Data Protection in Gibraltar

Transfer in Gibraltar

Transfers from Gibraltar

Transfers of personal data by a controller or a processor to third countries outside of Gibraltar are only permitted where the conditions laid down in Chapter V of the Gibraltar GDPR are met (Article 44).

Article45(1) allows transfers of personal data to:

  • third countries on the basis of UK adequacy regulations made  under  UK GDPR and Part 2 of the UK Data Protection Act 2018; and
  • to the United Kingdom.

Currently, the following countries or territories enjoy UK adequacy decisions (these have all essentially been ‘rolled over’, on a temporary basis, from the EU GDPR with some additions): Andorra, Argentina, Canada and Japan (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay, South Korea and New Zealand. Also included are transfers to the USA, if covered under the UK extension to the EU-US Data Privacy Framework.

The UK is also currently treating all EU and EEA Member States as adequate jurisdictions.  Therefore transfers to any of the above  jurisdictions from Gibraltar will not require any additional safeguards Gibraltar GDPR.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes, amongst others, binding corporate rules and the use of standard contractual clauses with additional safeguards to guarantee an essentially equivalent level of protection to data subject’s and their personal data.

Section 128A of the DPA04 allows Gibraltar’s Information Commissioner to publish standard data protection clauses which comply with Article 46 requirements. To date, a bespoke International Data Transfer Agreement (“IDTA”) has been published for data exports from Gibraltar in addition to an International Data Transfer Addendum  (“Addendum”). Both the IDTA and Addendum can be used. Whereas the IDTA is a full-form standalone agreement, the Addendum is to be used along-side the EU Standard Contractual Clauses for use in the context of the Gibraltar GDPR.

Article 49 of the UK GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

  • explicit informed consent has been obtained;
  • the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between
  • the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
  • the transfer is made from a register which according to domestic law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to Gibraltar’s Information Commissioner and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside Gibraltar t(Article 48) are only recognised or enforceable (within Gibraltar) where they are based on an international agreement which applies to Gibraltar such as a mutual legal assistance treaty in force between the requesting third country and Gibraltar ; a transfer in response to such requests where there is no other legal basis for transfer will infringe the Gibraltar GDPR.

Transfers from the UK to Gibraltar

Gibraltar and the UK enjoy the free flow of personal data without the need for any additional safeguards.

ibraltar is now a third country for the purposes of Chapter V of the EU GDPR. Unlike the UK, Gibraltar does not currently benefit from an EU adequacy decision. It is expected that Gibraltar will obtain EU adequacy with the conclusion of the UK-EU treaty on Gibraltar. Until then, alternative EU GDPR Chapter V safeguards are required to transfer personal data from the EU to Gibraltar.

Continue reading

  • no results

Previous topic
Back to top