The Data Protection (Bailiwick of Guernsey) Law, 2017 applies to data processing activities in the context of an establishment in Guernsey, extending its scope to controllers and processors established within the Bailiwick.

Text of Relevant Provisions

Data Protection Law Art.2(3)(a):

*"(3) Condition B is that – * (a) the processing is in the context of a controller or processor established in the Bailiwick, or "

Analysis of Provisions

The Data Protection Law of Guernsey extends its applicability to data processing activities that are conducted "in the context of a controller or processor established in the Bailiwick". This provision sets a clear territorial scope for the law, focusing on the establishment of the data controller or processor rather than the location of the actual data processing.

The use of the phrase "in the context of" is significant as it suggests that the law applies not only to processing activities directly carried out within Guernsey but also to those that are related to or connected with an establishment in the Bailiwick. This broad interpretation allows the law to cover a wide range of scenarios where there is a meaningful link between the data processing and a Guernsey-based establishment.

The term "established in the Bailiwick" is crucial for determining the law's applicability. While the provision does not provide a detailed definition of establishment, it likely encompasses entities with a registered office, branch, or other form of permanent presence in Guernsey.

Implications

This applicability factor has several important implications for businesses and organizations:

1. Local establishments: Companies with any form of establishment in Guernsey must comply with the Data Protection Law for their data processing activities, even if the actual processing occurs outside the Bailiwick.
2. Foreign entities: Organizations based outside Guernsey that have a branch, office, or other establishment in the Bailiwick may fall under the law's scope for processing activities related to that establishment.
3. Broad interpretation: The "in the context of" language allows for a potentially wide interpretation of what constitutes processing related to a Guernsey establishment, which may capture various business activities and data flows.
4. Compliance obligations: Entities meeting this criterion must ensure full compliance with Guernsey's data protection requirements, including principles of data processing, data subject rights, and potentially appointing a data protection officer.
5. Extra-territorial effect: This provision effectively gives the Guernsey Data Protection Law a degree of extra-territorial effect, as it can apply to processing activities that occur outside the Bailiwick but are connected to a local establishment.