Opening Times

The offices of the Gibraltar Regulatory Authority are open Monday to Friday, from 9:00 to 17:00.


Our public counter is open. At first instance, for all queries, please contact our offices by e-mailing or call us on 200 74636. If you are unable to speak to our front desk staff, please leave a voicemail message. These are checked very regularly, and a member of our team will get back to you as soon as possible.

We accept requests for licence applications and renewals by e-mail, together with any necessary licence variations, if applicable. Payment for these may be effected, preferably, by bank transfer. If this is not possible, card payment via the telephone will also be accepted. Please contact our offices on and a member of our team will direct you to the correct application form on our website. If a paper copy is required, this may also be arranged by calling us on 200 74636. Licences will be scanned and sent by e-mail together with a copy of the receipt. The originals can either be posted or can be held for collection at a prearranged date and time.

Welcome to the Gibraltar Regulatory Authority website


Along with the UK, Gibraltar has left the EU, with a transition period in place until the end of 2020. This below intends to respond to some of the most pressing questions that the Information Commissioner anticipates organisations may have regarding the data protection regime in Gibraltar as a result of the end of the transition period.

What happens during the transition period?

During the transition period, the EU General Data Protection Regulation 2016/679 (the “GDPR”), will continue to apply in Gibraltar. Organisations should continue to follow existing guidance on the GDPR, given that it still remains in place in Gibraltar until the end of the transition period. However, organisations should monitor the Information Commissioner’s website for any developments in guidance during the remainder of the transition period.

Do organisations need a European representative during the transition period?

No, during the transition period you do not need to appoint a representative in the European Economic Area (“EEA”). The EEA consists of EU member states plus Norway, Liechtenstein and Iceland. However, organisations may need to appoint a representative from the end of the transition period if they are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA. For more information, read section 3.1 of our guidance note on ‘Getting ready for a no-deal Brexit’.

Will the GDPR still apply when we leave the EU?

The GDPR is an EU Regulation and, in principle, it will no longer apply to Gibraltar from the end of the transition period. However, if an organisation operates inside Gibraltar, they would need to comply with Gibraltar’s data protection laws. In this regard, Gibraltar intends to maintain the GDPR’s high standards and transpose the GDPR into Gibraltar’s data protection law from the end of the transition period, so in practice there will be little change to the core data protection principles, rights and obligations currently found in the GDPR.

The GDPR itself may also still apply directly to organisations if they operate in Europe e.g. offering goods or services to individuals in Europe, or monitoring the behaviour of individuals in Europe. It will also still apply to any organisations in Europe who send data to organisations in Gibraltar, so organisations in Gibraltar may need to help their EU counterparts decide how to transfer personal data to Gibraltar in line with the GDPR. The Gibraltar Regulatory Authority, acting as Information Commissioner, will not be the regulator for any European-specific activities caught by the GDPR after the transition, but will continue to work closely with European supervisory authorities.

What will Gibraltar’s data protection law be?

The Data Protection Act 2004 (the “DPA”), which currently supplements and tailors the GDPR within Gibraltar, will continue to apply. As stated, the provisions of the GDPR will be incorporated directly into Gibraltar law from the end of the transition period. In essence, a “Gibraltar GDPR” will be implemented.

What role will the Information Commissioner have?

The Information Commissioner will remain the independent supervisory body regarding Gibraltar’s data protection legislation after the transition period.

During the transition period the Information Commissioner will continue to regulate the GDPR, as well as engage in the co-operation and consistency mechanisms under the GDPR where relevant, if cases involve cross border processing within the EU. For further information on these mechanisms, please refer to our guidance note ‘Lead Supervisory Authority.’

The Information Commissioner will continue to work towards maintaining close working relationships with EEA supervisory authorities once the transition period ends. Close working relationships with non-EEA supervisory authorities will also be maintained and developed.

Is the GDPR guidance still relevant?

Yes. Gibraltar’s data protection law, after the transition period, will essentially be aligned with the GDPR, so organisations should continue to use the Information Commissioner’s existing guidance. Following the approach in our guidance will help organisations comply now and after the end of the transitional period.

The Information Commissioner will continue to keep guidance under review and update it where necessary.

Can organisations still transfer data to and from Europe if we leave without a deal?

Transfers of data from Gibraltar to the EEA or the UK will not be restricted. However, from the end of the transition period, unless the EU Commission makes an adequacy decision in favour of Gibraltar under Article 45 of the GDPR (please see below), the GDPR’s rules on international transfers under Articles 46-49 of the GDPR, will apply to any data coming from the EEA into Gibraltar. Organisations will therefore need to consider what safeguards found in the GDPR can be put in place to ensure that data can continue to flow into Gibraltar after the transition period.

For more information, read our guidance on ‘International Transfers’ as well as ‘Getting ready for a no-deal Brexit’.

What about law enforcement processing?

The data protection regime set out in Part III of the DPA will still apply to competent authorities processing personal data for law enforcement purposes. These rules derive from an EU directive but are now set out in Gibraltar law and will continue to apply after the end of the transition period (with some minor technical changes to reflect our status outside the EU).

For more information, read our guidance on ‘Data Protection and Brexit for law enforcement processing.’

What does Adequacy mean?

The GDPR primarily applies to data controllers and data processors in the EEA. Once the transition period ends, Gibraltar will become a “third country”. Third countries are states that fall outside of the jurisdiction of the GDPR. The GDPR restricts transfers of personal data to third countries, unless personal data is protected in another way or an exception applies.

The EU Commission has the power to determine whether a third country has an adequate level of data protection. The effect of an adequacy decision is that personal data can be sent from an EEA state to a third country without any further safeguards being necessary under the GDPR.

Adequacy decisions from the EU Commission under both the GDPR and Law Enforcement Directive are being sought, which, if secured by the end of the transition period, will allow for the free flow of personal data to Gibraltar from the EU to continue uninterrupted. We will update our guidance to reflect any developments in this area. In the meantime, there are steps that organisations can take to ensure that personal data can continue to flow after the transition period ends. These are primarily found under Article 46 to 49 of the GDPR. For more information, read our guidance on ‘International Transfers’ as well as ‘Getting ready for a no-deal Brexit’.

Adequacy – what jurisdictions have been found to be “adequate” by the EU Commission?

A list of jurisdictions found “adequate” by the EU Commission is available at

Will transfers of personal data from the UK to Gibraltar be allowed without restrictions?

The UK’s Information Commissioner’s Office confirms that “the UK government will allow transfers to Gibraltar to continue” at

Does adequacy dispense with the need to have a representative?

No. Adequacy relates to requirements that aim to ensure that personal data transferred outside the EEA by controllers/processors remains adequately protected. Requirements relating to the representative aim to facilitate the engagement of data subjects and EEA Supervisory Authorities with the controller or processor represented. Examples of said engagement are a data subject contacting the representative to exercise their data protection rights and/or an EEA Supervisory Authority contacting the representative in accordance with regulatory action to ensure compliance with the GDPR.

Legal representative - do multinationals need one for each of its companies (where they have several companies to serve the EU market)?

Article 27(1) of the GDPR refers to “the controller or the processor” as having to designate a representative in the EU. Therefore, a representative is required for each controller or processor. A multinational consisting of a group of companies with several companies targeting the EU are likely to need a representative for each EU facing company if they are separate controllers or processors.

Legal representative - can a Data Protection Officer act as the legal representative?

The Guidelines 3/2018 on the territorial scope of the GDPR published by the European Data Protection Board (“EDPB”) state that the EDPB “does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union. Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers or processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [his or her] tasks”. Recital 97 adds that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”. Such requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union.

Legal representative - will Gibraltar controllers need a UK representative if they operate but don’t have an establishment in the UK (and vice versa)?

The UK’s data protection regime will require Gibraltar controllers and processors to appoint a UK representative – and vice versa (see Article 27 of the UK’s GDPR Keeling schedule here. Gibraltar’s data protection regime will likely be the same or largely similar to the UK). 

Do the Communications (Personal Data and Privacy) Regulations 2006 (the “Privacy Regs”) still apply?

Yes. The current rules cover marketing and electronic communications. They derive from EU law but are set out in Gibraltar law. They will continue to apply at the end of the transition period. The EU is replacing the current e-privacy law with a new e-privacy Regulation. This has not yet been agreed. However, we will continue to monitor developments in this area and shall advise and engage with HM Government on Gibraltar in accordance with a policy of alignment with EU Law and/or maintaining and developing high data protection standards.

What is Legacy Data?

Organisations should be aware that Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data in the event that Gibraltar has not been granted a full adequacy decision by the end of the transition period.

Legacy data comprises personal data of individuals outside the UK (including Gibraltar), whether in the EEA or not, which is processed in the UK (including Gibraltar), where:

- it was acquired before the end of the transition period and processed under EU data protection law; or

- it is processed on the basis of the Withdrawal Agreement after the end of the transitionperiod, for example if personal data is processed under a provision of EU law that applies in the UK (including Gibraltar) by virtue of the Withdrawal Agreement.

At the end of the transition period, EU data protection law will be converted into Gibraltar domestic law. Therefore, Gibraltar and EU data protection law will be aligned at the end of the transition period. Organisations are therefore unlikely to need to do anything significant, in practice, to accommodate the Withdrawal Agreement’s requirements. It is nevertheless important to be aware of the Withdrawal Agreement’s requirements, and resulting applicability of EU Law to legacy personal data, if Gibraltar is not granted with a full adequacy decision.

For further information, please contact the Gibraltar Regulatory Authority on +350 200 74636 or email: