Guidance Issued by the GRA

The Gibraltar Regulatory Authority (“GRA”), as the Information Commissioner (the “Commissioner”), is the nominated authority responsible for the enforcement of data protection law in Gibraltar and carries out the functions assigned to it to uphold the rights of individuals and their privacy.

As part of his efforts to promote data protection compliance and good practice, the Commissioner issues guidance notes aimed at helping organisations improve their data protection practices and comply with the law.

The GRA has published two guidance notes, one relating International Transfers of personal data under the General Data Protection Regulation (“GDPR”) and Gibraltar’s Data Protection Act 2004 (“DPA”) and one to assist Law Enforcement Authorities (“LEAs”) in relation to Brexit.

Guidance Note IR11/18 – International Transfers

The GDPR imposes conditions on transfers of personal data to jurisdictions outside the European Economic Area (the “EEA”) (which includes the European Union).

The purpose of this guidance note is to provide summary guidance on the provisions in Chapter V of the GDPR regarding transfers of personal data to third countries or international organisations. The guidance is useful to a data controller in Gibraltar, as a territory within the EU, to understand its obligations when transferring data outside of the EEA. In the event of a “no-deal” Brexit, this guidance will also be useful to a data controller or processor in Gibraltar as it identifies the mechanisms that may be used to maintain ongoing data flows from the EU/EEA, for example by using ‘standard contractual clauses’ (“SCCs”).

SCCs are standard sets of contractual terms and conditions, which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA.

To assist further, the Commissioner has produced template contracts to accompany the guidance note which include explanatory notes and additional guidance.

The guidance note is available on the data protection section of the GRA’s website –

Guidance Note IR12/18 – Data Protection and Brexit for Law Enforcement Authorities

As per sections 39 and 40 of the DPA, the processing of personal data by LEAs for “law enforcement purposes” is regulated by Part III of the DPA, not the GDPR. This guidance note highlights the five steps LEAs can take to prepare for data protection compliance if Gibraltar leaves the EU without a deal.

The relevant law enforcement processing regime in Part III of the DPA will continue to apply after Gibraltar leaves the EU.

The guidance note is available on the data protection section of the GRA’s website –

For further information please contact the GRA’s Information Rights Division on +350 200 74636 or email: