Welcome to the Gibraltar Regulatory Authority website


The Data Protection Act

The Data Protection Act took effect on the 1st June and with it new rights were granted to individuals regarding how their personal data are collected and used by both private and public sector bodies.

People processing personal data (known as data controllers or data processors) are obliged to obey new rules governing how they collect and use data. Including these are the requirements to register with the Data Protection Commissioner. Registration on-line is now available at the GRA's website http://www.gra.gi.

Registration requirements

Most organisations (except those whose data processing is of a wholly manual data) are required to register with the Data Protection Commissioner setting out what kinds of personal information they process, for what purposes they keep it, to whom the information is disclosed, and related details.

It is recommended that registration is carried out online as this will automatically generate the form necessary for you to sign and return to the Data Protection Commissioner. There is a small one-off fee involved along with an on-going responsibility to maintain your registration updated. Although the Data Protection Commissioner is accepting manual registrations you are strongly advised to register on-line as from next week when on-line registration will be available.

What is registration with the Data Protection Commissioner all about?

For data controllers, registration is a simple process of setting out what kinds of personal information you process, for what purposes you keep it, to whom the information is disclosed, and related details. This information must then be submitted to the Data Protection Commissioner so that these practices can be made available for the public to see via the Data Protection Register. It is your responsibility as the data controller to specify details about your own data protection practices

For data processors, registration is even simpler. You must notify the Data Protection Commissioner of your name, your address, and identify any countries outside of the State where you transfer personal data for processing.

We recommend that you register online as this will automatically generate the form necessary for you to sign and return to us. There is a small fee involved. Further information is given below.

Who Must Register?

Under Section 24 of the Data Protection Act 2004, all data controllers and data processors are under an obligation to register with the Data Protection Commissioner unless they fall into one of the categories outlined in s24(1) of the Act:

where [data controllers] carry out

processing the sole purpose of which is the keeping, under any enactment, of a register that is intended to provide information to the public and is open to consultation either by the public in general or by any person demonstrating a legitimate interest;

processing of wholly manual data, other than such categories, if any, of such data as may be prescribed by regulation or Act; or

any combination of the foregoing categories of processing;

where the data controller is a body that is not established or conducted for profit and is carrying out processing only for the purposes of establishing or maintaining membership of or support for the body or providing or administering activities for individuals who are either members of the body or have regular contact with it;

What is the fee involved?

The fee for registration is a one-off payment of £20. The fee is the same for data processors. Payment should be made using a cheque (please avoid paying with cash if possible). Cheques etc. should be made payable to "Government General Account". Unfortunately, we are not yet in a position to accept electronic funds transfer or to accept payment by credit or debit card.

Do I need to renew my Registration annually?

No. The fee for registration is a one-off fee and will not have to be renewed annually. However, if the details contained in your register entry become out of date at any point you will need to apply to the Commissioner for the details to be amended. This is important because if you are engaging in data handling practices that are not in conformity with the details in your public register entry, you may be committing an offence.

To apply for an amendment to your public register details, you will need to access the on-line account created during the initial registration process if you applied online.

Can I process personal data while my application for registration is pending?

Yes. As stated above, if you are required to be registered, then, under section 24 of the Data Protection Act, it is an offence to keep personal data unless you are in fact registered. However, an exception is made in the case of data controllers whose application for registration is pending. Such data controllers may keep personal data and use it in ways consistent with the details set out in their application, while the application is being considered by the Commissioner.

Further information please contact the GRA.