You’re offline. This is a read only version of the page.
* this includes entities like: landlords, taxi drivers, sports' clubs, builders, residents' associations, charities, schools, small businesses, government, to large multinational organisations (in short: anyone who works with personal data).
If you want a detailed overview with all the key questions answered, please read this guide carefully and contact us if you have any follow up questions.
Here is a step-by-step video walkthrough of how to complete a new registration with us.
Registration with us changed at the start of 2021, what is it all about and what does it mean for you?
Listen to this podcast (recorded in late 2019) to hear the Bailiwick of Guernsey’s Data Protection Commissioner Emma Martins explain to Kirsty Bougourd the main changes to registration and how it’s really just the first step in a journey towards looking after personal data well.
'Processing' refers to anything an entity does with personal data. It includes activities such as (but not limited to): collecting, storing, organising, using, holding, altering, disclosing, erasing and destroying personal data.
'Personal data' has a very broad legal definition and refers to any information that relates to an identified or identifiable living individual. It includes data such as (but not limited to): names, physical addresses, phone numbers, email addresses, photographs of individuals, CCTV footage / recordings of individuals, medical data, political views and sexuality.
The scope of what is considered ‘personal data’ expands even further when you consider that it includes both factual information about people as well as opinions about people. It also includes anonymised data that could identify people if it was combined with other information.
Personal data does not include: any data about deceased persons; any information, facts or opinions that do not relate to, or identify people (e.g. employment statistics, or anything else that has been irreversibly anonymised).
Please Note: additional safeguards apply where 'special category data' is processed. Please see the FAQ on special category data for further information.
"Special category data" is anything that reveals an individual's:
Your registration fee allows the ODPA to fulfil its legal and political requirements to operate independently of the States of Guernsey.
Ensuring our jurisdiction has a properly resourced and effective data protection regulator supports islanders’ rights, supports businesses to handle data properly and serves to underpin the Bailiwick’s digital strategy. On a practical level this means you benefit from free advice and guidance on matters related to the protection of people's data via:
You are ‘established’ in the Bailiwick of Guernsey if you are a controller, processor or other person (including legal person) that:
For reference, please see the definition within Schedule 1D of The Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, as follows:
"Full time employee can mean either:
a) an employee who works or who under a contract of service is required to work for the employer 27 hours or more per week, or
b) a number of employees who do not individually fall within subparagraph (a) but who collectively work or who collectively under their contracts of service are required to work for the employer, 27 hours or more per week in the aggregate
2. An individual who works or who under his contract of service is required to work for an employer is to be regarded as an employee of the employer whether the contract of service the individual has entered into or works under was made with the employer or, where the employer is a company, with an associated company of the employer.
3. For the avoidance of doubt –
(a) the hours worked by an employee includes any hours worked wholly or mainly outside the Bailiwick of Guernsey,
(b) a director of the employer in his capacity as director is not to be regarded as a full time employee of that employer unless the director is, in that capacity, an employee within the meaning of paragraph 1 of this schedule."
Please note: In respect of a non-Bailiwick entity which maintains a branch or regular practice in the Bailiwick without separate legal personality, the registration fee to be paid would be determined by the total number of FTE employees of the entity, regardless of their location not only those who may be located in the Bailiwick.
Please note: In respect of an entity that is established in the Bailiwick who employs FTE employees internationally the registration fee to be paid will be determined by the total number of FTE employees of the entity, regardless of their location not only those who may be located in the Bailiwick.
All registered controllers and processors must notify the ODPA of any changes to their registration within 28 days, but preferably as soon as is practicable.
To amend your registration, you will need to log into your ODPA account, select the relevant registration and edit the required details, saving these changes once complete.
To cancel your registration, you will need to log into your ODPA account, select the relevant registration and select the “Cancel Registration” option from the menu bar, selecting the reason for the cancellation accordingly.
If you need to transfer your registration to a new email address, please see the FAQ below titled “How do I transfer my registration to someone else?”
If you experience any issues accessing your account, please contact us and our registrations team can amend or cancel the registration on your behalf.
Transferring your registration to someone else is very straightforward, please watch this 145 second video which walks you through the steps.
If the current account holder has already left your organisation, please contact us and we can transfer it for you.
This depends on whether you are working with people's data, please see our 'I don't think I need to register' page for further details.
If you only have data for your own personal use, for things such as sending Christmas cards or taking pictures for your own enjoyment, the Law does not apply to your processing.
If you are uncertain about whether your processing falls within this personal/household definition, we have published this short guidance note with some criteria which may assist you in working out whether you are exempt.
These are organisations registered with and/or regulated by the Guernsey Financial Services Commission (GFSC) who are authorised to declare, and pay the levies for, other controllers or processors.
To find out more about paying your fee via an LCA (or becoming one yourself) please read this guidance document. You can also watch this 3 minute video about LCAs.
If you are an established LCA and you just need a template Certificate of Exemption on its own you can find one here - please ensure you have read and understood the LCA guidance document before using this template.
If you rent out your property to tenants you have a legal obligation to maintain an annual registration with the Data Protection Authority under The Data Protection (Bailiwick of Guernsey) Law, 2017. Please read our guidance for private landlords here.
If you are a sole trader or a small businesses ‘Established in the Bailiwick’, and you are doing anything with information about individuals (e.g. your customers) you are required to register with the Authority. Please read our registration guidance for sole traders and small businesses here.
This will depend on your specific circumstances, but to help you the Guernsey Investment & Funds Association (GIFA) produced this guidance note.
It depends on each administered entity's status, please refer to this detailed guidance note in the first instance.
It depends on each administered entity's status, please refer to this guidance note, produced by the Guernsey Association of Trustees in the first instance.
It is highly likely that a company would be required to register with the Authority. The vast majority of company records will hold personal data, such as (but not limited to) the identities of Directors contained within the Directors' Register.
The only exception to the obligation of a company which is “established in the Bailiwick” to register with the Authority would be if the company’s directors were all corporate directors and no other processing of personal data was taking place.
Please Note: the above guidance applies to all companies and is not limited solely to companies which have been set up for a commercial purpose. This would include (but not be limited to) companies which have been set up for the purposes of asset holding / personal investment and companies which are currently dormant / non-trading.
In cases where a branch of an organisation is operating within the Bailiwick of Guernsey, it would be likely that either the parent organisation alone or both the branch and parent organisation would be required to register with the Authority.
If the parent organisation is a controller and/or processor that “maintains in the Bailiwick – (i) an office, branch or agency through which the person carries on an activity, or (ii) a regular practice” it would be “established in the Bailiwick” under the definition contained within Section 111 of The Data Protection (Bailiwick of Guernsey) Law, 2017. Registration with the Authority would therefore be required. This would remain the case regardless of whether the Bailiwick-based branch is a controller and/or processor in its own right.
If the Bailiwick-based branch is a controller and/or processor, in its own right, it will also be required to maintain its own registration with the Authority. If the Bailiwick-based branch is not a controller and/or processor, in its own right, then it will not be required to maintain a separate registration with the ODPA.
If a non-Bailiwick based controller or processor uses the services of a Bailiwick-based processor to process personal data, on its behalf, then it will also be “established in the Bailiwick” under the definition contained within Section 111 of The Data Protection (Bailiwick of Guernsey) Law, 2017. This is because it would either be causing or permitting any processing equipment in the Bailiwick to be used for processing personal data otherwise than for the purposes of transit through the Bailiwick or be engaging in effective and real processing activities through stable arrangements in the Bailiwick.
If this is the case, registration with the ODPA would be required for the non-Bailiwick based controller or processor, in addition to that of the Bailiwick-based processor.
Examples of using a Bailiwick-based processor may include (but not be limited to) the outsourcing of the following functions: company administration, payroll, employment services, rental property management, archiving/storage, accountancy, HR, IT support, marketing and web hosting.
Please Note: the above guidance would be inclusive of the outsourcing of functions to Bailiwick-based contractors and/or sole traders who are acting as processors, in addition to organisations.
Businesses will need to maintain their registration with the Authority until the point at which they are no longer processing personal data (processing includes the holding / retention of personal data).
For example, if your business retains the personal data of previous or current clients, customers or suppliers, such as for the purposes of accounting or to fulfil other legal obligations, it will be required to maintain a registration with the ODPA.
*** For guidance relating to Companies specifically, please see our FAQ below entitled "What does this mean for Companies which are in the process of closure or potential closure? (in administration, in liquidation, being struck-off, being wound up etc.)”
There is no exemption within The Data Protection (Bailiwick of Guernsey) Law, 2017 which would exempt companies which are in the process of closure or potential closure from the requirement to maintain a registration with the Authority.
The requirement to maintain a registration with the Authority would still be applicable for these companies, assuming that they are still processing personal data during this process, such as the holding of a Directors’ Register which identifies individual persons acting as Directors.
If an application for voluntary strike off or a voluntary winding up submission has been made with the Guernsey Registry between 1st March and 31 December you are still required to maintain a registration with the Authority in the current year, up until the point of closure, but will not be required to maintain one in the subsequent year.
Please Note: if the administrator / liquidator themselves have taken controllership of the company as part of the administration/liquidation process, the company’s registration would be covered by the administrator/ liquidator’s own registration.
The Bailiwick of Guernsey's independent supervisory authority which regulates data protection legislation. The ODPA protects people by driving responsible use of personal information through helping organisations get it right, deterring harmful information handling, and taking enforcement action against significant non-compliance
Receive regular information and statistics related to our activities and governance
Sign up now
The Office of the Data Protection Authority
+44 (0)1481 742074enquiries@odpa.gg
St Martin's House, Le Bordage, St. Peter Port, Guernsey GY1 1BR
Newsletters sign-up Data Processing Notice Careers Cookies
Website by
&
Indulge
© 2024 The Office of the Data Protection Authority.