In a Judgment handed down on 23 December 2025 (the “Judgment”), the Royal Court dismissed an appeal brought by Advocates Mark Gerard Ferbrache, Paul Richardson and Robin John Reeves Cowling practising under the style and name of AFR Advocates (“AFR”) against a breach determination by the Data Protection Authority (the “Authority”) issued against AFR. AFR disagreed with the Authority’s determination and exercised its right of appeal. The appeal was heard before the Royal Court of Guernsey between January and March 2025.
This is the first time a controller has exercised its right of appeal pursuant to section 84 of the Data Protection (Bailiwick of Guernsey) Law, 2017 (the "Law"), against a breach determination issued by the Authority. As outlined in the Judgment, the appeal related to the investigation and determination of an incident occurring in 2022, where AFR Advocates hand-delivered a bundle of documents to the home address of an individual.
The bundle contained over 200 pages relating to a private legal claim brought by the individual against a third party. Among other items, the bundle, which was left on the individual's doorstep, contained various pages relating to the individual’s health data – defined in the Law as ‘special category data’. The bundle was in an ordinary ring binder folder and was not enclosed in an envelope, box or any other form of container. Nor was it delivered to a ‘safe place’ or out of sight of the road. The individual was not at home at the time of the delivery and considered that that had put their private and sensitive personal data at risk.
Following a formal complaint to the Authority by the individual, the Authority investigated the matter and concluded that a breach of the Law had occurred. Consequently, the Authority issued a determination finding that AFR had contravened section 6 (the principle of ‘Integrity and Confidentiality’) and section 41 of the Law (‘Duty to take reasonable steps to ensure security of personal data’). Alongside its determination, the Authority issued a reprimand.
“We welcome the court’s judgment that upholds our determination while confirming our proportionate approach to investigation. We further appreciate the awarding of costs, as our preferred approach continues to involve constructive engagement with organisations to help them “get it right” rather than to be brought into costly and lengthy litigation” said Commissioner Homan.
“There are also important lessons from the determination upheld by the Court. The Law requires anyone working with people’s data to take appropriate safeguard measures ensuring the security of personal data at all times. Special category data such as health data, requires additional measures to ensure confidentiality.”