Data Protection Presentation for Landlords by ODPC

Data Protection Reform
Rachel Masterton
Deputy Data Protection Commissioner
Office of the Data Protection Commissioner (ODPC) in Guernsey

New Data Protection Law
Data Protection (Bailiwick of Guernsey) Law, 2017
Came into force on 25 May 2018
Aligns with the EU GDPR

Key changes
Strengthened rights for individuals
Breach reporting

Data Protection Principles
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Storage limitation – retention of data
Integrity & confidentiality – security of data
Accountability – embrace principles & demonstrate compliance

What personal data do you hold?
Do you hold any special category data?
Where is it from?
Where is it sent?
Why is it processed?
For what purpose?
How is the processing fair & lawful?
Which of the lawful processing conditions is met?

Lawful processing
Consent                          Made public
Contract                         Required by law/court
Vital Interests               Health and social care
                                         Legal proceedings
Public authority            Function of Crown
Required by Law          Law enforcement
Legitimate interests     Not for profit
Historic, scientific

Data controllers must be able to show consent was given
Consent as a basis for processing gives individuals stronger rights
Consent must be
   1 Freely given
   2 Specific
   3 Informed
   4 Unambiguous
Has to be a positive indication of agreement

Special Category Data
Race or ethnic origin
Political opinion
Religious beliefs or similar
Trade union membership
Physical or mental health
Sexual life
Offences, alleged offences

Lawful processing – special category data
Made public                            Explicit consent
Required by law/court          Vital interests
Health and social care
Legal proceedings
Function of Crown
Law enforcement
Not for profit
Historic, scientific

Privacy Notices
The following should be given to individuals at time of data collection :-
    Purpose & legal basis for processing
    Recipients of the data
    Any third countries data are transferred to & safeguards in place
    Data retention periods
    The existence of individual’s rights
    Right to withdraw consent, where provided
    Whether provision has a statutory or contractual basis
    Details where legitimate interests have been relied upon

Individual’s Rights
Individuals will have the right to :
    Subject access
    Have inaccuracies corrected
    Have information erased (“right to be forgotten”)
    Prevent direct marketing
    Prevent processing based on public interest
    Prevent automated decision making & profiling
    Seek compensation
    Data portability (from 25 May 2019)

Subject Access Requests (SARs)
In most circumstances no fee can be charged
Response provided within 1 month
Provide both the personal data & a copy of the privacy information

Breach reporting
Data breaches must be reported to Commissioner within 72 hours of discovery
Individuals impacted should be told where there exists a high riskto their rights and freedoms eg identity theft, personal safety
Breaches, their impact & any remedial action must be fully documented

Controllers responsible for the processing of personal data need to notify with our Office
This is an annual process and costs £50.
Exemption from this where processing only for :-
    Accounts and records
    Staff matters
    Advertising own goods & services
    Small landlords can probably claim this exemption
        But, if CCTV is used, the landlord must be notified

Useful Guidance
Conditions for Lawful Processing 
Information to be Given – Transparency (privacy notices) 
Breach Reporting
Notification and Registration

The Office of the Data Processing Commissioner
St Martin’s House, Le Bordage, St Peter Port, GY1 1BR
Telephone: (01481) 742074
Office email: