Data protection & privacy laws in Gibraltar (2026)
Gibraltar operates a comprehensive, GDPR-style data-protection regime. Since the end of the Brexit transition period (1 January 2021), its law consists of the Gibraltar GDPR (a domesticated version of the EU GDPR with EU terminology replaced by Gibraltar equivalents) and the Data Protection Act 2004, which supplements it on derogations and exemptions. The Gibraltar Regulatory Authority, as Information Commissioner, is the independent supervisory authority responsible for enforcement.
Key points
The EU GDPR applied directly from 25 May 2018 until 31 December 2020; from 1 January 2021 the substantively identical Gibraltar GDPR replaced it, retaining the EU GDPR's principles, lawful bases and structure with technical amendments for domestic application.
The Data Protection Act 2004 remains in force and supplements the Gibraltar GDPR, covering matters that were previously permitted derogations and exemptions and setting out the supervisory authority's role in Part V.
The Gibraltar Regulatory Authority (GRA), designated as Information Commissioner, is the independent statutory body that enforces the Gibraltar GDPR and the DPA, investigates complaints, issues guidance and exercises the powers under Article 58(1)-(2) of the Gibraltar GDPR.
Controllers and processors must observe GDPR principles, maintain lawful bases for processing, and notify personal-data breaches to the GRA within 72 hours where required.
Individuals enjoy the full suite of GDPR rights, including access, rectification, erasure, restriction, data portability and objection, which the GRA upholds through complaint investigation.
Gibraltar does not currently hold an EU adequacy decision, so EU-to-Gibraltar transfers rely on Article 46-49 safeguards; the UK has granted Gibraltar adequacy, and EU adequacy is anticipated alongside the UK-EU treaty on Gibraltar.
Timeline - major decisions & events
The Commission confirmed the UK continues to offer adequate protection under the new Data (Use and Access) Act, after extending existing adequacy decisions to 27 December 2025. Because Gibraltar's regime mirrors the UK's and data flows freely to the UK, this directly underpins Gibraltar's cross-border transfer position. Source: EDPB
The DUAA amended the UK GDPR regime and introduced a new third-country data-protection test. As Gibraltar law tracks the UK framework for adequacy purposes, the reform sets the direction for Gibraltar's own evolving standard. Source: Squire Patton Boggs (Global Privacy Blog)
The Information Commissioner imposed a £10,000 penalty on the RGP for violations of the DPA 2004 and Gibraltar GDPR involving the personal data of hundreds of serving and retired officers. It is the largest publicly reported Gibraltar data-protection fine and signalled enforcement against public bodies. Source: DataGuidance
At the end of the EU exit transition period, the EU GDPR was superseded domestically by the 'Gibraltar GDPR', sitting alongside the retained DPA 2004. This established the current two-pillar framework supervised by the GRA as Information Commissioner. Source: Gibraltar Regulatory Authority
The GRA fined the RGP £5,000 after pocketbook entries and witness accounts from an investigation were disclosed to the wrong recipient. It was one of the first significant public-sector enforcement actions under the Gibraltar regime. Source: Gibraltar Regulatory Authority
The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 transposed Regulation (EU) 2016/679 into Gibraltar national law so the standard would survive Brexit. This is the legal vehicle that produced the Gibraltar GDPR. Source: UK Government (DCMS adequacy framework)
As part of the EU via the UK, Gibraltar became subject to the directly applicable EU General Data Protection Regulation, modernising rights, accountability obligations and large fining powers. This set the substantive standard later retained as the Gibraltar GDPR. Source: Gibraltar Regulatory Authority
Gibraltar's foundational data-protection statute transposed the 1995 EU Data Protection Directive, establishing core processing principles, data-subject rights and a supervisory Commissioner (later the GRA). Brought into operation around 2006, the DPA 2004 remains in force as supplementary national law. Source: Laws of Gibraltar
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.