Published: 20 August 2025
The Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”)
The Data Protection Authority (“The Authority”)
Issued: 3pm, 20 August 2025
Controller: Watches of Switzerland Company Limited (“WoS”)
In November 2024, the Authority received a complaint from an individual in relation to a Data Subject Access Request (“DSAR”) they submitted to Mappin & Webb (part of the WoS group).
The DSAR included a request for material specifically relating to a decision made by WoS, involving the Complainant, and the withdrawal of certain customer services by Mappin & Webb.
WoS responded to the DSAR, providing a pack of material. However, the Complainant noted some information was missing, including any items relating to the aforementioned decision-making process.
The Complainant raised concerns with WoS, who advised they had provided all the information they held.
During the Authority’s investigation, WoS located additional material relating to the Complainant which they had failed to identify during the initial DSAR process. The newly identified information included material relating to the decision-making process.
Through the Authority’s review of the identified material, concerns were raised that WoS’s search process was not sufficiently extensive and did not consider appropriate sources of personal data, such as local branch staff or historic/archived material.
As a result, the additional material was not captured during the original DSAR process.
It was also apparent, through discussions with WoS, that clarification was needed regarding what information may constitute a customer’s personal data and therefore be captured through a DSAR.
Under section 15 of the Law, the right of access, individuals are entitled to a copy of the personal data processed by the controller (in this case, WoS). Controllers must take reasonable steps to facilitate the exercise of data subject rights, including conducting appropriate searches to capture the relevant information.
Failing to do so can lead to important personal data being overlooked and excluded from an individual’s disclosure.
The Authority determined that WoS had breached an operative provision of the Law, namely section 15 relating to Right of Access as follows:
In this case, some of the material withheld had been directly sought by the Complainant in their original request. This was partly due to WoS’s DSAR process failing to locate certain relevant material containing the Complainant’s personal data.
The Authority has issued WoS with an enforcement order, requiring that they take certain steps to comply with the Law, including:
Organisations must ensure reasonable steps are taken to facilitate a DSAR: this includes ensuring internal processes and policies are in place to capture any relevant personal data processed by the organisation.
They must ensure they fully understand the information they hold and what may or may not constitute personal data. The search process should take into account all potential locations of personal data processed by the organisation. It is important to not unnecessarily restrict the search process and to take reasonable steps to identify any information that may be relevant to the DSAR. When dealing with a large organisation, it is often best practice to liaise with the relevant branch, department or member of staff to confirm whether they hold or are aware of any material that would otherwise not have been captured through the standard process.
Organisations should properly consider any concerns raised by an individual (post-disclosure) and, if necessary, review their DSAR process, in combination with the information provided to the individual, to ensure no personal data was missed.
The Authority does wish to highlight that, following notification of the Authority’s proposed determination, WoS took proactive steps to address our concerns and ensure the final order could be actioned as soon as practicable. This included drafting an update to their internal DSAR process. The Authority commends this action, which demonstrates positive engagement with the regulator and a desire to support data subject rights.