1. You (whether you are a sole-trader, legal person, organisation, business, charity, landlord, business association etc) are established in the Bailiwick of Guernsey.
2. You are working with personal data (i.e. any information that may identify individual people, such as your staff members, your clients, your business contacts, your service users, your tenants etc.)
3. The activity you are performing is not part of your personal/household affairs.
You are considered ‘established’ in the Bailiwick of Guernsey if you are a controller, processor or other person (including legal person) that:
The data protection law only applies if you have any information about (or related to) identifiable people in:
If you only have data for your own personal use, for things such as sending Christmas cards or taking pictures for your own enjoyment, the Law does not apply to your processing.
If you are uncertain about whether your processing falls within this personal/household definition, we have published this short guidance note with some criteria which may assist you in working out whether you are exempt.
The process of registering with us changed at the start of 2021, so any registrations made prior to that date have not been carried over and you will need to complete a new registration.
The difference you need to be aware of is that under the previous registration and fees regime, you could register at any point in the year and your registration would then have been valid for 12 months from the date of registration. Whereas now, due to changes to the law, everyone must register/renew and pay their annual levy during January-February of each year.
If you do not have any personal data (don’t forget that includes information about staff and clients) in respect of your own organisation, but you do process it on behalf of another organisation, you are a 'processor' under the Law.
Although this means that you do not have many of the statutory obligations of a controller, you do still need to register and pay an annual levy.
If you have authorised an ODPA Levy Collection Agent (LCA) to pay your annual levy, you do not need to register directly with the ODPA.
But remember, you retain full legal responsibility for how you use people’s data, and you are still obliged to meet your legal duties under data protection law.
You do need to make sure that you have a valid Certificate of Exemption (which your LCA must provide you) which you may be asked to show to the ODPA.
Find out more about the role of an LCA here.
If you are a not-for-profit organisation (as defined in section 4(1) of The Charities and Non Profit Organisations (Enabling Provisions)(Guernsey and Alderney) Law, 2009 you do need to register with the ODPA and meet your legal duties under data protection law.
But you will not need to pay an annual levy.
The ODPA endeavours to support the regulated community in respect of their statutory registration duties.
Where an individual or organisation knowingly and wilfully fails to comply with any element of the Law, including registration and levy duties, this may be considered an offence and the ODPA has the power to take action and recover unpaid levies.
If you would like to know more about this approach please see: Registration and Levy Duties – Regulatory Approach Summary.