Data Protection in Gibraltar

Enforcement in Gibraltar

Fines

The Gibraltar GDPR empowers the Information Commissioner to impose fines of up to 4% of annual worldwide turnover, or £17.5 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to £17.5 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

  • the basic principles for processing including conditions for consent;
  • data subjects’ rights;
  • international transfer restrictions;
  • any obligations imposed by Member State law for special cases such as processing employee data; and
  • certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

  • obligations of controllers and processors, including security and data breach notification obligations;
  • obligations of certification bodies; and
  • obligations of a monitoring body.

The Information Commissioner is not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

The Information Commissioner also enjoys wide investigative and corrective powers (Article 58), including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The Gibraltar GDPR makes specific provision for individuals to bring private claims against controllers and processors:

  • any person who has suffered "material or non-material damage" as a result of a breach of the Gibraltar GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
  • data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with the Information Commissioner (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The DPA04 sets out the specific enforcement powers provided to the Information Commissioner (the Gibraltar Regulatory Authority, or GRA) pursuant to Article 58 of the GDPR, including:

  • information notices – requiring the controller or processor to provide the GRA with information;
  • assessment notices – permitting the GRA to carry out an assessment of compliance;
  • enforcement notices – requiring the controller or processor to take, or refrain from taking, certain steps; and
  • penalty notices – administrative fines.

The Information Commissioner has the power to conduct a consensual audit of a controller or a processor, to assess whether that organisation is complying with good practice in respect of its processing of personal data.

Under Schedule 15 of the DPA04 the Information Commissioner also has powers of entry and inspection. These will be exercised pursuant to judicial warrant and will allow the Information Commissioner to enter premises and seize materials.

The DPA04 creates two new criminal offences in Gibraltar law: the re-identification of de-identified personal data without the consent of the controller and the alteration of personal data to prevent disclosure following a subject access request under Article 15 of the GDPR. The DPA04 retains existing Gibraltar criminal law offences, e.g. offence of unlawfully obtaining personal data.

The DPA04 requires the Information Commissioner to issue guidance on its approach to enforcement, including guidance about the circumstances in which it would consider it appropriate to issue a penalty notice, i.e. an administrative fine.

The DPA04 also allows the Information Commissioner to publish statutory codes of practice on direct marketing and data sharing.
