Privacy Notice

Last updated: 14 April 2021

The Data Protection (Bailiwick of Guernsey) Law, 2017 requires us to provide certain information to you. We provide this via our Privacy Statement below. This applies to all personal data collected by the Office of the Data Protection Authority (ODPA) except for that relating to recruitment.

WHO ARE WE?

We are the Office of the Data Protection Authority for the Bailiwick of Guernsey (ODPA). Our legal identity and powers come from the Data Protection (Bailiwick of Guernsey) Law, 2017 (and associated statutory instruments) (the Law) where we are described as ‘the Authority’. Our contact details are here.

DATA PROTECTION OFFICER (DPO)

The Data Protection Officer for the ODPA is Rachel Masterton, who can be contacted by email (r.masterton@odpa.gg), telephone (+44 1481 742074) or in writing (contact details here).

WHEN PERSONAL DATA IS COLLECTED

Personal data is collected

HOW WE USE YOUR PERSONAL DATA

Data collected in relation to complaints submitted under the Law or other regulatory or enforcement action taken by the ODPA

All personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and/or 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 1, Parts I and II of the Law. All special category data collected for this purpose is processed under paragraphs 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) and/or 12 (legal proceedings & establishing, exercising and defending legal rights) of Schedule 2, Part II of the Law.

This information is processed for the purpose of responding to or investigating your complaint. It is likely that we will need to provide some or all of this information to the controller or processor you have complained about to allow for further enquiry and investigation.  If there is information you do not wish to be passed on, please let us know.

In certain cases, it may not be possible to complete a full review of the circumstances surrounding the complaint/enquiry without disclosing some or all of the information you have provided, including your name. In such circumstances, we will discuss this in detail with you and agree on the next steps. Only in exceptional cases, where there is evidence of a serious compliance concern, would we consider pursuing an investigation where the complaint has been withdrawn. We will discuss this with you in detail should that situation arise.

We recognise that an enquiry or complaint may involve sensitive and confidential matters and will ensure we involve you in decisions made relating to the progress of the case and will keep you updated.

If you are concerned about providing information relating to a complaint or investigation, please discuss this with us.

We do compile and publish statistics relating to the number and nature of complaints received but never in a form that would identify any individual.

We may also make a public statement at the end of a case, but you will be consulted if you could be identifiable.

Data collected as part of the breach reporting process

All personal data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

Breach reports will be reviewed and the ODPA may get in contact for further information or to assess compliance with the Law.

Data collected as part of the registration process

All personal data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

Many businesses and organisations are required by law to register with the Office of the Data Protection Authority of the processing they carry out. This may contain personal information, for example where the business is a sole trader.

Details of a relevant member of staff are requested as part of this process as well as the DPO details and are used solely by the ODPA for administration purposes.

Data collected by email

Personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Parts I and II of the Law. Special category data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

We process information supplied by email using standard email applications, and we may also record it in our customer relationship management system if it relates to a complaint, breach, registration or other matter of significance.

When you interact with our online content via third parties

All personal data collected for this purpose is processed under paragraph 5 (necessary for the exercise or performance by a public authority of a task carried out in the public interest) of Schedule 2, Part I of the Law.

We process personal data when you interact with our content shared via third-party services such as LinkedIn and Apple (based in the USA and part of the EU-US Privacy Shield framework) and SoundCloud (based in Germany).

We use this data solely for monitoring how well our content is performing (how many views it has, who likes it, who shares it etc.) as an indicator of how well we are meeting our statutory obligations under section 61 of the Law (to promote public awareness of risks, rules, safeguards and rights in relation to processing, especially in relation to children, and to promote the awareness of controllers and processors of their duties under this Law).

Data collected as part of newsletter sign-up

We process your personal data (in this instance: email address only) in relation to our newsletter sign-up process under paragraph 1 (consent) of Schedule 2, Part I of the Law.

When completing our newsletter sign up form, you only need to provide your email address. We use your email address for the sole purpose of sending you the newsletter. During the sign-up process you will receive an email to verify your details and a confirmation email once sign-up has been completed.

We use the legal basis of ‘consent’ to process your data in this way; as such, you are free to withdraw your consent at any time. An unsubscribe link is included in each newsletter email to enable you to unsubscribe. Alternatively, you can email communications@odpa.gg from the email address you are subscribed through and ask us to unsubscribe you.

We use Campaign Master to deliver our newsletter; they are a UK-based organisation.

Data collected as part of registering/attending an event

We process your personal data (in this instance: your name, mobile number and email address only) in relation to our event registration process under paragraph 2 (the entering into and performance of a contract) of Schedule 2, Part I of the Law.

When registering for an event with us, you only need to provide your name, mobile number and email address. We will use this information to facilitate the event and your attendance at it. We will be unable to manage your attendance at any event without your name, mobile number and email address. You will not receive any event specific communication other than for events you have signed up for.

When registering for an event with us, we will ask you to let us know if you are happy to be included in photographs that may be taken during the event that we may share online. This is processed under paragraph 1 (consent) of Schedule 2, Part I of the Law and as such you can decide whether you wish to be in photos or not. If you do not want to be photographed this will not impact on your experience of the event.  

We seek your job title so we can understand the make-up of an event’s audience, to tailor it accordingly. This is processed with your consent (Para. 1 of Schedule 2, Part I of the Law) and as such you do not have to tell us your job title if you don’t want to. Not providing it will not negatively impact your attendance or experience of the event.

On the odd occasion that we run events that are catered, we will ask you to provide details of any specific dietary requirements so that we can try to cater to your needs. This is processed with your explicit consent (Para. 18 of Schedule 2, Part III of the Law).

We use Ticket Tailor to manage our events registration; they are a UK-based organisation.

We use password-protected Zoom webinars to host our online events, which we record and post to our YouTube channel. Zoom and YouTube are US-based organisations - please refer to their privacy policies for details of what personal data they process. Your attendance at an online event is processed under paragraph 2 (the entering into and performance of a contract) of Schedule 2, Part I of the Law. Whilst the event will be recorded and subsequently posted, this will not include any reference or record of the attendees. Further, any online polls and Q&A sessions are anonymous and as such no personal data is processed. 

Data collected as a result of attendance at our drop-in sessions 

We process your personal data (in this instance: your name only) when you attend one of our drop-in sessions for fire-evacuation purposes under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law, and to understand how you came to hear of our drop-in sessions.

Data collected as a result of enquiries made by phone or in person

Personal data collected for this purpose is processed under paragraphs 5 (exercise of functions by a public authority) and/or 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Parts I and II of the Law. Special category data collected for this purpose is processed under paragraph 8 (to exercise any right or power, or perform or comply with any duty, conferred or imposed on the controller by an enactment) of Schedule 2, Part II of the Law.

We may record information in our customer relationship management system if the information relates to a complaint, breach or registration or other matter of significance.

YOUR RIGHTS

The Law provides you with a number of specific rights.

If you want to make a submission in respect of any one of these rights, please contact our data protection officer.

TRANSFERS OF DATA

The ODPA does not intend to transfer any personal data to authorised jurisdictions outside of the EU, or to unauthorised jurisdictions unless we are required to do so by Law. Please note that data processed in relation to our newsletter and events is hosted by UK-based organisations, the UK being deemed an authorised jurisdiction by Ordinance.

LINKS TO OTHER WEBSITES

This notice does not cover any third-party websites reached via links on this website. You are advised to read the data collection statements on the other websites you visit.

RETENTION OF DATA

The ODPA fulfils a statutory function as set out in the Law. All data is retained securely and only used for the purposes set out in the Law. Data is retained to comply with our statutory obligations and in accordance with the ODPA’s retention policy.

COMPLAINTS AND APPEALS

Section 67 of the Law provides for a right to complain to the Authority. Sections 82 and 83 of the Law provide for rights of appeal. Where that complaint relates to the processing of personal data by the ODPA, specific procedures are in place to ensure appropriate review.

Complaints can be lodged via our complaints page, or using our contact details.

COOKIES 

Our cookies policy is available here