03
DAYS LEFT

Registration window open (1 Jan - end of Feb)

If you use personal data in your work you are legally obliged to register during January and February each year.
NEW REGISTRATION? View guidance and create new registration here
EXISTING REGISTRATION? Sign-in to Registrations Portal here
 

GUIDANCE ON REGISTRATION

If you are new to this, please do not worry. We have produced a range of resources to help you:
Please read the resources below and contact us if you need any clarification. 

Our regulated community* is incredibly diverse: anyone who is working with data about people is 'captured' by the local data protection law. So we have tried our best to keep our guidance as broad as possible, and as relevant as possible. 
 

* this includes entities like: landlords, taxi drivers, sports' clubs, builders, residents' associations, charities, schools, small businesses, government, to large multinational organisations (in short: anyone who works with personal data). 

Please note:
If you are brand new to all this you may find it helpful to keep this page open in a separate browser window in case you need to refer to it whilst you are in the Registrations Portal

 

  • If you want a detailed overview with all the key questions answered, please read this guide carefully and contact us if you have any follow up questions. 

    Here is a step-by-step video walkthrough of how to complete a new registration with us. 

  • Registration with us changed at the start of 2021, what is it all about and what does it mean for you?
    Listen to this podcast (recorded in late 2019) to hear the Bailiwick of Guernsey’s Data Protection Commissioner Emma Martins explain to Kirsty Bougourd the main changes to registration and how it’s really just the first step in a journey towards looking after personal data well.

  • Watch this step-by-step video of how to complete a new registration - it will guide you through some areas you may not be familiar with. 
  • 'Processing' refers to anything an entity does with personal data. It includes activities such as (but not limited to): collecting, storing, organising, using, holding, altering, disclosing, erasing and destroying personal data.

  • 'Personal data' has a very broad legal definition and refers to any information that relates to an identified or identifiable living individual. It includes data such as (but not limited to): names, physical addresses, phone numbers, email addresses, photographs of individuals, CCTV footage / recordings of individuals, medical data, political views and sexuality.

    The scope of what is considered ‘personal data’ expands even further when you consider that it includes both factual information about people as well as opinions about people. It also includes anonymised data that could identify people if it was combined with other information.

    Personal data does not include: any data about deceased persons; any information, facts or opinions that do not relate to, or identify people (e.g. employment statistics, or anything else that has been irreversibly anonymised).

    Please Note: additional safeguards apply where 'special category data' is processed. Please see the FAQ on special category data for further information.
     

  • "Special category data" is anything that reveals an individual's:

    1. racial or ethnic origin
    2. political opinion
    3. religious or philosophical belief
    4. trade union membership
    5. genetic data
    6. biometric data
    7. health data
    8. personal data concerning an individual's sex life or sexual orientation
    9. criminal data
    For information relating to the lawful processing conditions for special category data, please refer to this guidance.
     

  • Controller: any entity* who is responsible for the decisions made about why and how they use personal data about staff, customers, suppliers, or any other people. Note: if you are an individual employee of a organisation you would be usually considered to be part of the controller. 

    Processor: any entity* that is given the task of processing personal data by a controller. Processors do not determine the nature or the means of the processing, they just do what the controller tells them to do. If you are part of such an arrangement you need to have in place a Controller/Processor agreement. 

    * in either case, this entity would normally be an organisation, but it could be a specific human being (e.g. sole traders, landlords, elected officials etc).

    Note: you could be both
    It is not always straightforward to determine whether you are a controller or processor. For some processing you may be the controller (e.g. handling your own staff records), but you may be a processor for other processing (e.g. when another organisation instructs you to perform a task) – it all depends on who is making the decisions about how any given data is used.

    For a fuller explanation please see Question 9 in this Guide, or listen to this short podcast (14 mins).  
  • Your registration fee allows the ODPA to fulfil its legal and political requirements to operate independently of the States of Guernsey. 

    Ensuring our jurisdiction has a properly resourced and effective data protection regulator supports islanders’ rights, supports businesses to handle data properly and serves to underpin the Bailiwick’s digital strategy. On a practical level this means you benefit from free advice and guidance on matters related to the protection of people's data via:  
     

  • You are ‘established’ in the Bailiwick of Guernsey if you are a controller, processor or other person (including legal person) that: 

    • is a Guernsey person, Alderney person or Sark person,
    • maintains in the Bailiwick: 
      (i) an office, branch or agency through which the person carries on an activity, or
      (ii) a regular practice,
    • causes or permits any processing equipment in the Bailiwick to be used for processing personal data otherwise than for the purposes of transit through the Bailiwick, or
    • is engaging in effective and real processing activities through stable arrangements in the Bailiwick
       
    Please read this guidance document to help determine whether you are ‘established’ in the Bailiwick of Guernsey for the purposes of the Law, and therefore if you have to register or not. 

  • For reference, please see the definition within Schedule 1D of The Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, as follows:

    "Full time employee can mean either:

    a) an employee who works or who under a contract of service is required to work for the employer 27 hours or more per week, or

    b) a number of employees who do not individually fall within subparagraph (a) but who collectively work or who collectively under their contracts of service are required to work for the employer, 27 hours or more per week in the aggregate

    2. An individual who works or who under his contract of service is required to work for an employer is to be regarded as an employee of the employer whether the contract of service the individual has entered into or works under was made with the employer or, where the employer is a company, with an associated company of the employer.

    3. For the avoidance of doubt –

    (a) the hours worked by an employee includes any hours worked wholly or mainly outside the Bailiwick of Guernsey,

    (b) a director of the employer in his capacity as director is not to be regarded as a full time employee of that employer unless the director is, in that capacity, an employee within the meaning of paragraph 1 of this schedule."


    Please note: In respect of a non-Bailiwick entity which maintains a branch or regular practice in the Bailiwick without separate legal personality, the registration fee to be paid would be determined by the total number of FTE employees of the entity, regardless of their location not only those who may be located in the Bailiwick.

    Please note: In respect of an entity that is established in the Bailiwick who employs FTE employees internationally the registration fee to be paid will be determined by the total number of FTE employees of the entity, regardless of their location not only those who may be located in the Bailiwick.
     

  • All registered controllers and processors must notify the ODPA of any changes to their registration within 28 days, but preferably as soon as is practicable.

    To amend your registration, you will need to log into your ODPA account, select the relevant registration and edit the required details, saving these changes once complete.

    To cancel your registration, you will need to log into your ODPA account, select the relevant registration and select the “Cancel Registration” option from the menu bar, selecting the reason for the cancellation accordingly.

    If you need to transfer your registration to a new email address, please see the FAQ below titled “How do I transfer my registration to someone else?

    If you experience any issues accessing your account, please contact us and our registrations team can amend or cancel the registration on your behalf.

     

  • Transferring your registration to someone else is very straightforward, please watch this 145 second video which walks you through the steps. 

    If the current account holder has already left your organisation, please contact us and we can transfer it for you.

  • This depends on whether you are working with people's data, please see our 'I don't think I need to register' page for further details

  • If you only have data for your own personal use, for things such as sending Christmas cards or taking pictures for your own enjoyment, the Law does not apply to your processing. 

    If you are uncertain about whether your processing falls within this personal/household definition, we have published this short guidance note with some criteria which may assist you in working out whether you are exempt. 

  • These are organisations registered with and/or regulated by the Guernsey Financial Services Commission (GFSC) who are authorised to declare, and pay the levies for, other controllers or processors.

    To find out more about paying your fee via an LCA (or becoming one yourself) please read this guidance document. You can also watch this 3 minute video about LCAs

    If you are an established LCA and you just need a template Certificate of Exemption on its own you can find one here - please ensure you have read and understood the LCA guidance document before using this template.

  • If you rent out your property to tenants you have a legal obligation to maintain an annual registration with the Data Protection Authority under The Data Protection (Bailiwick of Guernsey) Law, 2017. Please read our guidance for private landlords here

  • If you are a sole trader or a small businesses ‘Established in the Bailiwick’, and you are doing anything with information about individuals (e.g. your customers) you are required to register with the Authority. Please read our registration guidance for sole traders and small businesses here.

  • This will depend on your specific circumstances, but to help you the Guernsey Investment & Funds Association (GIFA) produced this guidance note.

  • It depends on each administered entity's status, please refer to this detailed guidance note in the first instance. 
     

  • It depends on each administered entity's status, please refer to this guidance note, produced by the Guernsey Association of Trustees in the first instance. 

  • It is highly likely that a company would be required to register with the Authority. The vast majority of company records will hold personal data, such as (but not limited to) the identities of Directors contained within the Directors' Register.

    The only exception to the obligation of a company which is “established in the Bailiwick” to register with the Authority would be if the company’s directors were all corporate directors and no other processing of personal data was taking place.

    Please Note: the above guidance applies to all companies and is not limited solely to companies which have been set up for a commercial purpose. This would include (but not be limited to) companies which have been set up for the purposes of asset holding / personal investment and companies which are currently dormant / non-trading.
     

  • In cases where a branch of an organisation is operating within the Bailiwick of Guernsey, it would be likely that either the parent organisation alone or both the branch and parent organisation would be required to register with the Authority.

    If the parent organisation is a controller and/or processor that “maintains in the Bailiwick – (i) an office, branch or agency through which the person carries on an activity, or (ii) a regular practice” it would be “established in the Bailiwick” under the definition contained within Section 111 of The Data Protection (Bailiwick of Guernsey) Law, 2017. Registration with the Authority would therefore be required. This would remain the case regardless of whether the Bailiwick-based branch is a controller and/or processor in its own right.

    If the Bailiwick-based branch is a controller and/or processor, in its own right, it will also be required to maintain its own registration with the Authority. If the Bailiwick-based branch is not a controller and/or processor, in its own right, then it will not be required to maintain a separate registration with the ODPA.
     

  • If a non-Bailiwick based controller or processor uses the services of a Bailiwick-based processor to process personal data, on its behalf, then it will also be “established in the Bailiwick” under the definition contained within Section 111 of The Data Protection (Bailiwick of Guernsey) Law, 2017. This is because it would either be causing or permitting any processing equipment in the Bailiwick to be used for processing personal data otherwise than for the purposes of transit through the Bailiwick or be engaging in effective and real processing activities through stable arrangements in the Bailiwick. 

    If this is the case, registration with the ODPA would be required for the non-Bailiwick based controller or processor, in addition to that of the Bailiwick-based processor.

    Examples of using a Bailiwick-based processor may include (but not be limited to) the outsourcing of the following functions: company administration, payroll, employment services, rental property management, archiving/storage, accountancy, HR, IT support, marketing and web hosting.

    Please Note: the above guidance would be inclusive of the outsourcing of functions to Bailiwick-based contractors and/or sole traders who are acting as processors, in addition to organisations.

     

  • There is no exemption within The Data Protection (Bailiwick of Guernsey) Law, 2017 which would exempt companies which are in the process of closure or potential closure from the requirement to maintain a registration with the Authority. 

    The requirement to maintain a registration with the Authority would still be applicable for these companies, assuming that they are still processing personal data during this process, such as the holding of a Directors’ Register which identifies individual persons acting as Directors.

    If an application for voluntary strike off or a voluntary winding up submission has been made with the Guernsey Registry between 1st March and 31 December you are still required to maintain a registration with the Authority in the current year, up until the point of closure, but will not be required to maintain one in the subsequent year.

    Please Note: if the administrator / liquidator themselves have taken controllership of the company as part of the administration/liquidation process, the company’s registration would be covered by the administrator/ liquidator’s own registration.