Transition Period FAQ

Along with the United Kingdom, Gibraltar has now left the EU, with the Brexit transition period having ended on 31st December 2020. The answers below are intended to respond to some of the questions organisations may have regarding the data protection regime in Gibraltar as a result of the end of the Brexit transition period.

For further information please contact our office at privacy@gra.gi

During the Brexit transition period (which ended on 31st December 2020), the EU General Data Protection Regulation 2016/679 (the “EU GDPR”), continued to apply to Gibraltar.

The EU GDPR was, however, superseded by the Gibraltar General Data Protection Regulation (the “Gibraltar GDPR”) at the end of the transition period, following the UK’s, and consequently Gibraltar’s, exit from the EU. Therefore, as of 1st January 2021 (inclusive), Gibraltar’s data protection law consists of both the Gibraltar GDPR and the Data Protection Act 2004 (the “DPA”).

During the transition period, Gibraltar-based organisations were not required to appoint an EU representative under Article 27 of the EU GDPR.

However, as of 1st January 2021, such organisations may need to appoint an EU representative if they are offering goods or services to individuals in the EU or monitoring the behaviour of individuals in the EU. Organisations should refer to Article 27 of the EU GDPR in this regard.

Although the Information Commissioner no longer has remit over matters concerning the EU GDPR, his understanding of the matter is provided in further detail within the Information Commissioner’s guidance note on ‘(10) Getting ready for Brexit’.

The EU GDPR is an EU Regulation and, as of the end of the Brexit transition period (i.e., as of 1st January 2021), no longer forms part of Gibraltar law. However, Gibraltar maintains the EU GDPR’s high standards through the newly introduced Gibraltar GDPR. The Gibraltar GDPR, although superseding the EU GDPR, in effect largely mirrors the same. In practice there is little change to the core data protection principles, rights and obligations found in the EU GDPR as at 1st January 2021.

Notably however, the EU GDPR itself may also still apply to Gibraltar-based organisations operating within jurisdictions governed by the EU GDPR. This may be the case for example where they are offering goods or services to individuals in such jurisdictions or monitoring the behaviour of said individuals. It will also still apply to organisations established within the EU that wish to transfer personal data to Gibraltar as a third country.

As of 1st January 2021, the Gibraltar Regulatory Authority, as Information Commissioner, is no longer the regulatory body responsible for activities caught by the EU GDPR. Notwithstanding, the Information Commissioner will continue to work closely with foreign data protection supervisory authorities, as appropriate.

The EU GDPR was superseded by the Gibraltar GDPR following the UK’s, and consequently Gibraltar’s, exit from the EU.

As of 1st January 2021, Gibraltar’s data protection law consists of both the Gibraltar GDPR and the DPA.

The Information Commissioner will remain the independent supervisory body regarding Gibraltar’s data protection legislation and will continue to be responsible for the regulation of the same.

The Information Commissioner will also continue to engage with foreign supervisory authorities where appropriate, especially where cross-border processing is involved.

For the most part, yes. Although the EU GDPR was superseded by the Gibraltar GDPR on 1st January 2021, the legislation remains largely the same. Therefore, the general principles relating to the EU GDPR, and guidance relating to the same, largely continue to apply to the current regime.

As of the end of the Brexit transition period (which ended on 31st December 2020), and pending any favourable adequacy decision by the EU Commission under Article 45 of the EU GDPR, the rules on international transfers under Articles 46-49 of the EU GDPR apply to personal data transferred from EU jurisdictions to Gibraltar.

Organisations that are subject to the EU GDPR will therefore need to consider what safeguards, as found within the EU GDPR, can be put in place to ensure that personal data can continue to flow to Gibraltar.

With regard to transfers from Gibraltar-based organisations to the EU, it should be noted that jurisdictions that are subject to the EU GDPR are deemed adequate under Article 45 of the Gibraltar GDPR, and personal data can therefore continue to flow in the same way it did prior to Brexit.

For more information, please refer to the Information Commissioner’s guidance on ‘(10) Getting ready for Brexit’ and ‘(11) International Transfers’.

Provisions relating to competent authorities processing personal data for law enforcement purposes derive from the Law Enforcement Directive, or ‘LED’, a piece of EU legislation parallel to the EU GDPR, which also took effect in May 2018.

Relevant provisions in respect of the same continue to be set out in Gibraltar law, specifically within Part III of the DPA, and continue to apply following the Brexit transition period (with some minor technical changes to reflect Gibraltar’s status as a non-EU jurisdiction).

For more information, please refer to the Information Commissioner’s guidance on ‘(12) Data Protection and Brexit for law enforcement processing’.

‘Adequacy’ is a term used to describe countries, territories, sectors or organisations that are deemed to have an “essentially equivalent” level of data protection to that of the jurisdiction(s) granting said adequacy. For example, countries having ‘EU Adequacy’ would be deemed by the EU Commission to have an essentially equivalent level of data protection to that required under the EU GDPR.

At the end of the transition period, Gibraltar became a “third country” for the purposes of the EU GDPR. Third countries are non-EU Member States that have not been granted EU Adequacy, and for which there are specific provisions within the EU GDPR, in particular regarding transfers of personal data to the same.

The EU Commission has the power to determine whether a non-EU Member State has an equivalent level of data protection to that imposed by the EU GDPR. The effect of a favourable adequacy decision is that personal data can flow from jurisdictions governed by the EU GDPR to the relevant third country, without the requirement for any additional safeguards.

Gibraltar is currently seeking, but has not yet obtained, favourable adequacy decisions from the EU Commission under both the EU GDPR and the Law Enforcement Directive. The Information Commissioner’s guidance will be updated should there be any developments in this area.

For more information, please refer to the Information Commissioner’s guidance on ‘(11) International Transfers’ as well as ‘(10) Getting ready for Brexit’.

A list of jurisdictions found “adequate” by the EU Commission is available here.

 

Although Gibraltar and the UK have separate data protection regimes, the UK’s Information Commissioner’s Office has confirmed that “the UK government will allow transfers to Gibraltar to continue” here.

No. EU adequacy requirements aim to ensure an appropriate level of protection of personal data transferred to “third countries” by controllers and/or processors established in the EU.

On the other hand, requirements relating to EU representatives aim to facilitate the engagement of data subjects and supervisory authorities within the EU, with controllers and/or processors based in a “third country”, whether the said country is deemed ‘adequate’ or not by the EU Commission. By means of their EU representatives, such organisations remain accountable to an EU supervisory authority.

The Information Commissioner no longer has remit over matters relating to the EU GDPR. However, the Information Commissioner understands that, under Article 27 of the EU GDPR, a representative is required for each controller and/or processor falling within the remit of said provision. A multinational that is subject to Article 27 of the EU GDPR is likely to be required to appoint a representative for each EU-facing company if they are separate data controllers and/or processors.

With regard to EU representatives, although the Information Commissioner no longer has remit over matters relating to the EU GDPR, he notes that the Guidelines 3/2018 on the territorial scope of the GDPR published by the European Data Protection Board (“EDPB”) state that the EDPB “does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union. Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers or processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [his or her] tasks”. Recital 97 adds that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”. Such requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union.”

With regard to Gibraltar representatives under Article 27 of the Gibraltar GDPR, the same principles apply.

Please note that the Information Commissioner has no remit over matters relating to the UK GDPR. However, the Information Commissioner understands that, in effect, the UK’s data protection regime requires Gibraltar controllers and processors to appoint a UK representative when falling within the remit of Article 27 of the UK GDPR.

Equally, Article 27 of the Gibraltar GDPR requires Gibraltar representatives to be appointed for organisations falling within the remit of the same, even if these are UK-based.

Yes. The current rules cover marketing and electronic communications. Although originally deriving from EU law, the provisions form part of Gibraltar law.

Organisations should be aware that Article 71(1) of the EU Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data.

Legacy data comprises personal data of individuals outside the UK (including Gibraltar), whether in the EEA or not, which is processed in the UK (including Gibraltar), where:

  • it was acquired before the end of the transition period and processed under EU data protection law; or 
  • it is processed on the basis of the EU Withdrawal Agreement after the end of the transition period, for example if personal data is processed under a provision of EU law that applies in the UK (including Gibraltar) by virtue of the EU Withdrawal Agreement.

Although now separate regimes, Gibraltar data protection law has continued to be aligned with that of the EU, and it will therefore be unlikely that relevant organisations will need to do anything significant, in practice, to accommodate the Withdrawal Agreement’s requirements. It is nevertheless important to be aware of the EU Withdrawal Agreement’s requirements and resulting applicability of EU Law to legacy personal data, especially whilst Gibraltar remains a “third country” pending any favourable EU adequacy decision.