Welcome to the Gibraltar Regulatory Authority website


Data Protection Register

With the Data Protection Act 2004 (the "Act") having now been in force for almost 2 years, the Data Protection Commissioner is to become stricter in enforcing the requirement for data controllers to register on the Data Protection Register.

The Commissioner is required under the Act to maintain a register of data controllers who process personal data about individuals. Whilst much of the effort to enforce the registration requirement has been to ensure that the public sector is fully registered, the Commissioner is now putting procedures in place to ensure the private sector follows. It is likely that many of the businesses in Gibraltar will receive a letter from the Commissioner's Office advising them that they should consider whether they are required to be on the Register.

The Register is a public record of organisations which, by virtue of their function, have the need to keep personal data about individuals. Obvious examples are public sector offices such as the Income Tax Office as well as health institutions such as the GHA. However, under the provisions of the Act, organisations which maintain records about employees (such as contact details, financial details, medical and health information, etc.) are required to be on the Register too. This means that all private companies and organisations (except certain non-profit making ones) which keep records about their employees will need to appear on the Register in order to be fully compliant with the Act. Additionally, if personal data about other individuals are processed by the organisation (for example, personal data about customers), this fact must be included in their Register entry. It is important to note that by registering, data controllers are simply stating that they process personal data - no personal data held by the data controller is to be disclosed during the registration process.

Application for entry into the Register carries a one-off £20 fee. There are no additional charges unless changes are made to the Register entry in the future. The Commissioner recommends registration is carried out online via www.gra.gi. Finally, data controllers should note that in order to be fully compliant with the Act, they must register with the Data Protection Commissioner.