Opening Times

The offices of the Gibraltar Regulatory Authority are open Monday to Friday, from 9:00 to 17:00.


Our public counter is open. At first instance, for all queries, please contact our offices by e-mailing or call us on 200 74636. If you are unable to speak to our front desk staff, please leave a voicemail message. These are checked very regularly, and a member of our team will get back to you as soon as possible.

We accept requests for licence applications and renewals by e-mail, together with any necessary licence variations, if applicable. Payment for these may be effected, preferably, by bank transfer. If this is not possible, card payment via the telephone will also be accepted. Please contact our offices on and a member of our team will direct you to the correct application form on our website. If a paper copy is required, this may also be arranged by calling us on 200 74636. Licences will be scanned and sent by e-mail together with a copy of the receipt. The originals can either be posted or can be held for collection at a prearranged date and time.

Welcome to the Gibraltar Regulatory Authority website

GDPR Guidance (3) Data Protection Officer

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

This is the third of a series of Guidance Notes that the Gibraltar Regulatory Authority (“GRA”), as the Data Protection Commissioner, will issue in the run up to the 25th May 2018.

This Guidance Note provides general advice on the GDPR’s requirement for organisations to appoint a Data Protection Officer (“DPO”).

Under the GDPR, it will be mandatory for some data controllers and data processors to appoint a DPO, for example, all public authorities (with some minor exceptions) and organisations which carry out regular and systematic monitoring of data subjects on a large scale.

The DPO requirement introduced by the GDPR is not a new concept. Although current data protection law under the EU Data Protection Directive 95/46/EC does not include a mandatory obligation for organisations to appoint a DPO, the practice of appointing a DPO has developed and been adopted by organisations throughout the EU to ensure compliance with data protection law. Prior to the GDPR, the Article 29 Working Party already considered the appointment of a DPO as a “cornerstone of accountability” that can facilitate compliance and also become a competitive advantage for business[1].

A DPO will act as an intermediary between its employer and relevant stakeholders, such as data subjects and regulators. Although appointing a DPO will facilitate compliance with the GDPR and its requirements, it is important to know that DPOs are not held personally responsible for non-compliance with the GDPR.It is clear, within the GDPR, that it is the data controller or the data processor who is required, at all times, to ensure and demonstrate that its data processing complies with the GDPR.

The GDPR recognises the DPO as an important player in the new data protection regime.

The aim of this guidance note is to provide advice on the GDPR’s requirement relating to the appointment of the DPO and also assist DPOs in their role.

[1]Annex to Letters from Art. 29 Working Party to MEP Jan Philipp Albrecht and to Commissioner Věra Jourová in view of the trilogue

< > Accessed 11 August 2017