The Gibraltar Regulatory Authority (the “Authority”), as the Information Commissioner, recognises the important and crucial role of data protection in today’s world. The EU General Data Protection Regulation 2016/679 (the “EU GDPR”) governed data protection law within Gibraltar from 25th May 2018 up to and including 31st December 2020. The EU GDPR was however superseded by the Gibraltar General Data Protection Regulation (the “Gibraltar GDPR”) following the UK’s, and consequently Gibraltar’s, exit from the EU and the end of the Brexit transition period (i.e. as of 1st January 2021).

Whilst largely the same, as of 1st January 2021, Gibraltar’s data protection law consists of both the Gibraltar GDPR and the Data Protection Act 2004 (the “DPA”).

Legislative Overview

Gibraltar implemented the Gibraltar GDPR by virtue of section 6 of the European Union (Withdrawal) Act 2019, which in effect made the previously applicable EU GDPR local law, but with some differences as set out in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.

Through the Gibraltar GDPR and the DPA, which must be read together, Gibraltar maintains the data protection standards that applied prior to 1st January 2021, when the EU GDPR and the EU Law Enforcement Directive 2016/680 were in force.

In addition, the Communications (Personal Data and Privacy) Regulations 2006 are applicable to electronic communications containing or making use of personal data, and, as the name suggests, the Data Protection (Search and Seizure) Regulations 2006 govern the rules surrounding search and seizure by the Information Commissioner.

What is Data Protection?

Data Protection relates to the processes and controls used to safeguard information about individuals and their privacy. The Gibraltar GDPR and the DPA govern how organisations (both private and public) process information about individuals, whether by automated means or not, including but not limited to the collection, recording, structuring, storage, use and disclosure or transfer of personal data to third parties.  

What is our role?

The DPA designates the Authority, as Information Commissioner, to be the supervisory authority in Gibraltar. The general functions conferred on the Information Commissioner in relation to the tasks and powers of the supervisory authority are assigned under Part V and VI of the DPA. 

The Authority is thereby the independent statutory body responsible for the enforcement of the Gibraltar GDPR and the DPA, and carries out the functions assigned to it, to uphold the rights of individuals and their privacy. Amongst other things, this includes the provision of advice on data protection related matters and the investigation of complaints, as well as raising awareness on privacy issues. The tasks conferred on the Information Commissioner are undertaken by the Information Rights Division.