Opening Times

The offices of the Gibraltar Regulatory Authority are open from 9:00am to 5:00pm Monday to Friday

COVID-19 MEASURES

OFFICES & PUBLIC COUNTERS
Further to the policy of HM Government of Gibraltar to increase social distancing and slow the spread of COVID-19, attendance at our offices and public counters is possible by prior appointment only. Although we aim to carry out all our regulatory duties electronically, we do understand that this may not be possible for everyone. In such cases, an appointment will be arranged. Please note that a face mask is compulsory when attending our public counter.

Please contact our offices by e-mailing info@gra.gi or call us on 200 74636. If you are unable to speak to our front desk staff, please leave a voicemail message. These are checked very regularly, and a member of our team will get back to you as soon as possible.

LICENCES
We accept requests for licence applications and renewals by e-mail, together with any necessary licence variations, if applicable. Payment for these may be effected, preferably, by bank transfer. If this is not possible, card payment via the telephone will also be accepted. Please contact our offices on licensing@gra.gi and a member of our team will direct you to the correct application form on our website. If a paper copy is required, this may also be arranged by calling us on 200 74636. Licences will be scanned and sent by e-mail together with a copy of the receipt. The originals can either be posted or can be held for collection at a prearranged date and time.

Please note that a face mask is compulsory when attending our public counter.

Welcome to the Gibraltar Regulatory Authority website

DATA PROTECTION COMPLAINTS

Gibraltar’s Information Commissioner has statutory functions in law, for which he must carry out certain tasks under the Data Protection Act 2004 (the “DPA”), the EU General Data Protection Regulation 2016/679 (“GDPR”) and/or other relevant data protection legislation. Amongst said tasks, the Information Commissioner is required to investigate complaints lodged or otherwise conduct investigations on the application of the GDPR and DPA.

Complaint form

Please use this form if you wish to submit a complaint to the Gibraltar Regulatory Authority, as the Information Commissioner.

Complaint procedure

An investigation is any process which sees the Information Commissioner conducting an investigation, either as the result of a complaint or as a result of information obtained, which raises compliance concerns in relation to the DPA, the GDPR, the Communications (Personal Data and Privacy) Regulations 2006 (the “Privacy Regs”) and/or other relevant data protection legislation.

1 General / Miscellaneous

  • (a) Each step must be satisfied before moving on to the next step i.e. Step One must be satisfied in order to progress to Step Two. This means that, at times, a step may need to be repeated. For example, a complainant should complete a complaint form and this request should be satisfied (and reiterated where necessary) before moving to the subsequent step in the process.
  • (b) Where considered necessary and appropriate by the Information Commissioner, an investigation may deviate from this procedure.
  • (c) This procedure includes specific timeframes for actions to be carried out. However, some cases may require extended timeframes for relevant tasks to be carried out due to the circumstances of the case, for example the case’s complexity or the number of parties involved. Further, an increase in the number of investigations conducted by the Information Commissioner or other workload may also affect timeframes. The timeframes are therefore flexible, and may vary depending on the case, however the Information Commissioner will aim to operate in accordance with the timescales referred to in this document.
  • (d) Enforcement action will be conducted in accordance with the Guidance on the Information Commissioner’s Regulatory Action.

2 STEP ONE. Data protection concern raised

The investigation procedure is triggered when a data protection concern is raised. This may be as a result of -

  • (a) a complaint;
  • (b) a referral from another data protection authority; or
  • (c) a concern identified by the Information Commissioner (for example when information is obtained, from a source other than a complaint or referral, which raises data protection compliance concerns).

In regard to complaints –

  • (b) when a complaint form is received, the Information Commissioner will aim to acknowledge receipt within 5 working days.

In regard to investigations initiated as a result of a referral from another data protection authority –

  • (a) Step Two will be skipped. The case will proceed to Step Three.

3 STEP TWO. Confirm attempts to raise the complaint with individual responsible or organisation

In the case of a complaint, the Information Commissioner’s complaint form asks complainants to provide copies of any correspondence (e.g. emails or letters) and/or other documentation that is relevant to the complaint. If such documentation is not available the Information Commissioner will ask the complainant to, in the first instance, engage with the individual responsible or organisation in writing and try to resolve the issue . If so, the Information Commissioner will aim to make this request within 10 working days from the receipt of the complaint form.

4 STEP THREE. Refer to individual responsible or organisation

When a complaint is referred to the Information Commissioner from another data protection authority or where the complainant has already engaged with the individual responsible or organisation but has been unable to resolve the matter, the Information Commissioner will intervene and engage with the individual responsible or organisation. In such cases, the individual responsible or organisation will be encouraged, and given an opportunity, to resolve the matter with the complainant.

This step will be undertaken within 10 working days from the receipt of information showing that the complainant has engaged with the individual responsible or organisation in writing to try and resolve the data protection concern (note: this may be 10 working days from the receipt of the complaint form i.e. Step One, where this information is included alongside the complaint form).

If the parties are unable to resolve the matter, the case will progress to the next step.

5 STEP FOUR. Case review

The Information Commissioner regulates data protection in the public interest and in a proportionate manner. A proportionate and balanced approach to regulation will ensure that resources are utilised as effectively as possible.

Complaints are investigated to the extent appropriate as per section 170 of the DPA. This means that the Information Commissioner may not progress all cases for further investigation. The Information Commissioner may at times determine that further investigation is not required e.g. where it is deemed that appropriate corrective action has been taken and further investigation and/or enforcement is not considered necessary. A person may nevertheless apply to the Magistrates’ Court to make an order to progress a complaint.

This step focuses on a review of all the documentation obtained to determine whether to progress the case further or not.

Step Four shall be completed within 15 working days from the receipt of information that completes Step Three.

6 STEP FIVE. Full investigation and information requests

Where a determination to progress a case is made, the Information Commissioner will consider whether further information is necessary. If so, the Information Commissioner will consider whether the use of an Information Notice is necessary or not, depending on the circumstances of the case.

When no further information is considered necessary, the case may proceed to step six i.e. a Proposed Determination. Requests for information i.e. Step Five, will be repeated until the information considered necessary has been obtained.

There may be cases where a party to an investigation has not provided all the information requested. However, a case may still be able to progress on to a Proposed Determination on the information available, taking into account that the accountability principle places the onus and the “burden of proof” on the data controller or processor to demonstrate compliance and that failure to do so may be a data protection breach.

Requests for information under Step Five shall be completed within 20 working days from the completion of Step Four.

7 STEP SIX. Proposed Determination

A Proposed Determination is a preliminary ruling that outlines the facts and understanding of the case and conclusions. The Proposed Determination is issued to the parties of the investigation for their consideration and final comments before the Information Commissioner issues his final Decision on the case. The Information Commissioner will ask the parties to the investigation to consider his Proposed Determination and revert with any further information or comments within 15 working days.

The Proposed Determination shall be issued within 20 working days from the completion of Step Five.

8 STEP SEVEN. Decision

Following the consideration of any responses to the Proposed Determination, the Information Commissioner will issue his final decision on the case.

Where appropriate, the decision will include any enforcement action that the Information Commissioner considers appropriate.

The Decision shall be issued within 20 working days from the deadline given to the parties of the investigation for the submission of further information or comments in response to the Proposed Determination.

Downloads