Administered Registrations

What is Personal Data?

The DPJL 2018 defines ‘personal data’ as: ‘Personal data means any data relating to a data subject. A data subject is an identified or identifiable, natural, living person who can be identified, directly or indirectly, by reference to (but not limited to) an identifier such as:

1. a name, an identification number or location data;
2. an online identifier; or
3. one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.’

Therefore, any data that can directly or indirectly identify a natural, living person is considered personal data. This could be a name, but whether any potential identifier actually identifies a person will depend on the context of the processing. A combination of identifiers without someone’s name could be enough to identify that person.

The information must be ‘about’ that person. It is not just enough to name them; it must concern them in some way.

Example: john.doe@info.com – you can ascertain that John Doe works for Info.com

Example: At 9:15 every day, an individual parks in car park space no.5 at Info.com and has a blue car.

What is Processing?

The DPJL 2018 defines ‘processing’ as: ‘any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

Essentially, this means that any activity involving personal data will likely fall within the definition of ‘processing’. There is no minimum amount or de minimis level of processing. If you process any amount of personal data, no matter how small, you will fall within the scope of the DPJL 2018. There are no exceptions to this requirement.

Example: Q: Company A only holds statutory records for directors and shareholders and nothing else. Is this processing?

A: Yes

What is a Controller?

The DPJL 2018 defines ‘Controller’ as: “Controller” means the natural or legal person, public authority, agency or other body that, whether alone or jointly with others, determines the purposes and means of the processing of personal data, and where those purposes and means are determined by the relevant law, the controller or the specific criteria for its nomination may be provided for by such law.

The key phrase in this definition is ‘determines the purposes and means of processing of personal data’. This responsibility ultimately sits with the Controller. Even if they outsource the decision making to a data processor, the Controller remains responsible for the processing of the personal data and ultimately in charge of the processing.

The second part of the definition refers to ‘where those purposes and means are determined by the relevant law’. By way of example in this context, a Controller may be required to maintain a register of shareholders and/or directors, and in some cases, identify the ultimate beneficial owner because they are required to do so by some other law / enactment. These provisions would cover personal data processed in this context.

What is a Processor?

The DPJL 2018 defines ‘Processor’ as: “Processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, but does not include an employee of the controller.

In general terms, a Processor will perform a function on behalf of a Controller, but is not an employee of that Controller. It can only process data in accordance with the controller’s instructions. Examples of this could be where a function of the business is outsourced to another company, such as human resources, finance or IT support. In this context, the organisation will be providing services to the Controller, and thus processing personal data on behalf of the Controller as a ‘Processor’. The organisation remains the ‘Controller’. If a Processor deals with any of the information that has been provided by the Controller not in accordance with the Controller’s instructions, the Processor will become a Controller of that information in their own right. This is because it has added its own decision making into the process and is doing something with the information that it hadn’t been instructed to do by the Controller.

A Processor can sub-contract some or all of the work that it has been tasked with to a sub-processor. (It can only do this with the say so of the Controller.)

Relationship between a Controller and a Processor

Article 19 of the DPJL 2018 requires that where there is a Controller/Processor arrangement, the Controller must have a legal contract with the Processor setting out the nature and purpose of the processing activities to be undertaken, the duration of the processing, the type of personal data to be processed and the categories of data subjects. It should also set out the obligations and rights of the Controller.

TIP: In practice, every company will be a controller and/or processor.

Who does the DPJL 2018 apply to?

Article 4 of the DPJL 2018 sets out who falls within the scope of the Law, and defines the term ‘established’.

The DPJL 2018 applies to the processing of personal data:

(a) in the context of a controller or processor established in Jersey;

(b) by a controller or processor not established in Jersey but who uses equipment in Jersey for processing the data otherwise than for the purposes of transit through Jersey; or

(c) by a controller or processor not established in Jersey where the processing

(i) relates to data subjects who are in Jersey, and

(ii) is for the purpose of offering goods or services to persons in Jersey or monitoring the behaviour of such persons. (Article 4(2) of the DPJL 2018)

A Controller or Processor is ‘established’ if they are:

• A natural person ordinarily resident in Jersey;
• A body incorporated under the law of Jersey;
• A partnership or other unincorporated association formed under the law of Jersey;
• A person who maintains an office, branch or agency through which the person processes personal data in Jersey;
• A person who maintains a regular practice that carries on the processing of personal data in Jersey;
• Any person engaging in effective and real processing activities through stable arrangements in Jersey. (Article 4(4) of the DPJL 2018)

TIP: Companies registered in Jersey (so, registered with the JFSC) will always fall within the definition of ‘established’.

There may be instances whereby companies from jurisdictions outside Jersey (e.g. BVI, Cayman) also fall within the definition of ‘established’ because, for example, they are “engaging in effective and real processing activities through stable arrangements in Jersey”.

There is no definition of “regular practice” in the DPJL 2018 but when considering whether an entity’s operations are such as to bring them within the scope of the law, you should consider whether:

• The entity’s activities are coordinated from Jersey;
• The entity is required to and does demonstrate that it has economic substance in Jersey;
• It has employees physically present in Jersey.

Registrations of Controllers and Processors

Controllers and processors who are established in Jersey (see above) can only process data lawfully if they are registered with the Authority. They must also pay any applicable fee.

Articles 17 and 18 of the DPAJL 2018 state: 17 Registration of controllers and processors

1. A controller or processor established in Jersey must not cause or permit personal data to be processed without being registered as a controller or processor under this Article.

2. However, Regulations may make such exemptions from the requirements to register under this Article as the States think fit.

3. An application for registration made to the Authority must

(a) include the fee as specified by the Authority;

(b) be in a form and manner required by the Authority; and

(c) include any information required by the Authority.

4. Upon receipt of an application made in accordance with paragraph (3), the Authority must register the applicant as a controller or processor as the case may be.

5. The Authority must

(a) maintain a register of controllers for the purposes of this Law; and

(b) publish any such information as the Minister may by Order prescribe.

6. A person who contravenes paragraph (1) is guilty of an offence.

This means that any organisation captured by the definitions of Controller and/or Processor and that falls within the definition of ‘established’ must be registered with the Jersey Data Protection Authority. This may include foreign data Controllers or Processors being ‘administered’ by a trust company business (TCB)/funds services business (FSB) in Jersey and who are ‘engaging in effective and real processing activities through stable arrangements in Jersey’.

As previously stated, the Law does not provide any ‘de minimis’ level of processing, therefore it does not make any difference as to how much or how little personal data is processed. The Law applies equally to all Controllers and Processors established in Jersey and if personal information is being processed to any degree they need to register.

Some companies may be acting as both controller and processor depending on the personal data being processed and their role in those particular processing activities and so companies will need to register as both.

Relevant Charges

Every organisation that processes personal information needs to pay a charge to the Authority, unless they are exempt.

Being registered as either a controller or a processor or both does not have any impact on how the annual charge is calculated. The amount of the annual charge depends on:

• the size of the company (calculated by reference to its number of full-time equivalent employees);
• past year’s revenue¹; and
• what kind of personal data it processes.

Certain classes of processing are exempt from paying any charge if:

• they’re a public authority;
• they’re a candidate for election;
• they’re a provided school²;
• they’ve ceased to conduct business and only hold accounts and records for archiving; or
• they’re a non-profit association.

If a Controller/Processor’s registration has been effected by way of its being included on the list of administered organisations filed with the Authority by a trust company or fund services business as defined (see below), it will attract a reduced charge of £50 a year. However, there is no obligation for those controllers/processors to be registered by the TCB/FSB and they may go through a full registration process, if they so wish. If those entities do go through the full registration process, however, they will not be able to take advantage of the Reg.6B exemption and their annual registration charge will be calculated in the standard way and by reference to their size, revenue and type of data processed.

18 Registered controllers and processors to pay prescribed charges

(1) Regulations may require registered controllers, registered processors or both, to pay a charge to the Authority in order to pay for the remuneration, salaries, fees, allowances and other emoluments, costs and expenses of

(a) the establishment of the Authority; and

(b) the Authority’s operations, including the exercise or performance of any functions of the Authority.

(2) The Regulations must provide for

(a) the amount of the charge, or the basis on which the amount of the charge is to be calculated or ascertained;

(b) the periods in respect of which, and the times at which, the charge must be paid, or a means for ascertaining those periods and times; and

(c) the manner and form in which the charge must be paid.

(3) The Regulations may

(a) impose duties on the Authority, registered controllers, or registered processors in connection with the collection or payment of the charge;

(b) confer powers on the Authority in connection with the collection of the charge; and

(c) exempt any person from paying the charge.

(4) A person required by the Regulations to pay a charge must do so in accordance with the Regulations.

(5) The Authority may recover any charge due and payable by any person to the Authority under the Regulations as a debt owed by the person to the Authority. This means that all Controllers or Processors will need to pay a registration fee, unless a specific exemption applies to them and means that they do not have to pay a fee. The DPRCJR 2018 contains an exception which allows for Controllers or Processors administered by a TCB/FSB to pay a reduced fee of £50:

6B Exception for payer being administered by trust company businesses or fund services businesses

1. In this Regulation, “trust company business” and “fund services business” have the same meanings as in Article 1(1) of the Financial Services (Jersey) Law 1998.
2. Despite Regulation 6A, the amount of the annual charge for a registered controller or registered processor that is being administered by a trust company business or a fund services business is £50.
3. A registered controller or registered processor referred to in paragraph (2) is not eligible under Regulation 6(4) for an exemption from paying the annual charge.

What is meant by "Administered"?

The term ‘administered’ is not defined in the DPJL 2018, DPAJL 2018 or the DPRCJR 2018.

Reg 6B(2) of the DPRCJR 2018 provides that the amount of the annual charge for a registered controller or registered processor that is being administered by a trust company business or a fund services business is £50.

Reg.6B(1) stipulates that “trust company business” and “fund services business” have the same meanings as in Article 1(1) of the Financial Services (Jersey) Law 1998 (the FSJ Law 1998).

The rationale underpinning this provision in the Regulations was to avoid imposing a disproportionate administrative burden on financial services businesses registered with the Jersey Financial Services Commission that provide trust company and/or funds services business (including related services) to a large number of data controllers and processors processing a small amount of low risk data, who would otherwise have to register individually. The provision provides qualification in that the trust company business or fund service business involved must meet the definition of such in Article 1(1) of the FSJL 1998. These businesses may apply this provision with respect to any clients receiving any of the services listed in Article 2 of the FSJL 1998 including any other services that are wholly associated or allied to the licenced business.

It is for the administrator to determine whether they are providing relevant services for the purposes of the DPRCJR 2018 and whether that activity falls within the definitions as set out in the FSJ Law 1998.

Undertaking the Task of Data Protection Registration

The ultimate responsibility for registration lies with each separate Controller or Processor, NOT the administrator.

Registration Options:

A. The Controller or Processor undertakes their own individual data protection registration.

B. The Controller or Processor instructs the relevant TCB/FSB to deal with their data protection registration as part of the services provided:

1. If only 1 TCB/FSB is providing administration services to the Controller or Processor, the TCB/FSB should include the administered company within their registration under the ‘administered’ list.

2. If the Controller/Processor receives administration services from more than 1 TCB/FSB, the parties must be clear about who is undertaking the registration process for the relevant Controller / Processor. If they fail to do this, they may be registered and charged more than once.

Who has responsibility for the registration process should form part of the service contract or processing contract in order to make it clear which TCB/FSB has the responsibility for registering the administered Controller or Processor.

It is therefore important to determine with the client who is responsible for undertaking the data protection registration to ensure compliance with registration requirements and to avoid duplication.

Administered Controller/Processor registration update timeframes:

Newly formed controllers/processors

As per Article 17 of the DPAJL 2018, a Controller or Processor must not cause or permit personal data to be processed without being registered with the Authority. It is a criminal offence to process personal data without being registered. Therefore, any ‘new’ Controller or Processor must be registered in order to process personal data. They must register before any processing activity commences.

Accordingly, new controllers/processors must register at or before the point of incorporation, regardless of whether it is administered by a trust company or financial services business.

Changes – Name Change/Transfers (in and out)/Dissolution:

Article 4(1) of the DPRCJR 2018 states: 4 Requirement to notify changes to particulars (1) Registered controllers and registered processors must notify the Authority of any change in the particulars that they were required to provide to the Authority in respect of their application for registration as soon as practicable and in any event within 28 days of the change.

Therefore, any such changes should be notified to JOIC as soon as practicable and in any event within 28 days of the change.

Managing Administered Controller/Processor Registrations via the Administered Portal:

Once logged into the registration portal where you can see any linked registrations, in the Options column, you will see an ‘Administered’ button. This will take you through to the administered portal where you can manage the relevant administered registrations. If you cannot see the ‘Administered’ button, please contact our office for assistance.

From the administered registration portal page, you can export the active administered registrations to Excel. When making changes to administered registrations, you will be asked to confirm that all changes are true and correct to the best of your information, knowledge and belief. Details of the full declaration to which you are agreeing are detailed within the Declaration Reminder.

Additions (New or Transfers In)

• Click on the orange ‘+ Add Administered Registration(s)’ at the top of the page.

• Type or copy and paste the names of the new or transferred in administered registrations in the boxes provided (one administered registration per line).
• The ‘New’ box must be used for any administered controllers/processors not previously registered and payment made for the current year. Each new administered registration will be charged £50.
• The ‘Transferred In’ box must only be used for administered controllers/processors that are already registered and where the previous administrator (or the client themselves) has already paid for the current year. Transferred in administered registrations will not be charged for the current year. It is the responsibility of the new administrator to ensure that the transfer is effected correctly. If unsure, please contact us to confirm if the registration charge for the current year has already been paid.

Note: The JOIC will be undertaking checks on administered registrations being transferred in to ensure none are listed as transferred in if they have not already been registered and paid for in the current year.

• The basket will be updated accordingly.
• When you have finished adding administered registrations, click on ‘Next’. You will be taken to the declaration and payment page where you must sign the declaration, review the basket carefully, provide the billing contact details and select the payment method.

Renewing Administered Controller/Processor Registrations

Registrations must be renewed every year. Registrations will expire on 31 December each year. The renewal window will open on 1 January and all renewals must be completed by the last day of February. If the registration is not renewed by this deadline, the registration will expire.

Payment of the registration renewal fee is due by the last day of February each year. We would therefore recommend that this payment deadline be carefully considered if payment cannot be made online at the time of the renewal.

Before the administrator registration is renewed, the administrator must ensure their list of administered registrations are up-to-date. Any changes to administered registrations such as transfers in, transfers out, dissolutions and name changes must be undertaken via the administered portal before the administrator registration is renewed. Reminder: any changes to a registration entry should only be actioned once the relevant action has actually occurred and at the latest within 28 days of the change. If a controller/processor is due to be dissolved during 2021 but is still active as at 1st January, it must still be renewed and paid for because the charge falls due on 1st Jan (Reg 6(2) of the DPAJL 2018). It can be removed after renewal and after the dissolution takes place.

Changes to administered registrations cannot be made whilst the renewal process of the administrator registration is in progress. Whilst the list of active administered registrations being renewed for the current year can be reviewed during the registration renewal process, updates cannot be made. Therefore, updates to administered registrations must be made prior to the administrator undertaking its renewal.

A renewal charge of £50 for each active administered registration being renewed will then be applied to the administrator’s own renewal fee.

Any new administered registrations added between 1 January and the administrator registration being renewed will only be charged at the time they are added. They will not be charged again during the renewal process. They will be included within the list of active administered registrations to be reviewed. Once the renewal process has been completed, the administrator can continue using the administered portal to manage administered registrations.

All changes are recorded in the system and the JOIC reserves the right to undertake secondary checks/audits on registrations submitted at any time to ensure compliance with the law.

Publication of the Register

The Authority will publish limited details of registered controllers and processors on the JOIC website. It will only publish the relevant organisation’s name, any registered business names (if applicable), registration number and expiry date. No other information will be provided.

When a TCB/FSB submits its administered controllers/processors for inclusion on the Registry, the names of the administered controllers/processors will not be published in any way that links them back to the TCB/FSB. The only information that is published for an administered controller/processor is their name (no registration number) which, of itself, would confirm that the administered controller/processor is registered for data protection purposes. No other information will be provided.

Accountability of Controllers

Aside from the registration requirements under the DPAJL, every Controller established in Jersey must comply with all the provisions of the Law. In particular, the general duties and accountability of Controllers is set out in Article 6 of the DPJL 2018, which includes:

• Responsibility for, and demonstration of compliance with the Data Protection Principles;
• The requirement to be registered if established in Jersey;
• The requirement to pay a registration fee;
• Having appropriate safeguards in place to protect the rights of data subjects;
• Compliance with the record keeping requirements (if more than 250 employees);
• Appointing a Processor in compliance with Article 19;
• The obligation to report data breaches;
• When you need to appoint a data protection officer;
• Complying with requests and orders from the Authority;
• Compliance with the transparency requirements in Article 12.

All Controllers and Processors must comply with the Law.

Approach to Compliance

Whilst there are specific obligations for Controllers and Processors under the DPJL 2018 and DPAJL 2018, organisations are expected to apply these on a risk-based approach. This means that Controllers and Processors will need to understand the risks associated with the processing of personal data in the context in which they are using it. When assessing risk, Controllers and Processors should take account of the following:

• The nature of the personal data;
• The purpose for which the data is being used;
• Whether the data includes Special Category Data;
• The volume of data to be processed;
• How the data is stored, and whether the appropriate technical and organisational measures are in place to protect the data;
• To whom the data may be disclosed;
• The duration of the processing activity;
• The impact, or potential impact on the rights of individuals.

This is not an exhaustive list, and as such Controllers and Processors are expected to risk assess all personal data processing activities in order to comply with the applicable data protection principles.

In cases where the processing activities are likely to result in a high risk to the rights and freedoms of individuals, Controllers must carry out a Data Protection Impact Assessment.

The DPJL 2018 recognises that different organisations will have different levels of resources available to them and allows for a proportionate approach to be adopted towards compliance. Art.14(1) of the DPJL 2018 stipulates that “A controller is responsible for:

(a) Implementing proportionate technical and organizational measures to ensure processing is performed in accordance with this Law; and

(b) Demonstrating that those measures are in place so that processing is indeed performed in accordance with this Law

Further, Art.14(5) of the DPJL 2018 says: (5) In this Article “proportionate” means proportionate having regard to

(a) the nature, scope, context and purposes of processing;

(b) the risk and likelihood of prejudice to the rights of data subjects;

(c) best practices in technical and organizational measures;

(d) the state of technological development; and

(e) the costs of implementation.

Larger organisations may be able to put in place a more comprehensive framework than a smaller organisation and the DPJL 2018 does not explicitly set out a minimum level of compliance that the JOIC will consider is ‘sufficient’.

The DPJL 2018 does set out several different measures organisations can take towards achieving compliance. The approach you take will likely differ depending on what personal data you have and what you do with it. It is for each controller/processor to determine what is proportionate taking into account each of the factors set out above and you need to evidence and explain what steps have been taken towards compliance.

In order to demonstrate compliance with the accountability principle an organisation must:

• implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies
• maintain relevant documentation on processing activities
• where appropriate, appoint a data protection officer
• implement measures that meet the principles of data protection by design and data protection by default. Measures could include: » data minimisation » pseudonymisation » transparency » allowing individuals to monitor processing; and » creating and improving security features on an ongoing basis
• use data protection impact assessments where appropriate.

Appendix 1 - Example structures that may fall within the scope of the DPJL 2018

This Appendix has been put together as a result of collaborative efforts between the JOIC and an industry working group, coordinated by Jersey Finance.

The example structures referred to below have been provided by industry as standard examples which TCBs and FSBs are routinely tasked with administering.

The structures referred to are for illustrative purposes only: it is for controllers and processors to undertake the data mapping exercise referred to in the main body of this guidance note and understand whether their activities fall within the scope of the DPJL 2018 (and, therefore, subject to registration with JOIC).

The examples provided are not exhaustive and nothing in this Appendix (or the rest of the guidance note) should be construed as specific advice (legal or otherwise) about the processing activities of those structures. IF YOU ARE UNSURE AS TO WHETHER AN ENTITY FALLS WITHIN THE SCOPE OF THE DPJL 2018 YOU SHOULD TAKE SPECIFIC LEGAL ADVICE.

Company with Registered Office-only service provider

If a company’s registered office address is provided for it by a service provider that is a TCB/FSB, that company will likely fall within the scope of the DPRCJR 2018 and, as a result, its registration may be effected by being included on the list of administered entities that trust company businesses may register with the JOIC.

If a company is registered is this way, it will pay a flat fee of £50 a year.

Just because a company is administered by a TCB/FSB, it may choose to register itself, but the annual registration fee will be higher, calculated in accordance the method described at Art.6A of the DPRCJR 2018.

Administered entity with multiple service providers

If a number of TCB/FSBs provide administration services to a company and the company wishes to be registered by being included on the list filed by a TCB/FSB, the company should choose which of those service providers will do the listing to avoid duplicate registrations. Alternatively, the company may choose to register itself.

Family Office

If a Family Office is a limited company, it must register for data protection purposes like any other company unless it is being administered by a TCB/FSB in which case its registration may be submitted by its administrator and the standard £50 flat fee applies.

(If the registration is undertaken by the Family Office itself rather than via its administrator, consideration must be given as to whether that office is processing special category data as, if so, it must be stated on its registration.)

SPV

Sometimes, an entity may be used in a specific transaction or in a business structure just to do one thing (typically, to hold shares in another company or to hold a particular physical asset, such a building or other property). Such entities are often referred to as SPVs (or special purpose vehicles).

If a SPV is a limited company, it must register for data protection purposes like any other company unless it is being administered by a TCB/FSB in which case its registration may be submitted by its administrator.

Cell companies

If a company is a protected cell company, only the company itself need register for data protection purposes like any other company unless it is being administered by a TCB/FSB in which case its registration may be submitted by its administrator.

If a company is an incorporated cell company, each cell will need to register (or be registered) because each has separate legal identity.

Holding companies

A holding company is a type of SPV and it must register for data protection purposes like any other company unless it is being administered by a TCB/FSB in which case its registration may be submitted by its administrator.

JPUT

A JPUT (a Jersey property unit trust) is a property-holding structure and it typically consists of one or more companies or other entities and one or more trusts. Accordingly, each company or other entity – whether it is a property-holding vehicle or a trustee or whether it has some other role in the structure - must register for data protection purposes like any other company or other registerable entity (unless it is being administered by a TCB/ FSB in which case its registration may be submitted by its administrator). See below for the registration submitted in respect of partnerships and to trustees.

Partnerships

GP/LP structures

GP/LP structures, typically consisting of a general partner, in the form of a limited company, and one or more limited partners are commonly referred to as “funds” and would usually be referred to as something like “ABC GP Limited in its capacity as general partner of the ABC LP” or “The ABC LP, acting by its general partner, ABC GP Limited”.

For data protection purposes, all general partners must register, like any other controller/processor, whether by being included on a list filed by the administrator or by registering itself. If the general partner of a limited partnership is itself a limited partnership, then the general partner of that limited partnership must be the entity to register.

The registration of a general partner is to be in its own name only, and it need not name the limited partnership(s), and the relevant registration fee will be calculated accordingly.

LLPs

For data protection purposes all LLPs (limited liability partnerships) must register, like any other controller/ processor, whether by being included on a list filed by the administrator or by registering itself.

Foreign LPs

If a foreign limited partnership (for example, a Scottish limited partnership) or a foreign entity that is similar to a partnership, has corporate personality under the law of its registration or constitution, it must register, like any other controller/processor, whether by being included on a list filed by the administrator or by registering itself.

Trusts and Foundations

Trusts and Trustees

A trust arrangement will always involve one or more entities that is a trustee.

For data protection purposes, all trustees must register, whether they are corporate or other entities with legal personality, or whether they are individuals. Where a trustee is corporate or other entity administered by a TCB, it may be registered by being included on a list of administered entities filed by that TCB. Alternatively, it may register itself.

This registration by a trustee will cover its “own” processing (as, for example, XYZ Trustees Limited) and the processing it does in its capacity as trustee of any number of trusts of which it is a trustee, whether alone or as one of a number of trustees.

The registration of a trustee is to be in its own name only, and it will not be expected to name the trusts of which it is trustee, and the relevant registration fee will be calculated accordingly.

Private Trust Companies (PTCs)

A private trust company is a trustee in the form of a special purpose vehicle, and it must register for data protection purposes like any other company unless it is being administered by a TCB/FSB in which case its registration may be submitted by its administrator.

The registration of a trustee is to be in its own name only, and it will not be expected to name the trusts of which it is trustee, and the relevant registration fee will be calculated accordingly.

JPUT

A trustee within a Jersey property unit trust structure must be registered in its own name. It can submit its own registration, or it may be submitted by its administrator. The registration will be in its own name only and it will not be expected to name the trusts of which it is trustee.

Jersey Foundations

Jersey Foundations have corporate personality and it must - where it is required to be registered be registered in its own name. It can submit its own registration, or it may be submitted by its administrator.

Foreign entities

Any organisation captured by the definitions of Controller and / or Processor and that falls within the definition of ‘established’ must be registered with the Jersey Data Protection Authority. This may include foreign data Controllers or Processors being ‘administered’ by a TCB/FSB in Jersey and who are ‘engaging in effective and real processing activities through stable arrangements in Jersey’.

Appendix 2 - Financial Services & Data Protection Compliance FAQs

Data Processing by an Administered Data Controller or Processor

This Appendix has been put together as a result of collaborative efforts between the JOIC and an industry working group, coordinated by Jersey Finance. The FAQs provided are not exhaustive and nothing in this Appendix (or the rest of the guidance note) should be construed as specific advice (legal or otherwise). IF YOU ARE UNSURE AS TO WHETHER AN ENTITY FALLS WITHIN THE SCOPE OF THE DPJL 2018 YOU SHOULD TAKE SPECIFIC LEGAL ADVICE.

The following FAQs have been prepared to assist financial services businesses with their ongoing compliance requirements. Questions considered;

• Does the Data Protection (Jersey) Law 2018 exempt “de minimis” processing of personal data by administered entities from some or all of its requirements?
• Are there any activities which JOIC considers indicative of low risk processing on a small scale in the context of administered entities?
• If an administered controller/processor is only carrying out the types of activity set out in Appendix 1, what might constitute a proportionate approach to compliance with the requirements of the Law?
• Can administrators be controllers in their own right?

Data Processing by an Administered Data Processor or Controller

Does the Data Protection (Jersey) Law 2018 exempt “de minimis” processing of personal data by administered entities from some or all of its requirements?

The DPJL 2018 does not reference the term or concept of ‘de minimis’ processing of personal data. The law applies to all controllers and processors that are processing any amount of personal data.

Nevertheless, the law distinguishes high risk processing and processing on a large scale, for which imposes additional requirements. This means that processing that the controller/processor deems to be low risk or on a small scale does not give rise to the same level of obligations on processors and controllers.

The Jersey Office of the Information Commissioner (JOIC) adopts the standard international approach to data protection compliance. It expects organisations to adopt measures of protection that are proportionate to the size and nature of the organization and the processing, the risks to data subjects and the costs involved.

It is the understanding of the JOIC that many administered entities process only low risk personal data on a small scale, and, the relevant administrator would conduct the majority of the day-to-day processing. As a result, the JOIC expects the approach to compliance by the administrator to be proportionate to the limited nature of the relevant processing and the risk arising from it.

Are there any activities which JOIC considers indicative of low risk processing on a small scale in the context of administered entities?

As the circumstances of each data processor and controller will be specific to that entity, it is not possible to establish a general rule as to what constitutes small scale processing and what types of activities are low risk. It is for the relevant controller or processor to understand exactly what data it processes and the level of risk to data subjects, should that information be breached. The DPJL 2018 provides specific requirements for high risk processing, and processing conducted on a large scale. With this in mind, the JOIC expects the compliance burden to be proportionate to the processing being undertaken and the nature of the personal data being processed.

However, by way of guidance, for controllers/processors administered either by a Funds Services Business or by a Trust Company Business (as those terms are defined within the Financial Services (Jersey) Law 1998), the JOIC anticipates that if the relevant processing activities correspond to the example circumstances set out in Appendix 1 of this document, such would likely constitute low risk processing on a small scale.

It is important to note that this clearly would not be the case where the DPJL 2018 requires an entity to:

• appoint a Data Protection Officer under Article 24; or to
• undertake a Data Protection Impact Assessment under Article 16.

This is because these provisions only apply in the case of high-risk processing or processing of personal data on a large scale.

If an administered controller/processor is only carrying out the types of activity set out in Appendix 1, what might constitute a proportionate approach to compliance with the requirements of the Law?

All data controllers and processors must maintain the necessary records of processing activities in accordance with our guidance note and understand whether their activities and those of the entities they administer fall within the scope of the DPJL 2018 and are subject to registration.

If the DPJL 2018 applies to an administered controller/processor, it must comply with all the relevant provisions of the Law, bearing in mind the principle of proportionality. Controllers and Processors are responsible for "implementing proportionate technical organizational measures to ensure processing is performed in accordance with the DPJL 2018" (see Arts.14(1) and 21(1) of the DPJL 2018) and proportionate means proportionate having regard to:

1. the nature, scope, context and purposes of processing;
2. the risk and likelihood of prejudice to the rights of data subjects;
3. best practices in technical and organizational measures;
4. the state of technological development; and
5. the costs of implementation.

Therefore, in cases where administered controllers/processors have concluded that their processing activities are low risk and carried out on a small scale, the following actions would likely constitute a proportionate approach to that the relevant entity’s compliance with the DPJL 2018:

1. Establishing an administration agreement that satisfies the terms of Article 19 of the Data Protection (Jersey) Law 2018 where such an agreement is required¹;

2. Adopting data protection policies (for which the administrator may provide a standard template, where appropriate) dealing with:

9. Data protection compliance;

2. Data retention;
3. The exercise of data subject rights;
4. Information security; and
5. Personal data breach.

3. Issuing a privacy notice (for which the administrator may provide a standard template, where appropriate) to:

9. members of the board or the council (in the case of a foundation);

2. shareholders and other external stakeholders (including beneficiaries)².

4. Appointing the administrator to maintain any records of processing under Article 3(2) or 14(3) of the DPJL 2018.

Can administrators be controllers in their own right?

An administrator will be a controller in their own right in relation to data it holds and processes for its own purposes. Examples of the circumstances whereby an administrator would be a controller for the purposes of the DPJL 2018 include:

• Where the administrator determines the means and purposes of processing itself for the broader purposes of its own business this would particularly be the case in relation to processing personal data belonging to its own employees or where it processes personal data belonging to its clients for the purposes of contract managing, its own marketing purposes or for the purposes of billing.
• Where the relevant processing is mandated either by law or a regulatory obligation, an administrator will then generally act as controller in relation to such processing. Examples of such mandatory processing might include:
• The conducting of Customer Due Diligence as required by the Money Laundering (Jersey) Order 2008 (the "MLO") and the AML/CFT Handbook for regulated financial services business.
• The retention of records under the MLO and/or the Trust Company Business or Funds Services Business Codes of Practice.

It is important to distinguish between the above activities, and those activities the administrator undertakes on behalf of the administered company. In the latter case, where those activities entail the processing of personal data belonging to the administered company, the administrator will be a processor for the purpose of that function[^c].

What happens to the data protection obligations of an administered controller/processor, which has been dissolved?

Since a company ceases to have legal personality at the point of dissolution, it can no longer be a controller/ processor from that point on. Furthermore, a dissolved company has no assets with which to meet any fee obligations. As a result, the obligation to register and comply with the other obligations of the DPJL 2018 cannot rest on the dissolved company.

Nevertheless, where a company is dissolved, it important to identify any person(s) or entity(-ies) that continue to hold the dissolved company’s records³. Any such person/entity should consider the data protection obligations that might arise from that record keeping, where personal data is involved.

Where an administrator retains some records after the dissolution of a company which it previously administered, for instance in order to satisfy its regulatory obligations, that administrator would normally be considered to be acting in its own capacity as controller or processor in respect of the relevant data. It would not be expected to maintain the dissolved administered company on its list of administered entities as submitted to JOIC, nor would any fees be payable to JOIC in respect of that dissolved company.

Appendix 2.1 - Activities that may be indicative of low risk processing of personal data on a small scale

Limited Companies

• The maintenance of the statutory books of a Jersey company pursuant to the (e.g. the Register of Members, the Register of Directors and Secretaries and the Minute Books required to be kept under the Companies (Jersey) Law 1991) or the equivalent types of statutory books in relation to a foreign company;
• Records relating to holders of bonds or other securities of any kind;
• Records relating to distributions;
• Records which relate to the administration of the appointment and remuneration of: o Directors and secretaries; and o A money laundering reporting officer;
• Records relating to the ultimate beneficial owners of any corporate entities;
• Records relating to the appointment of and advice given by: o Administrators; and o Legal and other professional advisors;
• Records relating to security interests under either the Security Interests (Jersey) Law 1983 or under the Security Interests (Jersey) Law 2012;
• Any accounts maintained or tax returns submitted by the company;
• Any archives maintained in relation to the above; and
• The disclosure of any of the above in connection with a financial transaction or in connection with the issuing a prospectus under the Companies (Jersey) Law 1991 or any equivalent provisions under the law in the case of a foreign company).

Foundations

• The maintenance of any register required to be kept for the purposes of the Foundations (Jersey) Law 2009;
• Records which relate to the administration of council members or the guardian of a foundation;
• Records relating to beneficiaries of a foundation;
• Records relating to the appointment of and advice given by: o Administrators; and o Legal and other professional advisors;
• Records relating to security interests under either the Security Interests (Jersey) Law 1983 or under the Security Interests (Jersey) Law 2012;
• Any accounts maintained or tax returns submitted by the foundation; and
• Any archives maintained in relation to the above;
• The disclosure of any of the above in connection with a financial transaction.

Seperate Limited Partnerships and Incorporated Limited Partnerships

Where the administered controller or processor is either a Separate Limited Partnership or an Incorporated Limited Partnership, the law will consider them to be undertaking limited data processing activities by reference to the activities listed for foundations.