Law: The primary pieces of legislation are the Data Protection Act 2004 (as amended in 2021) ('the Act') and the Gibraltar General Data Protection Regulation ('Gibraltar GDPR')
Regulator: The Gibraltar Regulatory Authority ('GRA')
Summary: The Act was amended in 2019 to implement the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('EU GDPR') and is enforced by the GRA. Following the end of the 11-month transitional Brexit period during which the UK and Gibraltar continued to be subject to EU rules, Gibraltar enacted the Gibraltar GDPR on 1 January 2021, which is essentially the EU GDPR read with minor modifications such as regarding territorial scope and the competent supervisory authority. The GRA has been particularly active in issuing guidance and has addressed topics including GDPR-compliant privacy notices, the relationship between emerging technologies, such as blockchain, and data protection, as well as general concerns such as data security. In addition, privacy regulation in Gibraltar has a particular focus on gambling operations due to prevalence of the industry in Gibraltar.