Blue Diamond Limited, which operates Le Friquet Garden Centre, has been sanctioned by the data protection office after asking for advice on how to respond to a data request - and then not following it.
The company has received a 'formal reprimand' from Guernsey's Office for Data Protection Authority.
The ODPA investigated the company following allegations that two right of access requests, submitted on 15 May 2020, had not been responded to within the month set out in law.
Blue Diamond did not communicate the reasons for this to the complainant, and the ODPA say an incomplete initial response was sent out on 21 June 2020. The company later wrote to the Data Protection Authority to express its belief that it had fulfilled the request.
Pictured: If a company has valid reasons for not fulfilling a data request within a month, they must communicate this to the subject and give its reasons for an extension to two months.
The authority, however, took a different view. "Whilst it is recognised that this was the first such request made of Blue Diamond Limited, it became apparent during the investigation that they did not have an appropriate understanding of the statutory obligations it had as a Controller under the Law.
"It was clear that this and the lack of established internal procedures, contributed to the failure to comply with the requests in the manner required by Law."
Blue Diamond was said to have "fully engaged and complied" with the investigation requests and deadlines set, "albeit much provided was in a confusing and disorganised manner."
The company accepted their failures in processing and complying with the Law, saying it had no intention to appeal the ruling, before admitting that this matter has been "a steep learning curve".
Pictured: The Bailiwick's Data Protection Commissioner Emma Martins said a company of Blue Diamond's size and scale should be fully aware of their data protection responsibilities.
Blue Diamond Limited had contacted the Authority for advice after receiving the right of access request and got "clear, unambiguous guidance" that the Authority said "was clearly not followed".
“We recognise that this is a challenging time for all organisations," said The Bailiwick’s Data Protection Commissioner, Emma Martins.
"We must also be mindful that where individuals seek to exercise their legal rights, there is an expectation that those rights will be respected. Early and positive engagement with individuals and with the ODPA will always contribute to more positive outcomes.
"We are pleased that the controller in this case has reflected on the lessons learned to ensure that they are better placed to respond in a timely matter to requests of this nature in the future.”
Comments
Comments on this story express the views of the commentator only, not Bailiwick Publishing. We are unable to guarantee the accuracy of any of those comments.