Fine issued to Sure over directory inaccuracies

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Public Statement
Issued: 09:00 2 September 2020
Controller: Sure (Guernsey) Limited

1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).

2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data, and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.

3. Following an inquiry conducted under section 69 of the Law, the Authority determined that Sure (Guernsey) Limited breached the Law in relation to its collation and publication of The Bailiwick of Guernsey Telephone Directory 2019/2020.

4. The Authority has fined Sure (Guernsey) Limited £80,000 for a lack of transparency as to how personal data was to be processed and for publishing personal data which contained inaccuracies and in some cases was contrary to subscribers’ wishes.

5. Sure (Guernsey) Limited has the right to appeal this fine.

6. The Authority confirmed that the Law requires all fine monies to be paid to the States of Guernsey’s general revenue account.

7. Chairman of the Authority, Richard Thomas CBE, commented:

“This is the first fine that the Data Protection Authority has imposed under the new Law. It was unanimously agreed by all members of the Authority. Although this fine is substantially lower than the maximum which the Law permits, we hope it will bring home the importance of taking great care with people’s personal information.”

8. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

“The data protection law provides organisations with a range of accountability tools to ensure appropriate technical and organisational measures are in place including being prepared to deal swiftly and effectively with any breach. In taking this action, the Authority has responded appropriately and proportionately to the evidenced compliance failures. We welcome the positive steps Sure have taken since this incident to ensure better data governance of the personal data in their care.”

For more information please refer to the administrative fine order.

Legal Framework

1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).

2. The Authority may conduct an Inquiry on its own initiative (under section 69 of the Law) into whether a controller or processor has breached or is likely to breach an operative provision of the Law.

3. In this case, the controller is Sure (Guernsey) Limited.

4. Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.

5. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.

6. Having considered the details of this case, the Authority has imposed an administrative fine order under section 73(2)(g) and 74 of the Law.

7. Section 84 of the Law provides for an appeal by the controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days.