Duties of Data Controllers

The Data Protection (Jersey) Law (DPJL) places direct obligations on businesses and organisations that process personal information. The Law states that an organisation can only process personal information under certain conditions. For instance, the processing should be fair, transparent, for a specified and legitimate purpose, and limited to the personal information necessary to fulfil this purpose.

The DPJL applies to the public, private, charity and not-for-profit sectors.

The DPJL is based around six principles of ‘good information handling’. These principles give people (the data subjects) specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

The DPJL applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data and a processor is responsible for processing personal data on behalf of a controller and in accordance with the controller’s instructions.

Article 1 of the DPJL defines a controller as: “the natural or legal person, public authority, agency or other body that, whether alone or jointly with others, determines the purposes and means of the processing of personal data, and where those purposes and means are determined by the relevant law, the controller or the specific criteria for its nomination may be provided by law”.

Data controllers will usually be organisations, but can be individuals, for example self-employed consultants.

Data controllers are subject to a number of statutory duties under the DPJL. The guidance on this page titled 'Duties of Data Controllers' sets out those general duties as part of an overall principle of accountability, to help organisations fully understand their obligations and to promote good practice.