Gibraltar Regulatory Authority

Home / Membership / Members / Gibraltar




Country or territory: Gibraltar
Organisation: Gibraltar Regulatory Authority (GRA)
Chair: Paul Canessa (Chairman of the Board & CEO)
Location/address: 2nd floor
Eurotowers 4
1 Europort Road
GX11 1AA
Primary contact: (+350) 20074636
Number of staff: 5 staff members deal directly with Information Rights. The total staff of the GRA is 21.
Year established: 2004 was year Data Protection Act was passed in Parliament and established the GRA as the Data Protection Commissioner.
Founding Act or Law: Gibraltar Regulatory Authority Act 2000 & Data Protection Act 2004.
Online profile (website, social media, etc.): Website:
Twitter: @GibRegAuthority
General description of activities: Provide advice on data protection matters, investigation of complaints, inspection of public and private organisations, awareness raising, maintenance of a register of data controllers and involvement in international projects.
General description of enforcement actions (powers of investigation, inspection and/or sanction): Powers to carry out investigations and inspections to ensure compliance with the Data Protection Act 2004, issuing of Information or Enforcement Notices, Court Proceedings, Penalties and Compensation Orders.
Number of decisions, opinions, recommendations in previous year: 133 Advices, 23 Investigations, 15 Inspections.
Significant decisions, opinions or recommendations: Decision

(1.) A decision was made in relation to an incident where an individual had available to him unsupervised access to an unlocked computer and documentation in the reception desk of a public authority in Gibraltar that processed a significant amount of health related personal data.

An investigation concluded that the public authority failed to have appropriate organisational and technical security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing. They were required to review their organisational and technical security measures to ensure the protection of personal data that it processed and document such measures in a written policy.

(2.) A complaint was received on a matter where an employee had used her position in an organisation to, without authorisation, make copies of documents containing personal data of other employees and third parties pertaining to the organisation, for the purposes of a personal pay claim. It was concluded that the employee had become a data controller and obtained the personal data in a manner that was not fair or lawful, and without satisfying any condition that would make the processing legitimate. The employee was ordered to destroy all copies of the personal data that were in her possession.

(3.) A complaint was received by an individual against a local gymnasium (the “Gym”) who implemented a biometric data system (the “System”) for entry to the Gym. It was determined that whilst the Gym had been unsuccessful at using alternative methods to control access following incidents of unauthorised access resulting in unfair costs, less intrusive methods could still be effective. Therefore, the System appeared to be excessive and disproportionate, and did not meet the criteria for the legitimate processing of personal data.

Following the determination, the Gym modified and replaced the System as the only means of access to the Gym by introducing an alternative method of entry.


(1.) Advice was provided to a government department (the “Department”) that intended to obtain and process personal data to assess moneys owed to the Government of Gibraltar (“GoG”), by obtaining personal data from other government departments.

The Department were advised about the need for data controllers to be transparent about the processing of their personal data, and process personal data for a specific purpose, without any further processing. They were therefore advised that GoG departments each collect and process personal data independently and for distinct specific purposes. Therefore, in the first instance, it appeared that the sharing of personal data between GoG departments as described would lead to a contravention.

However, the Department were further advised that an exemption could apply to the disclosure of personal data, namely where personal data is being processed for the purpose of assessing or collecting any tax, duty or other moneys owed or payable to the Crown or a person conducting a relevant function.  It was advised that on the information available, it could not be concluded that the exemption would apply.

Lastly, the Department were also advised that the exemption would not relieve a data controller of the need to satisfy a legitimate condition for processing. It appeared, however that the proposed sharing of information would not be legitimate, as there were no appropriate mechanisms to monitor and control disclosures.

(2.) Advice was provided to a law enforcement authority (“LEA”) in relation an exemption within the Data Protection Act 2004 where processing of personal data is for the purposes of inter alia detecting, preventing, and investigating crime. The LEA were advised that the exemption does not oblige a data controller to release any personal data to the local LEA.  However, it ensures that the data controller may not be in breach if it decides to disclose information for the said purposes. Based on the information that was provided, in this instance it appeared that the exemption could be relied on.

(3) Our office engaged with a public authority that were seeking to establish an online database that contained the personal data of individuals who had initially provided their consent to a register that was held internally by the public authority.

The public authority were advised that whilst personal data can be legitimately processed if the data subject has unambiguously given his/her consent to the processing, individuals provided their personal data knowing that it would be placed on a register held internally, and not online. Consequently, it did not appear that producing the personal data online as intended would meet a condition to make processing legitimate.