In Jersey, processing personal data without JOIC registration is a criminal offence, as is not paying the fee.  

Under the Data Protection Authority (Jersey) Law 2018 (DPAJL), the following two offences must be noted.

• Registration with the Jersey Office of the Information Commissioner (JOIC) is required under the Data Protection Authority (Jersey) Law 2018 (DPAJL)
• Failure to pay the required registration fee (referred to as an "annual charge" in the legislation) is explicitly a criminal offence under Article 18(4) of the DPAJL.

 Under the DPAJL:-

• Controllers and processors in Jersey handling personal data must register with the JOIC and pay annual fees (£70–£1,600 based on size).
• Non-compliance, including failure to register or pay fees, is a criminal offence and may result in fines of up to £10,000, imprisonment for up to 12 months, removal from the register, and civil debt recovery.
• The JOIC may also impose administrative fines up to £10 million or 10% of global turnover for related breaches and has pursued legal actions against non-payers as of July 2025.
• Additional risks include reputational harm, public statements, and data subject claims.

Key consequences include:

• Criminal Penalties: Fines and/or imprisonment for processing data without registration.
• Fee Non-Payment: Debt recovery via courts and potential de-registration.
• Enforcement: Police investigations, prosecutions, and JOIC sanctions.

Key facts

1. Criminal Offence for Failure to Register

• Processing personal data without registration is a criminal offence under Article 17(1) of the DPAJL.
• Investigations are typically handled by the States of Jersey Police with JOIC assistance, and HM Attorney General brings prosecutions.

2. Penalties

• Fines: Offenders are liable to a fine up to level 5 on the Jersey standard penalty scale, currently £10,000.
• Imprisonment: Up to 12 months, or both fine and imprisonment, depending on the offence's severity under general provisions in Article 75 of the Data Protection (Jersey) Law 2018 (DPJL).
• Administrative Fines: In addition to criminal penalties, the JOIC may impose administrative fines for related breaches, up to £10 million or 10% of global annual turnover (whichever is higher), though these are for broader contraventions and must be proportionate.
• Removal from Register: For non-payment of fees or providing false information, the JOIC can remove the entity from the register, making continued processing illegal.

3. Enforcement Actions for Non-Payment of Fees

• Overdue fees are initially addressed through discussions and reminders.
• If unresolved, fees are recovered as a civil debt via the Jersey Petty Debts Court or Royal Court.
• The JOIC has initiated formal legal proceedings and debt recovery against non-compliant organisations, as announced in July 2025.

4. Additional Risks

• Public Statements: The JOIC may publish details of sanctions or issue public statements for serious breaches in the public interest.
• Broader Implications: Non-compliance can lead to data subject complaints, compensation claims, and reputational damage.

Recommendations

• Organisations should verify their registration status via the JOIC website and ensure timely payment of fees.
• For assistance, contact JOIC at enquiries@jerseyoic.org or +44 (0)1534 716530.

Part 2 Briefing Note: How to Register with the Jersey Office of the Information Commissioner (JOIC)

Purpose

• This briefing outlines the process for first-time registration on the JOIC register (initial registration as a data controller or processor under Jersey's data protection laws), including who must register, exemptions, fees, and step-by-step instructions.
• It also addresses the provided note on removal from the register for context. Information is based on official JOIC guidance and related sources.

Background

• Registration with the JOIC is required under the Data Protection Authority (Jersey) Law 2018 (DPAJL) for controllers and processors established in Jersey that process personal data.
• Failure to register is a criminal offence.
• The register is public (showing name, registration number, expiry/status, and business names), and registrations expire annually on December 31, requiring renewal by the end of February.

Who Must Register

• All data controllers (who determine the purposes and mean of processing personal data) and processors (who process data on behalf of controllers) established in Jersey must register if they handle personal data, unless exempted.
• "Established in Jersey" includes individuals’ resident in Jersey, Jersey-incorporated bodies, partnerships under Jersey law, those with an office/branch/agency in Jersey for processing, or those with stable processing arrangements in Jersey.

REGISTER AND PAY

• Failure to pay the required registration fee (referred to as an "annual charge" in the legislation) is explicitly a criminal offence under Article 18(4) of the DPAJL.
• This applies to registered controllers and processors who do not pay the charge in accordance with the Data Protection (Registration and Charges) (Jersey) Regulations 2018.
• The offence is punishable by a fine, as offences under the DPAJL are generally liable to fines.
• However, the JOIC's enforcement approach for non-payment typically begins with discussions and reminders to the controller or processor.
• If unresolved, outstanding fees are recovered as a civil debt through the Jersey Petty Debts Court or Royal Court, rather than immediate criminal prosecution.
• Persistent non-payment can also lead to
• Removal from the register under Regulation 7 of the Regulations,
• After which, continued processing of personal data without registration becomes a separate criminal offence under Article 17(6) of the DPAJL

Exemptions from Registration

Registration is not required if:

• The data is not personal (e.g., not relating to identifiable individuals, including pseudonymized data).
• Processing is by a natural person for purely personal/domestic purposes.
• Processing is solely for national security under Article 41 of the Data Protection (Jersey) Law 2018 (DPJL).

Exemptions from fees (but not registration) apply to public authorities, election candidates, provided schools, dissolved organisations retaining records as required by law, and non-profit organisations.

Fees

Fees are based on the Data Protection (Registration and Charges) (Jersey) Regulations 2018 and depend on full-time equivalent (FTE) employees, past-year revenue, JFSC registration status for financial services, processing of special category data, and additional charges for trust/fund services.

Fees are due 1 month after the new registration submission or by the end of February for renewals. Pay online or request an invoice.

Step-by-Step Process for Initial Registration

Registration is completed online via the JOIC portal. Follow these steps:

1. Determine if Registration is Required: Review if you are a controller/processor established in Jersey processing personal data (see above sections).
2. Create a User Account: Visit https://jerseyoic.org/register-renew. If new, click "Log in" under Manage Registration(s), then create a Kinde account using your email. This pre-populates some fields.
3. Access the Registration Portal: Log in with your new account to start the registration form.
4. Complete the Application: Provide details about your organisation (e.g., name, address, contacts, Data Protection Officer if applicable, nature of processing, FTE count, revenue, JFSC status, etc.).
5. Submit and Receive Confirmation: Upon submission, receive a registration number and security code immediately. Please keep these on file for future updates/renewals. The entry becomes searchable on the public Registry shortly after.
6. Pay the Fee: Pay online at submission or request an invoice (sent to billing contact)—fee due within one month.
7. Download Certificate: Log in to the portal to download your registration certificate.
8. Update as Needed: Notify JOIC of changes within 28 days via the portal (free). Failure to update is a criminal offence.

For assistance, contact JOIC at enquiries@jerseyoic.org or +44 (0)1534 716530.

Note on Removal from the Register

• As noted, the JOIC can remove an entity from the register for non-payment of fees or for providing false information.
• After that, continued processing of personal data becomes illegal (a criminal offence).
• Non-payment triggers reminders, a warning letter, and, if unresolved, removal.

Recommendations

Verify eligibility and register promptly online. If uncertain, use JOIC's resources or contact them directly.

SOURCES PART 1

• Registration Guidance: https://jerseyoic.org/guidance/data-protection/registration   
• Register/Renew Portal: https://jerseyoic.org/register-renew
• Jersey Business Guide: https://www.jerseybusiness.je/operations/technology-data-protection/data-protection-registration
• JOIC Homepage: https://jerseyoic.org/
• 6-Steps PDF: https://www.jerseybusiness.je/wp-content/uploads/2019/12/Data-Protection-JOIC-Registration-6-Steps.pdf

SOURCES PART 1

• JOIC Regulatory Action & Enforcement Policy: https://jerseyoic.org/media/pdfs/general/regulatory-action-and-enforcement-policy.pdf
• JOIC News on Legal Action for Failure to Pay: https://jerseyoic.org/news/JOIC%20to%20pursue%20legal%20action%20for%20failure%20to%20pay%20registration%20fee
• Data Protection Authority (Jersey) Law 2018: https://www.jerseylaw.je/laws/current/l_4_2018
• Data Protection (Jersey) Law 2018: https://natlex.ilo.org/dyn/natlex2/natlex2/files/download/109887/GBR109887.pdf
• Data Protection (Registration and Charges) (Jersey) Regulations 2018: https://www.jerseylaw.je/laws/current/ro_32_2018
• JOIC Facebook Post on Registration: https://www.facebook.com/JerseyOIC/posts/if-you-havent-yet-completed-your-joic-registration-or-registration-renewal-for-2/1477081257760059
• Data Guidance News: https://www.dataguidance.com/news/jersey-joic-pursue-legal-action-failure-pay
• BBC News Article: https://www.bbc.com/news/articles/c36xzdr7ypeo