Guernsey DPL

Data Protection (Bailiwick of Guernsey) Law 2017

Key Facts

Effective Date: May 25, 2018
Enacted: January 1, 2017
Enforcing Authority: Office of the Data Protection Authority (ODPA)
Consent Model: Opt-in
Applies To: Organizations processing personal data in Guernsey

Overview

Guernsey's Data Protection Law 2017 provides a full GDPR-equivalent regime for this UK Crown Dependency. Guernsey has held EU adequacy since 2003 — one of the longest-standing adequacy decisions globally — with UK adequacy also granted.

What This Means for Your Website

  • GDPR-equivalent consent requirements apply for Guernsey visitors
  • Full data subject rights are provided
  • GDPR-equivalent penalty tiers apply
  • The ODPA provides independent oversight and enforcement

Key Requirements

The ODPA enforces the DPL with GDPR-equivalent penalty tiers. Guernsey's EU adequacy (since 2003) and UK adequacy facilitate smooth data transfers. The law provides comprehensive GDPR-aligned data protection requirements.

How ConsentStack Handles This

ConsentStack applies GDPR-compliant consent for Guernsey visitors, meeting all DPL requirements.

Penalties

GDPR-equivalent tiers.

Revenue-based: 4% of annual revenue

Key Requirements

  • GDPR-equivalent consent and processing rules
  • Full data subject rights
  • Independent ODPA enforcement

Notable Provisions

  • EU adequacy since 2003, one of the longest-standing globally
  • UK adequacy also granted
  • Full GDPR-equivalent regime

Other European Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.

PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.

ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.

Loi Informatique et Libertés (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" or "Continue without accepting" button must appear on the first layer.

UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.

TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

How long has Guernsey had EU adequacy?

Since 2003 — one of the longest-standing EU adequacy decisions globally. UK adequacy is also granted.

Does Guernsey follow GDPR?

Yes. Guernsey's DPL provides a full GDPR-equivalent data protection regime with GDPR-equivalent penalty tiers.

Who enforces data protection in Guernsey?

The ODPA (Office of the Data Protection Authority) provides independent enforcement.
