Exemptions

There are many exemptions and exceptions with the Law available to controllers/processors, below is a technical update on these and how they might be applied.
The Data Protection (Bailiwick of Guernsey) Law, 2017 provides individuals with a number of rights they can exercise about how and why their personal data is processed.  These rights apply generally across all personal data processed, embodying the concept of ‘human at the heart’

However, those processing personal data may, on occasions, encounter circumstances where it is not appropriate or possible to comply with these rights, usually due to the nature of the personal data or purpose of the processing.  To assist in those limited circumstances, the Law outlines a number of exemptions, that remove the requirements in relation to data subject rights.

What does this mean in practice for controllers/processors?  
This means that if you receive a 'Subject Access Request' (or another type of rights request) from someone, you may be able to use one or more of the exemptions/exceptions listed in Schedule 8 of the Law to legitimately withhold certain information - but only in limited circumstances.

Regardless of the specific exemption, certain key things need to be borne in mind and as such are listed below :-
  • Exemptions should be applied narrowly, to specific personal data in specific circumstances.  There should be no ‘blanket’ application of exemptions.  Consideration should be on a case-by-case basis taking into account the type of personal data, the purpose of the processing and any adverse impact of the application of the exemption on the data subject.
  • There are very few exemptions that absolutely must be applied in the circumstances described (paragraph 16A – Disclosures prohibited or restricted by enactments & 16D Serious harm to data subjects or other individuals) and even then only in certain circumstances.  As such, it is entirely possible that an exemption could be applied to the personal data but that the controller decides it does not wish to rely on that in the circumstances and will handle any rights request as if none applied, and in the spirit of the Law.
  • Exemptions should be carefully considered and their use fully justified.  In accordance with the accountability requirements of the Law and the expectations of the Authority, all decisions to rely on an exemption should be documented and controllers should be prepared to share that documentation with the Authority should they be asked.
  • Exemptions under the Law Enforcement Ordinance differ to those offered by the Law. When processing personal data for a Law Enforcement purpose under the Law Enforcement Ordinance please consult section 19 and Schedule 3 of the Ordinance.
Read technical update on exemptions here

Please contact us if you have any questions.