GUIDANCE NOTES

Welcome to the Information Commissioner’s General Data Protection Regulation (“GDPR”) guidance page.

Please note that, on 1st January 2021, the EU GDPR was superseded by the Gibraltar GDPR. The legislation, however, remains largely the same and, therefore, the general principles relating to the EU GDPR that may be referenced within the guidance below continue to apply to the current regime.

The following list of documents that provide guidance on the GDPR is intended for individuals and organisations who have day-to-day responsibility for data protection. Some documents provide general guidance whilst others focus on specific topics.

You may contact our office on privacy@gra.gi for further information if you are unable to find the guidance that you are looking for or require further assistance.

The Guidance Notes below are intended for individuals and organisations who have day-to-day responsibility for data protection.

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

The GDPR introduces new elements and significant enhancements which will require detailed consideration by all organisations involved in processing personal data. Some elements of GDPR will be more relevant to certain organisations than others, and it is important and useful to identify and map out those areas which will have the greatest impact on your organisation.

This guidance note sets out a general introduction to the GDPR. The aim is to provide guidance for businesses and public sector organisations, and facilitate a smooth transition to future data protection standards for data controllers and data subjects alike.

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

This is the second document in a series of Guidance Notes that the Gibraltar Regulatory Authority (“GRA”), as the Data Protection Commissioner, will issue in the run up to the 25th May 2018.

This Guidance Note provides general advice on the Lead Supervisory Authority principle, which is introduced in the GDPR.

Currently, organisations who have establishments in one or more EU Member States may be subject to different data protection laws and enforcement approaches. Going forward, under the GDPR, organisations with several establishments in the EU can benefit from the Lead Supervisory Authority principle and only have to report to one Supervisory Authority, i.e. the Lead Supervisory Authority. This is also known as the “one-stop-shop” mechanism, which allows for a more cost-effective approach and is seen as a solution to the problems faced by organisations who operate across multiple EU Member States.

In the following, the GRA provides advice on the GDPR’s Lead Supervisory Authority principle.

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

This is the third of a series of Guidance Notes that the Gibraltar Regulatory Authority (“GRA”), as the Data Protection Commissioner, will issue in the run up to the 25th May 2018.

This Guidance Note provides general advice on the GDPR’s requirement for organisations to appoint a Data Protection Officer (“DPO”).

Under the GDPR, it will be mandatory for some data controllers and data processors to appoint a DPO, for example, all public authorities (with some minor exceptions) and organisations which carry out regular and systematic monitoring of data subjects on a large scale.

The DPO requirement introduced by the GDPR is not a new concept. Although current data protection law under the EU Data Protection Directive 95/46/EC does not include a mandatory obligation for organisations to appoint a DPO, the practice of appointing a DPO has developed and been adopted by organisations throughout the EU to ensure compliance with data protection law. Prior to the GDPR, the Article 29 Working Party already considered the appointment of a DPO as a “cornerstone of accountability” that can facilitate compliance and also become a competitive advantage for business[1].

A DPO will act as an intermediary between its employer and relevant stakeholders, such as data subjects and regulators. Although appointing a DPO will facilitate compliance with the GDPR and its requirements, it is important to know that DPOs are not held personally responsible for non-compliance with the GDPR. It is clear, within the GDPR, that it is the data controller or the data processor who is required, at all times, to ensure and demonstrate that its data processing complies with the GDPR.

The GDPR recognises the DPO as an important player in the new data protection regime.

The aim of this guidance note is to provide advice on the GDPR’s requirement relating to the appointment of the DPO and also assist DPOs in their role.


[1] Annex to Letters from Art. 29 Working Party to MEP Jan Philipp Albrecht and to Commissioner Věra Jourová in view of the trilogue, <http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2015/20150617_appendix_core_issues_plenary_en.pdf>, accessed 11 August 2017.

The EU General Data Protection Regulation 2016/679 (the “GDPR”) came into force on 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive 95/46/EC (the "Directive"). Her Majesty’s Government of Gibraltar amended the Data Protection Act 2004 (the “DPA”) on 25th May 2018, in accordance with the introduction of the GDPR. The DPA complements the GDPR and also implements the Law Enforcement Directive 2016/680. Therefore, both pieces of legislation must be read side by side.

It is important to note that Data Protection Impact Assessments (“DPIAs”) are not a new concept, as these were recognised procedures that organisations used to comply with under the Directive. However, under the GDPR, conducting a DPIA is mandatory for all data processing that is “likely to result in a high risk to the rights and freedoms of natural persons” (see Article 35(1) of the GDPR).

Although undertaking a DPIA is not always compulsory, organisations may find it useful to conduct one as the procedure is designed to help identify and minimise the privacy risks of new projects or policies. Therefore, a DPIA is an important tool for accountability that will help organisations comply with GDPR/DPA requirements, including the requirement for organisations to demonstrate that appropriate measures have been implemented to ensure compliance with data protection.

Where the DPIA identifies risks which the organisation cannot fully mitigate, the organisation will be obliged to consult with the Lead Supervisory Authority before engaging in the processing. For further information on when and how to consult the Information Commissioner, please see the guidance below titled “Data Protection Impact Assessment – guidance on ‘prior consultation’”.

The aim of this webpage is to provide guidance on requirements relating to DPIAs and to assist data controllers with their role throughout this task, as they are ultimately responsible for ensuring that DPIAs are carried out according to GDPR/DPA requirements. 

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

This is the fifth of a series of Guidance Notes that the Gibraltar Regulatory Authority (“GRA”), as the Data Protection Commissioner, will issue in the run up to the 25th May 2018.

This Guidance Note provides general advice on the GDPR’s right of data portability.

The GDPR creates a new right of data portability, which is closely related to the right of access but different in many ways. This new right will allow for data subjects to receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and have it transferred to another data controller. Under this new right, the data subject will have more power and control over their own personal data.


Individuals making use of their right of access under the Data Protection Act 2004 were constrained by the format chosen by the data controller when providing the requested information. The new right to data portability aims to empower data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another (whether to their own systems, the systems of trusted third parties or those of new data controllers).

Data portability will be an important tool that will support the free flow of personal data between data controllers and therefore, data controllers should start developing and implementing methods which will contribute to answering a data portability request.

The aim of this guidance note is to provide advice on the GDPR’s requirement relating to data portability and assist data controllers to clearly understand their respective obligations. This guidance note includes recommendations on good practice and tools that support compliance with the right to data portability. It also aims to clarify the meaning of data portability in order to enable data subjects to efficiently use their new right.

The General Data Protection Regulation (the "GDPR") came into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive. This is the sixth of a series of Guidance Notes that the Gibraltar Regulatory Authority, as the Information Commissioner, has issued. To collect and use personal data legitimately under the GDPR and the Data Protection Act 2004, organisations need to have a 'lawful basis'. This Guidance Note provides general guidance on the lawful bases that are available for organisations to rely on, in a practical and concise manner.

The General Data Protection Regulation (the "GDPR") came into force on the 25th May 2018, and whilst it brought about changes that reflect the increased importance of data protection in society, many of the main concepts and principles remain the same as under the existing data protection framework. The GDPR does, however, introduce new elements and significant enhancements, which will require detailed consideration. The GDPR emphasises transparency, security and accountability by organisations, while at the same time standardising and strengthening the privacy rights of European citizens.

This is the seventh of a series of Guidance Notes that the Gibraltar Regulatory Authority, as the Information Commissioner, has issued.

This guidance note provides general guidance on how to help SMEs become GDPR-compliant. It includes a ‘Personal Data Inventory Tool’, a ‘Readiness Assessment Checklist’ and a ‘Data Protection Policy Guide’ designed to assist, in particular, small and medium sized enterprises (SMEs), who may not have access to extensive planning and legal resources.

The General Data Protection Regulation (the "GDPR"), which came into force on the 25th May 2018, introduced new requirements in relation to the notification of data breaches to the Commissioner (and/or other data protection authorities) and to individuals affected by a breach.

This guidance note provides general guidance on the GDPR’s data breach notification requirements, including –

  • examples to assist data controllers in determining whether they need to notify a personal data breach;
  • a flowchart which illustrates the notification requirements under the GDPR; and
  • a data breach notification form for data controllers to use should they be required to notify a personal data breach. 

This guidance note provides guidance on the regulatory action that the Information Commissioner (the “Commissioner”) may take under the Data Protection Act 2004 (“DPA”) and the General Data Protection Regulation.

The guidance note provides information on how the Commissioner proposes to exercise his functions in connection with –

  • information notices;
  • assessment notices;
  • enforcement notices; and
  • penalty notices.

The GDPR imposes conditions on transfers of personal data to jurisdictions outside the European Economic Area (which includes the European Union). In the event of Brexit without a deal, transfers to Gibraltar would need to comply with said conditions.

Her Majesty’s Government of Gibraltar is planning to include mechanisms in law for the uninterrupted transfer of personal data between Gibraltar and the UK, so these data flows should not be affected.

This guidance note aims to provide organisations with advice and assistance on how organisations can ensure that data flows crucial to business and other activities are maintained in the event of a no deal Brexit.

The General Data Protection Regulation (the “GDPR”) imposes conditions on transfers of personal data to jurisdictions outside the European Economic Area (the “EEA”) (which includes the European Union).

The purpose of this document is to provide summary guidance on the provisions in Chapter V of the GDPR regarding transfers of personal data to third countries or international organisations. The guidance is useful to a data controller in Gibraltar, as a territory within the EU, to understand its obligations when transferring data outside of the EEA. In the event of a “no-deal” Brexit, this guidance will also be useful to a data controller or processor in Gibraltar as it identifies the mechanisms that may be used to maintain ongoing data flows from the EU/EEA, for example by using ‘standard contractual clauses’ (“SCCs”).

SCCs are standard sets of contractual terms and conditions, which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of the GDPR.

There are two different sets of SCCs, ‘controller to controller’ and ‘controller to processor’. Which version to use depends on whether your organisation is receiving the data as a data controller or as a processor.

The template contracts are available below; these include further explanatory notes and guidance.

As per sections 39 and 40 of the Data Protection Act 2004 (the “DPA”), the processing of personal data by a Law Enforcement Authority (“LEA”) for “law enforcement purposes” is regulated by Part III of the DPA, not the General Data Protection Regulation.

This guidance note highlights the five steps LEAs can take to prepare for data protection compliance if Gibraltar leaves the EU without a deal.

If you are not an LEA, or you are an LEA processing for non-law enforcement purposes (e.g. HR records), refer above to our separate Guidance Note, namely "GDPR (10) Getting Ready for Brexit".

Consent is one of the lawful grounds for the processing of personal data under Article 6 of the General Data Protection Regulation. Explicit consent is one of the lawful bases that can be relied on to process special categories of personal data or personal data relating to criminal convictions and offences.

This Guidance Note provides information and guidance on the conditions for consent under the Data Protection Act 2004 and the General Data Protection Regulation. It is important to note that the concept of consent is not new, as its definition and role remain similar to that under the previous EU Data Protection Directive 95/46/EC. 

Closed Circuit Television (“CCTV”) is used by many, ranging from household setups, to workplace and business security and monitoring systems, to large-scale public sector implementations, such as in city centres and travel control. The cost of basic CCTV cameras, including those with the ability to transmit captured data wirelessly, and to store and display it via internet services, is now well within the reach of ordinary members of the public. Further, although its usage is generally considered to be advantageous in the reduction and prevention of crime, there are concerns about its intrusion into the privacy of individuals, particularly where cameras are used without appropriate controls or where unnecessary.

This document provides good practice guidance for those involved in operating CCTV and other surveillance camera devices, to better understand their responsibilities and obligations in regard to data protection when using CCTV.

A significant number of the enquiries received, and investigations undertaken, by the Information Commissioner’s (the “Commissioner”) office relate to Subject Access Requests (“SARs”). For this reason, the Commissioner took the decision to publish further guidance on SARs, updating previous guidance published in 2007.

This new document sets out key points that organisations need to be mindful of when handling SARs and provides practical tips to assist organisations in ensuring that they comply with data protection law when responding to SARs.

In view of the irrefutably growing impact of blockchain technology, and given that there are potential data protection risks, it is imperative that the interaction between blockchain and data protection is considered.

This discussion paper outlines key issues regarding the relationship between blockchain and the GDPR as understood by the Information Commissioner (the “Commissioner”). It reflects on the European Union’s general acceptance of this new technology, whilst highlighting both the potential risks as well as the opportunities that blockchain technology presents in relation to data protection.

The main purpose of this paper is to facilitate discussion and engagement with stakeholders in order to collaborate, examine and address data protection issues within blockchain.

To process personal data legitimately under the General Data Protection Regulation 2016/679 (“GDPR”) and the Data Protection Act 2004 (“DPA”), you have to be transparent about when and how you use the personal data. This requires you to proactively provide the respective individuals with certain information when collecting and processing their personal data. The notice that organisations use to provide this information to individuals is commonly referred to as a ‘Privacy Notice’.

A ‘Privacy Notice’ should not be confused with a ‘Privacy Policy’, which is a term commonly used to describe an internal document that details an organisation’s internal personal data handling arrangements to ensure compliance with data protection law.

This document provides guidance on the information that should be provided to individuals, i.e. the ‘transparency requirements’, when collecting and processing their personal data.

As electronic storage and processing becomes increasingly inexpensive and more accessible, larger amounts of information are being held and processed. This increase in personal data processing, particularly in the online environment, has given rise to new data security challenges, which pose a threat to individuals as well as organisations and society.

It is important to note that data security is important for all, not just big organisations, and that it concerns manual records as well as electronic records. The EU General Data Protection Regulation 2016/679 and the Data Protection Act 2004 require organisations to ensure the “appropriate security” of personal data. What is appropriate depends on the circumstances of the organisation and the data being processed (in particular, consideration should be given to the risks of the processing). The law is thereby flexible to accommodate different types of organisations but clear in that appropriate security measures must be implemented. Ultimately, each organisation is accountable for establishing security measures that are appropriate for its circumstances. In this regard, an evaluation of the risks with regard to the processing of personal data is important.

This Guidance Note provides information and guidance in respect of the rapid developments in the use of technology to support the fight against COVID-19, in particular technology to 1) trace contact amongst the population, and 2) map the spread of the virus.

As with any emerging technology, it is important to recognise the data protection and privacy risks that may arise as a result.

Applications should adopt robust security (including the use of encryption, and covering each stage of the data processing), data minimisation, transparency and user control, and any supporting technology, including centralised processing to support contact tracing, should follow the same principles.

The Information Commissioner’s office notes the rapid developments in the use of technology to support the fight against COVID-19. Amongst these developments is the use, or proposals to use, thermal imaging cameras to check the body temperature of individuals.

As with any emerging technology, it is important to recognise the data protection and privacy risks that may arise as a result of the use of technology. Data protection innovation by assuring the public that their data is protected.

Carrying out temperature checks is a privacy intrusion, which can only be justified in very limited circumstances. It is important to note that in the case of the COVID-19 pandemic, temperature checks could significantly impact the freedom of individuals, which are already limited due to government restrictions, and that temperature checks may not necessarily be reliable as there are a variety of reasons that may cause fever; further, COVID-19 infected individuals do not always have fever. The necessity of temperature checks and the proportionality of their intrusion should therefore be very carefully considered as there may be less intrusive and more appropriate alternatives.

In this Guidance Note the Commissioner identifies that there may be legal grounds for employers to check the temperature of their employees and for the authorities to carry out temperature checks at Gibraltar’s entry and exit points.

In this Guidance Note the Information Commissioner’s office provides information and guidance regarding the various exemptions that the Data Protection Act 2004 provides from particular provisions in the EU General Data Protection Regulation 2016/679 (the “GDPR”).

The exemptions relieve organisations from some obligations under the GDPR in certain situations, such as when it is necessary to safeguard the prevention and investigation of crime, management planning or to protect the rights of others. However, the exemptions can only be relied on where necessary. In each case organisations should justify and document the reasons for relying on an exemption.

In the wake of the COVID-19 pandemic, technology is helping us all stay connected. However, the increased use of Video Conferencing Applications ("VCAs") introduces risks to privacy and to the protection of personal data. It is important that individual users are aware of and fully understand the data protection and privacy risks that exist when VCAs are used, as well as the steps they can take to protect their privacy. Organisations that implement the use of VCAs into their operational arrangements should be aware of the risks to personal data and privacy and ensure that they adopt appropriate measures to protect individuals and their personal data.

In this Guidance Note, the Information Commissioner’s office provides information to individuals on how to protect their personal data and privacy when using VCAs; as well as guidance for organisations on data protection compliance when using VCAs.

This document provides detailed guidance on the rights of individuals under the Gibraltar General Data Protection Regulation (the “Gibraltar GDPR”) and the Data Protection Act 2004 (the “DPA”) in relation to the processing of their personal data.

The rights of individuals under the Gibraltar GDPR and/or the DPA include the following:

• Articles 13 and 14 - The right to be informed (section 53 of the DPA).

• Article 15 - The right of access (section 54 DPA).

• Article 16 - The right to rectification (section 55 of the DPA).

• Article 17 - The right to erasure (section 56 of the DPA).

• Article 18 - The right to restrict processing (section 56 of the DPA).

• Article 20 - The right to data portability.

• Article 21 - The right to object.

• Article 22 - Rights in relation to automated decision making and profiling (sections 58 and 59 of the DPA).

The Guidance Note aims to assist individuals in understanding these rights and provides key procedural information in respect of each. The guidance is equally useful for organisations, to assist them in determining how best to process personal data to ensure the rights afforded to individuals under the applicable data protection legislation are upheld.

A set of infographics, linked below, emphasise the main points relating to the data protection rights of individuals.

A series of short videos that further explain said rights can be viewed on the GRA’s YouTube channel.

This document provides detailed guidance on the concepts of ‘data controller’, ‘data processor’ and ‘joint controllers’ under the Gibraltar General Data Protection Regulation (“GDPR”) and the Data Protection Act 2004 (“DPA”). Further, guidance is provided in respect of the three concepts and the different roles and responsibilities relating to each, as well as information to assist organisations to achieve compliance with the relevant legislation.

Understanding the concepts of ‘data controller’, ‘data processor’ and ‘joint controllers’ is essential in the application of the GDPR and DPA, as such understanding allows organisations to determine their respective responsibilities with regard to data protection and to recognise how data subjects can exercise their personal data rights.