Registration & Charges FAQs

Registration and Charges - Frequently Asked Questions (FAQs)

CHARGES

Q: Who sets the charges?
A: The charges were set by the States Assembly following a process of public consultation and discussion with industry body representatives.

Q: Do I have to pay a charge?
A: If you are a controller and / or processor you will have to pay a charge unless a fee exemption applies.

Q: How often do I have to pay the data protection charge?
A: Registrations must be renewed annually so the relevant charge will also have to be paid annually.

Q: When do I have to pay the charge?
A: The charge is due one calendar month after registration if it is a new registration, for example; a business start-up. For renewals, the charge is due as of 1st January every year and you have until the last day of February to make payment.

Q: How much do I have to pay?
A: The charges range from £70 to £1,600. The charge depends on the number of full-time equivalent employees, past-year revenue and the type of personal data being processed. It is structured like this out of fairness and takes into account the risk profile of the controller / processor.

 

Full-Time Employees

Full-Time Employees Charge

Proceeds of Crime Charge

Special Category Data Charge

Less than 10

£70

£50

£50

Between 10 and 50 inclusive

£90

£150

£150

More than 50

£500

£600

£350

 

Past-Year Revenues

Less than £100k

£0

Between £100k and £5m inclusive

£0

More than £5m but £20m or less

£150

More than £20

£500

 

Administered Controllers/Processors
In this Regulation, “trust company business” and “fund services business” have the same meanings as in Article 1(1) of the Financial Services (Jersey) Law 1998. The amount of the annual charge for a registered controller or registered processor that is being administered by a trust company business or a fund services business is £50.
£50 per administered controller/processor

Q: Are registration fees exempt from GST?
A: Yes, fees are exempt from GST as the Jersey Office of the Information Commissioner (JOIC) is an independently audited States body.

Q: What is the data protection fee for?
A: We use the data protection fee to fund our data protection work. We do not keep any money we receive in administrative fines, but pass it directly to the Government of Jersey.

Q: What do I get in return for paying the fee?
A: Our mission is to provide the people of Jersey with the highest level of data protection. The data protection fee allows the JOIC to effectively and efficiently regulate and enforce the Data Protection (Jersey) Law 2018. This in turn supports the free flows of data between Jersey and the UK, EU and adequate jurisdictions, and helps to ensure the Island’s reputation for good regulation, and a safe place to live and do business. The fee also allows access to practical data protection toolkits providing guidance and direction on how to comply with the Law and exercising your data protection rights.

Q: Why is my fee more than £1,600?
A: £1,600 is the maximum fee per controller/processor. If the controller/processor also includes administered registrations, these will be charged at an additional £50 fee per administered registration.

Q: What happens if I register in, for example, August of the current year? Will I be charged in full then and then in full again during the renewal period in January - February or will the fee be pro-rata?
A: You will be charged in full and will have to pay in full again in the following January – February when renewing. The JOIC does not have any power to pro-rata fees.

Q: Do you issue refunds?
A: Only in exceptional circumstances. Please get in touch with us as soon as possible.

Q: What happens if I don’t pay my fee?
A: The JOIC has the power to remove a registration from the Register if the relevant charge is not paid. It is a criminal offence to process personal data without being registered with the JOIC.

 

PAYMENT

Q: What payment methods do we offer?
A: CityPay (online via debit or credit card), BACS or Cheque.

Q: If I pay via card, will I be sent a receipt?
A: The JOIC use the CityPay platform for card payments. CityPay will send a transaction notice to the billing contact's email address.

Q: How long do I have to pay?
A: If a renewal, the payment window opens 1st January and closes on the last day of February.
If a new registration, the payment window is one calendar month. The JOIC has the power to remove a registration from the Register if the relevant charge is not paid. It is a criminal offence to process personal data without being registered with the JOIC.

 

REGISTRATIONS

Q: How long will the registration last?
A: If a new registration, the registration will expire on 31st December of the year initially registered. If a renewal, the fee covers a 12-month period from 1st January, which expires 31st December.


Q: When does the registration expire?
A: All registrations will expire on 31 December regardless of their initial registration date.

Q: What happens if I do not register?
A: Failure to register with the Authority is a criminal offence.

 

PUBLIC REGISTRY

Q: When will organisations be added to the registry? When they have registered / renewed or when they have paid?
A: Registrations will appear on the registry as soon as they have been registered / renewed. The expiry date will display as 'pending' if payment is awaited or the expiry date (31/12/202X) if paid (unless fee exempt when the expiry date is default). Registrations will be removed from the registry if payment is not made within the required timeframe.

Q: What information will be displayed on the website registry?
A: Name, registration number, expiry date, registered business names (if any). Administered registrations will also be searchable but will not show any link back to the administrator.

 

RENEWAL

Q: When do I need to renew my registration(s)?
A: The renewal period opens on the 1 January and closes on the 28 (or 29) February each year. You will be sent an email reminder before the renewal period opens so please ensure your registration details, especially your correspondence email address, is kept up-to-date.

 

GENERAL GUIDANCE

Q: What is a data controller?
A: The data controller determines the purposes for which and the means by which personal data is processed. If your company / organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.

Q: What is a data processor?
A: The data processor processes personal data only on behalf of and in accordance with the specific written instructions of the controller. The data processor is usually a third party external to the controller.

Q: What is an appointed DPO?
A: An appointed Data Protection Officer refers to someone who has been appointed to that role as per Article 24 of the Data Protection (Jersey) Law 2018.

Q: Class of Processing - What is a Public Authority?
A: Public Authority means:
- the States Assembly including the States Greffe;
- a Minister;
- a committee or other body established by a resolution of the States or by, or in accordance with, standing orders of the States Assembly;
- an administration of the States;
- a Department referred to in Article 1 of the Departments of the Judiciary and the Legislature (Jersey) Law 1965;
- any court or tribunal;
- the States of Jersey Police Force;
- a parish;
- the holder of a public office;
- in relation to any country other than Jersey, any person exercising or performing functions or holding any office similar or comparable to any of the persons described in sub-paragraphs (a) to (i); and any other person or body (whether incorporated or unincorporated) that exercises functions of a public nature.

Q: Class of Processing - What is a Candidate for Election?
A: Candidate for Election means an individual who has been admitted as a candidate for a public election of an officer in a constituency under Article 18 of the Public Elections (Jersey) Law 2002.

Q: Class of Processing - What is a Provided School?
A: Provided School means a school listed at Schedule 1, Part 1 of the Education (Jersey) Law 1999.

Q: Class of Processing - What is a business that has ceased trading?
A: An organisation that has ceased to conduct business but continues processing solely for retention purposes as required by law.

Q: Class of Processing - What is a non-profit association?
A: Non-Profit Association means any body, or association that is not established or conducted for profit.

Q: What is an FTE?
A: One element of the annual charge is calculated based on an organisation’s number of full-time equivalent employees (FTE).

- A FTE means a person employed for more than 27 hours a week;
- If an individual is working no more than 9 hours a week they are treated as 25% of a FTE employee;
- If an individual is working more than 9 hours but no more than 18 hours a week they are treated as 50% of a FTE employee; and
- If an individual is working more than 18 hours but not more than 27 hours a week they are treated as 75% of a FTE employee.

The determination of FTEs must be calculated on the basis of the highest number of posts existing at any time during the past 12 months, ignoring any vacancies.

Q: What is past-year's revenue?
A: Past-year revenues means a payer’s gross revenues that are generated by or on behalf of that part of their business that is established in Jersey for the year before the year to which an annual charge relates.

Q: Who is subject to Proceeds of Crime (Jersey) Law 1999?
A: An organisation that is registered with the Jersey Financial Services Commission and is carrying on a financial services business as specified in Schedule 2 to the Proceeds of Crime (Jersey) Law 1999 (other than in paragraphs 6, 8 and 10 of Part B) which includes (subject to any exemptions that may apply) such as:

• Business that is regulated by the Jersey Financial Services Commission under regulatory laws;
• Lawyers;
• Accountants;
• Estate agents;
• High value dealers;
• Casinos;
• Acceptance of deposits and other repayable funds from the public;
• Lending, including consumer credit, mortgage credit, factoring, financing of commercial transactions;
• Financial leasing;
• Issuing and administering means of payment;
• Guarantees and commitments;
• Trading for the account of third parties in money market instruments, foreign exchange, futures and options, exchange, interest rate and index instruments, transferable securities;
• Participation in securities issues;
• Advice to undertakings on capital structure, industrial strategy and related questions and advice as well as services relating to mergers and the purchase of undertakings;
• Money broking;
• Portfolio management and advice;
• Safekeeping and administration of securities;
• Safe custody services;
• Otherwise investing, administering or managing funds or money on behalf of third parties; and
• Virtual currency exchange

Q: What is special category data?
A: Special category data means:
- data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
- genetic or biometric data that is processed for the purpose of uniquely identifying a natural person;
- data concerning health;
- data concerning a natural person’s sex life or sexual orientation; or
- data relating to a natural person’s criminal record or alleged criminal activity.

This may include the processing of special category data relating to employees such as sickness absence records, accident report books, allergies, health declarations, criminal record checks, finger prints for ID purposes etc.

Q: What does “established” mean?
A: The Data Protection (Jersey) Law 2018 defines “established” as follows:
(4)   For the purposes of paragraphs (2) and (3), each of the following is to be treated as established in Jersey –

(a)  a natural person who is ordinarily resident in Jersey;
(b)  a body incorporated under the law of Jersey;
(c)  a partnership or other unincorporated association formed under the law of Jersey;
(d)  any person who does not fall within sub-paragraph (a), (b) or (c) but maintains in Jersey –

(i)  an office, branch or agency through which the person carries on any processing of personal data, or
(ii)  a regular practice that carries on any processing of personal data; or

(e)  any person engaging in effective and real processing activities through stable arrangements in Jersey.

Q: Is the organisation a “trust company business” or a “fund services business” that administers controllers / processors?
A: A “trust company business” and “fund services business” are as defined in the Financial Services (Jersey) Law 1998 as follows:

Article 1 “trust company business” has, subject to any Order under Article 4, the meaning given to that expression by Article 2(3);

Article 2(3) A person carries on trust company business if the person carries on a business that involves –
(a)  the provision of company administration services;
(b)  the provision of trustee or fiduciary services;
(c)  the provision of services to foundations; or
(d)  the provision of services to partnerships not being services described in sub-paragraph (a), (b) or (c),

Article 1 “fund services business” has, subject to any Order under Article 4, the meaning given to that expression by Article 2;

Article 2(10) A person carries on fund services business if by way of business the person is –
(a)  a manager, manager of a managed entity, administrator, registrar, investment manager or investment adviser;
(b)  a distributor, subscription agent, redemption agent, premium receiving agent, policy proceeds paying agent, purchase agent or repurchase agent;
(c)  a trustee, custodian or depositary; or
(d)  a member (except a limited partner) of a partnership, including a partnership constituted under the law of a country or territory outside Jersey, in relation to an unclassified fund or an unregulated fund.[32]

Q: How do I know if I need to include the names of the controllers / processors established in Jersey being administered by the “trust company business” or “fund services business”?
A: Controllers / processors are only required to be registered once. For example, you do not need to register the controller / processor as being administered by you if they have already completed their own registration. Therefore, please ensure the controller / processor being administered is not already registered. You should check whose responsibility it is to register the controller / processor.