Guidance on Sanctions

The Data Protection (Jersey) Law 2018 is based on principles of ‘good information handling’. These principles give people (the data subjects) specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

This guidance explains the various sanctions the Authority can take, when it may take them and who may be subject to them.

This guidance applies to data controllers (and, in certain circumstances, processors), as defined under Art.1(1) of the DPJL. It focuses on the various sanctions available to the Data Protection Authority.

The purpose of sanctions is to control and manage breaches and potential breaches of personal data with the aim of protecting data subjects from harm and/or further harm.

This guidance will seek to explain what sanctions the Authority has available in law, when the Authority may apply them and who is subject to them. The guidance will also explain how a recipient of one or more sanctions will need to handle them and what they are required to do.