Transition Period FAQ

Along with the United Kingdom, Gibraltar has now left the EU, with the Brexit transition period having ended on 31st December 2020. The answers below respond to some of the questions organisations may have regarding the data protection regime in Gibraltar as a result of the end of the Brexit transition period.

For further information please contact our office at privacy@gra.gi

During the transition period, the EU General Data Protection Regulation 2016/679 (the “GDPR”) will continue to apply in Gibraltar. Organisations should continue to follow existing guidance on the GDPR, given that it remains in place in Gibraltar until the end of the transition period. However, organisations should monitor the Information Commissioner’s website for any developments in guidance during the remainder of the transition period.

No, during the transition period you do not need to appoint a representative in the European Economic Area (“EEA”). The EEA consists of EU member states plus Norway, Liechtenstein and Iceland. However, organisations may need to appoint a representative from the end of the transition period if they are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA. For more information, read section 3.1 of our guidance note on ‘Getting ready for a no-deal Brexit’.

The GDPR is an EU Regulation and, in principle, it will no longer apply to Gibraltar from the end of the transition period. However, if an organisation operates inside Gibraltar, they would need to comply with Gibraltar’s data protection laws. In this regard, Gibraltar intends to maintain the GDPR’s high standards and transpose the GDPR into Gibraltar’s data protection law from the end of the transition period, so in practice there will be little change to the core data protection principles, rights and obligations currently found in the GDPR.

The GDPR itself may also still apply directly to organisations if they operate in Europe, e.g. by offering goods or services to individuals in Europe, or monitoring the behaviour of individuals in Europe. It will also still apply to any organisations in Europe who send data to organisations in Gibraltar, so organisations in Gibraltar may need to help their EU counterparts decide how to transfer personal data to Gibraltar in line with the GDPR. The Gibraltar Regulatory Authority, acting as Information Commissioner, will not be the regulator for any European-specific activities caught by the GDPR after the transition, but will continue to work closely with European supervisory authorities.

The Data Protection Act 2004 (the “DPA”), which currently supplements and tailors the GDPR within Gibraltar, will continue to apply. As stated, the provisions of the GDPR will be incorporated directly into Gibraltar law from the end of the transition period. In essence, a “Gibraltar GDPR” will be implemented.

The Information Commissioner will remain the independent supervisory body regarding Gibraltar’s data protection legislation after the transition period.

During the transition period the Information Commissioner will continue to regulate the GDPR, as well as engage in the co-operation and consistency mechanisms under the GDPR where relevant, if cases involve cross border processing within the EU. For further information on these mechanisms, please refer to our guidance note ‘Lead Supervisory Authority.’

The Information Commissioner will continue to work towards maintaining close working relationships with EEA supervisory authorities once the transition period ends. Close working relationships with non-EEA supervisory authorities will also be maintained and developed.

Yes. Gibraltar’s data protection law, after the transition period, will essentially be aligned with the GDPR, so organisations should continue to use the Information Commissioner’s existing guidance. Following the approach in our guidance will help organisations comply now and after the end of the transitional period.

The Information Commissioner will continue to keep guidance under review and update it where necessary.

Transfers of data from Gibraltar to the EEA or the UK will not be restricted. However, from the end of the transition period, unless the EU Commission makes an adequacy decision in favour of Gibraltar under Article 45 of the GDPR (please see below), the GDPR’s rules on international transfers under Articles 46-49 of the GDPR will apply to any data coming from the EEA into Gibraltar. Organisations will therefore need to consider what safeguards found in the GDPR can be put in place to ensure that data can continue to flow into Gibraltar after the transition period.

For more information, read our guidance on ‘International Transfers’ as well as ‘Getting ready for a no-deal Brexit’.

The data protection regime set out in Part III of the DPA will still apply to competent authorities processing personal data for law enforcement purposes. These rules derive from an EU directive but are now set out in Gibraltar law and will continue to apply after the end of the transition period (with some minor technical changes to reflect our status outside the EU).

For more information, read our guidance on ‘Data Protection and Brexit for law enforcement processing.’

The GDPR primarily applies to data controllers and data processors in the EEA. Once the transition period ends, Gibraltar will become a “third country”. Third countries are states that fall outside of the jurisdiction of the GDPR. The GDPR restricts transfers of personal data to third countries, unless personal data is protected in another way or an exception applies.

The EU Commission has the power to determine whether a third country has an adequate level of data protection. The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguards being necessary under the GDPR.

Adequacy decisions from the EU Commission under both the GDPR and Law Enforcement Directive are being sought, which, if secured by the end of the transition period, will allow for the free flow of personal data to Gibraltar from the EU to continue uninterrupted. We will update our guidance to reflect any developments in this area. In the meantime, there are steps that organisations can take to ensure that personal data can continue to flow after the transition period ends. These are primarily found under Articles 46 to 49 of the GDPR. For more information, read our guidance on ‘International Transfers’ as well as ‘Getting ready for a no-deal Brexit’.

A list of jurisdictions found “adequate” by the EU Commission is available here.

The UK’s Information Commissioner’s Office confirms that “the UK government will allow transfers to Gibraltar to continue” here.

No. Adequacy relates to requirements that aim to ensure that personal data transferred outside the EEA by controllers/processors remains adequately protected. Requirements relating to the representative aim to facilitate the engagement of data subjects and EEA Supervisory Authorities with the controller or processor represented. Examples of said engagement are a data subject contacting the representative to exercise their data protection rights and/or an EEA Supervisory Authority contacting the representative in accordance with regulatory action to ensure compliance with the GDPR.

Article 27(1) of the GDPR refers to “the controller or the processor” as having to designate a representative in the EU. Therefore, a representative is required for each controller or processor. A multinational consisting of a group of companies with several companies targeting the EU is likely to need a representative for each EU-facing company if they are separate controllers or processors.

The Guidelines 3/2018 on the territorial scope of the GDPR published by the European Data Protection Board (“EDPB”) state that the EDPB “does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union. Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers or processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [his or her] tasks”. Recital 97 adds that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”. Such requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union.”

The UK’s data protection regime will require Gibraltar controllers and processors to appoint a UK representative, and vice versa (see Article 27 of the UK’s GDPR Keeling schedule here). Gibraltar’s data protection regime will likely be the same as or largely similar to the UK’s.

Yes. The current rules cover marketing and electronic communications. They derive from EU law but are set out in Gibraltar law. They will continue to apply at the end of the transition period. The EU is replacing the current e-privacy law with a new e-privacy Regulation. This has not yet been agreed. However, we will continue to monitor developments in this area and shall advise and engage with HM Government of Gibraltar in accordance with a policy of alignment with EU Law and/or maintaining and developing high data protection standards.

Organisations should be aware that Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data in the event that Gibraltar has not been granted a full adequacy decision by the end of the transition period.

Legacy data comprises personal data of individuals outside the UK (including Gibraltar), whether in the EEA or not, which is processed in the UK (including Gibraltar), where:

- it was acquired before the end of the transition period and processed under EU data protection law; or

- it is processed on the basis of the Withdrawal Agreement after the end of the transition period, for example if personal data is processed under a provision of EU law that applies in the UK (including Gibraltar) by virtue of the Withdrawal Agreement.

At the end of the transition period, EU data protection law will be converted into Gibraltar domestic law. Therefore, Gibraltar and EU data protection law will be aligned at the end of the transition period. Organisations are therefore unlikely to need to do anything significant, in practice, to accommodate the Withdrawal Agreement’s requirements. It is nevertheless important to be aware of the Withdrawal Agreement’s requirements, and the resulting applicability of EU Law to legacy personal data, if Gibraltar is not granted a full adequacy decision.