Register of Data Protection Officers

The General Data Protection Regulation (“GDPR”) came into force on 25 May 2018. The GDPR places emphasis on transparency, security and accountability by data controllers. Its aim is to strengthen the rights of individuals to data privacy.

With GDPR comes the newly amended Data Protection Act 2004 (“DPA”) to ensure that Gibraltar’s data protection law falls in line with the requirements of GDPR.

The requirement that existed under the previous legislative regime for data controllers to register their processing operation with the Data Protection Commissioner (“Commissioner”) no longer applies. Under the GDPR, “such indiscriminate general notification obligations should therefore be abolished and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes.”

Under the GDPR, certain organisations are required to appoint a designated Data Protection Officer (“DPO”). Organisations are also required to publish the details of their DPO and provide these details to their national supervisory authority.

An organisation is required to appoint a designated data protection officer where:

  • the processing is carried out by a public authority or body;
  • the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences;
  • it is a law enforcement entity and must therefore appoint a DPO as covered by the Law Enforcement Directive; or
  • it does not meet any of the above requirements but voluntarily wishes to appoint a DPO.

For further guidance on the role of a DPO, please visit our website on

Under section 138 of the newly amended DPA, the Commissioner must establish a register of data protection officers, which shall be available to the public. This requirement falls in line with the requirement under the GDPR for data controllers to appoint a DPO and provide the contact details to the national supervisory authority.

To notify the Commissioner of your appointed DPO, please complete and submit the online form on

For further information please contact the GRA on +350 200 74636 or email