Administrative Fines

The Data Protection (Jersey) Law 2018 (DPJL) is based around six principles of ‘good information handling’ (the Principles). These principles give people (the data subjects) specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

The Principles are at the core of the responsibilities placed upon controllers and processors. Whilst each Principle must be complied with, they are inextricably linked and therefore should not be read in isolation. A controller must ensure that the processing of personal information/data complies with the data protection principles (Article 8 DPJL):

  • FAIR, LAWFUL and TRANSPARENT PROCESSING: Personal data are to be processed lawfully, fairly and in a transparent manner in relation to the data.
  • PURPOSE LIMITATION: Personal data must be collected for specified, explicit and legitimate purposes and once collected, not further processed in a manner incompatible with those purposes.
  • EXCESSIVE DATA COLLECTION: Personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • ACCURACY OF DATA: Personal data must be accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • STORAGE LIMITATION: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
  • DATA SECURITY, INTEGRITY AND CONFIDENTIALITY: Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

This guidance applies to data controllers (and in certain circumstances, processors), as defined in the DPJL. It sets out the circumstances in which the Authority will consider it appropriate to issue an administrative fine under the Data Protection Authority (Jersey) Law 2018 (DPAJL). It also explains how the amount of the fine will be determined.

The Authority’s objective in imposing an administrative fine is to promote compliance with the DPJL and DPAJL. Such a fine must be sufficiently effective to act both as a sanction and as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others.

The Authority will take into account the factors set out at Art.26(2) of the DPAJL, including the nature, gravity and duration of the breach, the effect of the breach on the data subjects, previous contraventions, and the degree of cooperation with the Authority.

Where the Authority intends to issue an administrative fine it will first serve notice in writing stating that the Authority is proposing to make an order for the payment of an administrative fine. This will specify the proposed amount of the fine and allow the recipient a period of 28 days (beginning on the date of the notice) within which the recipient can make written representations to the Authority.

A data controller or processor on whom an administrative fine is served may appeal to the Royal Court of Jersey against that fine and/or the amount of the fine specified

The Commissioner will consider amending or replacing this guidance in light of further experience of its application.