Privacy Statement

Purpose of this notice

This privacy statement tells you about the information we collect from you when you use our website (www.gcra.gg (the “Site”)), and when you provide us with personal data in relation to our functions in economic regulation and administration and enforcement of competition law. In collecting this information, we are acting as a data controller and, by law, we are required to provide you with information about us, about why and how we use your data, and about the rights you have over your data.

This privacy statement describes how we will process stakeholder data. We have a separate privacy policy that covers prospective, current and former employees.

Who are we?

We are the Guernsey Competition and Regulatory Authority. Our address is Suite 4, 1st Floor, La Plaiderie Chambers, La Plaiderie, St Peter Port, Guernsey, GY1 1WG.

You can contact us by post at the above address, by email at info@gcra.gg or by telephone on 01481 711120.

Our Data Protection Officer is Sarah Livestro, and she can be contacted at the above addresses or phone numbers.

The GCRA carries out statutory functions of economic regulation and competition law enforcement. We process data for a ‘regulatory purpose’ under The Data Protection (Law Enforcement and Related Matters) (Bailiwick of Guernsey) Ordinance, 2018. We deal with confidential information in the normal course of our activities and the protection of this information is important to us.

Personal data is often included incidentally, but there are only limited contexts in which we use such information to make decisions or take actions directly related to individuals rather than businesses. These include, but are not limited to, involvement in complaints, certain licensing matters relating to owners and controllers, and other provisions of regulatory and competition law which relate to individuals and their actions. Your rights to access the data held by us and determine how it is used may be different from other situations as a result of its use in the context of these functions and/or because we are the sort of organisation we are.

The principles we follow in processing your data

The GCRA is committed to complying with the following core Data Protection Principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability


Personal data we obtain from you

We may obtain your personal data, for example, when:

  • You use our website
  • You submit a request for alerts on our website
  • You use our website to enter Third party websites
  • You contact us by any means with an enquiry, complaint or information relevant to our functions
  • We carry out a consultation
  • We are recruiting


We usually collect this data directly from you but we may also obtain it from third parties.

Further information about this data gathering process is outlined below.

When you use our website

When you view information on our Site, we use cookies to allow the Site to function, to collect useful information and to help to make your user experience better. You can refuse to accept these cookies, but this may mean that some parts of the Site will not function properly.

We may collect non-personal identification information about users whenever they interact with our Site. Non-personal identification information may include the browser name, the type of computer and technical information about users’ means of connection to our Site, such as the operating system and the internet service providers utilised and other similar information.

For more information about our use of cookies, please see our cookie policy.

When you submit a request for alerts on our website

Our Site gives you the opportunity to subscribe for alerts when content is changed. The only information about you that we collect is your email address and the types of email you have asked to be sent. By requesting update emails from us, you consent to us using your email address for that purpose.  You may withdraw this consent at any time by clicking the ‘unsubscribe’ link in any email you have received. We will not use your email address for any other purpose than to send these emails, which are automatically generated. Your email address is stored and processed in Ireland and backups are held in Germany.

Third party websites

The information accessible from the site may be derived from a variety of sources, so despite our best efforts there may be inaccuracies. Links and references to other web-sites, organisations or people outside of the GCRA are provided for convenience only and should not be taken as an endorsement by the GCRA. Users may find content on our Site that links to the sites and services of others. We do not control the content or links that appear on these third party sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to or from our Site, is subject to that website's own terms and policies.

When you contact us by any means with an enquiry, complaint or information relevant to our functions

When you contact us, we will record information about you in order to be able to deal with your enquiry, your complaint, or the information you provide.

We use this information in connection with exercising our duties and functions. Your personal data will not be used in connection with matters other than those related to the matter in relation to which it was originally provided. If we need to communicate with you in order to deal with the matter, we will do so, but we will not communicate with you for unrelated purposes.

When you provide us with information about yourself in relation to one of our functions, such as when you request a licence, we use the personal information in the exercise of the relevant function and any functions associated with them on which that information may have a bearing.

It is important that the information we hold about you is accurate. If you have provided us with information in the past and it changes, please ensure that you provide us with the new information.

Please note that our legal duties and functions may require information to be passed to other parties, such as or law enforcement bodies.

In some circumstances we may anonymise or pseudonymise the personal data so that it can no longer be associated with a data subject. Where we do this, we may use it without further notice to you.

If you refuse to provide us with certain information when requested, we may not be able to progress a matter further.

Consultation Process

We may collect and use personal data contained in responses to consultations that we publish. 

During our recruitment process

We may collect and use personal data during the recruitment process and for purposes related to employment. We have a separate privacy statement for employees.

Special Category Data

In some cases, we may also collect and use special category personal information such as biographical details, offences, criminal proceedings, outcomes and sentences, and licences or permits held. Such information will be used only for the purpose of carrying out our functions. We endeavour to ensure that all special category data is processed in a way that minimises the risk of a data breach.

Collection of personal information from sources other than the individual

There are circumstances where we may seek to obtain information about individuals from other sources than those individuals in order to exercise our functions appropriately. Such information will only be used for the purposes for which it was collected.

Automated Processing

We do not use automated means to process personal data.

Protection of information

We consider the security of all the information we hold as of paramount importance, and this includes any personal information we hold. We adopt appropriate collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of all information we hold, including personal information.

Sharing of information with other parties

We will share your personal data with third parties where we are required by law, where it is necessary to administer the relationship between us or where we have another legitimate interest in doing so.

The following activities are carried out by third party service providers:

  • IT software and operational support providers
  • Professional advisory and consultancy services
  • Payroll software and operational support providers
  • Finance and accounting support
  • PR and Communications services
  • Company Secretarial Services
  • Human Resources support providers


We require all third party service providers that we engage to have appropriate security measures to protect your personal data. We only permit our third party service providers to process your personal data for specified purposes and in accordance with our instructions.

We do not transfer your data to any third party outside an authorised jurisdiction or the European Economic Area.

Retention of personal information

We will only retain your personal data for as long as we require it to meet the purposes it was collected for. We consider the following when setting our retention periods:

  • The legitimate interests of the GCRA;
  • The statutory or legal obligations of the GCRA;
  • The reasons the GCRA collected the personal data;
  • The lawful basis the GCRA based its processing on;
  • The categories of personal data the GCRA holds;
  • The volume of personal data held; and
  • Consideration of whether the GCRA’s processing needs could be fulfilled by other means.


Your rights as a data subject

Under certain circumstances, by law you have the right to:

  • Request access to your personal data. This enables you to receive details of the personal data we hold about you and to check that we are processing it lawfully.
  • Request correction of the personal data that we hold about you.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this basis. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to you or another data controller if the processing is based on consent, carried out by automated means and this is technically feasible.


Please note (as stated above) that your rights as a data subject may differ from those you have in relation to a commercial entity, as a result of our status.

A Data Subject Access Request Form to allow you to make requests related to your rights as a data subject is provided in the publications page of our Site. To submit a request regarding your personal data by email, post or telephone, please use the contact information provided above in the "Who are we?" section of this privacy statement.

By law, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate or out of date. Where the information is out of date, we may need to maintain a record of the old information as well.

We will need to verify your identity before we provide you with information about the data we hold on you.

We will not charge you a fee to access your personal data or to exercise your rights under relevant legislation. We do, however, reserve the right to charge a reasonable fee if we believe your request is excessive, or alternatively we may refuse to fulfil your request in such circumstances.

You may withdraw your consent for the use of your email address at any time by clicking the ‘unsubscribe’ link in emails sent to you, and your email address will be removed.

Right to withdraw consent

In circumstances where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose (for example, in relation to website alerts that you have indicated you would like to receive from us), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please email our Data Protection Officer at info@gcra.gg.

Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so under Data Protection Legislation.

Your right to complain

If you have a complaint about our use of your information, we would prefer you to contact us directly in the first instance so that we can address your complaint. However, you can also contact the Office of the Data Protection Authority in Guernsey by email at enquiries@odpa.gg or you can write to them at:

Office of the Data Protection Authority
St Martin’s House
Le Bordage
St. Peter Port
Guernsey, GY1 1BR

Updates to this privacy statement

the GCRA regularly reviews and, if appropriate, updates this privacy statement. We have the discretion to update it at any time. When we do, we will revise the updated date at the bottom of this page. You are encouraged to check this page for any changes to stay informed about how we are helping to protect the personal information we collect. It is your responsibility to review this privacy policy periodically and become aware of modifications.

We will update this document each time it is changed.

This document was last updated 18 June 2020