• Our Cause
  • Places
  • Walks
  • Holiday & Hire
  • Events
  • Support
  • News
  • Contact
  • Our Cause
  • Places
  • Walks
  • Holiday & Hire
  • Events
  • Support
  • News
  • Contact

Data Protection Policy

The National Trust of Guernsey

1. Governance

Date: June 2026

The National Trust of Guernsey (“the NTG”) was founded in 1960 to preserve the Island’s natural beauty and historic buildings. In July 1967, Her Majesty the Queen ratified the National Trust of Guernsey (Incorporation) Law, 1967 (“the Law”), which gave the NTG legal authority to hold property in its own right and defined its broader purpose.

Section 3(1)(c) of the Law provided for the setting-up of a council (“the Council”) to act as the governing body of the NTG. Section 3(1) of the Law provides that the NTG may from time to time make all such rules as may be necessary or expedient with respect to the conduct and management of its affairs.

The content of this document is the joint responsibility of the Council, volunteers and employees of the National Trust of Guernsey, collectively the “Trust”, and must be reviewed at least annually.

2. Purpose

The Trust adopts this Policy in order to ensure its compliance with The Data Protection (Bailiwick of Guernsey) Law, 2017, the “DP Law”, aligned with the EU GDPR. This Policy is the Data Protection Policy of the Trust and is the mechanism by which it will provide the required information, being all personal data collected by the Trust.

3. Scope

The Data Protection Policy applies to the Council, employees, volunteers, contractors and members of the Trust who handle personal data.

4. Roles and Responsibilities

The Trust acts as a Controller under the DP Law. The Council and the Trust employees jointly oversee compliance with this Data Protection Policy and must adhere to this policy to the best of their abilities at all times.

5. Registration with the Office of the Data Protection Authority

The Trust is registered with the Office of the Data Protection Authority, the “ODPA”, under the number DPA5425.

6. Collection of Personal Data

All personal data must be processed according to the following principles:

  • Lawfulness, Fairness & Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity & Confidentiality
  • Accountability

In normal circumstances, the Trust will collect personal data relating, but not limited, to its members, tenants, employees, volunteers and contractors where necessary for the administration of the NTG and its properties.

The Trust processes personal data for the purposes of administering memberships, managing tenancy arrangements, communicating with members and tenants, collecting subscriptions and rental payments, complying with legal requirements and operating the NTG.

The lawful basis for processing is contractual necessity, legal obligation and/or pursuing the NTG’s legitimate interests.

7. Record of Processing Activities

The Trust will maintain a Record of Processing Activities, the “ROPA”, detailing:

  • Categories of personal data that the Trust processes and retains
  • The purpose for processing
  • Data retention periods
  • Any legal basis for processing
  • Data sharing information

The ROPA will be reviewed at least annually, at the same time as the Data Protection Policy.

8. Data Subject Rights

The Trust undertakes that upon a request from a data subject with respect to personal data held by the Trust in respect of that person, it will respond within one month of receipt thereof to the data subject or to the ODPA.

This will apply in connection with, but not limited to:

  • A request to access a member of the public’s personal data
  • A request for rectification from a data subject in respect of an error in the record of their personal data
  • The erasure of a member of the public’s personal data
  • The restriction of access to a member of the public’s personal data
  • An objection raised by a data subject in the sharing of their personal data
  • The portability of personal data

9. Transfer of Data

The Trust will only transfer personal data to either an authorised or an unauthorised jurisdiction as part of its legitimate activities, for example, in order to collect member subscriptions, or unless required to do so by law.

10. Retention of Data

All data is retained securely and used only for the purposes set out above.

Membership records normally will be retained for up to seven years after membership ceases. Tenancy records and CDD/KYC documentation normally will be retained for between five and seven years after the tenancy or business relationship ends, unless a longer retention period is required by law.

11. Links to Other Websites

This Policy does not cover any third-party websites reached in links from this website. All members of the public are advised to read the data collection statements on those other websites when visited.

12. Data Security Measures

The Trust undertakes that it has implemented technical and organisational measures such as:

  • Password protection of personal data files
  • Encryption of personal data files
  • Backups of personal data
  • Access controls
  • Confidentiality agreements where necessary

Access to tenant or employee identity documentation, financial information and CDD records is restricted to authorised individuals and stored securely using appropriate technical and organisational safeguards.

13. Data Breach Management

The Trust undertakes to assess any personal data breach and to report serious breaches to the ODPA within 72 hours where required by law.

Employees or members of the Council must report any serious data incident immediately to the Honorary Secretary or the President.

14. Third-Party Contracts

The Trust will ensure written contracts with data processors include confidentiality and data protection clauses.

15. Requirement to Appoint a Data Protection Officer

Because the Trust’s core activities do not involve the large-scale systematic monitoring of individuals, nor large-scale processing of “special category” personal data, and because it is not a public authority, it is not required to appoint a Data Protection Officer, or “DPO”.

However, the Trust’s point of contact for data protection matters is:

Martin Tolcher, Honorary Secretary
Email: [email protected]

16. Data Protection Impact Assessments

The Trust is required to conduct Data Protection Impact Assessments, or “DPIAs”, for high-risk processing activities such as:

  • CCTV usage
  • Processing sensitive data
  • Profiling

However, the Trust is not currently processing sensitive data and therefore is not required to conduct a DPIA, though will do so should it be necessary at any time.

17. Training and Awareness

All staff, volunteers and Council members handling personal data will receive appropriate data protection awareness and training proportionate to their role, particularly where handling tenant, identity or financial information.

Sign up to
our news

Sign up for occasional updates and no spam!

  • Our Cause
  • Places
  • Walks
  • Holiday & Hire
  • Events
  • Support
  • News
  • Contact
  • Privacy Policy
  • Data Protection Policy

Our Patrons
H.E. The Lieutenant-Governor
The Bailiff of Guernsey
Become a member

  • Facebook
  • Instagram
  • Twitter
  • Become a member
Contact us

emc@nationaltrust.gg
07781 106461

Registered Office: 26 Cornet Street
St. Peter Port
GY1 1LF
Contact Guernsey

© 2026 | The National Trust of Guernsey | All Rights Reserved

Potting Shed | DEXM