Schedule 1Data Protection Law, 2017
THE DATA PROTECTION PRINCIPLES AND THEIR INTERPRETATION
Part 1The Data Protection Principles
First principlePersonal data shall be processed fairly. In addition, personal data may be processed only if —
(a)in every case, at least one of the conditions set out in paragraphs 1 to 6 of Schedule 2 is met; and
(b)in the case of sensitive personal data, at least one of the conditions in paragraphs 1 to 10 of Schedule 3 is also met.
Second principlePersonal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Third principlePersonal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
Fourth principlePersonal data shall be accurate and, where necessary, kept up to date.
Fifth principlePersonal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
Sixth principlePersonal data shall be processed in accordance with the rights of data subjects under this Law.
Seventh principleAppropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Eighth principlePersonal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Part 2Interpretation of Data Protection Principles
1
(1)In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to —
(a)the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed; and
(b)whether the information contained in the personal data has previously been made public as a result of steps deliberately taken by the data subject.
(2)Subject to paragraph 2, for the purposes of the first principle, personal data are prima facie to be treated as obtained fairly if they consist of information obtained from a person who is required to supply it by or under an enactment or by a convention or other instrument imposing an international obligation on the Islands.
2For the purposes of the first principle personal data shall not be treated as processed fairly unless the data subject has, as soon as reasonably practicable, been provided with, at a minimum —
(a)the identity of the data controller; and
(b)the purpose for which the data are to be processed.
3If processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall not to be regarded as complying with the seventh principle unless the processing is carried out under a contract —
(a)that is made or evidenced in writing;
(b)under which the data processor is to act only on instructions from the data controller; and
(c)that requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.
4For the purposes of the eighth principle, an adequate level of protection is one that is adequate in all the circumstances of the case, having regard, among other things, to —
(a)the nature of the personal data;
(b)the country or territory of origin of the information contained in the data;
(c)the country or territory of final destination of that information;
(d)the purposes for which and period during which the personal data are intended to be processed;
(e)the law in force in the country or territory in question;
(f)the international obligations of that country or territory;
(g)any relevant codes of conduct or other rules that are enforceable in that country or territory, whether generally or by arrangement in particular cases; and
(h)any security measures taken in respect of the data in that country or territory.
5The eighth principle does not apply to a transfer falling within Schedule 4, except in such circumstances and to such extent as may be prescribed by regulations.
6
(1)If in any proceedings under this Law a question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the Islands which is a member state of the European Union or with respect to which a European Union finding has been made in relation to transfers of the kind in question, that question shall be determined in accordance with that finding.
(2)In this paragraph “European Union finding” means a finding of the European Commission, under the procedure provided for in Article 31(2) of Directive 95/46/EC or such other provision or instrument as may for the time being be in force on the protection of data subjects with regard to the processing of personal data and on the free movement of such data, that a country or territory outside the European Economic Area does, or does not, ensure an adequate level of protection within the meaning of Article 25(2) of the Directive or such other provision or instrument as may for the time being be in force for that purpose.