Duties of a Data Processor

The Data Protection (Jersey) Law 2018 (DPJL) is based around six principles of ‘good information handling’. These principles give people (the data subjects) specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

The DPJL applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data and a processor is responsible for processing personal data on behalf of a controller and in accordance with the controller’s instructions.

The DPJL now places specific legal obligations on processors. For example, they are required to maintain records of personal data and processing activities and will have legal liability if they are responsible for a breach. Controllers are not relieved of their obligations where a processor is involved however and the DPJL places further obligations on controllers to ensure that any contracts with processors comply with the law.

The concept of a data processor is not a new one, but under the DPJL (and GDPR), processors are now subject to direct compliance obligations and may be subject to serious penalties if they do not comply.

Art.1(1) of the DPJL defines a data processor as follows:

“…a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, but does not include an employee of the controller.”

This is part of a series of guidance to help organisations fully understand their obligations, as well as to promote good practice.