Opening Times

The offices of the Gibraltar Regulatory Authority are open from 9:00am to 5:00pm Monday to Friday


Further to the policy of HM Government of Gibraltar to increase social distancing and slow the spread of COVID-19, our offices are closed to the public until further notice. We are working remotely and we will endeavour to assist you in as much as we are able to do so in the circumstances. Please email any enquiries to or call us on 200 74636, leave a voicemail message and a member of our team will get back to you.

We accept requests for licence applications and renewals by email, together with any necessary licence variations if applicable. Payment for these may be effected by bank transfer only. Licences will then be scanned and sent by e-mail together with a copy of the receipt. The originals will be held for collection at a later date when restrictions are lifted, or posted if required. For any queries regarding the renewal of your licence please send an e-mail to

Welcome to the Gibraltar Regulatory Authority website


What is my right?

Individuals have a right to obtain, from a data controller, a copy of the personal data relating to them which is either held on computer, in a relevant manual filing system or which forms part of an accessible record.

Which law permits this?

The Data Protection Act 2004 gives individuals the right to obtain a copy of their personal data.

Section 14 of the Act defines:

the personal data which can be released,

the personal data which may be withheld,

the time scales for complying with a request,

the fees permitted for the provision of this data, and

the penalties which can be imposed for failure to comply with a request.

How can I access my personal data?

There is a process by which you can request copies of the personal data a data controller holds about you.

The common term used for this process is a 'Subject Access Request' (SAR).

Does it cost anything?

The data controller may charge up to 10 to provide the personal data you have requested. If you request access to health records a fee of up to 20 may be charged.

How do I make a Subject Access Request?

It is easy to make a SAR. All you need to do is write to the data controller and request it. It is strongly recommended that you keep a copy of the letter and send the request by recorded delivery.

If you wish to obtain the personal data held about you by a data controller you must:

send a request in writing to the data controller, and

enclose the appropriate fee.

In order for the request to be dealt with as quickly as possible you should provide the data controller with as much information as possible regarding the type of data you wish to see. For example, if you have an account number or customer reference this should be provided or if you only require specific personal data between two dates this should also be made clear.

Can the organisation ask for more details?


This can be

to enable the data controller to reasonably satisfy itself as to the identity of the person making the request, or

to request further details to assist it to locate the personal data you require.

If requests for further identifying details or other information are made, you must provide these before the SAR can progress.

How long should it take?

Once the data controller has received the fee and all other details requested, it has a maximum of 28 calendar days to respond to your request.

What will I get back?

The data controller must reply to your request.

If they do not process any of your personal data they must advise you of the fact.

If they do process your personal data you are entitled to ask for and receive, a copy of it.

You can also request a description of

the purposes for which this personal data is being processed

the recipients, or classes of recipients, to which the personal data may be disclosed

Will I understand what I receive?

All details must be communicated to you in an intelligible form, with any coding or technical terms explained.

It must also be in a permanent form unless otherwise agreed, especially in the case where it would involve disproportionate effort on the part of the data controller to produce in a permanent form. If you and the data controller agree, the personal data may be supplied verbally.

You are also entitled to be informed of the logic involved in taking a decision if that decision has been made by automatic means, such as credit scoring or for job applications, unless it constitutes a trade secret.

Are there any exceptions to the right of access?

Yes, the exemptions from disclosure are specified within the Data Protection Act as follows:

Where the data controller is the Crown acting in its executive capacity it is not obliged to disclose any personal data if the refusal to disclose is necessary in the interests of:

public security;

the prevention, investigation, detection and prosecution of criminal offences or breaches of ethics for regulated professions;

an important economic or financial interest of Gibraltar or of the European Union including monetary, budgetary and taxation matters;

a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (i), (ii) and (iii); or

the protection of the data subject or of the rights and freedoms of others.

Can I make more than one SAR to an organisation?

If you have previously made a similar or identical SAR, the data controller has the right to refuse to comply with the new request unless a reasonable interval has elapsed. This will depend upon the type of data, the purpose for which it is held and the frequency with which it changes or is amended.

Why have some of the details I received been blacked out?

There are often occasions when supplying you with your personal data will also involve releasing the identity of a third party. The data controller must be extremely careful when this occurs and is not obliged to comply with the request unless

The other individual has consented to them releasing their personal data

It is reasonable in all the circumstances to comply without the consent of the third party.

If they do release personal data containing third party details, they may be blacked out in some way to prevent releasing the identity of the third party.

I haven't received a response. What happens now?

If you have not received a response by the end of the 28 day period, then the data controller will have committed a breach of the Data Protection Act.

You may complain to the Office of the Data Protection Commissioner to undertake an assessment to determine if the data controller has complied with your request. This will normally elicit a rapid response from the organisation without you resorting to legal action.

For further guidance please contact the Data Protection Commissioner