GUIDANCE NOTES

Welcome to the Information Commissioner’s guidance page.

Please note that, on 1st January 2021, the EU GDPR was superseded by the Gibraltar GDPR. The legislation, however, remains largely the same, and therefore the general principles relating to the EU GDPR, as referenced within the guidance below, continue to apply to the current regime.

The following list of documents providing guidance on the GDPR is intended for individuals and organisations who have day-to-day responsibility for data protection. Some documents provide general guidance whilst others focus on specific topics.

You may contact our office on privacy@gra.gi for further information if you are unable to find the guidance that you are looking for or require further assistance.

The Guidance Notes below are intended for individuals and organisations who have day-to-day responsibility for data protection.

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

The GDPR introduces new elements and significant enhancements which will require detailed consideration by all organisations involved in processing personal data. Some elements of GDPR will be more relevant to certain organisations than others, and it is important and useful to identify and map out those areas which will have the greatest impact on your organisation.

This guidance note sets out a general introduction to the GDPR. The aim is to provide guidance for businesses and public sector organisations, and facilitate a smooth transition to future data protection standards for data controllers and data subjects alike.

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

This is the second document in a series of Guidance Notes that the Gibraltar Regulatory Authority (“GRA”), as the Data Protection Commissioner, will issue in the run up to the 25th May 2018.

This Guidance Note provides general advice on the Lead Supervisory Authority principle, which is introduced in the GDPR.

Currently, organisations who have establishments in one or more EU Member States may be subject to different data protection laws and enforcement approaches. Going forward, under the GDPR, organisations with several establishments in the EU can benefit from the Lead Supervisory Authority principle and only have to report to one Supervisory Authority, i.e. the Lead Supervisory Authority. This is also known as the “one-stop-shop” mechanism, which allows for a more cost-effective approach and is seen as a solution to the problems faced by organisations who operate across multiple EU Member States.

In the following, the GRA provides advice on the GDPR’s Lead Supervisory Authority principle.

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

This is the third of a series of Guidance Notes that the Gibraltar Regulatory Authority (“GRA”), as the Data Protection Commissioner, will issue in the run up to the 25th May 2018.

This Guidance Note provides general advice on the GDPR’s requirement for organisations to appoint a Data Protection Officer (“DPO”).

Under the GDPR, it will be mandatory for some data controllers and data processors to appoint a DPO, for example, all public authorities (with some minor exceptions) and organisations which carry out regular and systematic monitoring of data subjects on a large scale.

The DPO requirement introduced by the GDPR is not a new concept. Although current data protection law under the EU Data Protection Directive 95/46/EC does not include a mandatory obligation for organisations to appoint a DPO, the practice of appointing a DPO has developed and been adopted by organisations throughout the EU to ensure compliance with data protection law. Prior to the GDPR, the Article 29 Working Party already considered the appointment of a DPO as a “cornerstone of accountability” that can facilitate compliance and also become a competitive advantage for business[1].

A DPO will act as an intermediary between its employer and relevant stakeholders, such as data subjects and regulators. Although appointing a DPO will facilitate compliance with the GDPR and its requirements, it is important to know that DPOs are not held personally responsible for non-compliance with the GDPR. It is clear, within the GDPR, that it is the data controller or the data processor who is required, at all times, to ensure and demonstrate that its data processing complies with the GDPR.

The GDPR recognises the DPO as an important player in the new data protection regime.

The aim of this guidance note is to provide advice on the GDPR’s requirement relating to the appointment of the DPO and also assist DPOs in their role.


[1] Annex to Letters from Art. 29 Working Party to MEP Jan Philipp Albrecht and to Commissioner Věra Jourová in view of the trilogue, <http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2015/20150617_appendix_core_issues_plenary_en.pdf>. Accessed 11 August 2017.

The aim of this subsection is to provide guidance on requirements relating to Data Protection Impact Assessments (“DPIAs”) and to assist data controllers with their role throughout this task, as they are ultimately responsible for ensuring that DPIAs are carried out according to data protection law. 

It is important to note that DPIAs are not a new concept, as these were recognised procedures that organisations used to comply with under the EU Data Protection Directive 95/46/EC and the EU General Data Protection Regulation 2016/679 (“EU GDPR”), prior to the introduction of the Gibraltar General Data Protection Regulation (“Gibraltar GDPR”) on 1st January 2021.

Conducting a DPIA is however mandatory under the Gibraltar GDPR for all data processing that is “likely to result in a high risk to the rights and freedoms of natural persons” (see Article 35(1) of the GDPR).

Although undertaking a DPIA is not always compulsory, organisations may find it useful to conduct one as the procedure is designed to help identify and minimise the privacy risks of new projects or policies. Therefore, a DPIA is an important tool for accountability that will help organisations comply with the GDPR and/or the Data Protection Act 2004 requirements, including the requirement for organisations to demonstrate that appropriate measures have been implemented to ensure compliance with data protection laws.

The controller shall consult the Information Commissioner prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

For further information on when and how to consult the Information Commissioner, please see the guidance below titled “DPIA – GUIDANCE ON PRIOR CONSULTATION”.

Please note that on 1st January 2021, the EU GDPR was superseded by the Gibraltar GDPR. However, the legislation remains largely the same, and therefore, the general principles relating to the EU GDPR as may be referenced within the resources provided below, continue to apply to the current regime. 

The General Data Protection Regulation (the “GDPR”) will come into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive.

This is the fifth of a series of Guidance Notes that the Gibraltar Regulatory Authority (“GRA”), as the Data Protection Commissioner, will issue in the run up to the 25th May 2018.

This Guidance Note provides general advice on the GDPR’s right of data portability.

The GDPR creates a new right of data portability, which is closely related to the right of access but different in many ways. This new right will allow for data subjects to receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and have it transferred to another data controller. Under this new right, the data subject will have more power and control over their own personal data.


Individuals making use of their right of access under the Data Protection Act 2004 were constrained by the format chosen by the data controller when providing the requested information. The new right to data portability aims to empower data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another (whether to their own systems, the systems of trusted third parties or those of new data controllers).

Data portability will be an important tool that will support the free flow of personal data between data controllers and therefore, data controllers should start developing and implementing methods which will contribute to answering a data portability request.

The aim of this guidance note is to provide advice on the GDPR’s requirement relating to data portability and assist data controllers to clearly understand their respective obligations. This guidance note includes recommendations on good practice and tools that support compliance with the right to data portability. It also aims to clarify the meaning of data portability in order to enable data subjects to efficiently use their new right.

The General Data Protection Regulation (the "GDPR") came into force on the 25th May 2018, replacing the existing data protection framework under the EU Data Protection Directive. This is the sixth of a series of Guidance Notes that the Gibraltar Regulatory Authority, as the Information Commissioner, has issued. To collect and use personal data legitimately under the GDPR and the Data Protection Act 2004, organisations need to have a 'lawful basis'. This Guidance Note provides general guidance on the lawful bases that are available for organisations to rely on, in a practical and concise manner.

The General Data Protection Regulation (the "GDPR") came into force on the 25th May 2018, and whilst it brought about changes that reflect the increased importance of data protection in society, many of the main concepts and principles remain the same as the existing data protection framework. The GDPR does however, introduce new elements and significant enhancements, which will require detailed consideration. The GDPR emphasises transparency, security and accountability by organisations, while at the same time standardising and strengthening the privacy rights of European citizens.

This is the seventh of a series of Guidance Notes that the Gibraltar Regulatory Authority, as the Information Commissioner, has issued.

This guidance note provides general guidance on how to help SMEs become GDPR-compliant. It includes a ‘Personal Data Inventory Tool’, a ‘Readiness Assessment Checklist’ and a ‘Data Protection Policy Guide’, designed to assist in particular small and medium-sized enterprises (SMEs), who may not have access to extensive planning and legal resources.

The General Data Protection Regulation (the "GDPR"), which came into force on the 25th May 2018 introduced new requirements in relation to the notification of data breaches to the Commissioner (and/or other data protection authorities) and individuals affected by a breach.

This guidance note provides general guidance on the GDPR’s data breach notification requirements, including –

  • examples to assist data controllers determine whether they need to notify a personal data breach;
  • a flowchart which illustrates the notification requirements under the GDPR; and
  • a data breach notification form for data controllers to use should they be required to notify a personal data breach. 

This guidance note provides guidance on the regulatory action that the Information Commissioner (the “Commissioner”) may take under the Data Protection Act 2004 (“DPA”) and the General Data Protection Regulation.

The guidance note provides information on how the Commissioner proposes to exercise his functions in connection with –

  • information notices;
  • assessment notices;
  • enforcement notices; and
  • penalty notices.

The GDPR imposes conditions on transfers of personal data to jurisdictions outside the European Economic Area (which includes the European Union). In the event of Brexit without a deal, transfers to Gibraltar would need to comply with said conditions.

His Majesty’s Government of Gibraltar is planning to include mechanisms in law for the uninterrupted transfer of personal data between Gibraltar and the UK, so these data flows should not be affected.

This guidance note aims to provide organisations with advice and assistance on how organisations can ensure that data flows crucial to business and other activities are maintained in the event of a no deal Brexit.

The Gibraltar General Data Protection Regulation (the “Gibraltar GDPR”) imposes conditions on transfers of personal data to jurisdictions outside Gibraltar.

The purpose of this document is to provide summary guidance on the provisions in Chapter V of the Gibraltar GDPR, regarding such transfers. The guidance is useful to a data controller in Gibraltar, to understand their obligations when transferring data outside of Gibraltar, including the mechanisms that may be used to transfer such data.  

The mechanisms include Standard Contractual Clauses (“SCCs”). SCCs are standard sets of contractual terms and conditions, which the sender and the receiver of the personal data both sign up to.

The Information Commissioner has published SCCs which senders of personal data can now rely on as a transfer tool to comply with Gibraltar’s data protection regime.

They are the International Data Transfer Agreement (the “IDTA”) and the International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers (the “Addendum”). The latter document is an addendum to the new standard contractual clauses issued by the European Commission under the EU General Data Protection Regulation 2016/679 (“the EU GDPR”), on 4 June 2021 (the “New EU SCCs”). The New EU SCCs are not valid for restricted transfers under the Gibraltar GDPR on their own, but using the Addendum allows you to rely on the New EU SCCs for your transfers under the Gibraltar GDPR.

A template of the IDTA and the Addendum are available below.

Before relying on the templates as an appropriate safeguard to make a restricted transfer, senders must undertake a risk assessment. Please refer to the transfers risk assessment document below.

As per sections 39 and 40 of the Data Protection Act 2004 (the “DPA”), the processing of personal data by a Law Enforcement Authority (“LEA”) for “law enforcement purposes” is regulated by Part III of the DPA, not the General Data Protection Regulation.

This guidance note highlights the five steps LEAs can take to prepare for data protection compliance if Gibraltar leaves the EU without a deal.

If you are not an LEA, or you are an LEA processing for non-law enforcement purposes (e.g. HR records), refer above to our separate Guidance Note, namely "GDPR (10) Getting Ready for Brexit".

Consent is one of the lawful grounds for the processing of personal data under Article 6 of the General Data Protection Regulation. Explicit consent is one of the lawful bases that can be relied on to process special categories of personal data or personal data relating to criminal convictions and offences.

This Guidance Note provides information and guidance on the conditions for consent under the Data Protection Act 2004 and the General Data Protection Regulation. It is important to note that the concept of consent is not new, as its definition and role remain similar to that under the previous EU Data Protection Directive 95/46/EC. 

Closed Circuit Television (“CCTV”) is used by many, ranging from household setups, to workplace and business security and monitoring systems, to large-scale public sector implementations, such as in city centres and travel control. The cost of basic CCTV cameras, including those with the ability to transmit captured data wirelessly, and to store and display it via internet services, is now well within the reach of ordinary members of the public. Further, although its usage is generally considered to be advantageous in the reduction and prevention of crime, there are concerns about its intrusion into the privacy of individuals, particularly when cameras are used without appropriate controls or where unnecessary.

This document provides good practice guidance for those involved in operating CCTV and other surveillance camera devices, to better understand their responsibilities and obligations in regard to data protection when using CCTV.

A significant number of the enquiries received, and investigations undertaken, by the Information Commissioner’s (the “Commissioner”) office relate to Subject Access Requests (“SARs”). For this reason, the Commissioner took the decision to publish further guidance on SARs, updating previous guidance published in 2007.

This new document sets out key points that organisations need to be mindful of when handling SARs and provides practical tips to assist organisations ensure that they comply with data protection law when responding to SARs. 

In view of the irrefutably growing impact of blockchain technology, and given that there are potential data protection risks, it is imperative that the interaction between blockchain and data protection is considered.

This discussion paper outlines key issues regarding the relationship between blockchain and the GDPR as understood by the Information Commissioner (the “Commissioner”). It reflects on the European Union’s general acceptance of this new technology, whilst highlighting both the potential risks as well as the opportunities that blockchain technology presents in relation to data protection.

The main purpose of this paper is to facilitate discussion and engagement with stakeholders in order to collaborate, examine and address data protection issues within blockchain.

To process personal data legitimately under the General Data Protection Regulation 2016/679 (“GDPR”) and the Data Protection Act 2004 (“DPA”), you have to be transparent about when and how you use the personal data. This requires you to proactively provide respective individuals with certain information when collecting and processing their personal data. The notice that organisations use to provide this information to individuals is commonly referred to as a ‘Privacy Notice’.

A ‘Privacy Notice’ should not be confused with a ‘Privacy Policy’, which is a term commonly used to describe an internal document that details an organisation’s internal personal data handling arrangements to ensure compliance with data protection law.

This document provides guidance on the information that should be provided to individuals, i.e. the ‘transparency requirements’, when collecting and processing their personal data.

As electronic storage and processing becomes increasingly inexpensive and more accessible, larger amounts of information are being held and processed. This increase in personal data processing, particularly in the online environment, has given rise to new data security challenges, which pose a threat to individuals as well as organisations and society.

It is important to note that data security is important for all, not just big organisations, and that it concerns manual records as well as electronic records. The EU General Data Protection Regulation 2016/679 and the Data Protection Act 2004 require organisations to ensure the “appropriate security” of personal data. What is appropriate depends on the circumstances of the organisation and the data being processed (in particular, consideration should be given to the risks of the processing). The law is thereby flexible to accommodate different types of organisations but clear in that appropriate security measures must be implemented. Ultimately, each organisation is accountable for establishing security measures that are appropriate for its circumstances. In this regard, an evaluation of the risks with regard to the processing of personal data is important.

This Guidance Note provides information and guidance in respect of the rapid developments in the use of technology to support the fight against COVID-19, in particular technology to 1) trace contact amongst the population, and 2) map the spread of the virus.

As with any emerging technology, it is important to recognise the data protection and privacy risks that may arise as a result.

Applications should adopt robust security (including the use of encryption, and covering each stage of the data processing), data minimisation, transparency and user control, and any supporting technology, including centralised processing to support contact tracing, should follow the same principles.

The Information Commissioner’s office notes the rapid developments in the use of technology to support the fight against COVID-19. Amongst these developments is the use, or proposals to use, thermal imaging cameras to check the body temperature of individuals.

As with any emerging technology, it is important to recognise the data protection and privacy risks that may arise from its use. Data protection supports innovation by assuring the public that their data is protected.

Carrying out temperature checks is a privacy intrusion, which can only be justified in very limited circumstances. It is important to note that in the case of the COVID-19 pandemic, temperature checks could significantly impact the freedom of individuals, which is already limited due to government restrictions, and that temperature checks may not necessarily be reliable, as there are a variety of reasons that may cause fever; further, COVID-19 infected individuals do not always have fever. The necessity of temperature checks and the proportionality of their intrusion should therefore be very carefully considered, as there may be less intrusive and more appropriate alternatives.

In this Guidance Note the Commissioner identifies that there may be legal grounds for employers to check the temperature of their employees and for the authorities to carry out temperature checks at Gibraltar’s entry and exit points.

In this Guidance Note the Information Commissioner’s office provides information and guidance regarding the various exemptions that the Data Protection Act 2004 provides from particular provisions in the EU General Data Protection Regulation 2016/679 (the “GDPR”).

The exemptions relieve organisations from some obligations under the GDPR in certain situations, such as when it is necessary to safeguard the prevention and investigation of crime, management planning or to protect the rights of others. However, the exemptions can only be relied on where necessary. In each case organisations should justify and document the reasons for relying on an exemption.

In the wake of the COVID-19 pandemic, technology is helping us all stay connected. However, the increased use of Video Conferencing Applications ("VCAs") introduces risks to privacy and to the protection of personal data. It is important that individual users are aware of and fully understand the data protection and privacy risks that exist when VCAs are used, as well as the steps they can take to protect their privacy. Organisations that implement the use of VCAs into their operational arrangements should be aware of the risks to personal data and privacy and ensure that they adopt appropriate measures to protect individuals and their personal data.

In this Guidance Note, the Information Commissioner’s office provides information to individuals on how to protect their personal data and privacy when using VCAs; as well as guidance for organisations on data protection compliance when using VCAs.

This document provides detailed guidance on the rights of individuals under the Gibraltar General Data Protection Regulation (the “Gibraltar GDPR”) and the Data Protection Act 2004 (the “DPA”) in relation to the processing of their personal data.

The rights of individuals under the Gibraltar GDPR and/or the DPA include the following:

  • Articles 13 and 14 - The right to be informed (section 53 of the DPA).
  • Article 15 - The right of access (section 54 of the DPA).
  • Article 16 - The right to rectification (section 55 of the DPA).
  • Article 17 - The right to erasure (section 56 of the DPA).
  • Article 18 - The right to restrict processing (section 56 of the DPA).
  • Article 20 - The right to data portability.
  • Article 21 - The right to object.
  • Article 22 - Rights in relation to automated decision making and profiling (sections 58 and 59 of the DPA).

The Guidance Note aims to assist individuals in understanding these rights and provides key procedural information in respect of each. The guidance is equally useful for organisations, to assist them in determining how best to process personal data so as to ensure that the rights afforded to individuals under the applicable data protection legislation are upheld.

A set of infographics, linked below, emphasise the main points relating to the data protection rights of individuals.

A series of short videos that further explain said rights can be viewed on the GRA’s YouTube channel.

This document provides detailed guidance on the concepts of ‘data controller’, ‘data processor’ and ‘joint controllers’ under the Gibraltar General Data Protection Regulation (“GDPR”) and the Data Protection Act 2004 (“DPA”). Further, guidance is provided in respect of the three concepts and the different roles and responsibilities relating to each, as well as information to assist organisations to achieve compliance with the relevant legislation.

Understanding the concepts of ‘data controller’, ‘data processor’ and ‘joint controllers’ is essential in the application of the GDPR and DPA, as such understanding allows organisations to determine their respective responsibilities with regard to data protection and to recognise how data subjects can exercise their personal data rights.

This Guidance Note aims to assist in ensuring data protection compliance in the employment context, as required by the Gibraltar General Data Protection Regulation and the Data Protection Act 2004.

The document provides general guidance on the legitimate expectations of employees with regard to the processing of their personal data by employers, as well as the legitimate interest of employers in deciding how best, within the boundaries of data protection law, to run their organisations.

The guidance provided therein is intended to serve as a reference document, to be consulted as and when necessary, alongside relevant legislation. Importantly, data protection obligations will vary according to the size and nature of the business. Organisations are responsible for assessing what aspects are relevant to their personal data processing activities, and for introducing reasonable and appropriate measures, as applicable.

Credential stuffing is a cyber-attack method that exploits people’s tendency to use the same username and password combination across multiple online accounts. These attacks are automated and often large scale, using stolen, legitimate credentials obtained from unrelated data breaches to access people’s accounts across websites.

These documents outline the risks posed by such cyber-attacks to personal data and the recognised security measures organisations and the general public may use to prevent, detect and mitigate the risk of such attacks.

The guidance has been published by a sub-working group of the Global Privacy Assembly’s International Enforcement Working Group, which comprises the Gibraltar Regulatory Authority and data protection authorities from Canada, Jersey, Switzerland, Turkey, and the UK.

The guidance reports that credential stuffing is a significant and growing cyber threat to personal information and it provides a list of measures that organisations should implement, and practices the general public should adopt, in order to protect against such attacks.

Among the security measures listed, the Global Privacy Assembly’s guidance notes that multi-factor authentication is considered to be the most effective measure in securing online accounts against credential stuffing.

The guidance published is intended to serve as reference, and should be consulted as and when necessary, alongside relevant legislation.

This Guidance Note provides information and guidance on the disclosure of personal data to authorities who are discharging their statutory law enforcement functions (known under data protection law as “competent authorities”).

The Gibraltar General Data Protection Regulation (“Gibraltar GDPR”) and the Data Protection Act 2004 (“DPA”) allow for this type of sharing where it is reasonable, necessary and proportionate.

This document provides detailed guidance regarding the requirements that must be considered by an organisation before it decides to disclose personal data to a competent authority. This includes identifying a lawful basis under Article 6 of the Gibraltar GDPR for the sharing of data, as well as conditions for the sharing of special category data or data relating to criminal convictions and offences. Guidance is also provided in relation to compliance with the data protection principles at Article 5 of the Gibraltar GDPR, the rights of individuals, and relevant exemptions under the DPA that may be relied on by an organisation for the disclosure of personal data.

The Guidance Note is intended to serve as a reference document, to be consulted as and when necessary, alongside relevant legislation. Organisations are responsible for assessing compliance, and for introducing reasonable and appropriate measures, as applicable.

This Guidance Note provides information and guidance on the use of cookies, including the rules for setting cookies, and how to ensure compliance with these rules.

Although cookies are not explicitly referred to in the Communications (Personal Data and Privacy) Regulations 2006 (the "Privacy Regs"), Regulation 5 nevertheless sets out the rules regarding cookies. The Privacy Regs sit alongside the Gibraltar General Data Protection Regulation and the Data Protection Act 2004, and they provide individuals with specific privacy rights in relation to electronic communications. This includes cookies and similar tracking technologies.

This Guidance Note sets out the key points that organisations should consider when setting cookies, in order to comply with the relevant legislation.

This Guidance Note is intended to serve as a reference document, to be consulted as and when necessary, alongside relevant legislation. Organisations are responsible for assessing compliance, and for introducing reasonable and appropriate measures, as applicable.