Transferring Personal Data Outside Jersey
The DPJL 2018 primarily applies to controllers and processors located in Jersey (with some exceptions) but flows of personal data to and from the European Union (the EU) (including Iceland, Liechtenstein and Norway who are members of the European Economic Area (EEA)) and to other countries with an adequacy decision from the European Commission (including the UK) are essential for Jersey in terms of international trade and international co-operation.
People risk losing the protection of the DPJL 2018 if their personal data is transferred outside Jersey.
The DPJL 2018 contains rules about transfers of personal data from Jersey to those outside. This is because people’s rights about their personal data must be protected or one of a limited number of exceptions must apply and any transfers must comply fully with Part 8 of the DPJL 2018.
The rules on transfer apply where the Receiver is a separate controller or processor and is legally distinct (separate) from the Sender. The Receiver can be a separate sole trader, partnership, limited company, public authority and includes separate companies within the same larger corporate group (i.e. different companies that are legally distinct but operate under the same overall corporate structure).
The transfer of such personal data from Jersey to controllers and processors located in Third Countries must not undermine the level of protection of the individuals concerned as individuals risk losing the protection of Jersey’s data protection law if their personal data is transferred outside of Jersey.
These types of transfer are commonly referred to as “Restricted Transfers” and these rules apply to all transfers no matter how much information is transferred or how often the transfer takes place.
This guidance note provides summary guidance on the provisions in Part 8 of the DPJL 2018, as well as links to more detailed information and guidance, about what you must consider when deciding whether to make a Restricted Transfer. We also have related downloads available for you to use namely:
- A Transfer Impact Assessment Checklist that will guide you through the questions you need to ask when deciding whether or not to make a restricted transfer and ensure you have all the relevant information needed for completing the TIA.
- A Transfer Impact Assessment template which you can use to record your decision making process and document the risks, safeguards and your conclusions.
- The Bailiwick of Jersey Addendum when you want to rely on Standard Contractual Clauses as your transfer mechanism.
Frequently used words in this guidance note
| Frequently used word(s) | Definition/what it means |
|---|---|
| Adequacy | A term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an 'essentially equivalent' level of data protection to that which exists within the EU. |
| Adequate jurisdiction | A jurisdiction that has been awarded adequacy status by the European Commission (i.e. a jurisdiction that has been found to offer an equivalent level of protection to that afforded by European data protection legislation). |
| Authority | The Jersey Data Protection Authority (JDPA) which is part of the Jersey Office of the Information Commissioner (JOIC). |
| BCRs | Binding corporate rules (i.e. internal guidelines used by international companies setting out how the group will approach data protection matters and which have been approved by a data protection supervisory authority). |
| Exceptions | These are the exceptions to the adequacy requirements or appropriate safeguards i.e. the other ways in which a controller is allowed to make a Restricted Transfer and as set out in Schedule 3 of the DPJL 2018. |
| Receiver (or Data Importer or Importer) | The entity ultimately receiving the personal data from the Sender. |
| Restricted Transfer | A transfer of personal data from Jersey to a third country that falls within scope of Art.66 of the DPJL 2018. |
| SCCs | Standard contractual clauses issued by the European Commission. |
| Sender (or Data Exporter or Exporter) | The entity sending/transferring the personal data. |
| Third Country | A country outside of the EEA. |
Sending Personal Information Outside Jersey
What is this about?
Sometimes, businesses or individuals in Jersey need to send personal information (like names, contact details, or health records) to someone in another country – for example, to use an online tool or work with a partner abroad.
This guide helps you understand what rules you must follow to keep that information safe.
Why does it matter?
Jersey has strong data protection laws to keep people’s personal information safe. If you send information outside Jersey, those laws might not apply unless you follow certain rules (we refer to them as transfer rules). That means people could lose some of their rights.
We refer to countries outside Jersey and the EEA (which includes the 27 European Union states plus Norway, Liechtenstein and Iceland) as “Third Countries”. This includes places like the UK, Guernsey, the Isle of Man, Australia, India and China for example.
The transfer rules are set out in the DPJL 2018 (Art.66, Art.67 and Schedule 3). Different rules apply depending on which Third Country (or international organisation) the information is being sent to, and in some cases, the reason you are sending the information.
You must be transparent with people about where you are sending your information and why, so when you are sending information off-island it is really important that you really understand where it is going.
You must keep people’s information safe, and that includes making sure that anyone you’re sending information to will also keep it safe and knowing what can be done about it if something goes wrong.
When do the transfer rules apply?
- The rules apply if:
- You're sending personal information to someone in a Third Country.
- The person or company receiving the data is separate from you (like a client, partner, or supplier).
- The country you’re sending it to is outside Jersey.
- If you want to send information to someone in a Third Country we call this a “Restricted Transfer”. Here are some examples of what a Restricted Transfer might look like in context:
Examples
- A Jersey marketing consultant wants to use an email platform based in the US. That platform stores customer data on American servers.
- A Jersey trust company needs some legal advice from a lawyer in India. The Indian lawyer has asked for information about the relevant client file, which will include information about the beneficiaries and has asked that to be sent using a file exchange programme.
- A Jersey HR Consultancy is helping a client look for a job in China. This includes sending the client’s CVs to companies with vacancies. The client secures an interview and is liaising with the Chinese company about interview dates via the Jersey HR Consultancy.
- A Jersey hair and beauty clinic are putting in a new client database and booking system. They have found a new supplier that hosts the information in the cloud and provides bookings via an app. The new supplier is based in the UK.
- A Jersey sole trader runs a marketing consultancy supporting local businesses. They collect and manage personal data on behalf of clients, such as email subscriber lists, website engagement data, and advertising performance reports. To operate efficiently, the consultant uses several online platforms (including those that store data on servers outside Jersey), including:
  - An email marketing service to send newsletters and promotions
  - A project management tool to track client deliverables and timelines
  - A cloud storage and document editor to draft reports and store campaign materials
What do I need to do before sending personal data to a Third Country?
- Ask yourself:
- Do I really need to send the data abroad?
- Can I use a Jersey-based supplier instead?
- Can I remove personal details (anonymise the data)?
When is it OK to send the data?
- You can send personal data to the Third Country if:
- The Third Country has its own strong data protection laws that have been deemed as being essentially equivalent to (i.e. they’re very similar to) the EU GDPR by the European Commission (the country has something called an adequacy decision).
If the Third Country has an adequacy decision (and you can check the current list of adequate jurisdictions on the European Commission’s website here) then you don’t need to put anything else in place before you send the information (see Art.66(2)(a) of the DPJL 2018).
- The third country doesn’t have Adequacy, but you have put in place appropriate safeguards (that don’t need any authorisation from us). There are five (5) appropriate safeguards that can be relied on (there is more information in the technical part of this guidance and in Art.67(2) of the DPJL 2018) but the ones most appropriate for small organisations (including sole traders) would be for you and the other party to sign special contracts that contain data protection provisions issued by the European Commission (called Standard Contractual Clauses) plus a special Jersey Addendum (you must have both documents in place).
- It’s a one-off situation and you’ve got a specific reason to transfer the information, which can include where you have explicit consent from the person, or there’s a legal reason (like a contract, court order, or emergency) (see Schedule 3 of the DPJL 2018).
What else should I do?
If the country doesn’t have Adequacy, when deciding where you want to send the information, you should carry out a risk assessment. We refer to this as a transfer impact assessment (TIA) but it’s just like any other risk assessment where you are setting out what you want to do, why, what the risks and benefits are and coming to a conclusion.
We have a checklist to help you think things through, and we also have a TIA template. The template may need to be adapted for the size of your organisation but it should give you the starting point to record your thought process in decisions.
Individuals have a right to know where their information is being processed (e.g. where it is sent to or stored) and who has access to or sight of that information. It ties into the transparency requirements and you must tell individuals where their information goes (Art.12).
General
The DPJL 2018 restricts the transfer of personal data from Jersey to a jurisdiction outside of Jersey or to an international organisation. This is because individuals whose personal data would usually be protected by the DPJL 2018, may not have access to the same level of protection when their personal data is processed outside Jersey.
The DPJL 2018 does not prevent information from being processed outside Jersey, but the law does say that where that happens, individuals’ rights still need to be protected, and it sets out what needs to be in place for those transfers to be lawful.
What is meant by Restricted Transfer?
- In data protection law, a Restricted Transfer of personal data should be given a broad interpretation and falls within the definition of ‘processing’ under the DPJL 2018:
“means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
- It essentially means making that data available to someone in another country in any way. This includes:
- Sending personal data directly to someone outside Jersey, e.g. by email or uploading to a server overseas.
- Allowing access to personal data from outside Jersey, even if the data stays on a Jersey server.
Example
- A trust company based in St Helier, Jersey administers a discretionary trust for a high-net-worth individual. The trust includes investments in multiple jurisdictions, including the United States and Switzerland. To manage the trust’s investment portfolio, the Jersey trust company appoints a portfolio manager based in New York and a Swiss tax adviser to provide annual compliance advice. The Jersey trust company shares:
- Beneficiary details (names, addresses, tax IDs)
- Settlor’s financial profile and investment history
- Trust deeds and bank account information
- Transaction records and annual trust accounts
- This data is emailed or uploaded to secure portals managed by the New York investment adviser and the Swiss adviser.
Example
- A financial services company based in Jersey is part of an international group with entities in several countries. One of the group companies (located in India) provides centralised IT and client support services for the whole group.
Example
- A law firm based in St Helier is working with another law firm based in Kazakhstan. The Jersey law firm shares client documents with the Kazakh lawyer so that they can provide advice to the Jersey-based client.
- A Restricted Transfer does not include circumstances in which the Receiver is an employee of the Sender, or the Sender and Receiver are part of the same legal entity.
Examples
- A global bank headquartered in Jersey has branches in London and Singapore.
- A Jersey-based compliance officer shares internal audit reports with colleagues in the Singapore office for review.
- A Jersey-based IT engineer travels to Canada for business. While there, they log into the company’s secure system and access client data stored in Jersey.
- A Jersey HR team emails payslips and employment contracts to a remote employee working in South Africa.
- These rules apply to all transfers when information is sent outside of Jersey/the EEA no matter how small the amount of information that is transferred or even if it happens infrequently. There is no de minimis amount of data required.
What is a “Third Country”?
For the purposes of the DPJL 2018, a “third country” is any country outside Jersey, the European Union (EU) or the European Economic Area (EEA). The EU is currently composed of 27 member states and the EEA includes the 27 EU states plus Norway, Iceland and Liechtenstein.
Any country outside Jersey that is not included in the EU or EEA is considered a third country. This means that when personal data is transferred from Jersey to a country outside of these areas, it is considered a transfer to a third country.
When transferring personal data to a third country, the DPJL 2018 says that the transfer is only allowed if the third country provides an adequate level of protection for the personal data, or if appropriate safeguards are in place. This ensures that the data receives similar protection to what it would have within Jersey.
The European Commission can make decisions (called Adequacy Decisions) that declare certain third countries to have an adequate level of data protection. In such cases, data can be transferred to those countries without any additional safeguards.
Do I need to make a Restricted Transfer?
One question to ask before making any Restricted Transfer under Art.66 of the DPJL 2018 is whether there are any alternatives to sending the data out of Jersey. Do you need to send the data outside of Jersey? Transferring personal data outside of Jersey is a processing activity in its own right and it must be necessary.
A controller/processor engaging in an international transfer must always be able to demonstrate why they consider it necessary to deal with data in a particular way and so will need to justify why personal data needs to be sent off-island. This decision making should be carefully documented.
Before sending data out of Jersey, you may wish to consider the following alternatives:
- Can you anonymise the data before it is sent? If that is possible, then the data to be transferred will no longer fall within the definition of ‘personal data’ and so the DPJL 2018 will not apply to it. (You must be able to anonymise the data completely; if it can only be pseudonymized the DPJL 2018 will continue to apply to it and you will need to comply with the requirements of Art.66.)
- Do you actually need to transfer the data at all? The DPJL 2018 requires controllers to apply the principle of data minimization i.e. to minimize the extent to which personal data is processed and to have processes in place that are proportionate for the purposes of processing.
- Could you use a supplier based in Jersey instead?
Am I making a Restricted Transfer?
- You will be making a Restricted Transfer if:
- The DPJL 2018 applies to the processing of the personal data you are transferring;
- You will be sending personal data, or making it accessible, to an entity (the Receiver) which is located in a third country (including by allowing the Receiver remote access to your systems/storage locations in Jersey); and
- The Receiver is legally distinct from you i.e. it is a separate company (including a company within the same corporate group), organisation or individual.
Only the Sender (i.e. the controller/processor who initiates and makes the Restricted Transfer) is responsible for complying with the transfer provisions. The restrictions apply to transfers from both controllers and processors, and both to an initial transfer and to any onward transfers, i.e. they apply if personal data is transferred from Jersey to a country in the EEA and then onward transferred to a further recipient in a third country.
If you are sending data to someone employed by your organisation, this will not count as a Restricted Transfer even if they are situated in a so-called third country.
If information simply transits through a third country (e.g. passes through servers to an end recipient), so long as the end recipient is not in a third country, this will not count as a Restricted Transfer. For data to be classed as ‘in transit’ only, it must not be accessed or manipulated in any way whilst in transit.
Example
- Jersey Company A has an employee located in America. The employee logs onto Jersey Company A’s cloud servers that are hosted in Jersey. This is not a Restricted Transfer.
Example
- Jersey Company A owns Company B, which is incorporated in Australia. They each have their own servers in their respective jurisdictions. Company A has a client who wants to do some work with Company B and so Company A needs to send certain information about that client to Company B. Even though Company A and Company B are part of the same corporate group, because Company A is a separate legal entity in a third country, any transfer of the client’s information would be classed as a Restricted Transfer.
Example
- Jersey Company A needs to send some information to Guernsey Company A and is going to route the information through its servers in China. This is not a Restricted Transfer.
If you are a processor and want to send information to a sub-processor located outside of Jersey you will be responsible for the transfer to that sub-processor, which can only be done in accordance with the transfer rules. This is because it is you who have initiated and agreed to send the data to your sub-processor.
If you are a processor and your controller is situated outside of Jersey, it is not a Restricted Transfer if you are simply returning data to your controller who provided it to you.
Example
- A data analytics company based in Jersey is contracted by a retail business in Canada to analyse customer purchase patterns. The Canadian company (the controller) sends customer data to the Jersey company (the processor) for analysis. After completing the work, the Jersey company:
  - Compiles a report
  - Returns the original and processed customer data back to the Canadian company via secure transfer
- If the transfer rules do not apply to you (because you are not actually sending the data outside Jersey) you will still need to do checks on anyone you will be sharing data with even if they’re in Jersey (e.g. a local service provider you outsource certain functions to). You will need to have appropriate contractual arrangements in place and the scope of checks you do needs to be reasonable and proportionate to the risks posed by you sharing the data with that other party.
How can personal data be transferred outside of Jersey?
- There are various ways in which personal data can be legitimately transferred outside of Jersey, and these are set out in Art.66 of the DPJL 2018. There are three ways data controllers can make a Restricted Transfer:
- Adequacy.
- Appropriate safeguards (see Art.67 of the DPJL 2018) without the need for approval from the Authority.
- Schedule 3 exceptions (see Schedule 3 of the DPJL 2018).
Transfers on the basis of an adequacy decision – Art.66 DPJL 2018
- An adequacy decision means that the European Commission has decided that a third country ensures an adequate level of data protection to those within the European Union. Jersey is a third country itself (being a Crown Dependency territory outside the EEA) and it enjoys its own ‘adequacy’ status as a result of a decision of the European Commission dated 8 May 2008. On 15 January 2024 the Commission published its Report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC which upheld Jersey’s adequacy status and confirmed that data transfers to Jersey (and the other adequate jurisdictions) can continue to take place without any additional requirements.
(Jersey also has its own adequacy finding from the UK.)
- When assessing adequacy and level of protection afforded by the third country territory, the European Commission takes into account elements such as the laws, respect for human rights and freedoms, national security, data protection rules, the existence of a data protection authority and binding commitments entered into by the country in respect of data protection. The adoption of an adequacy decision involves:
- A proposal from the European Commission.
- An opinion of the European Data Protection Board (EDPB).
- An approval from representatives of EU countries.
- The adoption of the decision by the European Commissioners.
The effect of such a decision is that personal data can flow from the EEA to that third country, or vice versa, without any further safeguard being necessary. In other words, it’s as if the transfer was carried out within the EU itself.
A list of countries with an adequacy decision can be found here. The European Commission can revoke adequacy decisions, and the European Court of Justice can also strike down adequacy decisions previously granted so it is important to check the list of adequate jurisdictions, in case of any changes.
You need to be aware that not all countries have full adequacy findings and will need to check what type of entity you want to send information to in the third country, to make sure it is actually covered by the adequacy assessment.
Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom and Uruguay have full findings of adequacy.
The countries with partial findings of adequacy are:
- Canada - relating to data that is subject to Canada’s Personal Information and Electronic Documents Act (PIPEDA). (Not all data is subject to PIPEDA. See guidance issued by the Office of the Privacy Commissioner of Canada for further information.)
- USA - in respect of commercial organisations participating in the EU-US Data Privacy Framework
- Japan - only covers private organisations.
If a jurisdiction is “adequate” for the purposes of Art.66 of the DPJL 2018 you can make the transfer without putting in place any of the other safeguards mentioned in that article.
However, you must remember that even if you are sharing data to an entity in a country with adequacy, you must still comply with the DPJL 2018. You must:
- Think about whether the sharing of the data in this way is actually necessary (or could you achieve the same outcome without transferring the data?)
- Make sure that you have a lawful basis for the data sharing
- Be transparent about the data sharing (you may need to review your privacy policy, for example)
- Consider whether a formal data sharing agreement is necessary/desirable and if you already have such an agreement in place, check whether it needs updating
- Make sure the data sharing takes place in a safe and secure way (including being satisfied that the data will be dealt with securely by the Receiver).
Transfers subject to appropriate safeguards – Art.67 DPJL 2018
In the absence of an adequacy decision, the DPJL 2018 also allows a Restricted Transfer to take place if the controller or processor has provided ‘appropriate safeguards’ and on condition that enforceable data subject rights and effective legal remedies for data subjects comparable to those under the DPJL 2018 are available in that third country or organisation.
In practice, this means that data subjects should have essentially equivalent protection in the country to which the data is being transferred i.e. the ability to enforce their rights and have access to a regulatory authority and a court system.
There is a list of appropriate safeguards set out at Art.67(2) of the DPJL 2018:
- A legally binding and enforceable instrument between public authorities;
- Binding corporate rules approved by the Authority as complying with Schedule 4 or approved by another competent supervisory authority under Article 46 of the GDPR, or equivalent statutory provisions;
- Standard data protection clauses (SCCs) adopted by the Authority or by a competent supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93(2) of the GDPR;
- A code or any other code approved by another competent supervisory authority under Article 40 of the GDPR or equivalent statutory provisions, together with binding and enforceable commitments of the controller, processor or recipient in the third country or international organization to apply the appropriate safeguards, including as regards data subjects’ rights; or
- The controller, processor or recipient in the third country having been certified in accordance with a certification mechanism either provided for in Regulations under Article 80 or approved by another competent supervisory authority under Article 42 of the GDPR
Under Art.67(3) of the DPJL 2018, transfer can also take place where the Receiver and Sender have entered into bespoke contractual arrangements that have been authorised by the Authority or where there are administrative arrangements in place between public authorities.
Before you can rely on any of the transfer mechanisms set out under Art.67 DPJL 2018, you must be satisfied that the relevant protections in the DPJL 2018 are not undermined for people whose data is transferred. You can do this by undertaking a transfer impact assessment, which takes into account the protections contained in your selected transfer mechanism and the data protection rights afforded to data subjects in the receiving country.
An example Transfer impact assessment checklist can be found here and more information can be found in the TIA section below. We also have a template TIA you can use and adapt for your own needs.
If your assessment is that the transfer mechanism does not provide the required level of protection, before making the transfer you must take extra steps and precautions so that it does provide the right level of protection.
The above methods of transfer do not require any specific authorisation from the Jersey Authority at point of transfer.
A legally binding and enforceable instrument between public authorities (Art.67(2)(a))
- You can make a Restricted Transfer if it is covered by a legal instrument between any public authorities containing appropriate safeguards. This means that any agreement must include enforceable rights and effective remedies for people whose personal data is to be transferred. You do not need to be a party to that agreement, and you do not need to be a public authority yourself provided there are appropriate safeguards in the legal instrument that apply to the transferred data.
Binding corporate rules ‘BCRs’ (Art.67(2)(b))
BCRs form a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group’s Jersey entities to the group’s non-EEA entities. This group may be a corporate group, or a group of undertakings engaged in a joint economic activity, such as franchises, joint ventures or professional partnerships. Both the Sender and Receiver (or all the relevant group entities if more than two) need to have signed up to the BCRs and they must be legally binding and apply to and be enforced by every member of the group, including their employees.
BCRs need to be approved by the Jersey Data Protection Authority or another competent supervisory authority under Article 46 of the GDPR. When BCRs are submitted to the Authority for approval, it will consider whether the relevant requirements are met and may require adjustments to be made where they are not, prior to granting approval.
There are two types of BCRs which can be approved – BCRs for Controllers which are used by the group entity to transfer data that they have responsibility for such as employee or supplier data; and BCRs for Processors which are used by entities acting as processors for other controllers and are normally added as an addendum to the Service Level Agreement or Processor contract.
Further provisions on the use of BCRs as an appropriate safeguard for personal data transfers are set out in Schedule 4 of the DPJL 2018.
Standard data protection clauses (Art.67(2)(c))
You can make a Restricted Transfer if you and the Receiver have entered into a contract incorporating ‘Standard Contractual Clauses’ or ‘SCCs’. These are model data protection clauses that have been adopted by the Authority or by another competent supervisory authority and approved by the European Commission.
SCCs impose contractual obligations on the Sender and the Receiver and grant rights to the individuals whose personal data is transferred. Individuals must be able to directly enforce those rights against the Sender, Receiver or both.
If you are making a Restricted Transfer from a controller to a processor, you also need to comply with the DPJL 2018 requirements about using processors.
The Authority has formally adopted the updated SCCs issued by the European Commission but these are not valid to use on their own; you must use a Jersey addendum as well. Using the SCCs and the Addendum will allow you to rely on the EU SCCs for transfers under Art.67 of the DPJL 2018.
Example
- A trust and company services provider based in Jersey outsources part of its client due diligence (CDD) processing to a specialist compliance firm located in South Africa. The South African firm verifies identity documents and screens clients against global sanctions and PEP lists. The Jersey firm has carried out a TIA and decided that it needs to send Personal Data to the South African firm, including:
  - Client names and dates of birth
  - Passport and ID scan images
  - Residential addresses
  - Source of wealth details
  As the South African firm has access to the personal data it will be an export of the personal data from Jersey to South Africa. As South Africa is not an adequate jurisdiction, the parties agree to incorporate the SCCs and Jersey Addendum into their contractual arrangements to make sure that transfer takes place in accordance with the DPJL 2018.
Similarly, you can’t use the Jersey Addendum on its own; it must be appended to the SCCs. Neither the Jersey Addendum nor the SCCs can be used in isolation from one another.
When you are entering into a contract on the basis of the SCCs and Jersey Addendum you must carry out a transfer impact assessment.
Please note that **UK International Data Transfer Agreements do not fall within the scope of Art.66** and are not recognised by the Authority as an ‘appropriate safeguard’ in this context.
Approved Codes of Conduct (Art.67(2)(d))
You can make a Restricted Transfer if the Receiver has signed up to a code of conduct that has been approved by another data protection supervisory authority. This is set out in Art.67(d) of the DPJL 2018.
“(d) A code or any other code approved by another competent supervisory authority under Article 40 of the GDPR or equivalent statutory provisions, together with binding and enforceable commitments of the controller, processor or recipient in the third country or international organization to apply the appropriate safeguards, including as regards data subjects’ right.”
Codes are voluntary and set out specific data protection rules for categories of controllers and processors. They can be a useful and effective accountability tool, providing a detailed description of what is the most appropriate, legal and ethical behaviour within a sector. They must include appropriate safeguards to protect the rights of people whose personal data is transferred, with a binding and enforceable commitment by the Receiver to apply those appropriate safeguards.
From a data protection viewpoint, codes can therefore operate as a rulebook for controllers and processors who design and implement compliant data processing activities that give operational meaning to the principles of data protection set out in local, European and national law.
The EDPB has published guidelines on Codes of Conduct as tools for transfers. These apply to the EU GDPR but are included here as a useful reference.
Approved certification mechanisms (Art.67(2)(e))
You can make a transfer if the Receiver has a certification either under a scheme approved by us (under Art.80 of the DPJL 2018) or approved by another data protection supervisory authority under Art.42 of the EU GDPR. This certification scheme must include appropriate safeguards to protect the rights of people whose personal data is transferred, with a binding and enforceable commitment by the receiver to apply those appropriate safeguards.
There is no definition of certification in the DPJL 2018, but Art. 80 of the DPJL 2018 says that:
“(1) Regulations may provide for the establishment of mechanisms, seals or marks to certify or signify – (a) that particular processing operations by controllers or processors comply with this Law; or (b) the existence of appropriate safeguards for the protection of personal data provided by controllers or processors established in a third country for the purposes of personal data transfers to third countries or international organisations as provided for by Article 66.”
Therefore, as introduced in Art.80 of the DPJL 2018, certification mechanisms may be developed to demonstrate the existence of appropriate safeguards provided by controllers and processors in third countries, but no Regulations have yet been put in place by the States of Jersey.
Contractual clauses authorised by the Authority (Art.67(3)(a))
You can make a Restricted Transfer if the Sender and the Receiver have entered into a bespoke contract governing the Restricted Transfer, and that contract has been individually authorised by us for the Restricted Transfer.
The contractual arrangements must include appropriate safeguards that have been put in place to protect the personal data of the people whose personal data is to be transferred. The appropriate safeguards must include effective and enforceable rights for the people whose personal data is transferred against the controller, processor or recipient of that personal data in the jurisdiction concerned.
There may still be a requirement for separate transfer impact assessments, depending on the form and context of the bespoke contract.
Administrative arrangements between public authorities (Art.67(3)(b))
You can make a Restricted Transfer if it is covered by an administrative arrangement between public authorities (usually a document, such as a memorandum of understanding).
The administrative arrangement must set out the appropriate safeguards that have been put in place to protect the personal data of the people whose personal data is to be transferred. The appropriate safeguards must include effective and enforceable rights for the people whose personal data is transferred against the controller, processor or recipient of that personal data in the jurisdiction concerned.
The administrative arrangement must be individually authorised by us, and you may still need to do a separate transfer impact assessment, depending on the form and content of the administrative arrangement.
What do I need to do if I want to rely on an ‘appropriate safeguard’?
Before you can rely on any of the above appropriate safeguards, you must be satisfied that the data subjects of the data you want to transfer continue to have a level of protection in the country of the anticipated recipient which is essentially equivalent to the DPJL 2018.
You should work this out by carrying out a TIA. A TIA will help you ensure that when you make a Restricted Transfer, you do so in a way that provides appropriate safeguards in respect of individuals’ data and provides them with effective and enforceable rights.
Completing a TIA will help you to consider all the circumstances of the Restricted Transfer, the apparent risks present in the country to which you are transferring the data, and what safeguards will be in place to protect the interests of affected data subjects and the information being transferred.
How do I undertake a transfer impact assessment?
We have produced a TIA checklist to help you focus on the things you need to consider when deciding whether to make a Restricted Transfer and a template TIA you can adapt for your own needs.
You will need to consider:
- Risks to individuals’ rights in the importing country, including whether their information could be subject to access by third parties e.g. government agencies or police authorities;
- Risks to individuals regarding their ability to effectively enforce their rights e.g. access to legal advice, an effective court/tribunal system etc.
You should go through each of the questions to assess the risk of transferring the data to the third country and once you’ve assessed the level of risk, you should consider whether there are any additional safeguards that need to be put in place to reduce the risks you’ve identified.
You should document your analysis and make sure that you keep details of this should you ever need to explain to us why you sent information to a particular place. Whilst we may not ultimately agree that a transfer should have been made, the fact that you carried out a thorough and careful risk analysis would be taken into account by us when deciding upon any enforcement action.
The EDPB has published a document on supplementary measures which deals with transfers, transfer impact assessments and supplementary measures you may wish to consider putting in place.
What other safeguards can I put in place?
Any safeguards should address and be able to minimise the risks identified: what is the worst that could happen if the data is breached, and what can be put in place either to reduce the chances of a breach occurring or to ensure that, if a breach does occur, any impact on affected data subjects is minimised?
The type of safeguard that is appropriate will depend on the nature of the data being transferred i.e. basic information such as a name and an email address may not need the same level of protection as full identifying and financial details about an individual, or medical records.
You could deploy additional technical controls e.g. password protection of the data (keeping the password separate from the data itself), encryption or pseudonymisation, and/or you could put in place additional contractual obligations such as mandating that the importer submit to regular testing from a third party.
So, can I make the Restricted Transfer?
Ultimately, you can make the Restricted Transfer if:
- You’re satisfied that the third country/international organisation offers data subjects an essentially equivalent level of protection to their rights under Jersey law;
- The transfer is not high risk/complex;
- You’re satisfied that you will be able to enforce any contractual provisions against the Receiver, should you need to and will have access to a legal system that allows this and to courts that can make appropriate orders/give appropriate remedies;
- Any risks have been identified and minimised to the extent possible and any residual risks to data subjects are low.
What if the Restricted Transfer is not covered by appropriate safeguards?
If the Restricted Transfer is not covered by appropriate safeguards, then you need to consider whether the Restricted Transfer is covered by an exception set out in Schedule 3 of the DPJL 2018.
Exceptions to adequacy requirements – Schedule 3 DPJL 2018
Schedule 3 of the DPJL 2018 provides exceptions from the general principle that personal data may only be transferred to a third country if an adequate level of protection is provided for in that third country.
A Sender should first endeavour to frame transfers with one of the mechanisms guaranteeing adequate safeguards listed above, and only in their absence seek to utilise one of the exceptions provided in Schedule 3 of the DPJL 2018.
These exceptions allow transfers in specific situations and should not be used routinely for transfers of personal data. The nine exceptions are:
- The transfer is specifically required by an order or judgment of a court or tribunal having the force of law in Jersey; or by an order or judgment of a court or tribunal of a country other than Jersey, or a decision of a public authority of such a country, having the force of law in Jersey that is based on an international agreement imposing an international obligation on Jersey; or by a decision of a public authority in Jersey that is based on such an international agreement.
- You have the explicit consent of the person the data being transferred is about.
- You have a contract with the person the data being transferred is about and the Restricted Transfer is necessary so you can carry out your obligations in that contract, or the Restricted Transfer is necessary so you can carry out pre-contract steps as requested by that person.
- The Restricted Transfer is necessary for you to enter into a contract or carry out your obligations under a contract. The contract is for the benefit of the person the data being transferred is about, but the contract is not between you and them; it’s between you and a third party.
- The Restricted Transfer is by or on behalf of the Jersey Financial Services Commission (JFSC) and is necessary for reasons of substantial public interest.
- The Restricted Transfer is necessary to establish whether you or someone else has a legal claim or defence, to make or defend a legal claim, for or in connection with any legal proceedings (actual or prospective) or because you need to take legal advice.
- The Restricted Transfer is necessary to protect someone’s vital interests (which may be the data subject but could be other persons) and either the person is physically or legally incapable of giving consent, they’ve unreasonably withheld consent or you cannot be reasonably expected to obtain the data subject’s explicit consent.
- The Restricted Transfer is made from a public register and meets the relevant legal requirements relating to that public register.
- The Restricted Transfer cannot take place based on any other provision of the DPJL 2018, but it is a one-off, concerns limited data subjects, and is necessary to meet your compelling legitimate interests.
Exceptions c, d, e, f and g contain the word “necessary”. This does not mean that the transfer must be absolutely essential, but it must be more than merely useful or standard practice. It must be a targeted and proportionate way of achieving a specific purpose. These exceptions will not apply if you can reasonably achieve the same purpose by other means.
You cannot argue that a transfer is “necessary” purely on the basis that you have structured your business operations in a particular way (e.g. you’ve chosen to use a service provider in a third country because it’s cheaper). The key question is whether the transfer is objectively necessary and proportionate for the stated purposes – not whether it is necessary for your own purposes – and balancing this against any complexities that arise in terms of transferring personal data to a third country.
To show why transfer is both necessary and proportionate you must be able to evidence and explain:
- The reason why the transfer needs to take place;
- Whether there are any alternatives available (and, if so, why they were discounted);
- The potential harms to people; and
- The protections that are/will be put in place to protect the data subject’s rights.
Court Order, or order from a Public Authority outside of Jersey (Schedule 3 paragraph 1)
You can make a transfer under this exception if the transfer is specifically required by:
- An order or judgment of a court or tribunal having the force of law in Jersey;
- An order or judgment of a court or tribunal of a country other than Jersey, or a decision of a public authority of such a country, having the force of law in Jersey that is based on an international agreement imposing an international obligation on Jersey; or
- A decision of a public authority in Jersey that is based on such an international agreement.
In these circumstances you must satisfy yourself that the request is genuine. Is it valid and does it comply with any applicable legal requirements (such as compliance with domestic and international laws)? Is the request a legal compulsion or is it merely an informal request? Has the request been made officially and can you easily verify the identity of the requester?
You should ask to see a copy of the relevant Court Order, judgment or decision and ensure that what has been asked for actually falls within the scope of what has been ordered (so you only transfer the minimum information that is actually required). You should also consider whether there are any issues that arise, including in terms of legal privilege or confidentiality obligations.
You should also consider whether disclosure of information in response to requests from certain countries could lead to harm to the data subject (including by way of human rights violations or other adverse outcomes).
Explicit consent from data subject (Schedule 3 paragraph 2)
Valid consent must be freely given, specific and informed. That means that a data subject must be given explicit and precise details about the intended Restricted Transfer – you cannot obtain valid consent for Restricted Transfers in general.
Public authorities cannot rely on this exemption as a basis for transfer when exercising their public powers.
To be able to rely on this exception you must tell the data subject:
- Who will be receiving their information
- Where the data is being transferred to and the risks of the receiving jurisdiction in relation to the provision of data protection (e.g. that their data subject rights may not be exercisable in the receiving country, public authorities may be able to access personal data and are not subject to any judicial oversight or appropriate safeguards or there is no data protection supervisory authority in that country).
- Why the Restricted Transfer needs to be made
- What data is to be transferred
- That they can withdraw their consent at any time (although this may mean that, depending on the reason for the transfer, consent is not an appropriate basis for making the Restricted Transfer).
Our view is that consent is unlikely to be a common exception used for Restricted Transfers, given the validity requirements coupled with the data subject’s right to withdraw their consent at any time, and that its use is likely to be limited to exceptional, one-off situations where no other basis for transfer is available.
Contract between a data subject and a controller (Schedule 3 paragraph 3)
You can make this transfer if you have a contract with the person the data being transferred is about, or you are about to enter into a contract with that person, and you need to make the transfer either so that you can:
- Carry out your obligations under the contract; or
- Carry out pre-contractual steps that the data subject has requested.
Example
- A Jersey-based recruitment agency, Channel Island Tech Recruiters, is helping a local IT professional apply for a role with an Indian tech company. The candidate has signed up for the agency’s services and specifically asked them to apply for overseas jobs on their behalf.
- To carry out this request, the agency sends the candidate’s CV, qualifications, and references to the potential employer in India.
- The agency informs the candidate that their data will be sent to India and explains that the country may not offer the same level of data protection as Jersey.
Public authorities cannot rely on this exemption as a basis for transfer when exercising their public powers.
Third-party contract in the interest of the data subject (Schedule 3 paragraph 4)
You can make this transfer if you have, or you are about to enter into, a contract with someone other than the data subject whose personal data you are transferring but the contract is in their interests, and you need to make the transfer either so that you can:
- Enter into the contract; or
- Carry out your obligations under the contract.
Public authorities cannot rely on this exemption as a basis for transfer when exercising their public powers.
The DPJL 2018 says that the transfer must be necessary. You need to show that unless you are able to make the Restricted Transfer, you will not be able to enter into or fulfil the obligations of the contract that would otherwise be in the interests of the data subject.
Example
- Following on from the previous example, the employee has been offered the job in India, but before they finalise the arrangements, they want criminal records checks from any jurisdiction the employee worked in over the previous five (5) years. Before coming to Jersey the employee worked in South Africa. Channel Islands Tech Recruiters engages a criminal background check provider in South Africa and provides them with the employee’s name, date of birth and a copy of their identity documents.
- The transfer is necessary for the third party to provide Channel Islands Tech Recruiters with its services as per the contract that is in place between them and the transfer is in the interests of the data subject so that they can secure their new job in India.
Transfer on behalf of the JFSC (Schedule 3 paragraph 5)
The JFSC (or someone working on its behalf) can make the Restricted Transfer if it is necessary for reasons of substantial public interest. This is taken to be the case if all the following circumstances apply:
- The transfer is a disclosure that is permitted or required under an enactment in force in Jersey;
- The transfer is made by or on behalf of the JFSC; and
- The JFSC has taken reasonable steps to ensure that the transferee will not transfer the personal data to another person except:
- with the consent of the JFSC, or
- in order to comply with an order of a court (whether or not a Jersey court) that directs the transferee to transfer the personal data to the other person.
Example
- The JFSC is carrying out an investigation into the conduct of a regulated investment firm that operates in multiple jurisdictions, including the UK.
- As part of its statutory duties under the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008, the JFSC is permitted to disclose relevant personal data to an overseas supervisory authority (in this case, the Financial Conduct Authority (FCA) in the UK).
- This transfer meets the “substantial public interest” condition because:
- The disclosure is permitted under Jersey law (the Proceeds of Crime legislation);
- The transfer is made by the JFSC in the course of its supervisory duties;
- The JFSC obtains assurance from the FCA that the personal data will not be shared further without the JFSC’s consent or a valid court order.
- The transfer supports international cooperation on financial crime while ensuring that the personal data is protected against onward disclosure.
Transfers necessary for the purpose of legal proceedings, obtaining of legal advice and establishing, exercising or defending legal rights (Schedule 3 paragraph 5)
You can rely on this exemption if it’s necessary to deal with a legal matter, for example:
- You need to send the data as part of a court case or because you're getting ready to start one.
- You need to share the data with a lawyer so they can give you legal advice.
- You need to send the data to protect your legal rights, to make a legal claim, or to defend yourself if someone is taking action against you.
You must show that transfer of the personal information is necessary. This means that there needs to be a close connection between the need for the personal data to be transferred and the relevant legal proceedings, rights or claims.
If the transfer is required for the purpose of legal proceedings, those could be proceedings in any forum (e.g. civil or criminal courts, or tribunal) and they can be actual (i.e. in process) or prospective. You need to be able to show that legal proceedings are a realistic possibility and more than simply fanciful. You could have been served with pre-action correspondence or someone could have threatened you with legal proceedings but you cannot rely on this exception if there is only a remote possibility that a legal claim or other proceedings may be brought in the future.
Example
- A Jersey-based investment firm is accused by a former overseas client of mishandling funds. The client threatens legal action from their home country (the Cayman Islands).
- The firm sends transaction records and email correspondence to a Cayman law firm to prepare for potential legal proceedings.
- At the same time, it shares internal compliance reviews with its Jersey lawyers to obtain legal advice.
- To defend its legal rights, the firm also provides key client-related personal data to a third-party forensic accountant based in the Cayman Islands to investigate and respond to the allegations.
Transfers necessary to protect the vital interests of the data subject or any other person (Schedule 3 paragraph 7)
You can rely on this exemption if the transfer is necessary to protect their life or the lives of others, and either: they can't give consent (because they're physically or legally unable), they've unreasonably refused to give consent, or it's simply not practical to ask them for consent.
This is a specific exception to the general rule that consent is required for data processing. It is intended to be used in genuinely urgent situations where the data subject cannot consent or is unreasonably withholding consent, and the transfer is necessary to protect their life or health.
Situations where it is not physically or legally possible for a person to give consent would include where:
- The person is unconscious
- You’ve taken reasonable and proportionate steps to try and contact the person, but you’ve not been able to speak to them. (In an emergency, there may not be enough time to try and contact them and it may be reasonable not to do so.)
- You do not have sufficient time to provide the person with all the information they would need in order to give their explicit consent
- The person may not have the mental capacity to make the relevant decision (for example, they are not capable of understanding the information needed for their consent to be valid).
A transfer under this provision would usually only be appropriate in a medical emergency and where the imminent risk of serious harm outweighs the data protection rights of the individual. This covers situations where someone’s physical or mental health or well-being is at serious risk and the situation is urgent. This could also include where there is an urgent need for life-sustaining food, water, clothing, shelter or medication. The risk to the person’s life must be of such significance that it outweighs the data protection concerns.
Example
- A Jersey resident is seriously injured while travelling in China on business. They were conscious for a while and told the paramedic that they had serious allergies. By the time the patient arrived at the hospital, they were unconscious. They were unable to provide consent for their medical records to be shared.
- The hospital in China urgently requests the patient’s medical history and allergy information from their GP in Jersey to provide safe emergency treatment.
- The patient is physically incapable of giving consent due to their condition.
- The GP cannot reasonably be expected to obtain explicit consent in time without risking the patient’s health.
- The GP therefore transfers the patient’s personal medical data to the hospital in China because it is necessary to protect the patient’s vital interests — in this case, to save their life and prevent them from any harm that could occur if the wrong treatment/medication is given.
The term “unreasonably withheld” implies that there should be a valid reason for the individual's refusal, and so the situation must be carefully assessed to ensure that the transfer is truly necessary and proportionate to the risk if you are going to conclude that consent is being “unreasonably withheld”. While the data subject’s vital interests are paramount in this situation, it is still important to document the circumstances and the justification for the data transfer, including the lack of consent and the necessity of the transfer.
Transfers of information from a public register (Schedule 3 paragraph 8)
A transfer of personal data from a public register is permitted if the register is intended to be publicly accessible and open for consultation by the general public or those with a legitimate interest, but only under the specific conditions of the relevant law governing the register.
The transfer must not include the entire contents or categories of data from the register, and if the register is for those with a legitimate interest, the transfer can only happen at their request or if they are the intended recipients.
Types of register covered by this exemption are things like company registries, land registers or public vehicle registers.
Other exceptions (Schedule 8 paragraph 9)
There is one final exception available if the Restricted Transfer cannot take place under any other provision of the DPJL 2018. This exception should only be relied upon in truly exceptional circumstances and all of the following criteria must apply:
- You must be unable to rely on any of the other transfer mechanisms provided for in the DPJL 2018. You must be able to show why no other mechanisms or exemptions apply.
- The transfer cannot be repetitive. It can happen more than once, but must be occasional rather than routine – it cannot be predictable or systematic.
- The personal data you want to transfer can only relate to a limited number of data subjects. The DPJL 2018 does not set a threshold for what is classed as “limited” but the number of people involved should be part of the balancing exercise you carry out.
- The transfer must be necessary for purposes of your compelling legitimate interests which are not overridden by the interests, rights and freedoms of data subjects. This is a high bar – you need to show that there are compelling reasons why you need to make the transfer e.g. there must be significant consequences to you if you are unable to make the transfer or, alternatively, significant benefits if you do.
You need to balance your compelling legitimate interests against people’s rights and freedoms and be able to demonstrate why your interests outweigh those individual rights.
Once you’ve carried out your assessment, and where the transfer is to take place under this paragraph, you must inform us of the transfer as soon as practicable.
We will ask to see full details of all the steps you have taken in deciding why it was necessary to make the Restricted Transfer under this provision, and this will include the details of the assessment you have made, including the balancing exercise you have carried out. We will want you to set out and explain to us:
- What the consequences or benefits of the transfer are from your perspective (including the purpose and duration of the proposed processing operation or operations)
- The identified risks of harm to the data subjects in making the transfer (what is the situation in the country of origin, the third country and the country of final destination)
- How you have balanced those competing rights (including setting out your conclusions)
- What suitable safeguards are or will be put in place to protect the personal data (e.g. confidentiality agreements, technical controls, pseudonymisation)
If we do not agree with your assessment, we may advise you that to make the transfer would contravene the DPJL 2018. We will consider if it is appropriate for us to use our regulatory powers and this could involve our issuing you with a formal warning and/or orders that you must not make the transfer.
You must also tell the data subject about the transfer, and why you believe that your compelling legitimate interests outweigh any risk of harm to them.
Public authorities cannot rely on this exemption as a basis for transfer when exercising their public powers.
The EDPB has adopted Guidelines on derogations of Article 49 of the EU GDPR. These guidelines apply to the EU GDPR regime; they are included as a useful reference.