Welcome to the Gibraltar Regulatory Authority website

NEW BUSINESS REQUIREMENTS


What is registration with the Data Protection Commissioner all about?

For data controllers, registration is a simple process of setting out what kinds of personal information you process, for what purposes you keep it, to whom the information is disclosed, and related details. This information must then be submitted to the Data Protection Commissioner so that these practices can be made available for the public to see via the public register. It is your responsibility as the data controller to specify details about your own data protection practices

For data processors, registration is even simpler. You must notify the Data Protection Commissioner of your name, your address, and identify any countries outside of the State where you transfer personal data for processing.

We recommend that you register online as this will automatically generate the form necessary for you to sign and return to us. There is a small fee involved. Further information is given below.

Who Must Register?

Under Section 24 of the Data Protection Act 2004, all data controllers and data processors are under an obligation to register with the Data Protection Commissioner unless they fall into one of the categories outlined in s24(1) of the Act:

where [data controllers] carry out–

processing the sole purpose of which is the keeping, under any enactment, of a register that is intended to provide information to the public and is open to consultation either by the public in general or by any person demonstrating a legitimate interest;

processing of wholly manual data, other than such categories, if any, of such data as may be prescribed by regulation or Act; or

any combination of the foregoing categories of processing;

where the data controller is a body that is not established or conducted for profit and is carrying out processing only for the purposes of establishing or maintaining membership of or support for the body or providing or administering activities for individuals who are either members of the body or have regular contact with it;

What is the fee involved?

The fee for registration is a one-off payment of £20. The fee is the same for data processors. Payment should be made using a cheque (please avoid paying with cash if possible). Cheques etc. should be made payable to "Government General Account". Unfortunately, we are not yet in a position to accept electronic funds transfer or to accept payment by credit or debit card.

Do I need to renew my Registration?

No. The fee for registration is a one-off fee and will not have to be renewed. However, if the details contained in your register entry become out of date at any point you will need to apply to the Commissioner for the details to be amended. This is important because if you are engaging in data handling practices that are not in conformity with the details in your public register entry, you may be committing an offence.

To apply for an amendment to your public register details, you will need to access the on-line account created during the initial registration process if you applied online.

Can I process personal data while my application for registration is pending?

Yes. As stated above, if you are required to be registered, then, under section 24 of the Data Protection Act, it is an offence to keep personal data unless you are in fact registered. However, an exception is made in the case of data controllers whose application for registration is pending. Such data controllers may keep personal data and use it in ways consistent with the details set out in their application, while the application is being considered by the Commissioner.