Skip to main content
Link to Walkers homepage
Insights

Jersey Funds Law Series: Data Protection Requirements for Jersey Funds

Dec 19, 2024

Guide
Ethereal blue and green ink clouds swirl in the water, creating an abstract underwater dance of colours.

KEY TAKEAWAYS

  • Jersey's data protection regime broadly mirrors the EU's GDPR regime and imposes obligations on entities that collect or process data including requirements to register, comply with data subject rights (including access, rectification, data portability and erasure), and report personal data breaches within 72 hours of becoming aware of the breach
  • Funds will likely be considered data controllers and be subject to Jersey's data protection regime by virtue of collecting personal data (i.e. data relating to an identified or identifiable person) when investors subscribe for interests in the fund
  • Breaches of the data protection regime can result in significant fines, criminal charges and adverse outcomes for controllers of personal data such as funds

The Data Protection (Jersey) Law, 2018 (“DPJL”) was introduced to broadly mirror the EU General Data Protection Regulation, which came into force on 25 May 2018.

The DPJL introduced obligations on those that collect or process data, including:

  • disclosure obligations, including how and what data is processed;
  • maintaining safeguards and standards on processing and maintaining data, including actions to take in cases of a data breach; and
  • data subject rights, including objecting to data processing and the right to erasure (in certain circumstances).

Why is this relevant to funds?

Funds will likely be subject to the DPJL as:

  • personal data is likely collected when investors subscribe;
  • the fund will likely be considered a data controller; and
  • administrators or other service providers will likely be considered data processors.

Funds should be aware of their obligations as:

  • data controllers need to register with the Office of the Information Commissioner in Jersey;
  • data controllers are ultimately responsible for the processing of personal data in accordance with DPJL; and
  • breaching DPJL can in some cases result in significant fines, criminal charges and adverse outcomes for the owners of the personal data.

Funds should also consider what other personal data they collect, such as that of their directors, officers, representatives, etc.

Key definitions

  • Data subject: an identified or identifiable natural person.
  • Personal data: any data relating to data subjects.
  • Data controllers: those that determine, alone or jointly, the purposes and means of the processing of personal data.
  • Data processors: those that process data on behalf of a data controller (excluding employees of the controller).

What do data subjects need to know?

Data subjects must be informed about (among other things):

  • the identity and contact details of the data controller;
  • the purposes for which their personal data is processed and the legal basis for the processing;
  • the circumstances in which such data may be disclosed or transferred; and
  • data subject’s rights in respect of their personal data.

The legal basis for processing the personal data may include the following:

  • the processing is necessary for compliance with the data controller’s legal obligations;
  • the processing is necessary for the performance of a contract by the data controller or the taking of steps at the request of the data subject with a view to entering into a contract;
  • the processing is necessary for the purposes of legitimate interests pursued by the data controller; or
  • the data subject has consented to the processing of their data for a specific purpose (the data subject has the right to withdraw their consent at any time).

These disclosures are typically found in a privacy notice set out in the offering documents.

How must the data be treated?

The collection and treatment of data must adhere to 'good information handling'. It must be:

  • processed in a fair, lawful and transparent way;
  • collected for a specified and legitimate purpose;
  • adequate, relevant and necessary;
  • accurate and kept up to date;
  • stored only as long as necessary; and
  • processed in accordance with legislation to ensure security, integrity and confidentiality.

Unnecessary data should therefore not be collected and funds will need to ensure their relevant service providers adhere to the DPJL. Typically this would be covered in the agreements with those service providers.

Special category data

There are additional requirements should special category data be collected, such as race, ethnic background, political opinions, religious beliefs, trade union memberships, genetics, health, sexual orientation and criminal or alleged criminal records.

What rights do data subjects have?

  • to be informed about how their data is being used;
  • to access, amend and rectify their personal data;
  • to have incorrect or incomplete data updated;
  • to request erasure of personal information (in certain circumstances);
  • to restrict processing;
  • to data portability (in certain circumstances); and
  • to object to how their data is processed, such as marketing.

Data breaches

In cases where personal data is lost, corrupted, improperly disclosed, accessed or distributed, it is necessary to contact the Jersey Office of Information Commissioner within 72 hours. In some cases data subjects will need to be notified.

We would expect service providers to have appropriate plans in place in the event of a data breach, which should include informing the fund.

Next steps

Data protection is a complicated and potentially high risk area of law and this article only covers some of the relevant areas. Please reach out to one of the contacts below if you would like to learn more.

The information contained in this guide is necessarily brief and general in nature and does not constitute legal or taxation advice. Appropriate legal or other professional advice should be sought for any specific matter.
Asset Management & Investment FundsJersey

Related Links

Asset Management & Investment Funds

Key Contacts

Get in touch with our team

Tatiana Collins
Tatiana Collins

Tatiana Collins

Partner

Jersey

T

+44 (0) 1534 700 757

M

+44 (0) 7797 863 898

E

Email Tatiana Collins
View profile
Dilmun Leach
Dilmun Leach

Dilmun Leach

Partner, Walkers (CI) LP

Jersey

T

+44 (0) 1534 700 783

M

+44 (0) 7797 912 371

E

Email Dilmun Leach
View profile
Kirsten Faichnie
Kirsten Faichnie

Kirsten Faichnie

Senior Counsel

Jersey

T

+44 (0) 1534 700 733

M

+44 (0) 7797 913 957

E

Email Kirsten Faichnie
View profile
Sian Langley
Sian Langley

Sian Langley

Senior Counsel

Jersey

T

+44 (0) 1534 700 774

M

+44 (0) 7797 951 951

E

Email Sian Langley
View profile
Sarah Townsend
Sarah Townsend

Sarah Townsend

Senior Counsel

Jersey

T

+44 (0) 1534 700 736

M

+44 7797 936 737

E

Email Sarah Townsend
View profile

Get the latest insights and expertise in your inbox 

Fluid ink image
Sign up
logo footer

Connect with us

FacebookFacebook
InstagramInstagram
LinkedInLinkedIn

Employee login

Self Service Password ResetWalkers AnywhereWalkers Sharefile
Legal notices/Cookies policy

All rights reserved - © 2025 Walkers Global