Opening Times

The offices of the Gibraltar Regulatory Authority are open Monday to Friday, from 9:00 to 17:00.


Our public counter is open. At first instance, for all queries, please contact our offices by e-mailing or call us on 200 74636. If you are unable to speak to our front desk staff, please leave a voicemail message. These are checked very regularly, and a member of our team will get back to you as soon as possible.

We accept requests for licence applications and renewals by e-mail, together with any necessary licence variations, if applicable. Payment for these may be effected, preferably, by bank transfer. If this is not possible, card payment via the telephone will also be accepted. Please contact our offices on and a member of our team will direct you to the correct application form on our website. If a paper copy is required, this may also be arranged by calling us on 200 74636. Licences will be scanned and sent by e-mail together with a copy of the receipt. The originals can either be posted or can be held for collection at a prearranged date and time.

Welcome to the Gibraltar Regulatory Authority website

GDPR Guidance (4) Data Protection Impact Assessment

The EU General Data Protection Regulation 2016/679 (the “GDPR”) came into force on 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive 95/46/EC (the "Directive"). Her Majesty’s Government of Gibraltar amended the Data Protection Act 2004 (the “DPA”) on 25th May 2018, in accordance with the introduction of the GDPR. The DPA complements the GDPR and also implements the Law Enforcement Directive 2016/680. Therefore, both pieces of legislation must be read side by side.

It is important to note that Data Protection Impact Assessments (“DPIAs”) are not a new concept, as these were recognised procedures that organisations used to comply with under the Directive. However, under the GDPR, conducting a DPIA is mandatory for all data processing that is “likely to result in a high risk to the rights and freedoms of natural persons” (see Article 35(1) of the GDPR).

Although undertaking a DPIA is not always compulsory, organisations may find it useful to conduct one as the procedure is designed to help identify and minimise the privacy risks of new projects or policies. Therefore, a DPIA is an important tool for accountability that will help organisations comply with GDPR/DPA requirements, including the requirement for organisations to demonstrate that appropriate measures have been implemented to ensure compliance with data protection.

Where the DPIA identifies risks which the organisation cannot fully mitigate, the organisation will be obliged to consult with the Lead Supervisory Authority before engaging in the process. For further information on when and how to consult the Information Commissioner, please see the guidance below titled, “‘Data Protection Impact Assessment – guidance on ‘prior consultation’”.

The aim of this webpage is to provide guidance on requirements relating to DPIAs and to assist data controllers with their role throughout this task, as they are ultimately responsible for ensuring that DPIAs are carried out according to GDPR/DPA requirements.