Data Processing Notice

Last updated: 29 June 2023

The Data Protection (Bailiwick of Guernsey) Law, 2017 requires us to provide certain information to you. We provide this via our Data Processing Notice below. This applies to all personal data collected by the Office of the Data Protection Authority (ODPA) except for that relating to recruitment.

WHO ARE WE?

We are the Office of the Data Protection Authority for the Bailiwick of Guernsey (ODPA). Our legal identity and powers come from the Data Protection (Bailiwick of Guernsey) Law, 2017 (and associated statutory instruments) (the Law) where we are described as ‘the Authority’. Our contact details are here.

DATA PROTECTION OFFICER (DPO)

The Data Protection Officer for the ODPA is Thomas Elliott, who can be contacted by email (dpo@odpa.gg), telephone (+44 1481 742074) or in writing (contact details here).

WHEN PERSONAL DATA IS COLLECTED

Personal data is collected

HOW WE USE YOUR PERSONAL DATA

Data collected in relation to complaints submitted under the Law or other regulatory or enforcement action taken by the ODPA

All personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and/or 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Parts I and II of the Law. All special category data collected for this purpose is processed under paragraphs 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) and/or 12 (legal proceedings & establishing, exercising and defending legal rights) of Schedule 2, Part II of the Law.

This information is processed for the purpose of responding to or investigating your complaint. It is likely that we will need to provide some or all of this information to the controller or processor you have complained about to allow for further enquiry and investigation.  If there is information you do not wish to be passed on, please let us know.

In certain cases, it may not be possible to complete a full review of the circumstances surrounding the complaint/enquiry without disclosing some or all of the information you have provided, including your name. In such circumstances, we will discuss this in detail with you and agree on the next steps. Only in exceptional cases, where there is evidence of a serious compliance concern, would we consider pursuing an investigation where the complaint has been withdrawn. We will discuss this with you in detail should that situation arise.

We recognise that an enquiry or complaint may involve sensitive and confidential matters and will ensure we involve you in decisions made relating to the progress of the case and will keep you updated.

If you are concerned about providing information relating to a complaint or investigation, please discuss this with us.

During the course of an investigation, inquiry, or other regulatory action we may collect personal data relating to data subjects indirectly from other sources. This personal data will most often be provided by the Controller or Processor under investigation where deemed necessary; however, it may also be obtained from other sources, including publicly available sources such as the media.

We do compile and publish statistics relating to the number and nature of complaints received but never in a form that would identify any individual.

We may also make a public statement at the end of a case, but you will be consulted if you could be identifiable.

Data collected as part of the breach reporting process

All personal data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

Breach reports will be reviewed and the ODPA may get in contact for further information or to assess compliance with the Law.

Data collected as part of the registration process

All personal data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

Many businesses and organisations are required by law to register with the Office of the Data Protection Authority of the processing they carry out. This may contain personal information, for example where the business is a sole trader.

Details of a relevant member of staff are requested as part of this process as well as the DPO details and are used solely by the ODPA for administration purposes.

In situations of non-payment of any levy due, the Law entitles the Authority to recover the levy due as a civil debt owed by the person. Where such civil proceedings are undertaken by the Authority, personal data is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law, and under paragraph 12 (for the purpose of or in connection with any legal proceedings, including prospective legal proceedings) of Schedule 2, Part II of the Law.

It may be necessary for the Authority to process personal data relating to individuals where it is believed that they or their organisation are required to register but have not previously registered. This processing is for administrative purposes: establishing whether registration is required and, where necessary, taking regulatory or civil action as outlined above. Personal data obtained for this purpose will generally be collected from publicly available information such as telephone directories, publicly available websites, and public registers.

Data collected by email

Personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Parts I and II of the Law. Special category data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

We process information supplied by email using standard email applications, and we may also record it in our customer relationship management system if it relates to a complaint, breach, registration or other matter of significance.

When you interact with our online content via third parties

All personal data collected for this purpose is processed under paragraph 5 (necessary for the exercise or performance by a public authority of a task carried out in the public interest) of Schedule 2, Part I of the Law.

We process personal data when you interact with our content shared via third party services such as LinkedIn, YouTube, and Apple (based in the USA) and SoundCloud (based in Germany).

We use this data solely for monitoring how well our content is performing (how many views it has, who likes it, who shares it etc.) as an indicator of how well we are meeting our statutory obligations under section 61 of the Law (to promote public awareness of risks, rules, safeguards and rights in relation to processing, especially in relation to children, and to promote the awareness of controllers and processors of their duties under this Law).

Data collected as part of newsletter sign-up

We process your personal data (in this instance: email address only) in relation to our newsletter sign-up process under paragraph 1 (consent) of Schedule 2, Part I of the Law.

When completing our newsletter sign up form, you only need to provide your email address. We use your email address for the sole purpose of sending you the newsletter. During the sign-up process you will receive an email to verify your details and a confirmation email once sign-up has been completed.

We use the legal basis of ‘consent’ to process your data in this way; as such, you are free to withdraw your consent at any time. An unsubscribe link is included in each newsletter email to enable you to unsubscribe. Alternatively, you can email communications@odpa.gg from the email address you are subscribed through and ask us to unsubscribe you.

We use Brevo to deliver our newsletter; they are based in France.


Data collected through an online form

From time to time we use Microsoft Forms to collect personal data. Your data is processed using explicit consent (Para. 18 of Schedule 2, Part III of the Law) as you make the decision to provide your information to us and you can withdraw your consent at any time.

When we publish an online form, we will always be clear what your data is being used for, and it will be limited to the purpose specified.

Note: we sometimes use Microsoft Forms for anonymous surveys; no personal data is collected when we do this.

Data collected as part of registering/attending an event

We process your personal data (in this instance: your name, mobile number and email address only) in relation to our event registration process under paragraph 2 (the entering into and performance of a contract) of Schedule 2, Part I of the Law.

When registering for an event with us, you only need to provide your name, mobile number and email address. We will use this information to facilitate the event and your attendance at it. We will be unable to manage your attendance at any event without your name, mobile number and email address. You will not receive any event specific communication other than for events you have signed up for.

When registering for an event with us, we will ask you to let us know if you are happy to be included in photographs that may be taken during the event that we may share online. This is processed under paragraph 1 (consent) of Schedule 2, Part I of the Law and as such you can decide whether you wish to be in photos or not. If you do not want to be photographed this will not impact on your experience of the event.  

We seek your job title so we can understand the make-up of an event’s audience, to tailor it accordingly. This is processed with your consent (Para. 1 of Schedule 2, Part I of the Law) and as such you do not have to tell us your job title if you don’t want to. Not providing it will not negatively impact your attendance or experience of the event.

On the odd occasion that we run events that are catered, we will ask you to provide details of any specific dietary requirements so that we can try to cater to your needs. This is processed with your explicit consent (Para. 18 of Schedule 2, Part III of the Law).

We use Ticket Tailor to manage our events registration; they are a UK-based organisation.

We use password-protected Zoom webinars to host our online events, which we record and post to our YouTube channel. Zoom and YouTube are US-based organisations - please refer to their privacy policies for details of what personal data they process. Your attendance at an online event is processed under paragraph 2 (the entering into and performance of a contract) of Schedule 2, Part I of the Law. Whilst the event will be recorded and subsequently posted, this will not include any reference or record of the attendees. Further, any online polls and Q&A sessions are anonymous and as such no personal data is processed. 

Data collected as a result of attendance at our drop-in sessions 

We process your personal data (in this instance: your name only) when you attend one of our drop-in sessions for fire-evacuation purposes under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law, and to understand how you came to hear of our drop-in sessions.

Data collected as a result of enquiries made by phone or in person

Personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and/or 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Parts I and II of the Law. Special category data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

We may record information in our customer relationship management system if the information relates to a complaint, breach or registration or other matter of significance.

YOUR RIGHTS

The Law provides you with a number of specific rights.

If you want to make a submission in respect of any one of these rights, please contact our data protection officer.

TRANSFERS OF DATA

As part of our newsletter and event administration, your personal data will be transferred to and stored in the UK. See the relevant sections above for details of what is processed and why. The UK is an authorised jurisdiction for transfers as it has been deemed adequate by the European Commission.

The ODPA does not intend to transfer any personal data to authorised jurisdictions outside of the EU, or to unauthorised jurisdictions unless we are required to do so by law, whether that be in accordance with our statutory functions or any other applicable legislation, or after consultation with you should cooperation with another regulator be necessary. 

LINKS TO OTHER WEBSITES

This notice does not cover any third-party websites reached via links on this website. You are advised to read the data collection statements on the other websites you visit.

RETENTION OF DATA

The ODPA fulfils a statutory function as set out in the Law. All data is retained securely and only used for the purposes set out in the Law. Data is retained to comply with our statutory obligations and in accordance with the ODPA’s retention policy.

COMPLAINTS AND APPEALS

Section 67 of the Law provides for a right to complain to the Authority. Sections 82 and 83 of the Law provide for rights of appeal. Where that complaint relates to the processing of personal data by the ODPA, specific procedures are in place to ensure appropriate review.

Complaints can be lodged via our complaints page, or using our contact details.

COOKIES 

The cookies we use do not directly identify individual people, and they are only used to keep our sites secure and working properly. Some third party services used by the ODPA (for example, Canva) also use cookies for analytical purposes, allowing us to monitor how well our content is performing. You cannot be identified by these cookies. Read our cookie policy here.