Data & Privacy · Gibraltar
Data & Privacy - Gibraltar
Gibraltar operates a comprehensive, GDPR-style data-protection regime. Since the end of the Brexit transition period (1 January 2021), its law consists of the Gibraltar GDPR (a domesticated version of the EU GDPR with EU terminology replaced by Gibraltar equivalents) and the Data Protection Act 2004, which supplements it on derogations and exemptions. The Gibraltar Regulatory Authority, as Information Commissioner, is the independent supervisory authority responsible for enforcement.
The EU GDPR applied directly from 25 May 2018 until 31 December 2020; from 1 January 2021 the substantively identical Gibraltar GDPR replaced it, retaining the EU GDPR's principles, lawful bases and structure with technical amendments for domestic application.
The Data Protection Act 2004 remains in force and supplements the Gibraltar GDPR, covering matters that were previously permitted derogations and exemptions and setting out the supervisory authority's role in Part V.
The Gibraltar Regulatory Authority (GRA), designated as Information Commissioner, is the independent statutory body that enforces the Gibraltar GDPR and the DPA, investigates complaints, issues guidance and exercises the powers under Article 58(1)-(2) of the Gibraltar GDPR.
Controllers and processors must observe GDPR principles, maintain lawful bases for processing, and notify personal-data breaches to the GRA within 72 hours where required.
Individuals enjoy the full suite of GDPR rights, including access, rectification, erasure, restriction, data portability and objection, which the GRA upholds through complaint investigation.
Gibraltar does not currently hold an EU adequacy decision, so EU-to-Gibraltar transfers rely on Article 46-49 safeguards; the UK has granted Gibraltar adequacy, and EU adequacy is anticipated alongside the UK-EU treaty on Gibraltar.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice. English version →