Reprimand issued to Blue Diamond Limited over a breach determination made by the Authority

1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
    
2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.

3. Following an investigation under section 68 of the Law, the Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that Blue Diamond Limited (the Controller), breached an operative provision of the Law, namely section 27 relating to “Compliance with request to exercise data subject right”. Blue Diamond Limited is a garden and living retail company.

4. Blue Diamond Limited received two right of access requests made under section 15 of the Law (“the requests”) on 15 May 2020. A request of this nature entitles an individual to, amongst other things, copies of personal data processed by the Controller.

5. Following a complaint made under section 67 of the Law, an investigation was conducted under section 68 of the Law. The Complaint related to the alleged non-compliance with the request. Certain responses provided by Blue Diamond Limited following questions raised by the Authority were also considered.

6. In most cases, Controllers are required to comply with requests of this nature within the designated period of one month from the date of the request (“designated period”). In the event a Controller is unable to fulfil a request within the designated period, section 27(2) and (3) dictate that the Controller must notify the requestor, within the designated period, of their reasons for not complying, their right to complain to the Authority under section 67 and their rights of appeal under sections 82 and 83 of the Law. Furthermore, where a Controller determines that the request is complex and requires further time to collate the response, section 27(4) provides for the application of a 2-month extension on the condition that such an application is communicated to the requestor along with the reasons for the extension. This must be done within the designated period.

7. It was shown that Blue Diamond Limited had not responded to the requests within the designated period. An initial response was sent by Blue Diamond Limited to the Complainants on 21 June 2020, however this was not deemed to be a complete response. Blue Diamond Limited wrote to the Authority on 30 October 2020 to state their belief that they had now responded in full to the requests.

8. Whilst it is recognised that this was the first such request made of Blue Diamond Limited, it became apparent during the investigation that they did not have an appropriate understanding of the statutory obligations it had as a Controller under the Law. It was clear that this and the lack of established internal procedures, contributed to the failure to comply with the requests in the manner required by Law.

9. As a result of the above, the Authority determined that Blue Diamond Limited failed to comply with section 27 of the Law in relation to ‘Compliance with request to exercise data subject right’.

10. Blue Diamond Limited had the right to appeal this determination but chose not to.

11. Where organisations process personal data in a manner which breaches operative provisions of the Law the Authority will consider taking action to address those breaches and the imposition of appropriate sanction(s), which can include the issuance of an administrative fine.

12. Following the determination by the Authority that Blue Diamond Limited had breached an operative provision of the Law it proceeded to consider whether to impose sanctions under the Law for the breach and, if sanctions were to be imposed, what the most appropriate sanctions would be.

13. In this case, the Authority identified the following factors –

Mitigating Factors;

• Blue Diamond Limited has fully engaged and complied with the investigation requests and deadlines set, albeit much provided was in a confusing and disorganised manner.
• This is the first such case requiring the Authority to investigate Blue Diamond Limited.
• Blue Diamond Limited has openly accepted their failures in processing and complying with the Law and has admitted that this matter has been a steep learning curve from which lessons have been learnt.
• It is accepted by the Authority that operational matters have been impacted during the public health crisis.

Aggravating factors;

• The Controller in this case, whilst being a well-respected local company, is also a UK-wide organisation – employing some 3300 staff, and an organisation of that size should be fully aware of data protection issues relating to their business.
• During the very early stages of this matter, Blue Diamond Limited contacted the Authority for advice as to how to deal with a right of access request as they had not received one before. Clear, unambiguous guidance was given which was clearly not followed.
• Whilst this may have been the first request of this nature received by Blue Diamond Limited, it is clear that they did not engage in a positive and timely manner. Further, it is apparent that the relationship with the Complainants detrimentally affected the process and their engagement with it.

14. The Authority, in consideration of the aforementioned failures has decided to impose a formal reprimand.
     
15. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:
    “We recognise that this is a challenging time for all organisations. We must also be mindful that where individuals seek to exercise their legal rights, there is an expectation that those rights will be respected. Early and positive engagement with individuals and with the ODPA will always contribute to more positive outcomes. We are pleased that the Controller in this case has reflected on the lessons learned to ensure that they are better placed to respond in a timely matter to requests of this nature in the future.”

• This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
• The Authority may conduct an investigation (under section 68 of the Law) following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
• In this case, the controller is Blue Diamond Limited.
• Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
• Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
• Having considered the details of this case, the Authority has imposed a reprimand.
• Section 84 of the Law provides for an appeal by the controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. The Controller chose not to appeal the determination.