All questions

Intellectual property and data protection

Jersey has had data protection legislation since 2005. Following the introduction of the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), Jersey brought in two pieces of legislation to ensure that the Jersey data protection regime maintains equivalence with the EU data protection laws. The legislation is:

  1. the Data Protection (Jersey) Law 2018 (DPJL); and
  2. the Data Protection Authority (Jersey) Law 2018 (DPAJL).

The DPJL deals with duties of data controllers (including the data protection principles), duties of data processors, conditions for processing, obligations to appoint data protection officers, rights of data subjects, exemptions to parts of the law, cross-border transfers and exemptions to the adequacy requirements and remedies and enforcement. Although largely consistent with the GDPR, there are some differences, for example, the period for complying with data subject rights requests is four weeks rather than one month (as is the case in the GDPR) and the right of further extension is eight weeks rather than two months (as is the case in the GDPR).

The DPAJL establishes the data protection authority in Jersey, and includes powers allowing it to investigate complaints and undertake inquiries along with granting it powers of sanction following a finding of a breach (including fines).