Reprimand issued to BWCI Pension Trustees Limited over failure to respond appropriately to a request for data

1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.
3. Following a complaint made to the Authority in November 2021 under section 67 of the Law, an investigation was conducted under section 68 of the Law. The complaint related to an alleged failure to respond to a data subject access request (the Request) within the designated period, as required by the Law.
4. Section 27 of the Law requires Controllers to comply with such a request made by a data subject, which must be complied within one calendar month.
5. Following the investigation, the Authority determined that the Controller breached the Law by failing to respond appropriately to the Complainant’s Request. The Controller initially cited concerns about the Request’s legitimacy, whilst acknowledging both a breakdown in its internal processes and a misunderstanding of the Request’s details which resulted in their failure to respond. Additionally, the Authority expresses its disappointment that attempts to resolve this matter informally for the benefit of both parties, proved unsuccessful largely due to the Controller’s lack of engagement over a protracted period of time. The Authority accepts that the Controller was not ill-intentioned, but nonetheless their process was flawed and their failure to engage was unhelpful.
6. The Authority issued a Reprimand to the Controller, reflecting the failures in the way the Complainant’s Request was handled.
7. The Controller had the right to appeal this determination but did not do so.
8. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

“The right of access to data relating to ourselves is one of the pillars of the legislation. All organisations should ensure that they have robust and tested policies and procedures to recognise and respond to such requests. Engaging with complaints in a positive and timely manner will also reduce the likelihood of further, more formal action being required. I am confident that the Controller in this case has reflected on the opportunities to learn from and improve in these respects.”

1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Authority may conduct an investigation (under section 68 of the Law) following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
3. In this case, the Controller is BWCI Pension Trustees Limited.
4. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law following a complaint made by a data subject.
5. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
6. Having considered the details of this case, the Authority has imposed a Reprimand under section 73 of the Law.
7. Section 84 of the Law provides for an appeal by the Controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. The controller has not made an appeal in this case.