Duties of Data Controllers

The Data Protection (Jersey) Law (DPJL) places direct personal information processing obligations on business and organisations. The Law states that an organisation can only process personal information under certain conditions. For instance, the processing should be fair, transparent, for a specified and legitimate purpose, and limited to the personal information necessary to fulfil this purpose.

The DPJL applies to both the public, private, charity and not-for-profit sectors;


The DPJL is based around six principles of ‘good information handling’.  These principles give people (the data subjects) specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

The DPJL applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data and a processor is responsible for processing personal data on behalf of a controller and in accordance with the controller’s instructions.

Data controllers are subject to a number of statutory duties under the DPJL. This guidance sets out those general duties as part of an overall principle of accountability, helping organisations fully understand their obligations, as well as to promote good practice.