General Data Protection Regulation – the lawful basis

Today the Gibraltar Regulatory Authority (“GRA”), as the Information Commissioner, has published the sixth guidance note on the European Union’s General Data Protection Regulation (“GDPR”) and Gibraltar’s Data Protection Act 2004 (“DPA”).

The introduction of the GDPR in May this year represented a significant development  in data protection law, with new or revised requirements. To collect and use personal data legitimately under the GDPR, organisations need to have a ‘lawful basis’.

Identifying the lawful basis that an organisation relies on to process personal data is a fundamental step in ensuring data protection compliance.

The GDPR and the DPA list the lawful bases that organisations can rely on to process personal data. This guidance note aims to identify the lawful bases that are available for organisations to rely on, in a practical and concise manner.

The guidance note is available on the data protection section of the GRA’s website –

Other recent changes in the data protection law include the appointment of staff to ensure data protection compliance, easier rights of access to data and notification of data breaches to individuals. Organisations (both private and public) need to ensure that they comply with their data protection obligations.

The GRA is the nominated authority responsible for the enforcement of data protection law in Gibraltar and carries out the functions assigned to it to uphold the rights of individuals and their privacy. As part of his efforts to promote data protection compliance and good practice, the Information Commissioner issues guidance notes aimed at helping organisations improve their data protection practices and comply with the law.

For further information please contact the Information Rights Division of the GRA on +350 200 74636 or email