refuse to act on the request or charge a fee.

  2. The responsibility for showing that a request meets this threshold rests with you and any fee that is charged must be reasonable and proportionate to the work involved.

Can we refuse to comply with a request?

  1. Art.27(6)(b) of the DPJL 2018 says that you can refuse to comply with a request which is manifestly vexatious, unfounded or excessive, in particular because of its repetitive character.

  2. The DPJL 2018 does not define the terms “manifestly vexatious”, “unreasonable” or “excessive” (nor does the GDPR) but the threshold for relying on any of these grounds is very high. If you decide to refuse a request for one of these reasons, you must tell the individual that you are applying the exemption and clearly explain to them why it applies in their particular case. They should be able to understand the decision you have made and why you consider the request is vexatious, unreasonable or excessive, as the case may be.

  3. A request may be manifestly vexatious if it can be shown that the request is intended to harass, disrupt, or place pressure on an organisation rather than to genuinely access personal data. For example, a request may be manifestly vexatious if:

  • The tone or purpose is clearly malicious or abusive.
  • The individual has a history of making deliberately hostile or harassing communications.
  • The request is being used to pursue a personal grievance or to “punish” the organisation.
  • The individual openly states they want to cause inconvenience or extra work.
  1. The meaning of 'vexatious' was considered in the case of Information Commissioner v. Devon County Council & Dransfield [2012] UKUT 440 (an appeal under the Freedom of Information Act 2000) where the Tribunal held that “vexatious” could be defined as the “…manifestly unjustified, inappropriate or improper use of a formal procedure”. On appeal, the Court also observed that: '…the emphasis should be on an objective standard and that the starting point is that vexatiousness primarily involves making a request which has no reasonable foundation, that is, no reasonable foundation for thinking that the information sought would be of value to the requester or to the public or any section of the public… ‘The decision maker should consider all the relevant circumstances in order to reach a balanced conclusion as to whether a request is vexatious.'

  2. You must be able to point to objective evidence of vexatious behaviour, not simply that the request is inconvenient or time-consuming.

  3. A request may be considered unreasonable where it is clearly disproportionate in relation to the purpose of the right of access. This might include situations where:

  • The individual demands action that is impossible or goes far beyond what the law requires.
  • The request includes conditions that make it unworkable (e.g., demanding a response within an unrealistic timeframe).
  • The individual refuses to engage in essential steps, such as confirming identity, yet insists the request be completed.
  1. A request may be excessive where it goes well beyond what is necessary to fulfil the individual’s access rights. Examples might include:
  • Repeated requests for the same information when you have already provided it and nothing has changed.
  • A request so wide-ranging that it would require disproportionate effort compared to the benefit to the individual.
  • Multiple overlapping requests submitted in a short timeframe without any clear reason or new justification.
  1. However, simply being 'large' or 'difficult' does not make a request excessive. You must be able to show that the volume or repetition is genuinely disproportionate. If the request is repeated you need to consider the interval that has elapsed between the requests and whether there has been any alteration to the data of the individual during that time.

  2. Where you refuse to respond to a request, you must explain why to the individual and inform them of their right to complain to us and to seek a judicial remedy. You must do this without delay and at the latest within four (4) weeks of receipt of the request (Art.27(4)).

Right to be informed
  1. Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the DPJL 2018 and is set out at Art.12.

  2. Getting this right can help you to comply with other aspects of the DPJL 2018 and build trust with people. Getting it wrong can leave you open to fines and/or other enforcement action and lead to reputational damage.

  3. You must provide individuals with information including:

  • Your purposes (reasons) for processing their personal data;
  • Your retention periods for that personal data; and
  • Who it will be shared with.

This is called the 'specified information'.

When should the information be provided?

  1. If you collect personal data directly from the data subject, you must provide the specified information to them (or make it readily available to them) at the time you collect their personal data (Art.12(1)).

  2. If, however, you obtain personal data from other sources, you must provide individuals with the specified information before the “relevant time” (Art.12(2)). Art.12(3) says that this is either:

  • Within a reasonable period of obtaining the data and no later than four (4) weeks;
  • No later than the time of the first communication with the data subject (if the personal data is to be used for communication with that individual); or
  • No later than the point at which the individual’s personal data are first disclosed, if disclosure to another recipient is planned.
  1. You must actively provide the specified information to individuals. You can meet this requirement by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it.

How should the information be provided?

  1. Art.12(5)(a) of the DPJL 2018 says that for all data subjects the specified information must be provided to them:
  • In intelligible form.
  • Using clear language.
  1. This means that it should be presented to them in a way that is easily accessible, concise, and using language they will understand.

  2. It is often most effective to provide privacy information to people using a combination of different techniques including:

  • A layered approach - short notices containing key privacy information that have additional layers of more detailed information.
  • Dashboards - preference management tools that inform people how their data is used and allow them to manage what happens with it.
  • Just-in-time notices - relevant and focused privacy information delivered at the time individual pieces of information about people are collected.
  • Icons - small, meaningful, symbols that indicate the existence of a particular type of data processing.
  • Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures or QR codes.
  1. You should think about intended audience when providing the specified information. If you collect or obtain children’s personal data, you must take particular care to ensure that the information you provide them with is appropriately written, using clear and plain language. User testing is a good way to get feedback on how effective the delivery of your privacy information is.

Does the specified information always have to be provided? Are there any exceptions?

  1. There are a few circumstances when you do not need to provide people with the specified information.

  2. When collecting personal data directly from individuals, you do not need to provide them with any information that they already have and if nothing has changed.

  3. When obtaining personal data from other sources, you do not need to provide individuals with the specified information if:

  • The individual already has the information;
  • Providing the information to the individual would be impossible;
  • Providing the information to the individual would involve a disproportionate effort;
  • Providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;
  • You are required by law to obtain or disclose the personal data; or
  • You are subject to an obligation of professional secrecy regulated by law that covers the personal data.
  1. There are some other exemptions that may apply. They are set out in our exemptions section below.

What information needs to be provided to the data subject?

  1. Art.12(4) of the DPJL 2018 sets out the specified information that must be provided to the data subject. Certain of the information must always be provided whereas some information only needs to be provided in certain circumstances (i.e. there are some requirements that may not be applicable to your organisation or you may not process the individual’s data in that particular way).
For each item below we set out what the law says needs to be provided, what you need to say, and when.

What the law says: The identity and contact details of your organisation together with contact details of your representative (if applicable)
What you need to say:
  • Who you are (name)
  • How individuals can contact you (address, telephone, email)
Not all organisations need a representative, but if you do:
  • The name of the representative
  • How individuals can contact the representative (address, telephone, email)
When: Always (your own details) and when applicable (your representative's details), before you start processing

What the law says: The contact details of the data protection officer (if any)
What you need to say: Not all organisations need a data protection officer, but if you do:
  • How individuals can contact the data protection officer (address, telephone, email)
When: When applicable, before you start processing

What the law says: The purposes for which the data are intended to be processed and the legal basis for the processing
What you need to say:
  • Why you need the information and what you are going to use it for
When: Always, before you start processing

What the law says: An explanation of the legitimate interests pursued by you or by a third party for the processing (if processing is based on those interests)
What you need to say: This will only be applicable where you are relying on legitimate interests as a lawful basis for processing personal data (not special category data) (Sched 2 Part 1 Para 5 DPJL 2018). If you are, you need to say:
  • What your legitimate interests are or what the legitimate interests of the third party are.
When: When applicable, before you start processing

What the law says: The recipients or categories of recipients of the personal data (if any)
What you need to say:
  • Who you are sharing the individual’s personal data with (name, what they do).
This includes anyone outside your organisation that processes personal information on your behalf, e.g. IT service providers.
When: Always, before you start processing

What the law says: The details of transfers of the personal data to any third countries or international organisations and whether or not there is an adequate level of protection for the rights and freedoms of data subjects (if applicable)
What you need to say:
  • Which country/organisation the information is being sent to if outside Jersey or the European Union/EEA.
  • Whether the transfer is being made on the basis of:
    • an adequacy decision (Art.66(2)(a) DPJL 2018);
    • there being appropriate safeguards in place (Art.66(2)(b) DPJL 2018); or
    • the transfer falling within the exceptions set out in Schedule 3 DPJL 2018 (Art.66(2)(c) DPJL 2018).
When: When applicable, before you start processing

What the law says: The period for which the personal data will be stored (or if that is not possible, the criteria used to determine that period)
What you need to say:
  • How long you are going to keep the personal data for.
  • If you don’t have a specific set retention period, you need to explain what criteria you will use to decide how long the information will be kept for.
When: Always, before you start processing

What the law says: Information concerning the rights of data subjects under Part 6 (to the extent they apply)
What you need to say:
  • What rights individuals have about your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability
  • Who they need to write to
When: Always, before you start processing

What the law says: Where processing is based on consent, the right to withdraw consent under Art.11(3)(e)
What you need to say: If processing of personal data is based on consent, you need to tell the individual:
  • That they can withdraw their consent at any time
  • How they can withdraw their consent
When: When applicable, before you start processing

What the law says: Details about the existence of automated decision-making, and any meaningful information about the logic involved in such decision-making as well as the significance and envisaged consequences of such processing for the data subject (if applicable)
What you need to say:
  • Whether you make decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on individuals.
  • What information you use, the logic involved in the process, and the significance and envisaged consequences.
When: When applicable, before you start processing

What the law says: A statement regarding the right to lodge a complaint with the Authority
What you need to say:
  • Tell individuals that if they have concerns about your compliance with the law, they can make a complaint to the Authority
  • Provide contact details for the JOIC
When: Always, before you start processing

What the law says: The details of whether individuals are under a statutory or contractual obligation, or a requirement necessary to enter into a contract, to provide the personal data and the possible consequences of failing to provide such data
What you need to say:
  • If you need to process information because of a legal requirement or a contract, you need to say what those requirements are
  • Explain what the consequences are for the individual if they don’t provide that information to you (what the impact will be)
When: Always, before you start processing

What the law says: The source of the personal data (if the personal data is not obtained from the individual it relates to)
What you need to say:
  • Where you got the information from if you didn’t obtain it directly from the data subject
When: When applicable, before you start processing

What the law says: Any further information that is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable fair processing
What you need to say:
  • Anything else not covered above that you think data subjects need to know to ensure compliance with the transparency requirements.
When: When applicable, before you start processing

  1. We often see privacy notices that have not been properly tailored to the organisation and do not fully set out all of the required information. Before you can create any data protection statement/privacy notice you need to have identified each and every data flow within your organisation. In short, you need to be able to explain where you are getting information from, what you are doing with it and who you are giving it to.

  2. We have a checklist to help you make sure you’ve thought about everything you need to and a template data protection statement here that you can adapt for your own needs.

Review

  1. You must regularly review, and where necessary, update your privacy information and you must bring any new uses of an individual’s personal data to their attention before you start processing for the new activity.
Right of Access (Art.28 DPJL 2018)

What is a right of access?

  1. The right of access is commonly referred to as a “subject access request” or “data subject access request” (DSAR). In essence, it gives individuals the right to obtain a copy of their personal data from you, as well as other supplementary information. It is a fundamental right for individuals and it helps them understand how and why you are using their data and check you are doing it lawfully.

What is an individual entitled to?

  1. Art.28(1) of the DPJL 2018 says that an individual has the right to obtain from the data controller:
  1. Confirmation as to whether or not their personal data is being processed;
  2. Information as to:
    1. The purposes for which their information is being processed by or on behalf of the controller;
    2. The categories of personal data concerned;
    3. The recipients or classes of recipients to whom the information is or may be disclosed (including recipients in third countries or international organisations);
    4. The retention period (or, if not possible, the criteria used to determine the retention period);
    5. The existence of the data subject’s rights of rectification, erasure or restriction of processing, or the right to object to such processing;
    6. The right to lodge a complaint with the Authority;
    7. Information as to the source of personal data if not collected directly from the data subject; and
    8. The existence of automated decision-making (including meaningful information about the logic involved).
  1. You may be providing much of this information already in your privacy notice, as it broadly corresponds to the information which data controllers must provide under Art.12 of the DPJL 2018 (the right to be informed). When responding to a DSAR, you must remember to supply this information in addition to a copy of the personal data itself. If you provide this information in your privacy notice, you can include a link to or a copy of your privacy notice.

  2. Art.28(3) of the DPJL 2018 also says that an individual is entitled to obtain from a data controller the information constituting any personal data of which the individual is the data subject and a copy of that data in an intelligible format.

  3. Requests made in relation to health records must also be dealt with in accordance with Art.29.

Are individuals only entitled to their own personal data?

  1. Under the right of access, an individual is only entitled to their own personal data. They are not entitled to information about other people unless their own data also relates to those other individuals, or they are exercising the right on behalf of someone else.

  2. For information to be personal data, it must relate to a living person who is identifiable from that information (directly or indirectly). The context in which you hold information, and the way you use it, can have a bearing on whether it relates to an individual and therefore if it is the individual’s personal data.

  3. The same information may be the personal data of two (or more) individuals. An exemption may apply, if responding to a DSAR involves providing information that relates to both the individual making the request and to another individual.

Can requests be made on behalf of others?

  1. The DPJL 2018 does not prevent an individual making a subject access request via a third party (e.g. a lawyer on behalf of a client). In such cases, you must be satisfied that the third party making the request is entitled to act on behalf of the data subject, and the burden rests with the third party to prove that they have the necessary consent of the data subject (e.g. a letter written and signed by the individual).

  2. There are other individuals who can make requests on behalf of vulnerable individuals e.g. delegates/those with the benefit of a power of attorney and parents/guardians on behalf of minor children. In all circumstances you must be satisfied that the requester has the power to act on behalf of the individual and that they are acting in the individual’s best interests.

  3. Even if a child is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong, for example, to a parent or guardian. Therefore, it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.

  4. Before responding to a subject access request for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights, then you should respond to the child rather than a parent. What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so. When considering such requests, you should take into account, among other things:

  1. The child’s level of maturity and their ability to make decisions like this;
  2. The nature of the personal data;
  3. Any court orders relating to parental access or responsibility that may apply;
  4. Any duty of confidence owed to the child or young person;
  5. Any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
  6. Any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
  7. Any views the child or young person has on whether their parents should have access to information about them.

Example

A GP surgery receives a subject access request from a non-resident parent, seeking access to all medical records relating to their 10-year-old child. The parents are involved in ongoing family court proceedings, and the surgery is aware of past concerns about the safety and wellbeing of the resident parent and the child. The child has previously told their GP about worries relating to contact with the non-resident parent and expressed a clear preference that certain conversations remain confidential.

Although the child is too young to fully manage their own medical records, the GP notes that the records belong to the child, not to either parent. The surgery therefore considers whether the child is mature enough to understand, in broad terms, what it means for someone to access their personal data. In this case, the child has shown a reasonable ability to understand who sees their information and why it matters to them.

The GP reviews several factors before responding:
  • The maturity of the child and their ability to express informed views.
  • The sensitive nature of the information, which includes confidential disclosures by the child about their home life.
  • The existence of family court orders that limit aspects of parental contact and require caution in sharing information.
  • The duty of confidence owed directly to the child, particularly in relation to conversations they asked to be kept private.
  • The potential risk of harm or escalation of conflict if the non-resident parent is given access to all information.
  • Whether refusing access may, in contrast, cause any significant detriment to the child.
  • The child’s own stated views, which indicate they do not want certain information shared.

After taking these factors into account, the GP surgery concludes that disclosing the full medical record to the requesting parent would not be appropriate. They decide that the child is sufficiently mature for their views to be respected and that certain portions of the record must be withheld to protect the child’s safety and confidentiality. The surgery provides a carefully considered response to the non-resident parent, explaining that the child’s personal data can only be shared where it is lawful, safe, and in the child’s best interests, and that some information is withheld on this basis.

  1. Art.11(4) of the DPJL 2018 refers to a child over the age of 13 being able to give valid consent for the purposes of an information society service. You must not read this provision as meaning that a child over the age of 13 is taken as being able to provide consent for any of the other provisions contained in the DPJL 2018. The provisions of Art.11(4) relate solely to the obtaining of consent in respect of an information society service.

  2. For those acting under a power of attorney, you need to check the type and circumstances of the particular power of attorney to determine whether the third party is authorised to make a DSAR (in Jersey an individual can be an attorney for health and welfare and/or property and financial affairs). The same is true if dealing with a court-appointed delegate – you will need to check what the individual has been appointed as delegate for and what powers they have.

How should a request be made?

  1. There is no specified format for a subject access request and an individual does not have to tell you their reason for making the request or what they intend to do with the information.

  2. Any request in writing must be considered as a valid request, whatever the format. Requests may also be made verbally and can be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point. A request does not have to include the phrases “subject access request”, “right of access” or “Art.28 of the DPJL 2018” - it just needs to be clear that the individual is asking for their own personal data. Indeed, a request may be a valid DSAR even if it refers to other legislation, such as the Freedom of Information (Jersey) Law 2000 (FOIL).

  3. Many organisations produce subject access request forms. These can make it easier for you to recognise a subject access request and easier for the individual to include all the details you might need to locate the information they want. However, you cannot require individuals to use a specially designed form, or refuse to act on a request unless the individual does so.

  4. You must make it clear that use of your form is not compulsory, and you must not try to use the form as a way of extending the time limit for responding.

  5. We acknowledge that this may present a challenge, as any of your employees could receive a valid request from an individual. However, you have a legal responsibility to identify that an individual has made a request to you and to handle it accordingly. You may therefore need to consider which of your staff who regularly interact with individuals need specific training to ensure that they are able to identify a request if one is received.

  6. Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.

Can I ask for further information to verify their identity?

  1. If you have reasonable doubts about the identity of the data subject, you can ask the data subject to provide additional information in order to confirm their identity, and you are not obliged to respond to the request unless supplied with that further information. This is to avoid personal data about one individual being sent to another accidentally or as a result of deception. The level of checks you should make may well depend on the possible harm and distress which inappropriate disclosure of the information could cause to the individual concerned.

Example

  • A GP practice receives a subject access request from someone claiming to be a former patient. The name on the request matches a record held by the practice, but there is nothing else in the request to enable the practice to be confident that the requestor is the patient to whom the record relates.
  • In this situation, it would be reasonable for the practice to ask for more information before responding to the request. The potential risk to the former patient of sending their health records to the wrong person is such that the practice is right to be cautious. They could ask the requestor to provide more information, such as a date of birth, a passport or a birth certificate.

Can I ask an individual to clarify their request?

  1. If a request is unclear (e.g. when someone asks for “all the information you hold about me” but you process a large volume of data), you may ask the individual to clarify what specific information or time period they are interested in. You should explain why the clarification is needed and how it will help you locate the relevant material more efficiently. However, if the individual chooses not to clarify, they still have the right to all of their personal data, and you must carry out a reasonable search based on your understanding of the original request. The time for complying does not stop simply because you’ve asked for clarification, so if you need to ask, you should do it as soon as you receive the DSAR.

  2. It is unlikely to be reasonable or necessary to seek clarification if you process a large volume of information in relation to the individual but can obtain and provide the requested information quickly and easily.

Can I require an individual to make a subject access request?

  1. Art.72 of the DPJL 2018 makes it a criminal offence to require an individual to exercise their subject access rights to obtain information about their criminal convictions and cautions and then provide that information to another person. Such a requirement might be imposed, for example, as a condition of a job application or before entering into a contract to provide goods, facilities or services to the public.

  2. A person who contravenes this provision is guilty of an offence and liable to a fine of level 3 on the standard scale.

  3. There is an appropriate way of accessing an individual’s criminal records (when it is legitimate to do so) through the criminal records disclosure regime. Organisations can request basic checks which would divulge unspent convictions, or standard checks, which would include spent and certain unspent convictions, cautions, reprimands and final warnings (though details of the latter may be filtered out in some cases). Enhanced checks would disclose all of the information held in a standard check plus certain relevant information held by the police on an individual.

  4. An individual providing the results of a subject access request, rather than using the appropriate channels, runs the risk of greater, and sometimes excessive disclosure. This is because a subject access request requires all personal information to be disclosed (subject to some exemptions), and does not distinguish, for instance, between spent and unspent convictions.

Examples

An individual applies for a position as a waiter at a restaurant but is told that they cannot be offered the position until they provide a copy of their criminal record. The employer states that they must make a subject access request in order to gain this information and they will only be appointed if it is supplied. The employer is likely to have committed an offence under subsection 72(1)(a) of the DPJL 2018.

An individual makes an application for insurance to an insurance provider. The individual wants to be provided with a service. The insurer agrees to insure the individual but explains that it is a condition of the insurance that the individual must make a subject access request for their criminal record. The insurance company is likely to have committed an offence.

Who is responsible for responding to a DSAR?

  1. Responsibility for complying with a subject access request lies with the data controller, not processors. If you use a processor, you need to have contractual arrangements in place to guarantee that you can deal with DSARs properly, irrespective of whether they are sent to you or the processor. The processor must help you meet your obligations for DSARs and you should make this clear in the agreement between your two parties. Specifically, any contractual agreement (or other legal act) in place between a controller and processor must stipulate that the processor:

'19(4)…(e) taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights set out in Part 6…'

  1. The DPJL 2018 does not allow any extension to the relevant time limit in cases where a controller has to rely on a data processor to provide the information needed to respond to the request.

  2. If you are a joint controller, you need to have a transparent arrangement in place with your fellow joint controller(s) which sets out how you deal with DSARs. You may choose to specify a central point of contact for individuals. However, individuals must still be able to exercise their rights against each controller. It is also good practice to make each joint controller aware of every DSAR.

Example

An employer is reviewing staffing and pay, which involves collecting information from and about a representative sample of staff. A third-party data processor is analysing the information. The employer receives a subject access request from a member of staff. To respond, the employer needs information held by the data processor. The employer is the data controller for this information and should instruct the data processor to retrieve any personal data that relates to the member of staff.

  1. For more information about controllers, processors and joint controllers please see our guidance note here.

Preparing for DSARs

  1. Before a DSAR arrives, you should prepare ahead so you can respond efficiently and in full. Begin by ensuring you have a clear process in place (who receives the request, how it is recorded, who leads the search). Make sure your staff know how to identify a request and who has responsibility for dealing with DSARs within your organisation, verify the requester’s identity or authority, and understand the timeframe for responding. Also check that you have good data-mapping and information-management systems so you can locate and retrieve records reasonably. Finally, ensure that you are ready to deliver the information in a safe and accessible format, and can deal with requests involving children, third parties or large volumes of data.

  2. Subject access has been part of Jersey’s data protection regime since 1987, so organisations are expected to have systems that support efficient searching, retrieval and redaction of personal data. If your information management tools or processes make it difficult to locate records, trace correspondence or separate third-party information, you will struggle to meet your obligations. Any new systems should be designed with data protection in mind from the outset, ensuring they can handle DSARs sensibly and securely. Good records management also plays a key role: a clear file structure, consistent naming conventions and a retention schedule that sets out when information must be kept or deleted. These measures strengthen accountability and make DSAR handling more straightforward.

  3. See our flowchart to help you through the process.

Carrying out reasonable and proportionate searches

  1. You are expected to make sensible, reasonable and proportionate efforts to find the personal data you hold about an individual, wherever it is stored. This may involve checking electronic systems, email accounts, shared drives, archived files, or paper records that form part of an organised filing system. While you are not required to carry out searches that would be clearly unreasonable or disproportionate, the responsibility is on you to justify the approach you take. You should be able to explain what searches were carried out, why they were appropriate in the circumstances, and why any further searches would have been unreasonable. Good record-keeping and clear information-management processes will make these decisions easier to evidence and support.

Do we need to include deleted information?

  1. You are not required to recover information that has been genuinely deleted from your systems, provided it can no longer be accessed or reconstructed in the normal course of business. If personal data has been securely erased in line with your retention schedule or routine housekeeping processes, you do not need to restore it from backups or specialist recovery tools. However, you must be able to explain and evidence that the information is no longer held, cannot be retrieved using your standard systems, and was not deleted in order to avoid responding to a request. If data remains in live systems, accessible archives or active backups, it is still considered “held” and must be searched.

Do I need to include business information held on personal devices?

  1. You are only obliged to provide personal data in response to a DSAR if you are a controller for that data. In most cases, therefore, you do not have to supply personal data if someone else is storing it on their computer systems rather than your own (the exception being where that person is a processor). However, this may not be the case if the requester’s personal data is stored on equipment belonging to your staff (such as smartphones or home computers) or in private email accounts or private instant messaging applications.

  2. Accordingly if you permit staff to use personal devices (such as mobile phones, laptops or messaging apps) for work purposes, any business-related information stored on those devices may fall within scope of a DSAR. In such instances, you must still take reasonable steps to locate and extract relevant personal data, even if the information is held in these environments. Organisations should have clear policies to manage this, including rules on storing work information on personal devices, using corporate accounts for communications, and transferring records back into official systems (although most organisations will likely prohibit the holding of personal data on equipment the organisation does not control). Good governance of “bring your own device” (BYOD) practices will make DSAR searches more reliable and reduce the risk of overlooking information that should lawfully be disclosed.

How should the information be provided?

  1. If the request is made electronically, you must provide the information in a commonly used electronic format where possible, unless otherwise requested by the data subject (Art.27(3)). The DPJL 2018 does not define a “commonly used electronic format”; in practice it means the format in which you supply the requester with their personal data. When determining what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format.

Can fees be charged for dealing with a subject access request?

  1. No. You must provide a copy of the information free of charge (Art.27(5)). However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive (Art.27(6)).

  2. You may also charge a reasonable fee to comply with requests for further copies of information that has already been provided in response to that particular request (Art.28(3)(b)). This does not mean that you can charge for all subsequent access requests. The fee must be based on the administrative cost of providing the information and you must be able to explain how you have calculated the cost.

How long do we have to comply?

  1. As set out above, information must be provided without undue delay and at the latest within 4 weeks of receipt of the request. You may be able to extend the period of compliance by a further 8 weeks where requests are complex or numerous. If this is the case, you must inform the individual within 4 weeks of receipt of the request and explain why the extension is necessary.

What if sending out copies will be expensive or time consuming? Can a request be refused?

  1. In some cases, dealing with a DSAR will be an onerous task. This might be because of the nature of the request, the amount of personal data involved or because of the way in which certain information is held. You cannot refuse to comply with a request simply because it relates to large amounts of data, but you may be able to consider whether the request is manifestly vexatious, unfounded or excessive (in particular because it is repetitive). In such circumstances (which you will need to be able to prove) you can:
  • Charge a reasonable fee taking into account the administrative costs of providing the information; or
  • Refuse to respond (Art.27(6)).

Third Party Information

  1. Personal data can relate to more than one person. Therefore, responding to a DSAR may involve providing information that relates to both the requester and another individual. A particular problem arises for data controllers who find that, in complying with a DSAR, they would disclose information relating to an individual other than the data subject who can be identified from that information, including where the information enables that third party to be identified as the source of the information. The DPJL 2018 recognises this problem and sets out only two circumstances in which the data controller is obliged to comply with the subject access request in such a case, namely:
  • Where the other individual has consented to the disclosure of the information to the person making the request; or
  • It is reasonable in all the circumstances to do so without the consent of the other individual (Art.28(4)).
  1. So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision involves balancing the data subject’s right of access against the other individual’s rights relating to their own personal data. If the other person consents to you disclosing the information about them, it is unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.

  2. In practice, it may sometimes be difficult to get third-party consent; for example, the third party might refuse or be difficult to find. If so, you must consider whether it is reasonable to disclose the information about the other individual anyway. In deciding whether it is reasonable in all the circumstances to comply with the request without the consent of the third party, you must have regard to:

  • The type of information that you would disclose.
  • Any duty of confidentiality owed to the individual.
  • Any steps taken by the controller to seek the consent of the other individual.
  • Whether the other individual is capable of giving consent.
  • Any express refusal of consent by the other individual (Art.28(7)(a)-(d)).
  1. Confidentiality is an important factor when deciding whether to disclose third-party information without their consent. A duty of confidence normally arises where someone shares information that is not publicly available and does so with a clear expectation it will be kept private. This may come from the nature of the information itself (for example, details of a disciplinary issue) or from the type of relationship involved, such as doctor–patient, employer–employee, lawyer–client, financial, counselling or trade union relationships. However, you should not assume all information is confidential simply because it is marked as such; the content may already be public, or wider public interest considerations may apply. Where a genuine duty of confidence exists, it will usually be reasonable to withhold the third-party information unless they have given permission for it to be shared.

  2. When deciding whether it is reasonable to disclose third-party information you should also consider what the requester already knows and how important the information is to them. If the requester has previously seen the information, already knows the identity of the third party (including information about a staff member acting in the course of their duties), or the information is publicly available, disclosure is more likely to be reasonable. You should also weigh up how significant the information is to the requester’s understanding of their own situation; in some cases, the requester’s need to access information about their own life may outweigh the third party’s preference for confidentiality.

  3. If you are satisfied that the data subject will not be able to identify the other individual from the information, taking into account any other information which, in the reasonable belief of the data controller, is likely to be in (or to come into) the possession of the data subject, then you must provide the information.

  4. If you can protect the identity of the other individual by deleting/redacting names or other identifying information, you must provide the information in this way (Art.28(6)).

Example

An organisation is carrying out a disciplinary investigation into an employee, Alex, following several complaints made by colleagues about their behaviour. During the investigation, Alex submits a DSAR asking for copies of all complaints, statements, and emails relating to them. The organisation identifies that many of the documents contain personal data about Alex, but they also include personal data about other employees, including the identities of the individuals who submitted complaints or provided information. Some complainants expressed concerns about retaliation and specifically asked that their names remain confidential.

The organisation must therefore consider whether it can disclose the information without revealing the identities of the colleagues involved. It works through the requirements of Arts.28(4) and (7) of the DPJL 2018:
  • First, it considers whether the colleagues have consented to disclosure of their identities. In this case, none have given consent; some have expressly refused.
  • It then assesses whether it is reasonable in all the circumstances to disclose the information without their consent. This involves considering:
  • The type of information involved (complaint details and sensitive workplace statements).
  • The duty of confidentiality owed to complainants.
  • Whether the organisation attempted to seek consent.
  • Whether the colleagues are capable of giving consent.
  • Any potential risks or consequences for them.

Given these factors, disclosure would not be reasonable.

The organisation next considers whether the information can be disclosed in a way that prevents the colleague(s) from being identified, taking into account what Alex already knows or is likely to discover. Some details (e.g. shift patterns, writing style, or specific incidents) could indirectly reveal the complainant’s identity even if names are removed.

The organisation provides Alex with the substance of the complaints, relevant dates, and factual details relating to their behaviour, but without disclosing the identities of the colleagues who submitted the information.

Health Records

  1. Special rules apply where providing subject access to information about an individual’s physical or mental health would be likely to cause serious harm to them or to another person’s physical or mental health. These rules are set out at Art.29 of the DPJL 2018, and their effect is to exempt personal data of this type from subject access to the extent that its disclosure would be likely to cause such harm (see Art.61(2) of the DPJL 2018). To apply this exemption, there needs to be an assessment of the likelihood of the disclosure causing serious harm.

  2. Unless you are a health professional, you must consult the appropriate health professional who is or was most recently responsible for the clinical care of the individual concerned before deciding whether the exemption applies. This requirement to consult does not apply if the individual has already seen or knows about the information concerned.

  3. If you intend to rely upon an existing opinion obtained within the previous 30 weeks, you must consider whether it is reasonable in all the circumstances to consult the appropriate health professional again.

Right to Rectification (Art.31 DPJL 2018)

What is the right to rectification?

  1. Under Art.31 of the DPJL 2018, individuals have the right to:
  • Have inaccurate personal data rectified; and
  • Have incomplete personal data completed.
  2. This right has close links to the accuracy principle of the DPJL 2018 (Art.8(1)(d)). Although you may have already taken steps to ensure that the personal data was accurate when you obtained it, this right imposes a specific obligation to reconsider the information’s accuracy upon request.

What do we need to do?

  1. If you receive a request for rectification you should take reasonable steps to satisfy yourself that the data is accurate and, if not, to rectify the data if necessary. You should take into account any arguments and evidence provided by the data subject.

  2. What steps are reasonable will depend on the nature of the personal data and what you are using it for. The more important it is that the personal data is accurate, the greater the effort you should put into checking its accuracy and, if necessary, taking steps to rectify it. For example, you should make a greater effort to rectify inaccurate personal data if it is used to make significant decisions that will affect an individual or others, rather than trivial ones. You may also take into account any steps you have already taken to verify the accuracy of the data prior to the challenge by the data subject.

When is data inaccurate?

  1. The DPJL 2018 does not define the term “accuracy”. However, we consider that personal data is likely to be inaccurate if it is incorrect or misleading as to any matter of fact.

What should we do about data that records a mistake?

  1. Determining whether personal data is inaccurate can be more complex if the data refers to a mistake that has subsequently been resolved. It may be possible to argue that the record of the mistake is, in itself, accurate and should be kept. In such circumstances, both the fact that a mistake was made and the correct information should be included in the individual’s data.

Example

If a patient is diagnosed by a GP as suffering from a particular illness or condition, but it is later proved that this is not the case, it is likely that their medical records should record both the initial diagnosis (even though it was later proved to be incorrect) and the final findings. Whilst the medical record shows a misdiagnosis, it is an accurate record of the patient's medical treatment. As long as the medical record contains the up-to-date findings, and this is made clear in the record, it would be difficult to argue that the record is inaccurate and should be rectified.

What should we do about data that records a disputed opinion?

  1. It is also complex if the data in question records an opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified.

What should we do while we are considering the accuracy?

  1. Under Art.33(1)(a) of the DPJL 2018, an individual has the right to request restriction of the processing of their personal data where they contest its accuracy and for such period as it takes for you to check that it is accurate.

What should we do if we are satisfied that the data is accurate?

  1. You should let the individual know if you are satisfied that the personal data is accurate, and tell them that you will not be amending the data. You should explain your decision, and inform them of their right to make a complaint to us and of their ability to seek to enforce their rights through a judicial remedy. You should also place a note on your system recording the fact that the individual challenged the accuracy of the data (and their reasons for doing so), together with your decision and your reasons for refusing their request.

Can we refuse to comply with the request for rectification for other reasons?

  1. If an exemption applies, you can refuse to comply with a request for rectification (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request. For more information, please see our guidance on exemptions.

  2. You can also refuse to comply with a request for rectification if the request is manifestly vexatious, unfounded or excessive (in particular where the request is repetitive in nature). If you consider that a request is manifestly vexatious, unfounded or excessive you can:

  • Request a "reasonable fee" to deal with the request; or
  • Refuse to deal with the request.
  1. You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual without undue delay and within 4 weeks. You do not need to comply with the request until you have received the fee.

What should we do if we refuse to comply with a request for rectification?

  1. You must inform the individual without undue delay and within 4 weeks of receipt of the request about:
  • The reasons you are not taking action.
  • Their right to make a complaint to us.
  • Their ability to seek to enforce this right through a judicial remedy.

Does the request need to be in a specified format?

  1. No, the DPJL 2018 does not specify how to make a request for rectification. Therefore, an individual can make a request for rectification verbally or in writing. It can be made to any part of your organisation and does not have to be to a specific person or contact point.

  2. Similarly, a request to rectify personal data does not need to mention the phrase ‘request for rectification’ or Art.31 of the DPJL 2018 to be a valid request. As long as the individual has challenged the accuracy of their data and has asked you to correct it, or has asked that you take steps to complete data held about them that is incomplete, this will be a valid request under Art.31.

  3. This presents a challenge as any of your employees could receive a valid verbal request. However, you have the legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore, you may need to consider which of your staff who regularly interact with individuals may need specific training so they know how to identify and deal with a request.

  4. Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request.

Can we charge a fee?

  1. No, in most cases you cannot charge a fee to comply with a request for rectification. However, as noted above, if the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.

How long do we have to comply?

  1. You must act upon the request without undue delay and at the latest within 4 weeks of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date 4 weeks later.

Can we extend the time to respond to a request?

  1. You can extend the time to respond by a further 8 weeks if the request is complex or you have received a number of requests from the individual. You must let the individual know without undue delay and within 4 weeks of receiving their request and explain why the extension is necessary.

  2. The circumstances in which you can extend the time to respond can include further consideration of the accuracy of disputed data - although you can only do this in complex cases - and the result may be that at the end of the extended time period you inform the individual that you consider the data in question to be accurate.

  3. However, it is the Commissioner's view that it is unlikely to be reasonable to extend the time limit if:

  • It is manifestly unfounded or excessive;
  • An exemption applies; or
  • You are requesting proof of identity before considering the request.

Can we ask an individual for ID?

  1. If you have doubts about the identity of the person making the request, you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

  2. You must let the individual know without undue delay and within 4 weeks that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.

Do we have to tell other organisations if we rectify personal data?

  1. Yes; if you have disclosed the personal data to others, Art.27(8) of the DPJL 2018 says that you must contact each recipient and inform them of the rectification or completion of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.

  2. Art.1(1) of the DPJL 2018 defines a recipient as 'any person to whom the data are disclosed, whether a third party or not but does not include a public authority to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the relevant law'. In practice, this means a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

  3. When deciding if the effort required is disproportionate you should take into account the number of data subjects, the age of the data, and the likely impact on the data subject were the third parties not advised.

Right to Erasure (Art.32 DPJL 2018)

What is the right to erasure?

  1. Under Art.32 of the DPJL 2018 individuals have the right to have personal data erased. This is also known colloquially as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

When does the right to erasure apply?

  1. Individuals have the right to have their personal data erased if:
  • The personal data are no longer necessary for the purpose for which you originally collected or processed them;
  • You are relying on consent as your lawful basis for processing the data, and the individual withdraws their consent;
  • You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • You are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • You have processed the personal data unlawfully (i.e. in breach of the lawfulness principle set out in Art.8(1)(a) of the DPJL 2018);
  • You have to do it to comply with a legal obligation; or
  • You have processed the personal data to offer information society services to a child who is unable to give valid consent under Art.11(4) of the DPJL 2018.

How does the right to erasure apply to data collected from children?

  1. There is an emphasis on the right to have personal data erased if the request relates to data collected from children who are unable to give valid consent. This reflects the enhanced protection of children’s information, especially in online environments, under the DPJL 2018. Therefore, if you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child – especially any processing of their personal data on the internet. This is still the case when the data subject is no longer a child, because a child may not have been fully aware of the risks involved in the processing at the time of consent.

Do we have to tell other organisations about the erasure of personal data?

  1. If you have disclosed the personal data to others, Art.27(8) of the DPJL 2018 says that you must contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.

  2. Art.1(1) of the DPJL 2018 defines a recipient as 'any person to whom the data are disclosed, whether a third party or not but does not include a public authority to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the relevant law'. In practice, this means a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

  3. When deciding if the effort required is disproportionate you should take into account the number of data subjects, the age of the data, and the likely impact on the data subject were the third parties not advised.

When does the right to erasure not apply?

  1. The right to erasure does not apply if processing is necessary for one of the following reasons:
  • To exercise the rights of freedom of expression and information;
  • To comply with a legal obligation to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority;
  • For public health purposes in the public interest (e.g. protecting against cross-border threats to health, and ensuring high standards of quality and safety of health care and of medicinal products or medical devices);
  • For archiving or for statistical, scientific or historical research purposes in the public interest, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • For the establishment, exercise or defence of legal claims.

Can we refuse to comply with a request for other reasons?

  1. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request. For more information, please see our guidance on exemptions.

  2. You can also refuse to comply with a request for erasure if the request is manifestly vexatious, unfounded or excessive (in particular where the request is repetitive in nature). If you consider that a request is manifestly vexatious, unfounded or excessive you can:

  • Request a "reasonable fee" to deal with the request; or
  • Refuse to deal with the request.
  1. You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual without undue delay and within 4 weeks. You do not need to comply with the request until you have received the fee.

What should we do if we refuse to comply with a request for erasure?

  1. You must inform the individual without undue delay and within 4 weeks of receipt of the request about:
  • The reasons you are not taking action;
  • Their right to make a complaint to the Authority; and
  • Their ability to seek to enforce this right through a judicial remedy.

Does the request need to be in a specified format?

  1. No; the DPJL 2018 does not specify how to make a request for erasure. Therefore, an individual can make a request for erasure verbally or in writing. It can be made to any part of your organisation and does not have to be to a specific person or contact point.

  2. Similarly, a request to erase personal data does not need to mention the phrase ‘request for erasure’ or Art.32 of the DPJL 2018 to be a valid request. As long as the individual has identified the information they want erased, this will be a valid request under Art.32.

  3. This presents a challenge as any of your employees could receive a valid verbal request. However, you have the legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore, you may need to consider which of your staff who regularly interact with individuals may need specific training so they know how to identify and deal with a request.

  4. Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request.

Can we charge a fee?

  1. No, in most cases you cannot charge a fee to comply with a request for erasure. However, as noted above, if the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.

How long do we have to comply?

  1. You must act upon the request without undue delay and at the latest within 4 weeks of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date 4 weeks later.

Can we extend the time to respond to a request?

  1. You can extend the time to respond by a further 8 weeks if the request is complex or you have received a number of requests from the individual. You must let the individual know without undue delay and within 4 weeks of receiving their request and explain why the extension is necessary.

  2. The circumstances in which you can extend the time to respond can include further consideration of the need to retain the data - although you can only do this in complex cases - and the result may be that at the end of the extended time period you inform the individual that you consider the data in question still needs to be retained.

  3. However, it is the Commissioner's view that it is unlikely to be reasonable to extend the time limit if:

  • It is manifestly unfounded or excessive;
  • An exemption applies; or
  • You are requesting proof of identity before considering the request.

Can we ask an individual for ID?

  1. If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

  2. You must let the individual know without undue delay and within 4 weeks that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.

Do we have to erase personal data from backup systems?

  1. When you receive a valid request for erasure, you must take reasonable steps to remove the data from both live systems and backups, taking into account your technical setup and retention schedule. You should be transparent with individuals about what will happen to their data, including how backups are handled. In many cases, data can be deleted from active systems immediately, but may remain in backup files until those backups are routinely overwritten. The key requirement is that any remaining backup data is put “beyond use”: it must not be accessed, restored or processed for any other purpose, and should simply be allowed to expire in line with your established backup cycle. As long as these controls are in place, the temporary presence of data in backup systems is unlikely to create a significant risk, although this will depend on the context.

Do we have to tell other organisations if we erase personal data?

  1. Yes. If you have disclosed the personal data to others, you must contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.

  2. Art. 1(1) of the DPJL 2018 defines a recipient as 'any person to whom the data are disclosed, whether a third party or not, but does not include a public authority to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the relevant law'. In practice, this means a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

  3. Where personal data has been made public in an online environment reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies or replication of that data. When deciding what steps are reasonable you should take into account available technology, the cost of implementation, the age of the data, and the likely impact on the data subject were the third parties not advised.

Right to Restriction (Art.33 DPJL 2018)

  1. Art.33 of the DPJL 2018 gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

  2. Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.

When does the right to restrict processing apply?

  1. Individuals have the right to request you restrict the processing of their personal data in the following circumstances:
  • The individual contests the accuracy of their personal data and you are verifying the accuracy of the data.
  • The data has been unlawfully processed (i.e. in breach of the lawfulness principle) and the individual opposes erasure and requests restriction instead.
  • You no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim.
  • The individual has objected to you processing their data under Art.35 and you are considering whether your legitimate grounds or reasons of public interest override those of the individual.
  1. Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:
  • If an individual has challenged the accuracy of their data and asked for you to rectify it (Art.31), they also have a right to request you restrict processing while you consider their rectification request.
  • If an individual exercises their right to object under Arts.35, 36 or 37, they also have a right to request you restrict processing while you consider their objection request.
  1. Therefore, as a matter of good practice you should automatically restrict the processing whilst you are considering its accuracy or the legitimate grounds for processing the personal data in question.

How do we restrict processing?

  1. You need to have processes in place that enable you to restrict personal data if required. It is important to note that the definition of processing includes a broad range of operations including collecting, recording, organisation, structuring, dissemination and erasure of data. Therefore, you should use methods of restriction that are appropriate for the type of processing you are carrying out.

  2. Whilst the DPJL 2018 is silent on the issue, Recital 67 to the GDPR suggests a number of different methods that could be used to restrict data, such as:

  • Temporarily moving the data to another processing system.
  • Making the data unavailable to users.
  • Temporarily removing published data from a website.
  1. It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).

  2. If you are using an automated filing system, you need to use technical measures to ensure that any further processing cannot take place and that the data cannot be changed whilst the restriction is in place. You should also note on your system that the processing of this data has been restricted.

Can we do anything with the restricted data?

  1. You must not process the restricted data in any way except to store it unless:
  • You have the individual’s consent.
  • It is for the protection of the rights of another person (natural or legal).
  • It is for reasons of substantial public interest.
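Two of the obligations above are essentially engineering requirements: the technical measures that stop any further processing or change of restricted data in an automated filing system (with a note on the system and only the three permitted purposes allowed through), and the earlier point that erased data still sitting in backups must be kept "beyond use" rather than restored. The following is an added example written for this page, not the Commissioner's or the DPJL 2018's own design; the in-memory store, the `Purpose` labels, the erasure-ledger approach to backup restores and the sample records are all constructed assumptions:

```python
"""Added illustration (constructed, not the Commissioner's or the DPJL's design):
an in-memory personal-data store that enforces an Art.33 restriction flag so only
storage and the three permitted purposes may touch restricted data, and keeps an
erasure ledger so copies still present in a backup are suppressed on restore."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

class Purpose(Enum):
    # Assumed purpose labels; the first three mirror the exceptions in the guidance.
    CONSENT = "consent"
    PROTECT_RIGHTS_OF_ANOTHER = "protect_rights_of_another"
    SUBSTANTIAL_PUBLIC_INTEREST = "substantial_public_interest"
    ROUTINE = "routine"  # ordinary business processing, never allowed while restricted

class RestrictedError(PermissionError):
    """Processing attempted on restricted data without a permitted purpose."""

@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False
    restriction_reason: str = ""
    audit: list = field(default_factory=list)  # the 'note on your system'

class PersonalDataStore:
    ALLOWED_WHILE_RESTRICTED = {Purpose.CONSENT, Purpose.PROTECT_RIGHTS_OF_ANOTHER,
                                Purpose.SUBSTANTIAL_PUBLIC_INTEREST}

    def __init__(self):
        self.live: dict[str, Record] = {}
        self.erased: set[str] = set()  # erasure ledger, consulted on every restore

    def add(self, subject_id, data):
        self.live[subject_id] = Record(subject_id, dict(data))

    def _check(self, rec, purpose):
        if rec.restricted and purpose not in self.ALLOWED_WHILE_RESTRICTED:
            raise RestrictedError(f"{rec.subject_id}: restricted ({rec.restriction_reason})")

    def restrict(self, subject_id, reason):
        rec = self.live[subject_id]
        rec.restricted, rec.restriction_reason = True, reason
        rec.audit.append(f"{date.today()}: restricted - {reason}")

    def lift_restriction(self, subject_id, individual_informed):
        # The guidance requires the individual to be informed before the restriction is lifted.
        if not individual_informed:
            raise ValueError("inform the individual before lifting the restriction")
        rec = self.live[subject_id]
        rec.restricted, rec.restriction_reason = False, ""
        rec.audit.append(f"{date.today()}: restriction lifted")

    def read(self, subject_id, purpose=Purpose.ROUTINE):
        rec = self.live[subject_id]
        self._check(rec, purpose)
        return dict(rec.data)

    def update(self, subject_id, changes, purpose=Purpose.ROUTINE):
        rec = self.live[subject_id]
        self._check(rec, purpose)  # blocks changes while restricted
        rec.data.update(changes)
        rec.audit.append(f"{date.today()}: updated {sorted(changes)} ({purpose.value})")

    def erase(self, subject_id):
        self.live.pop(subject_id, None)
        self.erased.add(subject_id)  # remembered so a later restore cannot resurrect it

    def restore_from_backup(self, snapshot):
        """Restore a backup, never bringing subjects in the erasure ledger back into use."""
        restored, suppressed = [], []
        for sid, data in snapshot.items():
            if sid in self.erased:
                suppressed.append(sid)
                continue
            self.live.setdefault(sid, Record(sid, dict(data)))  # keep the live copy if present
            restored.append(sid)
        return restored, suppressed

def demo():
    """Walk through a restriction, a blocked routine update, an erasure and a restore."""
    store = PersonalDataStore()
    store.add("subj-001", {"name": "A. Example", "address": "1 Sample St"})  # constructed
    store.add("subj-002", {"name": "B. Example", "address": "2 Sample St"})  # constructed
    backup = {sid: dict(r.data) for sid, r in store.live.items()}  # backup taken before any request
    store.restrict("subj-001", "accuracy contested, Art.33(1)(a)")
    try:
        store.update("subj-001", {"address": "9 Other St"})  # routine processing, must fail
        routine_blocked = False
    except RestrictedError:
        routine_blocked = True
    claim_read = store.read("subj-001", Purpose.PROTECT_RIGHTS_OF_ANOTHER)  # permitted purpose
    store.erase("subj-002")
    restored, suppressed = store.restore_from_backup(backup)
    return {"routine_blocked": routine_blocked, "claim_read": claim_read,
            "restored": restored, "suppressed": suppressed,
            "live_subjects": sorted(store.live)}
```

Calling `demo()` shows the routine update on the restricted record being refused while a read for a permitted purpose succeeds, and the restore of a backup taken before the erasure bringing back only the subject who was not erased. The erasure ledger is the part that does the "beyond use" work: the backup file itself is left to expire on its normal cycle, but any restore path has to consult the ledger, so the erased data never re-enters the live system. Keeping the audit note on the record rather than in a separate log means the restriction and its reason travel with the data wherever it is copied.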

Do we have to tell other organisations about the restriction of personal data?

  1. No; the DPJL 2018 does not state that if you have disclosed the personal data in question to others that you must contact each recipient and inform them of the restriction of the personal data.

When can we lift the restriction?

  1. In many cases the restriction of processing is only temporary, specifically when the restriction is on the grounds that:
  • The individual has disputed the accuracy of the personal data and you are investigating this; or
  • The individual has objected to you processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of your legitimate interests, and you are considering whether your legitimate grounds override those of the individual.
  1. Once you have made a decision on the accuracy of the data, or whether your legitimate grounds override those of the individual, you may decide to lift the restriction. If you do this, you must inform the individual before you lift the restriction.

  2. As noted above, these two conditions are linked to the right to rectification (Art.31) and the right to object (Arts.35, 36 and 37). This means that if you are informing the individual that you are lifting the restriction (on the grounds that you are satisfied that the data is accurate, or that your legitimate grounds override theirs) you should also inform them of the reasons for your refusal to act upon their rights under Arts.31, 35, 36 or 37. You will also need to inform them of their right to make a complaint to us and their ability to seek a judicial remedy.

Can we refuse to comply with a request for restriction?

  1. If an exemption applies, you can refuse to comply with a request for restriction (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request. For more information, please see our guidance on exemptions.

  2. You can also refuse to comply with a request for restriction if the request is manifestly vexatious, unfounded or excessive (in particular where the request is repetitive in nature). If you consider that a request is manifestly vexatious, unfounded or excessive you can:

  • Request a "reasonable fee" to deal with the request; or
  • Refuse to deal with the request.
  1. You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual without undue delay and within 4 weeks. You do not need to comply with the request until you have received the fee.

What should we do if we refuse to comply with a request for restriction?

  1. You must inform the individual without undue delay and within 4 weeks of receipt of the request about:
  • The reasons you are not taking action;
  • Their right to make a complaint to us; and
  • Their ability to seek to enforce this right through a judicial remedy.

Does the request need to be in a specified format?

  1. No; the DPJL 2018 does not specify how to make a request for restriction. Therefore, an individual can make a request verbally or in writing. It can be made to any part of your organisation and does not have to be to a specific person or contact point.

  2. Similarly, a request to restrict personal data does not need to mention the phrase ‘request for restriction’ or Art.33 of the DPJL 2018 to be a valid request. As long as the individual has asked you for the restriction, this will be a valid request under Art.33.

  3. This presents a challenge as any of your employees could receive a valid verbal request. However, you have the legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore, you may need to consider which of your staff who regularly interact with individuals may need specific training so they know how to identify and deal with a request.

  4. Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request.

Can we charge a fee?

  1. No, in most cases you cannot charge a fee to comply with a request for restriction. However, as noted above, if the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.

How long do we have to comply?

  1. You must act upon the request without undue delay and at the latest within 4 weeks of receipt.

  2. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date 4 weeks later.

Can we extend the time to respond to a request?

  1. You can extend the time to respond by a further 8 weeks if the request is complex or you have received a number of requests from the individual. You must let the individual know without undue delay and within 4 weeks of receiving their request and explain why the extension is necessary.

Can we ask an individual for ID?

  1. If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

  2. You must let the individual know without undue delay and within 4 weeks that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.

Right to data portability (Art.34 DPJL 2018)
  1. The right to data portability gives individuals the right to receive personal data they have provided to the controller in a structured, commonly used and machine-readable format. It is intended to allow individuals to obtain and re-use their data for their own purposes and across different services. It also gives them the right to request that a controller transmits this data directly to another controller.

When does the right apply?

  1. Under Art.34 of the DPJL 2018, the right to data portability only applies:
  • To personal data an individual has provided to a controller.
  • Where the processing is based on the individual’s consent or for the performance of a contract.
  • When processing is carried out by automated means (i.e. excluding paper files).

What does the right apply to?

  1. Information is only within the scope of the right to data portability if it is personal data of the individual that they have provided to you.

  2. In most cases, this will be obvious (e.g. information submitted by a data subject to a controller via an online form). The Art.29 Working Party, however, considers that this definition extends also to data resulting from the observation of that individual’s activity. This might include:

  • History of website usage or search activities.
  • Traffic and location data.
  • 'Raw’ data processed by connected objects such as smart meters and wearable devices.
  1. In particular, the guidance referred to sets out the views of the Art.29 Working Party, as follows:
    'A distinction can be made between different categories of data, depending on their origin, to determine if they are covered by the right to data portability. The following categories can be qualified as 'provided by the data subject':

    • Data actively and knowingly provided by the data subject (for example, mailing address, user name, age, etc.)
    • Observed data provided by the data subject by virtue of the use of the service or the device. They may for example include a person’s search history, traffic data and location data. It may also include other raw data such as the heartbeat tracked by a wearable device.

    In contrast, inferred data and derived data are created by the data controller on the basis of the data 'provided by the data subject'. For example, the outcome of an assessment regarding the health of a user or the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules) cannot in themselves be considered as 'provided by' the data subject. Even though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject (through his actions for example), these data will typically not be considered as 'provided by the data subject' and thus will not be within scope of this new right.'

  2. It does not include any additional data that you have created based on the data an individual has provided to you. For example, if you use the data they have provided to create a user profile then this data would not be in scope of data portability. Nor will it apply to genuinely anonymous data. (However, pseudonymous data that can be clearly linked back to an individual (e.g. where that individual provides the respective identifier) is within scope of the right.)

  3. You should note however that if this ‘inferred’ or ‘derived’ data is personal data, you will still need to provide it to an individual if they make a subject access request. Bearing this in mind, if it is clear that the individual is seeking access to the inferred/derived data, as part of a wider portability request, it would be good practice to include this data in your response.

How do I comply?

  1. You must provide the personal data in a structured, commonly used and machine readable format. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.

  2. The information must be provided free of charge.

  3. If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations.

  4. If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual. Generally speaking, providing third party data to the individual making the portability request should not be a problem, assuming that the requestor provided this data to you within their information in the first place. However, you should always consider whether there will be an adverse effect on the rights and freedoms of third parties, in particular when you are transmitting data directly to another controller. If the requested data has been provided to you by multiple data subjects (e.g. a joint bank account) you need to be satisfied that all parties agree to the portability request. This means that you may have to seek agreement from all the parties involved.

What is a structured, commonly used and machine-readable format?

  1. These terms are not defined in the DPJL 2018, but can be broadly understood as follows:
  • Structured data allows for easier transfer and increased usability. This means that software must be able to extract specific elements of the data. An example of a structured format is a spreadsheet, where the data is organised into rows and columns, i.e. it is ‘structured’. In practice, some of the personal data you process will already be in structured form. In many cases, if a format is structured it is also machine-readable.
  • Commonly used means that the format you choose must be widely-used and well-established. However, just because a format is ‘commonly used’ does not mean it is appropriate for data portability. You have to consider whether it is ‘structured’, and ‘machine-readable’ as well. Although you may be using common software applications, which save data in commonly-used formats, these may not be sufficient to meet the requirements of data portability.
  • ‘Machine readable’ data is data in a format that can be automatically read and processed by a computer.
  1. You may already be using an appropriate format within your networks and systems, and/or you may be required to use a particular format due to the particular industry or sector you are part of. Provided it meets the requirements of being structured, commonly-used and machine readable then it could be appropriate for a data portability request. Where no specific format is in common use within your industry or sector, you should consider providing personal data using open formats such as CSV, XML and JSON.
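The two points above, the scope of the right (data 'provided by' or observed from the individual is in scope, data you have inferred or derived from it is not) and the structured, commonly used, machine-readable output, can be handled together in one export routine. The following is an added example, not code from the Authority or from the DPJL 2018; the record layout, the field names, the `origin` tags and the sample customer record are all constructed assumptions. It checks the Art.34 preconditions (consent or contract as the lawful basis, automated processing), selects only the in-scope fields by default, optionally adds inferred/derived data where the requester has clearly asked for it, and writes the result as JSON and as CSV.

```python
"""Data-portability export: Art.34 scope check plus structured, machine-readable output.

Added example, not the Authority's own code. The record layout, field names and
the sample customer record are constructed assumptions.
"""
import csv
import io
import json
from typing import Any, Dict, List

# Origin tags follow the Art.29 Working Party categories quoted in the guidance.
PORTABLE_ORIGINS = {"provided", "observed"}      # within scope of Art.34
CONTROLLER_CREATED = {"inferred", "derived"}     # out of scope (still disclosable under subject access)
PORTABILITY_BASES = {"consent", "contract"}      # Art.34 applies only to these lawful bases

# Constructed sample record (assumption, not real data).
SAMPLE_RECORD: Dict[str, Any] = {
    "subject_id": "cust-0001",
    "lawful_basis": "contract",
    "automated": True,  # held electronically, not a paper file
    "fields": [
        {"name": "email", "value": "a.example@example.com", "origin": "provided"},
        {"name": "postal_address", "value": "1 Example St, St Helier", "origin": "provided"},
        {"name": "search_history", "value": ["winter coats", "boots"], "origin": "observed"},
        {"name": "last_login_location", "value": "Jersey", "origin": "observed"},
        {"name": "customer_segment", "value": "high-value customer", "origin": "inferred"},
        {"name": "credit_score", "value": 712, "origin": "derived"},
    ],
}


def scope_problems(record: Dict[str, Any]) -> List[str]:
    """Return the reasons (if any) why the right to portability does not apply to this record."""
    problems: List[str] = []
    if record.get("lawful_basis") not in PORTABILITY_BASES:
        problems.append(f"lawful basis '{record.get('lawful_basis')}' is not consent or contract")
    if not record.get("automated", False):
        problems.append("processing is not carried out by automated means")
    return problems


def portable_fields(record: Dict[str, Any], include_inferred: bool = False) -> List[Dict[str, Any]]:
    """Select the fields to export.

    By default only 'provided' and 'observed' data is returned. include_inferred=True
    adds controller-created data, which the guidance treats as good practice when the
    requester clearly wants it alongside the portability request.
    """
    allowed = PORTABLE_ORIGINS | (CONTROLLER_CREATED if include_inferred else set())
    return [f for f in record["fields"] if f["origin"] in allowed]


def export_dict(record: Dict[str, Any], include_inferred: bool = False) -> Dict[str, Any]:
    """Build the structured export; raises ValueError if Art.34 does not apply."""
    problems = scope_problems(record)
    if problems:
        raise ValueError("; ".join(problems))
    selected = portable_fields(record, include_inferred)
    return {
        "subject_id": record["subject_id"],
        "data": {f["name"]: f["value"] for f in selected},
        "origin": {f["name"]: f["origin"] for f in selected},
    }


def to_json(record: Dict[str, Any], include_inferred: bool = False) -> str:
    """JSON output: structured, commonly used and machine-readable; nested values are kept as-is."""
    return json.dumps(export_dict(record, include_inferred), indent=2, ensure_ascii=False)


def to_csv(record: Dict[str, Any], include_inferred: bool = False) -> str:
    """CSV output: one row per field. Non-scalar values are JSON-encoded inside the cell
    so the file stays a flat table that any spreadsheet or script can parse."""
    export_dict(record, include_inferred)  # run the scope check before writing anything
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["name", "origin", "value"])
    for f in portable_fields(record, include_inferred):
        value = f["value"]
        cell = value if isinstance(value, (str, int, float)) else json.dumps(value)
        writer.writerow([f["name"], f["origin"], cell])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_json(SAMPLE_RECORD))
    print(to_csv(SAMPLE_RECORD))
    # A paper file processed under legitimate interests falls outside Art.34 on both counts.
    paper = dict(SAMPLE_RECORD, automated=False, lawful_basis="legitimate_interests")
    print(scope_problems(paper))
```

The `origin` tag is the design point: unless the controller records, at collection time, whether each field was given by the individual, observed from their use of the service, or created by the controller, the scope decision has to be made by hand for every request. Tagging it once makes the portability export (and the broader subject-access export) mechanical and auditable.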

How long do we have to comply?

  1. You must act upon the request without undue delay and at the latest within 4 weeks of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date 4 weeks later.

Can we extend the time to respond to a request?

  1. You can extend the time to respond by a further 8 weeks if the request is complex or you have received a number of requests from the individual. You must let the individual know without undue delay and within 4 weeks of receiving their request and explain why the extension is necessary.

Can we refuse to comply with a request for portability?

  1. If an exemption applies, you can refuse to comply with a request for portability (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request. For more information, please see our guidance on exemptions.

  2. You can also refuse to comply with a request for portability if the request is manifestly vexatious, unfounded or excessive (in particular where the request is repetitive in nature). If you consider that a request is manifestly vexatious, unfounded or excessive you can:

  • Request a 'reasonable fee' to deal with the request.
  • Refuse to deal with the request.
  1. You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual without undue delay and within 4 weeks. You do not need to comply with the request until you have received the fee.

What should we do if we refuse to comply with a request for portability?

  1. You must inform the individual without undue delay and within 4 weeks of receipt of the request about:
  • The reasons you are not taking action.
  • Their right to make a complaint to us.
  • Their ability to seek to enforce this right through a judicial remedy.

Does the request need to be in a specified format?

  1. No; the DPJL 2018 does not specify how to make a request for portability. Therefore, an individual can make a request verbally or in writing. It can be made to any part of your organisation and does not have to be to a specific person or contact point.

  2. Similarly, a request for portability does not need to mention the phrase ‘request for portability’ or Art.34 of the DPJL 2018 to be a valid request. As long as the individual has asked you to provide or transmit their data, this will be a valid request under Art.34.

  3. This presents a challenge as any of your employees could receive a valid verbal request. However, you have the legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore, you may need to consider which of your staff who regularly interact with individuals may need specific training so they know how to identify and deal with a request.

  4. Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request.

Can we ask an individual for ID?

  1. If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for. You must let the individual know without undue delay and within 4 weeks that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.
Right to object (Arts.35, 36 and 37 DPJL 2018)
  1. The DPJL 2018 gives individuals the right to object to the processing of their data in three specific circumstances, namely where processing is being carried out for the purpose of:
  • Public functions or legitimate interests
  • Direct marketing
  • Historical or scientific purposes.
  1. These various grounds are discussed further below.
Right to object to processing for purpose of public functions or legitimate interests (Art.35 DPJL 2018)
  1. Art.35 of the DPJL 2018 gives individuals the right to object to the processing of their personal data if the processing is necessary for:
  1. The exercise of public functions (Schedule 2 Part 1 para.4) where the processing is necessary for:
  • The administration of justice;
  • The exercise of any functions conferred on any person by or under any enactment;
  • The exercise of any functions of the Crown, the States or any public authority; or
  • The exercise of any other functions of a public nature with a legal basis in Jersey law to which the controller is subject and exercised in the public interest by any person; or
  1. Your legitimate interests (or those of a third party) (Schedule 2 Part 1 Para.5).
  1. Where you process data exclusively for the exercise of public functions or on the basis of legitimate interests (or a combination of the two), the data subject has an absolute right to object to the processing (Art.35(1)(a)).

When do we need to tell individuals about the right to object?

  1. Where processing is based exclusively on one of these conditions (or a combination of them) you must tell individuals that they have a right to object to the processing and you must inform individuals of their right to object “at or before the time of the controller’s first communication”, “explicitly” and 'separately from any other matters notified to the data subject' (Art.35(2)).

How should an objection be raised?

  1. A data subject must raise the objection by way of written notice to the controller (Art.35(3)). A request does not necessarily have to include the phrase "objection to processing" or Art.35 of the DPJL 2018 - as long as it is clear that the individual wishes the processing to stop.

How should we respond to this objection?

  1. Art.35(4) of the DPJL 2018 says that where you have received such written notice from the data subject you must stop processing the personal data unless you can demonstrate compelling legitimate or public interest grounds in continuing to process the data, that:
  • Outweigh the interests, rights and freedoms of the individual.
  • Are necessary for the establishment, exercise or defence of legal claims.
  1. If you are deciding whether you have compelling legitimate grounds which override the interests of an individual, you should consider the reasons why they have objected to the processing of their data. In particular, if an individual objects on the grounds that the processing is causing them substantial damage or distress (e.g. the processing is causing them financial loss), the grounds for their objection will have more weight. In making a decision on this, you need to balance the individual’s interests, rights and freedoms with your own legitimate grounds. During this process you should remember that the responsibility is for you to be able to demonstrate that your legitimate grounds override those of the individual.

  2. If you are satisfied that you do not need to stop processing the personal data in question you should let the individual know. You should explain your decision, and inform them of their right to make a complaint to the Authority and of their ability to seek to enforce their rights through a judicial remedy.

  3. The burden is on you, the controller, to justify continuing the processing. You cannot rely on generic arguments or broad business needs. The justification must be specific, evidence-based and show why your interests override the individual’s rights and freedoms.

Right to object to processing for direct marketing purposes (Art.36 of the DPJL)
  1. Art.36 of the DPJL 2018 gives individuals the right to object to the processing of their personal data for direct marketing purposes. Direct marketing includes any communication aimed at promoting goods, services, aims or ideals to individuals, whether by electronic means, post, telephone or any other method. This also covers any profiling carried out for the purpose of delivering or tailoring such marketing.

  2. Where you process data for direct marketing, the data subject has an absolute right to object to the processing. Once an objection is received, you must stop the processing without exception.

When do we need to tell individuals about the right to object?

  1. Where:
  • You process personal data for direct marketing purposes, or
  • You carry out profiling in connection with direct marketing,
  you must inform individuals of their right to object "at or before the time of the controller's first communication", "explicitly" and "separately from any other matters notified to the data subject".

How should an objection be raised?

  1. A data subject must raise the objection by way of written notice to the controller (Art.36(2)). A request does not necessarily have to include the phrase "objection to processing for direct marketing" or Art.36 of the DPJL 2018 - as long as it is clear that the individual wishes the direct marketing to stop.

How should we respond to the objection?

  1. Art.36(3) of the DPJL 2018 states that where a controller receives such written notice from the data subject, you must cease processing the personal data for direct marketing purposes. There is no balancing test, and you cannot demonstrate "compelling legitimate grounds" to continue. You must therefore:
  • Stop all direct marketing communications to the individual;
  • Stop any profiling related to direct marketing; and
  • Update your systems to ensure the objection is respected going forward.

You should inform the individual that you have stopped processing their data for direct marketing, and confirm that their objection has been actioned.

Right to object to processing for historical or scientific purposes (Art.37 DPJL 2018)
  1. Art.37 of the DPJL 2018 says that a data subject has the right to object to any processing of personal data where the lawfulness of the processing is based solely on the processing being necessary for any of the purposes set out in paragraph 17 of Schedule 2 Part 2 of the DPJL 2018 (archiving and research).

  2. However, the right to object is more restricted than for the other rights set out in Arts.35 and 36. Art.37(2) says that:

'The controller must cease the processing unless – (a) the purpose for which the personal data is processed relates to an objective that is in the public interest; and (b) the public interest in the objective outweighs the data subject’s interests.'

  1. This is a strict balancing test, and the burden is on you to demonstrate that the research or archiving activity serves a strong public interest objective and that this outweighs the individual’s rights and interests. You must assess the individual’s reasons for objecting and consider whether continuing the processing would cause them harm, distress or otherwise undermine their rights.

  2. If you are satisfied that you do not need to stop processing, you should let the individual know. You should explain your decision and inform them of their right to make a complaint to the Authority and of their ability to seek a judicial remedy.

  3. The justification must be specific and evidence-based. You must not rely on broad references to 'research value' or 'general public benefit'. Your reasoning must show why the particular research or archiving objective outweighs the individual’s interests in this case.

When do we need to tell individuals about the right to object?

  1. You should inform individuals about the fact their information is being processed and their right to object to it in accordance with the provisions of Art.12 DPJL 2018.

How should an objection be raised?

  1. A data subject must raise the objection in any way – it does not necessarily have to be in writing. A request does not necessarily have to include the phrase "objection to processing for historic or scientific purposes" or Art.37 of the DPJL 2018 - as long as it is clear that the individual wishes the processing to stop.

  2. This presents a challenge as any of your employees could receive a valid verbal request. However, you have the legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore, you may need to consider which of your staff who regularly interact with individuals may need specific training so they know how to identify and deal with a request. Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request.

Do we always need to erase personal data to comply with an objection?

  1. Where you have received an objection to the processing of personal data and you have no grounds to refuse, you need to stop or not begin processing the data. This may mean that you need to erase personal data as the definition of processing under the DPJL 2018 is broad, and includes storing data. However, as noted above, this will not always be the most appropriate action to take. Erasure may not be appropriate if you process the data for other purposes as you need to retain the data for those purposes. For example, when an individual objects to the processing of their data for direct marketing, you can place their details onto a suppression list to ensure that you continue to comply with their objection. However, you need to ensure that the data is clearly marked so that it is not processed for purposes the individual has objected to.

Can we refuse to comply with any of the objections set out at Arts.35, 36 and 37 for other reasons?

  1. If an exemption applies, you can refuse to comply with an objection (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request. For more information, please see our guidance on exemptions.

  2. You can also refuse to comply with an objection if the request is manifestly vexatious, unfounded or excessive (in particular where the request is repetitive in nature). If you consider that a request is manifestly vexatious, unfounded or excessive you can:

  • Request a 'reasonable fee' to deal with the request.
  • Refuse to deal with the request.
  1. You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual without undue delay and within 4 weeks. You do not need to comply with the request until you have received the fee.

What should we do if we refuse to comply with an objection?

  1. You must inform the individual without undue delay and within 4 weeks of receipt of the request about:
  • The reasons you are not taking action.
  • Their right to make a complaint to us.
  • Their ability to seek to enforce this right through a judicial remedy.

Can we ask an individual for ID?

  1. If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for. You must let the individual know without undue delay and within 4 weeks that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.

How long do we have to comply?

  1. You must act upon the objection without undue delay and at the latest within 4 weeks of receipt. You should calculate the time limit from the day after you receive the objection (whether the day after is a working day or not) until the corresponding calendar date 4 weeks later.

Can we extend the time to respond to a request?

  1. You can extend the time to respond by a further 8 weeks if the objection is complex or you have received a number of objections from the individual. You must let the individual know without undue delay and within 4 weeks of receiving their objection and explain why the extension is necessary.
Right regarding automated individual decision-making (Art.38 DPJL 2018)

What rights do individuals have?

  1. An individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects concerning them (unless one of the criteria set out in Art.38(2) applies). The individual does not need to actively exercise this right. It is essentially an obligation placed on data controllers not to make such decisions in the manner described.

  2. Solely automated individual decision-making, including profiling, with legal or similarly significant effects is restricted.

What is automated individual decision-making and profiling?

  1. Automated individual decision-making is a decision made by automated means without any human involvement. Examples of this include:

  • An online decision to award a loan; and
  • A recruitment aptitude test which uses pre-programmed algorithms and criteria.

Automated individual decision-making does not have to involve profiling, although it often will do.

  2. Profiling analyses aspects of an individual’s personality, behaviour, interests and habits to make predictions or decisions about them. Art.1(1) of the DPJL 2018 defines profiling as meaning:

'…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour or movements.'

  1. Organisations obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data organisations might collect.

  2. Information is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. Based on the traits of others who appear similar, organisations use profiling to:

  • Find something out about individuals’ preferences;
  • Predict their behaviour; and/or
  • Make decisions about them.
  1. Profiling can use algorithms. An algorithm is a sequence of instructions or set of rules designed to complete a task or solve a problem. Profiling uses algorithms to find correlations between separate datasets. These algorithms can then be used to make a wide range of decisions, for example to predict behaviour or to control access to a service. Artificial intelligence (AI) systems and machine learning are increasingly used to create and apply algorithms.

  2. You are carrying out profiling if you:

  • Collect and analyse personal data on a large scale, using algorithms, AI or machine-learning;
  • Identify associations to build links between different behaviours and attributes;
  • Create profiles that you apply to individuals; or
  • Predict individuals’ behaviour based on their assigned profiles.
  1. Although many people think of marketing as being the most common reason for profiling, this is not the only application; it can be very useful for organisations and individuals in many sectors, including healthcare, education, and financial services.

  2. Automated individual decision-making and profiling can lead to quicker and more consistent decisions. But if they are used irresponsibly there are significant risks for individuals. The DPJL 2018 provisions are designed to address these risks.

Examples

  • Local Retailer With Online Store – Marketing Profiling

  • A Jersey retailer operating an e-commerce website uses website analytics and cookies to monitor browsing behaviour. It builds profiles of users based on the categories of products viewed, time spent on pages, and previous purchases. The retailer uses these profiles to segment customers into groups (e.g. 'frequent buyer', 'high-value customer', 'local shopper') and deliver personalised adverts or promotional emails. This is profiling used for targeted marketing, although it may not amount to automated decision-making with significant effects.

  • Insurance Company – Automated Premium Setting

  • A Jersey-based insurance firm uses customer-submitted data (such as age, vehicle type, and claims history) alongside third-party datasets to automatically calculate an insurance premium. The system profiles each customer and sets a price without human involvement. Because the outcome directly affects the cost of obtaining insurance, this is automated decision-making with a significant effect.

  • Jersey Recruitment Agency – AI-Driven Candidate Screening

  • A Jersey recruitment agency uses an AI-powered platform to screen job applicants on behalf of its client companies. The system analyses CVs, application forms, and candidates’ answers to online questionnaires. It also uses machine-learning models trained on historic hiring data to predict which candidates are “most likely to succeed” in particular roles. The AI automatically generates a suitability score for each applicant and filters out those below a set threshold, meaning they are not progressed to interview unless a human later intervenes. This profiling leads to an automated decision that can have a significant effect on individuals, as it may determine whether they are considered for employment opportunities.
What does the DPJL 2018 say about automated individual decision-making and profiling?
  1. The DPJL 2018 restricts you from making solely automated decisions (including those based on profiling) that have a legal or similarly significant effect on individuals.

  1. For something to be solely automated there must be no human involvement in the decision-making process. Automated decision-making often involves profiling, but it does not have to. These decisions can be based on factual data, as well as on digitally created profiles or inferred data. Examples of this include:
  • An online decision to award a loan; and
  • An aptitude test used for recruitment which uses pre-programmed algorithms and criteria.

Examples

Online Decision to Award a Loan

A customer applies for a small loan through an online form. The lender’s system automatically checks whether the applicant meets a set of pre-programmed rules, such as minimum income level, confirmed identity, and no outstanding arrears with the lender. If all criteria are met, the loan is automatically approved; if not, it is automatically declined. No profiling or prediction takes place. This is automated decision-making based on fixed rules.

Aptitude Test Using Pre-Programmed Algorithms

A recruitment agency requires candidates to complete an online aptitude test. The test system uses a pre-set scoring algorithm to mark answers and then automatically determines whether the candidate meets the minimum score to proceed to interview. The decision is made entirely by the system using fixed criteria. This is automated decision-making using pre-programmed algorithms and thresholds.

  1. The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the DPJL 2018 (or the GDPR), but the decision must have a serious negative impact on an individual to be caught by this provision.

  2. A legal effect is something that adversely affects someone’s legal rights. A similarly significant effect is more difficult to define, but is one that has a similar impact on an individual as something affecting their legal status or rights, for example the automatic refusal of an online credit application, or e-recruiting practices without human intervention.

  3. The Art.29 Working Party (which has been replaced by the European Data Protection Board) adopted guidelines on automated individual decision-making and profiling. Whilst these guidelines are not directly binding in Jersey, they may provide useful guidance in this area.

When can we carry out this type of processing?

  1. Solely automated individual decision-making (including profiling) with legal or similarly significant effects is restricted, although this restriction can be lifted in certain circumstances.

  2. You can only carry out solely automated decision-making with legal or similarly significant effects if the decision is:

  a. Necessary for entering into, or performance of, a contract between the data subject and controller;
  b. Authorised by the relevant law to which the controller is subject and which also lays down suitable measures to safeguard the individual’s rights and freedoms and legitimate interests; or
  c. Based on the individual’s explicit consent.
  1. In the cases referred to in a. and c., you must implement suitable measures to safeguard the individual’s rights and freedoms and legitimate interests, including the right to obtain human intervention on the part of the controller, so that the individual can express their point of view.

  2. If you’re using special category data you can only carry out processing described in Art.38(4) if:

  • You have the individual’s explicit consent; or
  • The processing is necessary for reasons of substantial public interest.

What else do we need to consider?

  1. Because this type of processing is considered to be high-risk the DPJL 2018 requires you to carry out a DPIA to show that you have identified and assessed what those risks are and how you will address them (please see our guidance on DPIAs here). As well as restricting the circumstances in which you can carry out solely automated individual decision-making, the DPJL 2018 also:
  • Requires you to give individuals specific information about the processing;
  • Obliges you to take steps to prevent errors, bias and discrimination; and
  • Gives individuals rights to challenge and request a review of the decision.
  1. These provisions are designed to increase individuals’ understanding of how you might be using their personal data, because profiling is often invisible to individuals: they may not expect their data to be used in this way, nor understand how the process works and can affect them. Decisions taken may also lead to significant adverse consequences for some people. You must:
  • Provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual.
  • Use appropriate mathematical or statistical procedures.
  • Ensure that individuals can:
    1. Obtain human intervention.
    2. Express their point of view.
    3. Obtain an explanation of the decision and challenge it.
  • Put appropriate technical and organisational measures in place, so that you can correct inaccuracies and minimise the risk of errors.
  • Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.
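The following is an added illustration, not code from this guidance or from any Jersey controller, of how the rule-based online loan decision described earlier in this section can be built so that the safeguards listed above are part of the system rather than an afterthought: the decision records the reasons behind it in plain language (meaningful information about the logic), the individual can request human intervention and put their point of view, and a named reviewer's outcome replaces the automated one so the record no longer counts as solely automated. The `Applicant` and `Decision` types, the `MIN_MONTHLY_INCOME` threshold and the sample applicants are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed threshold for the illustrative lender; not a figure from the guidance.
MIN_MONTHLY_INCOME = 1500


@dataclass
class Applicant:
    applicant_id: str
    monthly_income: int
    identity_verified: bool
    arrears_with_lender: bool


@dataclass
class Decision:
    applicant_id: str
    outcome: str                      # "approved", "declined" or "pending_human_review"
    solely_automated: bool            # stays True until a human has actually reviewed it
    significant_effect: bool          # refusal of credit is treated as similarly significant
    reasons: list[str] = field(default_factory=list)
    subject_statement: Optional[str] = None
    human_reviewer: Optional[str] = None

    def caught_by_art38(self) -> bool:
        """Art.38 bites only on solely automated decisions with legal or similarly significant effects."""
        return self.solely_automated and self.significant_effect


def evaluate_rules(a: Applicant) -> list[str]:
    """Apply the lender's fixed rules and return each failed rule in plain language.

    Returning the reasons rather than a bare yes/no is what lets the controller give
    the applicant meaningful information about the logic involved in the decision."""
    failures: list[str] = []
    if a.monthly_income < MIN_MONTHLY_INCOME:
        failures.append(f"monthly income {a.monthly_income} is below the minimum of {MIN_MONTHLY_INCOME}")
    if not a.identity_verified:
        failures.append("identity has not been confirmed")
    if a.arrears_with_lender:
        failures.append("outstanding arrears with this lender")
    return failures


def decide(a: Applicant) -> Decision:
    """Solely automated, rule-based decision: approve only if every criterion is met."""
    failures = evaluate_rules(a)
    if failures:
        return Decision(a.applicant_id, "declined", True, True, failures)
    return Decision(a.applicant_id, "approved", True, True, ["all pre-programmed criteria met"])


def explain(d: Decision) -> str:
    """Plain-language explanation handed to the individual together with the decision."""
    how = ("This decision was made automatically by applying fixed rules to the data you supplied."
           if d.solely_automated
           else f"This decision was confirmed by a human reviewer ({d.human_reviewer}).")
    lines = [f"Application {d.applicant_id}: {d.outcome}.", how, "Reasons: " + "; ".join(d.reasons) + "."]
    if d.caught_by_art38():
        lines.append("You may ask for a person to review this decision and tell us your point of view.")
    return "\n".join(lines)


def request_review(d: Decision, statement: str) -> Decision:
    """The individual exercises the right to human intervention and expresses their view."""
    if not d.caught_by_art38():
        raise ValueError("no solely automated decision to review")
    d.subject_statement = statement
    d.outcome = "pending_human_review"
    return d


def human_review(d: Decision, reviewer: str, uphold: bool) -> Decision:
    """A named reviewer considers the applicant's statement; the decision is no longer solely automated."""
    if d.outcome != "pending_human_review":
        raise ValueError("decision is not awaiting review")
    d.human_reviewer = reviewer
    d.solely_automated = False
    d.outcome = "declined" if uphold else "approved"
    d.reasons.append(f"reviewed by {reviewer} after applicant statement: {d.subject_statement!r}")
    return d


if __name__ == "__main__":
    # Constructed sample: the applicant's recorded income was out of date.
    declined = decide(Applicant("A-002", 1000, True, False))
    print(explain(declined))
    reviewed = human_review(request_review(declined, "my current payslip shows 2100 per month"),
                            "loan-officer-1", uphold=False)
    print(explain(reviewed))
```

The point of the `solely_automated` flag and the `caught_by_art38()` check is that the system itself knows which decisions attract the Art.38 safeguards and which have already received human intervention, which is also the evidence a DPIA or a later challenge will ask for.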

What if Art.38 doesn’t apply to our processing?

  1. Art.38 applies to solely automated individual decision-making, including profiling, with legal or similarly significant effects. If your processing does not match this definition then you can continue to carry out profiling and automated decision-making. However, you must still comply with the principles set out in Art.8 of the DPJL 2018 in that:
  • You must identify and record your lawful basis for the processing.
  • You need to have processes in place so people can exercise their rights.
  • Individuals have a right to object to profiling in certain.