www.visitguernsey.com is a website run and maintained by the States of Guernsey Committee for Economic Development (the controller) to provide customers with a newsletter and an electronic or physical brochure for the purpose of promoting events on the island.
1.The Data Protection Law
The controller acknowledges its obligations as per the data protection law, which provides a number of requirements in terms of processing activities involving personal data. The controller further acknowledges the general principles of processing as well as the rights of a data subject and more information in relation to these provisions are provided within this fair processing notice.
2.The Principles of Processing
Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner.
In order to provide these services, the controller collects personal data from data subjects who subscribe to the VisitGuernsey newsletter and or brochure either directly from the website or in response to electronic marketing. No personal data is collected from any third party or publically available source. None of the personal data collected for this purpose is classified as “Special Category Data” (the most sensitive data as defined by data protection law). The personal data that is collected for this purpose includes:
The data subject’s title
The data subject’s first name
The data subject’s last name
The data subject’s address and post code
The data subjects country and preferred language
The data subject’s email address
In terms of the lawful basis for processing this information, the controller would require the consent of the data subject to the processing of the personal data in this way. As per data protection law, the data subject has the right to withdraw their consent for the additional processing by third parties at any stage and this will not affect the general service that is offered by the www.visitguernsey.com website.
The controller is offering an information service to data subjects, however as the controller is a public authority (as defined by data protection law), the lawfulness of processing does not relate to the legitimate interests of the controller or third party.
The data subject’s title and first and last names is for the purposes of identification
The data subject’s postal address and post code is for the provision of the physical brochure
The data subject’s country is also collected as part of the address information for the provision of the physical brochure
The data subject’s preferred language is required for the purpose of providing the newsletter in the data subject’s preferred language whenever possible.
The data subject’s email address is for the provision of the newsletter and the electronic version of the brochure
The above information which may be processed is not necessary for the conclusion of any contract between the controller and a data subject consenting to receiving the newsletter. No automated decision making will take place which involves the personal data of any data subject.
A “cookie” is a piece of digital information that is placed onto a user’s electronic device to track their progress and viewing habits. The VisitGuernsey website may use “cookies” in this way to track your usage across the site so as to customise your experience and to record the number of users accessing the site as well as the pages viewed. We also use "cookies" to serve tailored advertising to you from both us and our partners. You may disallow receiving cookies at any time through your web browser. It is not our intention to use "cookies" to retrieve information that is unrelated to our site or your interaction with our site.
How we use advertising "cookies".
We and our partners display interest-based advertising using "cookie" data gathered about your use of our website. This includes ads served to your after you leave our website, encouraging you to return to either our site or our selected partner site. We might serve these ads, or third parties may serve ads.
An “IP (internet Protocol) Address” is a piece of digital information usually consisting of a unique string of numbers and full stops that identifies a particular electronic device. VisitGuernsey may collect your IP Address to help diagnose problems with our server, and to administer our site. This information does not contain any personally identifiable information about you. Your IP Address is also used to help identify you during a particular session and to gather broad demographic data.
Personal data must not be collected except for a specific, explicit and legitimate purpose and, once collected, must not be further processed in a manner incompatible with the purpose for which it was collected.
The controller acknowledges its responsibility with regards to this data protection principle and therefore the controller maintains that it will not further process that personal data in a way which is incompatible to its original reason for processing as specified in section 2a, unless the controller is required to do so by law. The personal data will not be transferred to a recipient in an authorised or an unauthorised jurisdiction (as per the definition within data protection law).
Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
The controller maintains that it will only process the personal data which is detailed in section 2a, and will not process any further personal data that is not necessary in relation to the original reason for processing personal data as specified in section 2a, unless the controller is required to do so by law.
Personal data processed must be accurate, kept up-to-date (where applicable) and reasonable steps must be taken to ensure that personal data that is inaccurate is erased or corrected without delay.
The controller will ensure that all personal data that it holds is accurate and kept up-to-date, and any personal data that is inaccurate will be erased or corrected without delay.
Personal data must not be kept in a form that permits identification of a data subject for any longer than is necessary for the purpose for which it is processed.
Where a data subject provides personal data to the controller through the www.visitguernsey.com website, the controller will hold that personal data until such time as the data subject withdraws their consent for the processing of their personal data in relation to these direct marketing activities. Where a data subject has consented for their personal data to be shared with third parties as detailed in section 2a of this notice, this personal data shall only be held until such time as the data subject withdraws their consent for the processing of their personal data by the third parties.
Integrity and confidentiality
Personal data must be processed in a manner that ensures its appropriate security, including protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller maintains to process all personal data with appropriate levels of security. Personal data provided by data subjects using the www.visitguernsey.com website is collected and stored online and, in order to prevent unauthorised or unlawful processing, the controller has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information that is collected.
The www.visitguernsey.com website is managed and maintained by the controller. The controller has not engaged with any processors in relation to the functioning of the website.
The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
The contact details of the controller are as follows:
VisitGuernsey Digital Marketing Team
Tel: 01481 234567
The contact details for the Data Protection Officer of the Committee for Economic Development are as follows:
Data Protection Officer, Committee for Economic Development
Tel: 01481 717000
Right of access
A data subject has the right to be advised as to whether a controller is processing personal data relating to them and, if so, that individual is entitled to one free copy of their personal data (with further copies available at a fee prescribed by the controller). This is known as a Subject Access Request (SAR). Upon receipt of an SAR, the controller has a period of one month to adhere to the request (an extension of two further months can be sought by the controller depending upon the complexity and number of requests submitted by the data subject).
Right to data portability
A data subject has the right to data portability, this means that an individual is able to arrange for the transfer of their personal data from one controller to another without hindrance from the first controller. This right can only be utilized where the processing is based on consent or for the performance of a contract. This right cannot be used for processing by a public authority.
Where a data subject invokes the right to data portability, the data subject has the right to be given their personal data in a structure, commonly used and machine-readable format suitable for transmission from one controller to another. Upon the request of a data subject, the controller must transmit their personal data directly to another controller unless it is technically unfeasible to do so.
Exception to right of portability or access involving disclosure of another individual’s personal data
A controller is not obliged to comply with a data subject’s request under the right of access or right to data portability where the controller cannot comply with the request without disclosing information relation to another individual who is identified or identifiable from that information.
Right to object to processing
A data subject has the right to object to a controller’s activities relating to the processing of personal data for direct marketing purposes, on grounds of public interest and for historical or scientific purposes.
Right to rectification
A data subject has the right to require a controller to complete any incomplete personal data and to rectify or change any inaccurate personal data.
Right to erasure
A data subject has the right to submit a written request to a controller regarding the erasure of the data subject’s personal data in certain circumstances. These include where:
The personal data is no longer required in relation to its original purpose for collection by the controller;
The lawfulness of processing is based on consent and the data subject has withdrawn their consent;
The data subject objects to the processing and the controller is required to cease the processing activity;
The personal data has been unlawfully processed;
The personal data must be erased in order to comply with any duty imposed by law; or
The personal data was collected in the context of an offer from an information society service directly to a child under 13 years of age.
Right to restriction of processing
A data subject has the right to request, in writing, the restriction of processing activities which relate to the data subject’s personal data. This right can be exercised where:
The accuracy or completeness of the personal data is disputed by the data subject who wishes to obtain restriction of processing for a period in order for the controller to verify the accuracy or completeness;
The processing is unlawful but the data subject wishes to obtain restriction of processing as opposed to erasure;
The controller no longer requires the personal data, however the data subject requires the personal data in connection with any legal proceedings; or
The data subject has objected to processing but the controller has not ceased processing operations pending determination as to whether public interest outweighs the significant interests of the data subject.
Right to be notified of rectification, erasure and restrictions
Where any rectification, erasure or restriction of personal data has been carried out, the data subject has a right to ensure that the controller notifies any other person to which the personal data has been disclosed about the rectification, erasure or restriction of processing. The controller must also notify the data subject of the identity and contact details of the other person if the data subject requests this information.
Right not to be subject to decisions based on automated processing
A data subject has the right not to be subjected to automated decision making without human intervention.
To exercise these data subject rights, please contact either the data protection officer or the controller (as per the contact details provided in 2g).
Right to make a complaint
An individual may make a complaint in writing to the supervisory authority (the Office of the Data Protection Commissioner) if the individual considers that a controller or processor has breached, or is likely to breach, an operative provision of the data protection law, and the breach involves affects or is likely to affect any personal data relating to the individual or any data subject right of the individual (as listed above).
Complainant may appeal failure to investigate or progress and may appeal determinations
An individual may appeal to the Court where:
The Supervisory Authority has failed to give the complainant written notice that the complaint is being investigated or not within two months of receiving the complaint;
The Supervisory Authority has failed to provide written notice of the progress and, where applicable, the outcome of the investigation at least once within three months of providing notice of the beginning of an investigation; or
Where the individual seeks to appeal against a determination of the Supervisory Authority
You may choose to have your name taken off the Guernsey e-mail list or have Guernsey not provide your information to others in the future by (1) contacting VisitGuernsey here (2) following instructions as provided in any e-mail message from VisitGuernsey.
Your Acceptance of this Policy