Fair Processing Notice

Fair Processing Notice

 

The Guernsey Legal Resources website is run and maintained by the Royal Court and the Law Officers of the Crown. It is used to provide customers with the opportunity to view legal resource content as well as purchase enhanced content, for example, consolidated texts of legislation and Law Reports.

 

1.   The Data Protection Law

 

Definitions as defined by the Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”):

Controller: “(a) means a person that, alone or jointly with others, determines the purposes and means of the processing of any personal data, and (b) for the avoidance of doubt, includes a processor or any other person, where the processor or other person determines the purposes and means of processing personal data”.

Processor: “(a) means an individual or other person that processes personal data on behalf of a controller, and (b) includes a secondary processor within the meaning of section 36(1)”.

Data Subject: “in relation to personal data, means the identified or identifiable individual to whom the personal data relates”.

The Law

The controller, HM Greffier, acknowledges its obligations under the Law which provides a number of requirements in terms of processing activities involving personal data. The controller further acknowledges the general principles of processing as well as the rights of a data subject. More information in relation to the relevant provisions are provided within this fair processing notice.

 

2.   The Principles of Processing

 

a. Lawfulness, fairness and transparency

Personal data must be processed lawfully, fairly and in a transparent manner.

In order to access the enhanced content, the controller collects personal data directly from data subjects who register for an account on the website. No personal data is collected from any third party or publicly available source. None of the personal data collected for this purpose is classified as “Special Category Data” (the most sensitive data as defined by data protection law). The personal data that is collected for this purpose includes:

·         The name of the data subject;

·         Email address;

·         Postal address;

·         The name of the organisation the data subject works for, if relevant to the subscription type; and,

·         Whether the data subject is seeking to subscribe as a law firm, business, private individual, Channel Island politician, member of the judiciary, civil servant, or academic or student).

 

The name of the data subject, the name of the organisation the data subject works for, and subscription type is required for verification that the correct rate is applied in relation to the product that has been purchased. The data subject’s email address is required in order to: create an account where their purchased documents are held; to provide an electronic receipt of the data subject’s purchase; to provide notice to the data subject when the subscription period is due to expire; and to provide updates on new items which have been added to the site.

 

In terms of the lawful basis for the processing of the above personal data; by providing this personal data with a view to acquiring an account, the data subject has given consent to the processing of the personal data for the purposes for which it will be processed. In addition, the personal data mentioned in the paragraph above is also processed on the basis that it is necessary for the conclusion or performance of the contract between the subscriber and the controller (the Royal Court). Should the data subject wish to withdraw their consent to the processing of their personal data in relation to the creation and ongoing maintenance of their account, this can be achieved by sending an email indicating their withdrawal of consent to: [email protected]

 

The email addresses of the data subjects may also be used by the controller to send news regarding website changes and updates to keep the customer informed of developments, to contact data subjects for market research purposes, or to offer other products and services. Data subjects will be required to provide their consent via the website in order to receive this service. No automated decision making will take place which involves the personal data of any data subject. Should the data subject wish to withdraw their consent with regards to the processing of their personal data for new updates, this can also be achieved by sending an email indicating their withdrawal of consent to: [email protected]. Withdrawal of consent would not affect the lawfulness of processing based on consent before its withdrawal.

 

When a purchase is made, personal data is collected by the billing service provider, Capita. Capita is a processor which provides a billing service for the Royal Court.
The lawful basis for the provision of this service, and the subsequent data that is accessible by Capita, is that the processing is necessary for the legitimate interests of the controller and in accordance with Schedule 2, Part 2(a) of the Law, the processing is necessary for the performance of a contract made between the controller and a third party in the interest of the data subject.. The personal data that is collected for this purpose includes the above as well as:

·         The data subject’s contact information, including email address; and

·         The data subject’s billing address and debit/credit card details

The billing address and debit/credit card details are required in order to bill the data subject for the purchasing of goods. The specific data types processed by Capita are necessary for the functioning of the billing process which is required for certain subscription and content types. The lawful basis for collecting and processing this personal data is that the processing is necessary for the conclusion or performance of a contract to which the data subject is party. The controller does not share any of the personal data that is collected via the website with any third party other than Capita for reasons stated above. The storage of credit/debit card data is in line with Payment Card Industry Data Security Standard (PCI DSS).

Personal data that may be collected includes:

·         Information regarding the purchases of specific items and/or types of products; and,

·         Other information relevant to customer surveys.

The controller may collect and process the above personal data in order to perform the functions of the website and to gather information to make future improvements to the service provided. Upon creating an account, data subjects can provide their consent to the processing of their personal data for the above-mentioned purposes and the lawful basis for the processing of this personal data is that the data subject has provided their consent. Should the data subject wish to withdraw this consent to this processing at any stage, this can be achieved by sending an email indicating their withdrawal of consent to: [email protected]

The Guernsey Legal Resources website may use “cookies” in this way to track your usage across the site so as to customise your experience and to record the number of users accessing the site as well as the pages viewed. You may disallow receiving cookies at any time through your web browser. It is not our intention to use cookies to retrieve information that is unrelated to our site or your interaction with our site.

 

b. Purpose limitation

Personal data must not be collected except for a specific, explicit and legitimate purpose and, once collected, must not be further processed in a manner incompatible with the purpose for which it was collected.

The controller acknowledges its responsibility with regards to this data protection principle and therefore the controller maintains that it will not further process personal data in a way which is incompatible with the original purpose for processing as specified in section 2a, unless the controller is required to do so by law. The personal data will not be transferred to a recipient in an unauthorised jurisdiction (as per the definition within data protection law).

 

c. Minimisation

Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.

The controller maintains that it will only process the personal data which is detailed in section 2a, and will not process any further personal data that is not necessary in relation to the original purpose for processing personal data as specified in section 2a, unless the controller is required to do so by law.

 

d. Accuracy

Personal data processed must be accurate, kept up-to-date (where applicable) and reasonable steps must be taken to ensure that personal data that is inaccurate is erased or corrected without delay.

The controller will ensure that all personal data that it holds is accurate and kept up-to-date, and any personal data that is inaccurate will be erased or corrected without delay.

 

e. Storage limitation

Personal data must not be kept in a form that permits identification of a data subject for any longer than is necessary for the purpose for which it is processed.

Where a data subject provides personal data to the controller through the Guernsey Legal Resources website, the controller will maintain personal data of those individuals as required for their user accounts on the website. The controller will hold this personal data until such time as the data subject closes their account. Once an account has been closed, the controller will erase all personal data relating to that data subject.

 

f. Integrity and confidentiality

Personal data must be processed in a manner that ensures its appropriate security, including protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The controller will process all personal data with appropriate levels of security. Personal data provided by data subjects using the Guernsey Legal Resources website is collected and stored online for a period in line with that outlined in the Royal Court Document and Record Retention and Destruction Schedule and, in order to prevent unauthorised or unlawful processing, the controller has put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information that is collected.

In terms of payment information, all online payment transactions with the States of Guernsey are encrypted. The Guernsey Legal Resources website is managed and maintained by the controller. The controller has engaged with an additional processor in relation to the functioning of the website. The processor is Capita. This processor provides the billing service for the website.  

 

g. Accountability

The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.

The controller of the personal data is the Royal Court and the contact details of the controller are as follows:

The Offices of H.M. Greffier, H.M. Sheriff and Sergeant, and the Bailiff’s Office

Royal Court House
St James Street
St Peter Port
Guernsey
GY12NZ

Email: [email protected]

The Offices of H.M. Greffier, H.M. Sheriff and Sergeant, and the Bailiff’s Office Data Protection Officer contact details are as follows:

Data Protection Officer

Tel: 01481 220012

Email: [email protected]

 

3.  Data Subject Rights

Notwithstanding exemptions under The Data Protection (Bailiwick of Guernsey) Law, 2017, data subjects have the following rights:

a. Right of access

 A data subject has the right to be advised as to whether a controller is processing personal data relating to them and, if so, that individual is entitled to one free copy of their personal data (with further copies available at a fee prescribed by the controller). This is known as a Subject Access Request (SAR). Upon receipt of an SAR, the controller has a period of one month to adhere to the request (an extension of two further months can be sought by the controller depending upon the complexity and number of requests submitted by the data subject). In order to verify the data subject’s identity, the Controller may request the provision of any additional information that is reasonably necessary to confirm it.

 

b. Right to data portability

A data subject has the right to data portability, this means that an individual is able to arrange for the transfer of their personal data from one controller to another without hindrance from the first controller. This right can only be utilized where the processing is based on consent or for the performance of a contract. This right cannot be used for processing by a public authority.

Where a data subject invokes the right to data portability, the data subject has the right to be given their personal data in a structure, commonly used and machine-readable format suitable for transmission from one controller to another. Upon the request of a data subject, the controller must transmit their personal data directly to another controller unless it is technically unfeasible to do so.

 

c. Exception to right of portability or access involving disclosure of another individual’s personal data

A controller is not obliged to comply with a data subject’s request under the right of access or right to data portability where the controller cannot comply with the request without disclosing information relation to another individual who is identified or identifiable from that information.

 

d. Right to object to processing

A data subject has the right to object to a controller’s activities relating to the processing of personal data for direct marketing purposes, on grounds of public interest and for historical or scientific purposes.

 

e. Right to rectification

A data subject has the right to require a controller to complete any incomplete personal data and to rectify or change any inaccurate personal data.

 

f. Right to erasure

A data subject has the right to submit a written request to a controller regarding the erasure of the data subject’s personal data in certain circumstances. These include where:

·         The personal data is no longer required in relation to its original purpose for collection by the controller;

·         The lawfulness of processing is based on consent and the data subject has withdrawn their consent;

·         The data subject objects to the processing and the controller is required to cease the processing activity;

·         The personal data has been unlawfully processed;

·         The personal data must be erased in order to comply with any duty imposed by law; or,

·         The personal data was collected in the context of an offer from an information society service directly to a child under 13 years of age.

 

g. Right to restriction of processing

A data subject has the right to request, in writing, the restriction of processing activities which relate to the data subject’s personal data. This right can be exercised where:

·         The accuracy or completeness of the personal data is disputed by the data subject who wishes to obtain restriction of processing for a period in order for the controller to verify the accuracy or completeness;

·         The processing is unlawful, but the data subject wishes to obtain restriction of processing as opposed to erasure;

·         The controller no longer requires the personal data, however the data subject requires the personal data in connection with any legal proceedings; or

·         The data subject has objected to processing but the controller has not ceased processing operations pending determination as to whether public interest outweighs the significant interests of the data subject.

 

h. Right to be notified of rectification, erasure, and restrictions

Where any rectification, erasure or restriction of personal data has been carried out, the data subject has a right to ensure that the controller notifies any other person to which the personal data has been disclosed about the rectification, erasure, or restriction of processing. The controller must also notify the data subject of the identity and contact details of the other person if the data subject requests this information.

I. Right not to be subject to decisions based on automated processing

A data subject has the right not to be subjected to automated decision making without human intervention.

To exercise these data subject rights, please contact either the data protection officer or the controller (as per the contact details provided in 2g).

 

j. Right to make a complaint

An individual may make a complaint in writing to the Data Protection Authority under section 67 of the Data Protection (Bailiwick of Guernsey) Law, 2017 if the individual considers that a controller or processor has breached, or is likely to breach, an operative provision of that Law, and the breach involves affects or is likely to involve or affect any personal data relating to the individual or any data subject right of the individual (as listed above).

 

The Authority’s contact details are:

The Office of the Data Protection Authority

Block A, Lefebvre Court
Lefebvre Street
St Peter Port,
Guernsey,
GY1 2JP 

Email: [email protected]
https://www.odpa.gg/