Under section 138 of the Data Protection Act 2004 (the “DPA”), the Information Commissioner must establish a register of DPOs, which shall be available to the public. This requirement falls in line with the requirement under the Gibraltar GDPR for data controllers to appoint a DPO and provide the contact details to the national supervisory authority.

Under the Gibraltar GDPR, certain organisations are required to appoint a designated DPO. Organisations are also required to publish the details of their DPO and provide these details to their national supervisory authority.

An organisation is required to appoint a designated DPO where:

• the processing is carried out by a public authority or body;
• the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale
• the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences;
• the organisation is a law enforcement entity and must therefore appoint a DPO as covered by the Law Enforcement Directive; or
• finally, an organisation does not meet any of the above requirements, however they voluntarily wish to appoint a DPO

Further guidance on the DPO role is available HERE.

Explanatory Notes 

Complete the below online form to inform the Information Commissioner of the details of your Data Protection Officer, or change/update your Data Protection Officer details.

Please note the following before submitting your completed form: 

• Some of the information you provide in your notification will be made publicly available on our website. 
• This will include the name and address of your organisation. As a controller, you are required to make an address available for data subjects to easily contact you in the event that they want to exercise their rights or ask you questions. 
• If you are a sole trader or small organisation, we understand that the address you use in the course of your business might be a domestic address. If this is the case, and you do not want the address to be made public on the register, please provide a PO Box or alternative address instead. 
• If you provide DPO details, we will publish their contact details. We do however ask whether we can publish their name. If you select ‘yes’, their name will be published. You are encouraged to be transparent about the identity of your DPO. Please note that if their email is one from which their identity can be established (e.g. john.smith@gra.gi), you may wish to provide a generic address instead such as dpo@gra.gi.

Under section 138 of the Data Protection Act 2004 (the “DPA”), the Information Commissioner must establish a register of DPOs, which shall be available to the public.

The Register can be found below.

Please note that in some cases, the data controller may not wish to provide their data protection officer's personal data and in such circumstances, this has been omitted. The Register is updated on a weekly basis.

The Information Commissioner organises periodic data protection workshops for Data Protection Officers (“DPOs”) in Gibraltar, as part of his efforts to promote awareness amongst data controllers of their data protection obligations and provide assistance.

During the workshops, particular topics are discussed, and guidance provided to assist in ensuring compliance. As well as an opportunity for data controllers to obtain further support, the workshops also provide our office with an opportunity, as regulator, to learn about, and obtain a better understanding of the common issues/challenges faced by data controllers and processors. The workshops help create synergies by facilitating collaboration between DPOs on issues that are common to all data controllers.

1. DPOs must have data protection knowledge.

Data protection officers should have expert knowledge of data protection law and practices (see Article 37(5) of the Gibraltar General Data Protection Regulation (“Gibraltar GDPR”) and section 78(2) of the Data Protection Act 2004 (the "DPA")). Participation in these workshops will likely contribute to a DPO’s knowledge of data protection law and thereby be beneficial to DPOs and controllers/processors.

2. Data controllers and processors must help DPOs maintaining data protection knowledge.

Data controllers and processors are obliged to support the DPO to maintain his or her expert knowledge (see Article 38(2) of the Gibraltar GDPR and section 79(2) of the DPA). Encouraging and supporting the DPO’s attendance in these workshops can therefore help data controllers and processors meet their obligations.

3. Cooperating with the supervisory authority.

A DPO’s and/or an organisation’s participation in the DPO workshops help demonstrate an individual/organisation’s commitment to data protection, and their interaction with the Information Commissioner’s office.

In addition to the workshop reports, please find below a general register of attendance for DPOs and organisations, sorted by order of attendance.

For more information regarding the DPO Workshops, please email dpoworkshops@gra.gi