Opening Times

The offices of the Gibraltar Regulatory Authority are open from 9:00am to 5:00pm Monday to Friday


Further to the policy of HM Government of Gibraltar to increase social distancing and slow the spread of COVID-19, attendance at our offices and public counters is possible by prior appointment only. Although we aim to carry out all our regulatory duties electronically, we do understand that this may not be possible for everyone. In such cases, an appointment will be arranged. Please note that a face mask is compulsory when attending our public counter.

In the first instance, please contact our offices by e-mailing or call us on 200 74636 and leave a voicemail message if you are unable to get through and speak to our front desk staff. Voicemail messages are checked very regularly, and a member of our team will get back to you as soon as possible.

We accept requests for licence applications and renewals by e-mail, together with any necessary licence variations if applicable. Payment for these may be effected, preferably, by bank transfer. If this is not possible, card payment via the telephone will also be accepted. Please contact our offices on and a member of our team will direct you to the correct application form on our website. If a paper copy is required, this may also be arranged by calling us on 200 74636. Licences will be scanned and sent by e-mail together with a copy of the receipt. The originals can either be posted or can be held for collection at a prearranged date and time.

Please note that a face mask is compulsory when attending our public counter.

Welcome to the Gibraltar Regulatory Authority website


There are certain incidents that organisations need to tell us about.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

When a data breach has occurred, you need to establish the likelihood and severity of the resulting risk to peopleís rights and freedoms (Recital 85 of the GDPR). If itís likely that there will be a risk, then you must notify us, otherwise you donít have to report it. However, if you decide you donít need to report the breach, you need to be able to justify this decision, so you should document it.

In brief, below are five main points that organisations must consider:

  1. 1. The GDPR and Data Protection Act 2004 introduce a duty on all organisations to report certain types of personal data breaches to the Information Commissioner. You must do so within 72 hours of becoming aware of the breach, where feasible.
  2. 2. If the breach is likely to result in a high risk of adversely affecting individualsí rights and freedoms, you must also inform those individuals without undue delay.
  3. 3. You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the Information Commissioner and the affected individuals.
  4. 4. You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
  5. 5. You do not need to report every data breach to the Information Commissioner.

To notify the Information Commissioner of a personal data breach, please use our Data Breach Notification Form shown below.

This form should be used by organisations that have become Ďawareí of a personal data breach and, having undertaken an assessment of the data breach, are required to notify the Information Commissioner, as the supervisory authority, in accordance with Article 33(1) of the GDPR or section 76 of the DPA.

For further guidance in relation to personal data breaches, please refer our Guidance on Personal Data Breach Notifications.