Data Protection Guide 2023: Isle of Man

Collecting personal information

Article 13 of the Applied GDPR states that the data controller has an obligation at the time when the data is collected from the data subject, to provide the following information:

• the identity and the contact details of the controller and, where applicable, of the controller’s representative;
• the contact details of the data protection officer, where applicable;
• the purposes of the processing for which the personal data are collected, as well as the legal basis for the processing;
• where the processing is based on the legitimate interests pursued by the controller or by a third party, details of these interests;
• the recipients or categories of recipients of the personal data, if any;
• where applicable, the fact that the controller intends to transfer personal data outside of the Isle of Man and/or the EEA.

Further to this, the controller shall inform the data subject as to:

• the period for which the personal data will be stored or if that is not possible, the criteria used to determine the retention period;
• the existence of the rights to access, rectification or erasure, or restriction of processing and the right to data portability;
• the right to withdraw consent at any time;
• the right to lodge a complaint with a Supervisory Authority;
• whether the provision of personal data is a contractual or statutory requirement;
• the existence of automated decision-making, including profiling.

Where the controller intends to process personal data for a purpose other than that for which it was collated, the controller has to provide the data subject with information regarding that further purpose.

Article 14 deals with the information that has to be provided where personal data have not been obtained from the data subject.

What constitutes valid consent?

Article 6(1)(a) of the Applied GDPR states that consent to processing shall be one of the lawful conditions for processing. Article 9 of the Applied GDPR deals with the processing of special category personal data and requires “explicit consent.” to be in place.

Article 7 of the Applied GDPR sets out the conditions for valid consent:

• where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to processing of his or her personal data;
• if the consent is given in writing which also concerns other matters, the consent must be presented in a way that distinguishes it from the other matters and in an intelligible and easily accessible form and using clear and plain language;
• the data subject has the right to withdraw the consent at any time; and
• when assessing whether consent is freely given, utmost account will be taken of whether or not consent has been made a condition of the performance of a contract or service.

In the context of processing childrens’ data for information society services, a child is defined by reference to the age of 13, rather than 16 (regulation 11 of the Implementing Regulations).

The IC would expect Isle of Man controllers to take recognition of the guidelines issued by the European Data Protection Board.

Processing and retention of personal data

Alongside consent, Article 6 of the Applied GDPR provides the lawful bases for processing, namely where it is necessary:

• for the performance of a contract, to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
• for compliance with any legal obligation to which the data controller is subject;
• in order to protect the vital interests of the data subject or of another natural person;
• for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller. This includes data processing necessary for (a) the administration of justice; (b) the exercise of any function of Tynwald (the Manx parliament) or its branches; (c) the exercise of a function conferred on a person by an enactment; or, (d) the exercise of a function of the Crown, a department of the Isle of Man Government or an Isle of Man statutory body. Substantial public interest conditions are also set out in Part 2 of Schedule 2 of the Implementing Regulations regarding processing special category data and that related to criminal convictions;
• for the purposes of legitimate interest pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection, in particular where the data subject is a child. This condition is not applicable to processing carried out by a public authority.

In addition, the Council of Ministers may by order specify particular circumstances in which the foregoing is taken to be satisfied.

Decisions of the Court of Justice of the European Union regarding the interpretation of the term “necessary” would be persuasive in an Isle of Man court and the IC would require the term to be interpreted narrowly by controllers.

Accessing Personal Information

Individuals are entitled to be informed whether their personal data is being processed by or on behalf of a data controller. If so, the individual is entitled to a description of:

(i) the personal data,

(ii) the purposes for which it is being or is to be processed, and

(iii) the recipients or classes of recipient to whom the data may be disclosed.

The individual is also entitled to a copy of their data. The right is subject to certain limitations (such as the rights of third parties whose personal data is “mixed” with that of the data subject). The individual must send a data subject access request to the data controller, who must respond within one month. Data subjects can also request that their data is corrected where it is not accurate, or that it be erased (in limited circumstances).

Controllers are expressly required to bring the right of access to the attention of data subjects and to take steps to facilitate the exercise of that right.

Law Enforcement

The LED deals solely with personal data being processed for the purposes of the prevention, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security.

Are there any other exemptions?

The main exemptions relate to processing for specific purposes and are not a blanket exclusion of the Applied GDPR’s rights and obligations. The purposes for processing personal data determine the provisions from which an organisation can claim exemption. Data controllers should only depart from the Implementing Regulations to the extent necessary to protect the purposes for which the exemption is claimed.

Regulation 8 of the Implementing Regulations provides further details on the jurisdictional scope of the regulations.

The main exemptions include:

• manual unstructured data held by Freedom of Information (FOI) public authorities;
• manual unstructured data used in longstanding historical research;
• insurance;
• legal proceedings;
• protection of the rights of others;
• national security;
• crime and taxation;
• legal professional privilege;
• trusts;
• health, education and social work;
• regulatory activity;
• journalism, literature and academic purposes;
• research, history and statistics;
• Tynwald privilege; and
• domestic purposes.

Schedule 9 also contains miscellaneous exemptions in relation to the following: confidential references given by the data controller; armed forces; immigration control; judicial appointments and honours; crown employment and appointments; management forecasts; corporate finance; negotiations; examination marks and scripts; legal matters and self- incrimination.

International transfers of personal information

Part 5 of the Implementing Regulations deals with transfers of personal data to third countries.  Regulation 68 states that a controller or processor must not transfer personal data for processing to a third country or an international organisation unless that country or organisation ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.  The level of protection is adequate if:

• the European Commission has made an adequacy decision under Article 45 of the GDPR;
• there are safeguards in place that meet the requirements of Article 46 of the Applied GDPR (see further below);
• the transfer falls within the exceptions set out in Schedule 10 of the Implementing Regulations.

Schedule 10 of the Implementing Regulations provides exceptions to the adequacy requirements and these are as follows:

• the transfer is specifically required by an order or judgment of a court or tribunal having the force of law in the Isle of Man or having force of law in the Isle of Man based on an international agreement or obligation on the Isle of Man or a decision of a public authority on the Island that is based on such an international agreement (paragraph 1 of Schedule 10);
• the data subject has explicitly consented to the transfer after being informed of the possible risk of the transfer (paragraph 2 of Schedule 10);
• the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request (paragraph 3 of Schedule 10);
• the transfer is necessary for the conclusion or performance of a contract between the controller and a person other than the data subject (paragraph 4 of Schedule 10);
• the transfer is necessary for reasons of substantial public interest which only applies in certain circumstances (paragraph 5 of Schedule 10);
• the transfer is necessary (a) for the purposes of, or in connection with, any legal proceedings (including prospective legal proceedings); (b) for the purposes of obtaining legal advice; or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights (paragraph 6 of Schedule 10);
• the transfer is necessary in order to protect the vital interests of the data subject or other persons where (a) the data subject is physically or legally incapable of giving consent; (b) the data subject has unreasonably withheld consent; or (c) the controller or processor cannot reasonably be expected to obtain the explicit consent of the data subject (paragraph 7 of Schedule 10);
• the transfer is made from a public register in certain circumstances (paragraph 8 of Schedule 10).

Paragraph 9 of Schedule 10 provides that where a transfer cannot be based on any other provision of the Implementing Regulations, a transfer to a third country or international organisation can only take place if:

• the transfer is not repetitive;
• the transfer concerns only a limited number of data subjects;
• the transfer is necessary for the purposes of the compelling legitimate interests of the controller (which are not overridden by the interests of rights and freedoms of the data subject); and,
• the controller has assessed all the circumstances and/or the basis of such provided suitable safeguards.

If a transfer is to take place under paragraph 9, the controller must inform the IC and the data subjects of the transfer as soon as practicable and confirm the compelling legitimate interest being pursued. In addition, the controller or processor must document the assessment and safeguards it is putting in place.

Paragraphs 2, 3, 4 and 9 of Schedule 10 do not apply to the activities carried out by public authorities in the exercise of their public powers.

Under regulation 69 of the Implementing Regulations, transfers can be undertaken subject to other appropriate safeguards, but these are subject to approval by the IC.

The safeguards specified in Article 46(2) of the Applied GDPR are as follows:

• legally binding and enforceable instrument between public authorities or bodies;
• adoption of the Commission’s standard data protection clauses (or those of an EU Supervisory Authority);
• an approved code of conduct or certification, together with binding and enforceable commitments to apply those safeguards, including the rights, is followed.

Note that binding corporate rules in accordance with Article 47 of the GDPR are not part of the Isle of Man law as the Isle of Man is not part of the EU.

The EU has approved standard contractual clauses for the transfer of personal data to data controllers and data processors in countries outside of the EEA which do not have an adequacy decision from the European Commission.

Data transfer agreements are sufficient to legitimise transfers, however, the transfer must also meet the requirements of the Applied GDPR and the Implementing Regulations.

How is direct marketing regulated?

Article 21 of the Applied GDPR gives an individual the right to prevent their personal data being processed for direct marketing, irrespective of the medium being used to send the marketing materials.

The Unsolicited Communications Regulations 2005 (2005 Regulations), restrict the making of unsolicited marketing communications to individuals by telephone calls, fax messages, email communications and automated calling systems.

Under the 2005 Regulations, unsolicited electronic mail to an individual should only be sent with the recipient’s consent. There is however an exception where the sender has obtained the recipient’s details in the course of a sale (or negotiations for the sale) of a product or service the sender offered; the messages promote similar goods or services from the sender and the recipient is given a simple opportunity to opt-out of receiving such materials. Senders of electronic marketing messages must provide the recipient with the name of the organisation sending or authorising the materials and a valid contact address. It should be noted that different rules apply to marketing by telephone and facsimile.

Regulation 11 allows a person who suffers damage by reason of contravention of the 2005 Regulations to bring proceedings in the High Court in the Isle of Man for compensation. The Data Protection (Application of GDPR) (Amendment) Order 2019 granted the IC a range of investigatory and corrective powers against those breaching the 2005 Regulations in accordance with Articles 57 and 58 of the Applied GDPR.

Is the use of Internet cookies regulated?

The 2005 Regulations implement Article 13 of the Privacy and Electronic Communications Directive, 2002/58/EC of the European Parliament.  The 2002 Directive was amended in 2009 (as reflected by the United Kingdom’s Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) in particular with respect to cookies and similar technology. These amendments have not been made to the 2005 Regulations however, they are considered good practice and may be voluntarily adopted by organisations in the Isle of Man. As a matter of good practice, data controllers in the Isle of Man should provide users with clear and comprehensive information about the purposes for which data collected by cookies, or similar technologies, are stored and will be accessed, and should obtain the user’s consent to such processing.

What rules apply to the monitoring of employees in the workplace?

Article 88 of the Applied GDPR states that the Island may, by law or collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the context of employment. In particular, these rules may be provided for the purposes of:

• recruitment;
• performance of the employment contract (including discharge of obligations laid down by law or collective agreements);
• management, planning and organisation of work;
• equality and diversity in the workplace;
• health and safety at work;
• protection of an employer’s or customer’s property;
• exercise and enjoyment (on an individual basis) of rights and benefits related to employment; and
• termination of the employment relationship.

Such rules should include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, transfers of data within a group of undertakings or enterprises, and the use of monitoring systems in the workplace.

There are no specific restrictions on employee monitoring under the Applied GDPR, however the IC has issued guidance. Employers should carry out a Data Protection Impact Assessment and evaluate less intrusive approaches to achieving the monitoring objectives. Employers should explain the monitoring purposes and the personal information being collected.  Employee data may often include special category data, so additional considerations around how such processing might lawfully be effected are required.

The employer has an important obligation to appropriately inform employees about what information about them can be processed at work, how the information will be processed, why this is necessary, and what rights the employees have to protect their privacy. This can be achieved through communication of an internal privacy statement or privacy policy. This policy must be announced in a clear way and should be easily accessible to employees. For example, distributing the policy to each new employee and including it within the employee portal, so that it can be accessed and downloaded at any time. When the policy is updated, it is also important that employees are informed and materials updated accordingly.

The policy must include at least:

• whether and when employee monitoring is applied;
• the purposes of data processing and means used for processing;
• an overview of the data that is kept, along with the corresponding retention period;
• who has access to what data, and in what circumstances;
• how data is protected; and
• the rights of the employee.

Covert monitoring can rarely be justified, unless for example, there are real grounds for believing that criminal activity or equivalent malpractice is occurring and that telling people about the monitoring would prejudice the effective detection of such wrongdoing.

Can telephone calls be recorded?

As personal information may be collected during the call, the caller needs to be notified at the start that the conversation may be recorded.

Best practice is that the caller should have the opportunity to review the organisation’s privacy policy before the call proceeds. This can best be achieved by recording a copy of the privacy policy and directing the caller to listen to the policy before the call is connected.

What rules apply to the recording of CCTV footage?

To the extent that CCTV may capture personal information, its use will be regulated by the Applied GDPR.

To ensure that any personal information collected via CCTV is not excessive and does not go beyond the purpose for which it was collected, consideration will need to be given to the cameras’ location and recording angles.

Particular care should also be taken if CCTV is used as part of any employee monitoring process. Any monitoring should generally be disclosed to the employees in advance.

Under Article 5 of the Applied GDPR, appropriate technical and organisational measures must be taken by the data controller against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, the personal data. Where a third party is processing personal data on behalf of a data controller (i.e. a data processor), the data controller must ensure that it has a written contract with the data processor that includes contractual obligations to only process the relevant personal data on the instructions of the data controller and obliges the data processor to comply with obligations equivalent to those imposed on the data controller under Article 5.

Article 32 also requires that, in assessing the appropriate level of security, a controller or processor must not only take into account the risk to the individual posed by the intended processing, but also the risk posed by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data transmitted, stored or otherwise processed.

Who needs to be notified in the event of a data breach?

All personal data breaches must be recorded by data controllers, however, only breaches that pose any risk to the rights and freedoms of individuals must be reported to the IC. This must be done within 72 hours of becoming aware of the breach.

In addition, if there is a high risk to the rights and freedoms of individuals, the controller must notify the individuals concerned without undue delay. Data processors are also under an obligation to notify the data controller without undue delay if they become aware of a data breach.

Other regulators, such as financial services regulators, may require as part of their licence conditions that licence holders also report security breaches to them.