Blue Diamond reprimanded over data protection breach

Blue Diamond Limited, who run Guernsey’s Le Friquet and Jersey’s St Peter’s garden centres, together with other garden centres in the UK, have been issued a formal reprimand under the Data Protection (Bailiwick of Guernsey) Law, 2017, section 68.

Blue Diamond received two right of access requests made under section 15 of the Law (the requests) on 15th May 2020.  A request of this nature entitles an individual to, amongst other things, copies of personal data processed by Blue Diamond.

In most cases, Controllers are required to comply with requests of this nature within of one month from the date of the request (designated period).  In the event that a Controller is unable to fulfil a request within the designated period, the Controller must notify the requestor, within the designated period, of their reasons for not complying, their right to complain to the Authority and their rights of appeal under sections of the Law.

Furthermore, where a Controller determines that the request is complex and requires further time to collate the response, the Law provides for the application of a two-month extension on the condition that such an application is communicated to the requestor along with the reasons for the extension. This must be done within the designated period.

It was shown that Blue Diamond had not responded to the requests within the designated period. An initial response was sent by Blue Diamond to the Complainants on 21st June 2020, however this was not deemed to be a complete response.  Blue Diamond wrote to the Authority on 30th October 2020 to state their belief that they had now responded in full to the requests.

Whilst it is recognised that this was the first such request made of Blue Diamond, it became apparent during the investigation that they did not have an appropriate understanding of the statutory obligations it had as a Controller under the Law. It was clear that this and the lack of established internal procedures, contributed to the failure to comply with the requests in the manner required by Law.

Following the determination by the GDPA that Blue Diamond had breached an operative provision of the Law it proceeded to consider whether to impose sanctions under the Law for the breach and, if sanctions were to be imposed, what the most appropriate sanctions would be

The GDPA, in consideration of the following has decided to impose a formal reprimand.

The GDPA identified the following mitigating factors:

• Blue Diamond fully engaged and complied with the investigation requests and deadlines set, albeit much provided was in a confusing and disorganised manner.
• This is the first such case requiring the GDPA to investigate Blue Diamond Limited.
• Blue Diamond Limited has openly accepted their failures in processing and complying with the Law and has admitted that this matter has been a steep learning curve from which lessons have been learnt.
• It is accepted by the GDPA that operational matters have been impacted during the public health crisis.

Despite the mitigating factors, there were also some aggravating factors;

• Blue Diamond in this case, whilst being a well-respected local company, is also a UK- wide organisation – employing some 3300 staff, and an organisation of that size should be fully aware of data protection issues relating to their business.
• During the very early stages of this matter, Blue Diamond contacted the GDPA for advice as to how to deal with a right of access request, as they had not received one before.  Clear, unambiguous guidance was given which was clearly not followed.
• Whilst this may have been the first request of this nature received by Blue Diamond, it is clear that they did not engage in a positive and timely manner. Further, it is apparent that the relationship with the Complainants detrimentally affected the process and their engagement with it.

The Guernsey Bailiwick’s Data Protection Commissioner, Emma Martins, commented: “We recognise that this is a challenging time for all organisations. We must also be mindful that where individuals seek to exercise their legal rights, there is an expectation that those rights will be respected. Early and positive engagement with individuals and with the ODPA will always contribute to more positive outcomes. We are pleased that the Controller [Blue Diamond Limited) in this case has reflected on the lessons learned to ensure that they are better placed to respond in a timely matter to requests of this nature in the future.”