Data protection & privacy laws in Jersey (2026)

The Data Protection (Jersey) Law 2018 (L-03-2018) mirrors the GDPR's structure: six lawful bases for processing, data minimisation, purpose limitation, storage limitation, and accountability obligations for controllers and processors.

The Data Protection Authority (Jersey) Law 2018 (L-04-2018) established the JOIC as an independent regulator. The Commissioner may issue information notices, conduct audits, execute search warrants, restrict processing, and levy administrative fines.

The European Commission's January 2024 review (COM/2024/7) reaffirmed Jersey's adequacy decision first granted under Directive 95/46/EC in 2008, finding that the 2018 law modernisation closely aligns Jersey with GDPR and that no amendments or withdrawal are required.

The UK recognised Jersey as adequate for UK GDPR transfers via The Data Protection (Law Enforcement) (Adequacy) (Bailiwick of Jersey) Regulations 2023 (SI 2023/1221), enabling lawful data flows from the UK post-Brexit.

Individuals hold rights of access (subject access requests), rectification, erasure, restriction, and objection. Controllers must notify the JOIC of personal data breaches within 72 hours and, where high risk, notify affected individuals without undue delay.

The JOIC's 2026–2028 Strategic Plan signals proactive, swift enforcement. Priority themes include children's privacy, responsible AI governance, and mandatory annual registration renewal for data controllers (renewal window: January–February each year).