Opening Times

The offices of the Gibraltar Regulatory Authority are open from 9:00am to 5:00pm Monday to Friday


Further to the policy of HM Government of Gibraltar to increase social distancing and slow the spread of COVID-19, attendance at our offices and public counters is possible by prior appointment only. Although we aim to carry out all our regulatory duties electronically, we do understand that this may not be possible for everyone. In such cases, an appointment will be arranged. Please note that a face mask is compulsory when attending our public counter.

In the first instance, please contact our offices by e-mailing or call us on 200 74636 and leave a voicemail message if you are unable to get through and speak to our front desk staff. Voicemail messages are checked very regularly, and a member of our team will get back to you as soon as possible.

We accept requests for licence applications and renewals by e-mail, together with any necessary licence variations if applicable. Payment for these may be effected, preferably, by bank transfer. If this is not possible, card payment via the telephone will also be accepted. Please contact our offices on and a member of our team will direct you to the correct application form on our website. If a paper copy is required, this may also be arranged by calling us on 200 74636. Licences will be scanned and sent by e-mail together with a copy of the receipt. The originals can either be posted or can be held for collection at a prearranged date and time.

Please note that a face mask is compulsory when attending our public counter.

Welcome to the Gibraltar Regulatory Authority website


Along with the UK, Gibraltar has left the EU, with a transition period in place until the end of 2020. This below intends to respond to some of the most pressing questions that the Information Commissioner anticipates organisations may have regarding the data protection regime in Gibraltar as a result of the end of the transition period.

What happens during the transition period?

During the transition period, the EU General Data Protection Regulation 2016/679 (the “GDPR”), will continue to apply in Gibraltar. Organisations should continue to follow existing guidance on the GDPR, given that it still remains in place in Gibraltar until the end of the transition period. However, organisations should monitor the Information Commissioner’s website for any developments in guidance during the remainder of the transition period.

Do organisations need a European representative during the transition period?

No, during the transition period you do not need to appoint a representative in the European Economic Area (“EEA”). The EEA consists of EU member states plus Norway, Liechtenstein and Iceland. However, organisations may need to appoint a representative from the end of the transition period if they are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA. For more information, read section 3.1 of our guidance note on ‘Getting ready for a no-deal Brexit’.

Will the GDPR still apply when we leave the EU?

The GDPR is an EU Regulation and, in principle, it will no longer apply to Gibraltar from the end of the transition period. However, if an organisation operates inside Gibraltar, they would need to comply with Gibraltar’s data protection laws. In this regard, Gibraltar intends to maintain the GDPR’s high standards and transpose the GDPR into Gibraltar’s data protection law from the end of the transition period, so in practice there will be little change to the core data protection principles, rights and obligations currently found in the GDPR.

The GDPR itself may also still apply directly to organisations if they operate in Europe e.g. offering goods or services to individuals in Europe, or monitoring the behaviour of individuals in Europe. It will also still apply to any organisations in Europe who send data to organisations in Gibraltar, so organisations in Gibraltar may need to help their EU counterparts decide how to transfer personal data to Gibraltar in line with the GDPR. The Gibraltar Regulatory Authority, acting as Information Commissioner, will not be the regulator for any European-specific activities caught by the GDPR after the transition, but will continue to work closely with European supervisory authorities.

What will Gibraltar’s data protection law be?

The Data Protection Act 2004 (the “DPA”), which currently supplements and tailors the GDPR within Gibraltar, will continue to apply. As stated, the provisions of the GDPR will be incorporated directly into Gibraltar law from the end of the transition period. In essence, a “Gibraltar GDPR” will be implemented.

What role will the Information Commissioner have?

The Information Commissioner will remain the independent supervisory body regarding Gibraltar’s data protection legislation after the transition period.

During the transition period the Information Commissioner will continue to regulate the GDPR, as well as engage in the co-operation and consistency mechanisms under the GDPR where relevant, if cases involve cross border processing within the EU. For further information on these mechanisms, please refer to our guidance note ‘Lead Supervisory Authority.’

The Information Commissioner will continue to work towards maintaining close working relationships with EEA supervisory authorities once the transition period ends. Close working relationships with non-EEA supervisory authorities will also be maintained and developed.

Is the GDPR guidance still relevant?

Yes. Gibraltar’s data protection law, after the transition period, will essentially be aligned with the GDPR, so organisations should continue to use the Information Commissioner’s existing guidance. Following the approach in our guidance will help organisations comply now and after the end of the transitional period.

The Information Commissioner will continue to keep guidance under review and update it where necessary.

Can organisations still transfer data to and from Europe if we leave without a deal?

Transfers of data from Gibraltar to the EEA or the UK will not be restricted. However, from the end of the transition period, unless the EU Commission makes an adequacy decision in favour of Gibraltar under Article 45 of the GDPR (please see below), the GDPR’s rules on international transfers under Articles 46-49 of the GDPR, will apply to any data coming from the EEA into Gibraltar. Organisations will therefore need to consider what safeguards found in the GDPR can be put in place to ensure that data can continue to flow into Gibraltar after the transition period.

For more information, read our guidance on ‘International Transfers’ as well as ‘Getting ready for a no-deal Brexit’.

What about law enforcement processing?

The data protection regime set out in Part III of the DPA will still apply to competent authorities processing personal data for law enforcement purposes. These rules derive from an EU directive but are now set out in Gibraltar law and will continue to apply after the end of the transition period (with some minor technical changes to reflect our status outside the EU).

For more information, read our guidance on ‘Data Protection and Brexit for law enforcement processing.’

What does Adequacy mean?

The GDPR primarily applies to data controllers and data processors in the EEA. Once the transition period ends, Gibraltar will become a “third country”. Third countries are states that fall outside of the jurisdiction of the GDPR. The GDPR restricts transfers of personal data to third countries, unless personal data is protected in another way or an exception applies.

The EU Commission has the power to determine whether a third country has an adequate level of data protection. The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguards being necessary under the GDPR.

Adequacy decisions from the EU Commission under both the GDPR and Law Enforcement Directive are being sought, which, if secured by the end of the transition period, will allow for the free flow of personal data to Gibraltar from the EU to continue uninterrupted. We will update our guidance to reflect any developments in this area. In the meantime, there are steps that organisations can take to ensure that personal data can continue to flow after the transition period ends. These are primarily found under Article 46 to 49 of the GDPR. For more information, read our guidance on ‘International Transfers’ as well as ‘Getting ready for a no-deal Brexit’.

Do the Communications (Personal Data and Privacy) Regulations 2006 (the “Privacy Regs”) still apply?

Yes. The current rules cover marketing and electronic communications. They derive from EU law but are set out in Gibraltar law. They will continue to apply at the end of the transition period. The EU is replacing the current e-privacy law with a new e-privacy Regulation. This has not yet been agreed. However, we will continue to monitor developments in this area and shall advise and engage with HM Government on Gibraltar in accordance with a policy of alignment with EU Law and/or maintaining and developing high data protection standards.

For further information, please contact the Gibraltar Regulatory Authority on +350 200 74636 or