Data Protection Policy
The National Trust of Guernsey
1. Governance
Date: June 2026
The National Trust of Guernsey (“the NTG”) was founded in 1960 to preserve the Island’s natural beauty and historic buildings. In July 1967, Her Majesty the Queen ratified the National Trust of Guernsey (Incorporation) Law, 1967 (“the Law”), which gave the NTG legal authority to hold property in its own right and defined its broader purpose.
Section 3(1)(c) of the Law provided for the setting-up of a council (“the Council”) to act as the governing body of the NTG. Section 3(1) of the Law provides that the NTG may from time to time make all such rules as may be necessary or expedient with respect to the conduct and management of its affairs.
The content of this document is the joint responsibility of the Council, volunteers and employees of the National Trust of Guernsey, collectively the “Trust”, and must be reviewed at least annually.
2. Purpose
The Trust adopts this Policy in order to ensure its compliance with The Data Protection (Bailiwick of Guernsey) Law, 2017, the “DP Law”, aligned with the EU GDPR. This Policy is the Data Protection Policy of the Trust and is the mechanism by which it will provide the required information, being all personal data collected by the Trust.
3. Scope
The Data Protection Policy applies to the Council, employees, volunteers, contractors and members of the Trust who handle personal data.
4. Roles and Responsibilities
The Trust acts as a Controller under the DP Law. The Council and the Trust employees jointly oversee compliance with this Data Protection Policy and must adhere to this policy to the best of their abilities at all times.
5. Registration with the Office of the Data Protection Authority
The Trust is registered with the Office of the Data Protection Authority, the “ODPA”, under the number DPA5425.
6. Collection of Personal Data
All personal data must be processed according to the following principles:
- Lawfulness, Fairness & Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity & Confidentiality
- Accountability
In normal circumstances, the Trust will collect personal data relating, but not limited, to its members, tenants, employees, volunteers and contractors where necessary for the administration of the NTG and its properties.
The Trust processes personal data for the purposes of administering memberships, managing tenancy arrangements, communicating with members and tenants, collecting subscriptions and rental payments, complying with legal requirements and operating the NTG.
The lawful basis for processing is contractual necessity, legal obligation and/or pursuing the NTG’s legitimate interests.
7. Record of Processing Activities
The Trust will maintain a Record of Processing Activities, the “ROPA”, detailing:
- Categories of personal data that the Trust processes and retains
- The purpose for processing
- Data retention periods
- Any legal basis for processing
- Data sharing information
The ROPA will be reviewed at least annually, at the same time as the Data Protection Policy.
8. Data Subject Rights
The Trust undertakes that upon a request from a data subject with respect to personal data held by the Trust in respect of that person, it will respond within one month of receipt thereof to the data subject or to the ODPA.
This will apply in connection with, but not limited to:
- A request to access a member of the public’s personal data
- A request for rectification from a data subject in respect of an error in the record of their personal data
- The erasure of a member of the public’s personal data
- The restriction of access to a member of the public’s personal data
- An objection raised by a data subject to the sharing of their personal data
- The portability of personal data
9. Transfer of Data
The Trust will only transfer personal data to either an authorised or an unauthorised jurisdiction as part of its legitimate activities, for example, in order to collect member subscriptions, or where required to do so by law.
10. Retention of Data
All data is retained securely and used only for the purposes set out above.
Membership records normally will be retained for up to seven years after membership ceases. Tenancy records and CDD/KYC documentation normally will be retained for between five and seven years after the tenancy or business relationship ends, unless a longer retention period is required by law.
11. Links to Other Websites
This Policy does not cover any third-party websites reached via links from this website. All members of the public are advised to read the data collection statements on those other websites when visited.
12. Data Security Measures
The Trust undertakes that it has implemented technical and organisational measures such as:
- Password protection of personal data files
- Encryption of personal data files
- Backups of personal data
- Access controls
- Confidentiality agreements where necessary
Access to tenant or employee identity documentation, financial information and CDD records is restricted to authorised individuals and stored securely using appropriate technical and organisational safeguards.
13. Data Breach Management
The Trust undertakes to assess any personal data breach and to report serious breaches to the ODPA within 72 hours where required by law.
Employees or members of the Council must report any serious data incident immediately to the Honorary Secretary or the President.
14. Third-Party Contracts
The Trust will ensure written contracts with data processors include confidentiality and data protection clauses.
15. Requirement to Appoint a Data Protection Officer
Because the Trust’s core activities do not involve the large-scale systematic monitoring of individuals, nor large-scale processing of “special category” personal data, and because it is not a public authority, it is not required to appoint a Data Protection Officer, or “DPO”.
However, the Trust’s point of contact for data protection matters is:
Martin Tolcher, Honorary Secretary
Email: [email protected]
16. Data Protection Impact Assessments
The Trust is required to conduct Data Protection Impact Assessments, or “DPIAs”, for high-risk processing activities such as:
- CCTV usage
- Processing sensitive data
- Profiling
However, the Trust is not currently processing sensitive data and therefore is not required to conduct a DPIA, though it will do so should it be necessary at any time.
17. Training and Awareness
All staff, volunteers and Council members handling personal data will receive appropriate data protection awareness and training proportionate to their role, particularly where handling tenant, identity or financial information.