Data Protection in Gibraltar

Data protection laws in Gibraltar

Following the UK’s exit from the European Union, Gibraltar ceased to be a territory within the European Union as of midnight 31st December 2020. As a consequence, the Gibraltar Government transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into Gibraltar national law (thereby creating the “Gibraltar GDPR”). In so doing, Gibraltar made  number of technical changes to the GDPR to account for its status as a national law of Gibraltar. The Gibraltar GDPR replaces EU terminology with domestic equivalents (e.g. references to “Member State law” become references to “Gibraltar law” and references to “a third country” to “a country or territory outside of Gibraltar”. These changes were made under Gibraltar’s Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU) Exit Regulations 2019.

All material GDPR obligations on controllers and processors remain the same under the Gibraltar GDPR.

Additionally, Gibraltar’s Data Protection Act 2004 (“DPA04) remains in place as a national data protection law, and supplements the Gibraltar GDPR. It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example substantial public interest bases for the processing of special category data, and context-specific exemptions form parts of the GDPR such as subject rights).

In addition:

  • Part III of the DPA04 transposes the Law Enforcement Directive ((EU) 2016/680) into Gibraltar law, creating a data protection regime specifically for law enforcement personal data processing: and
  • Parts V and VI set out the scope of the Information Commissioner's mandate and his enforcement powers, and creates a number of criminal offences relating to personal data processing.

Territorial Scope

Primarily, the application of the Gibraltar GDPR turns on whether an organization is established in GibraltarAn 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in Gibraltar.

However, the Gibraltar GDPR also has extra-territorial effect. An organization that it is not established within Gibraltar will still be subject to the Gibraltar GDPR if it processes personal data of data subjects who are in Gibraltar where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in Gibraltar or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within Gibraltar.

Continue reading

  • no results

Back to top