Guidance on Criminal Offences & Civil Remedies

The Data Protection Authority (Jersey) Law 2018 (DPAJL) establishes the Data Protection Authority (the Authority). The Information Commissioner (the Commissioner) is the Chief Executive Officer of the Authority.

The DPJL gives data subjects rights to bring complaints and seek judicial remedies and it brings forward certain criminal offences. Similarly, the DPAJL places certain other obligations on controllers and processors bringing forward criminal offences in certain circumstances.

The offences the DPJL brings forward are:
a. Unlawfully obtaining personal data (Art.71 of the DPJL);
b. Requiring a person to produce certain records (Art.72 of the DPJL);
c. Providing false information (Art.73 of the DPJL); and
d. Obstruction (Art.74 of the DPJL). Under the DPJL, most of the offences are punishable by fine, except where expressly provided.

The offences the DPAJL brings forward are:
a. Failing to register with the Authority as a controller or processors (Art.17(6) of the DPAJL);
b. Failing to comply with an order made by the Authority following a breach determination (Art.25(8) of the DPAJL).

Under the DPAJL, the above offences are punishable by fine.

Individuals also have a number of civil remedies available to them under the DPJL namely: a. The right to lodge a complaint with the Authority where their data has been processed in a way that does not comply with the DPJL;
b. The right to bring civil proceedings against controllers in the Royal Court; and
c. The right to compensation from a relevant controller or processor for loss, damage or distress resulting from infringement of the DPJL.

This note deals with the right to issue civil proceedings and the right to compensation only. For information regarding the lodging of complaints with and enforcement by the Authority (including fining powers) please, see our separate guidance note.