Data Protection

The Data Protection (Jersey) Law 2018 grants people a range of specific rights they can exercise over their personal data, in certain circumstances (exemptions may apply). It also sets out the requirements for how organisations, businesses and the government use this personal information.


What you need to know…

Key terms:

  • Data Subject: the individual whose data is being held and processed
  • Data Controller: determines the purposes and means of processing personal data
  • Data Processor: is responsible for processing personal data on behalf of a controller
  • More definitions can be obtained from the JOIC


There is stronger legal protection for sensitive information, also known as special category data, such as race, ethnic background, political opinions, religious beliefs, trade union membership, genetics or biometrics (where used for identification), health, sex life or orientation, criminal record or alleged criminal activity.


  • Be informed about how your data is being used.
  • Access personal data.
  • Have incorrect data updated.
  • Have data deleted (in certain circumstances).
  • Limit or restrict the processing of your data (in certain circumstances).
  • Data portability (allowing you to obtain and reuse your data for different services).
  • Object to how your data is processed (in certain circumstances).


  • Anyone can put in a subject access request (SAR), and there is no charge. It must be in writing.
  • SARs must be responded to within four weeks. In complex cases, you may be able to apply for an extension.
  • The individual should specify exactly what information or processing activities their request relates to. If not, seek clarification.
  • If they request the SAR electronically, respond to them in a commonly used electronic form, unless the individual requests otherwise.
  • If a company does not comply, it may face a fine.
  • Redact names where correspondence contains personal data relating to others.

What you need to do…

  • Data protection principles apply wherever you work.
  • Have a clear Data Protection policy in place and refresh it.
  • Train employees regularly on what is acceptable and any new updates.
  • Don’t ignore SARs; action them immediately.
  • Remember they apply when working remotely!