GDPR Frequently Asked Questions

What is the GDPR?

The General Data Protection Regulation (“GDPR”) is a legislative regime that seeks to protect, and remove obstacles to the flow of, personal data, while imposing obligations on organisations that process such data. The EU GDPR came into effect across the European Union (“EU”) on 25 May 2018 and applied in Gibraltar from that date up to and including 31 December 2020.

On 1 January 2021, the EU GDPR was superseded in the United Kingdom (“UK”) by the UK GDPR and in Gibraltar by the Gibraltar GDPR after the UK’s, and consequently Gibraltar’s, exit from the EU and the end of the Brexit transition period (although the EU GDPR may continue to apply to UK and Gibraltar controllers and processors who have an establishment in the EU or who offer goods or services to data subjects in the EU or who monitor their behaviour in the EU).  

The UK GDPR remains in force in the UK and should be read in conjunction with the Data Protection Act 2018 “UK DPA”).  The Gibraltar GDPR remains in force in Gibraltar and should be read in conjunction with Gibraltar’s Data Protection Act 2004 (“Gibraltar DPA”).  

Each jurisdiction’s respective GDPR and DPA legislation govern how organisations process information about individuals, including but not limited to the collection, recording, structuring, storage, use and disclosure or transfer of personal data to third parties.  Further, they protect individuals with regard to the processing of data, in particular by: 

  1. requiring personal data to be processed lawfully, fairly and transparently, on the basis of the data subject’s consent or another specified basis; 
  2. conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified; and 
  3. conferring responsibility to monitor and enforce the UK/Gibraltar GDPR on the relevant Commissioner in each jurisdiction (the Information Commissioner’s Office (“ICO”) in the UK and the Gibraltar Regulatory Authority (“GRA”) in Gibraltar).  

What do the different terms mean?

The Gibraltar GDPR sets out a number of definitions, including the following:

  • personal data” is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”;
  • processing” is “any operation or set of operation which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”;
  • controller” is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”; and
  • processor” is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

Who does the Gibraltar GDPR apply to?

The Gibraltar GDPR applies to the processing of personal data: 

  • in the context of the activities of an establishment of a controller or a processor in Gibraltar, regardless of whether the processing takes place in Gibraltar or elsewhere;
  • of data subjects who are in Gibraltar by a controller or processor not established in Gibraltar, where the processing activities relate to (a) offering goods or services to those data subjects in Gibraltar or (b) monitoring data subjects’ behaviour taking place in Gibraltar; and 
  • by a controller not established in Gibraltar but where Gibraltar law applies by virtue of public international law. 

LondonLink (GI) Limited (“LondonLink”) is incorporated in Gibraltar and is subject to the Gibraltar GDPR and the Gibraltar DPA.  

What responsibilities do companies have under the Gibraltar GDPR?

LondonLink and other companies must ensure that a data subject’s consent to the processing of personal data is clear, affirmative, and in plain language, and must make it easy for data subjects to withdraw consent at any time if they wish to do so.

Article 13 of the Gibraltar GDPR provides that at the time that personal data is obtained, controllers must provide data subjects with certain information, namely:

  • the identity and the contact details of the controller (and, where applicable, the controller’s representative);
  • the contact details of the Data Protection Officer (“DPO”), where applicable; 
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; 
  • the legitimate interests pursued by the controller or by a third party (where the processing is necessary and permitted for the purposes of those interests); 
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and related information;
  • the period for which the personal data will be stored (or the criteria used to determine that period); 
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • the existence of the right to withdraw consent at any time;
  • the existence of the right to lodge a complaint with the Commissioner (i.e. the GRA); 
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
  • the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Are there any specific rules that businesses should follow to ensure compliance?

Article 5 of the Gibraltar GDPR provides that personal data must be:

  • processed lawfully, fairly and in a transparent manner;
  • collected only for specified, explicit and legitimate purposes;
  • adequate, relevant and limited to what is necessary;
  • accurate and, where necessary, kept up-to-date;
  • held only for the time necessary and no longer; and
  • processed in a manner that ensures appropriate security of the personal data.

What are the penalties for failing to comply with the Gibraltar GDPR?

The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed.

The maximum fine a company can face is 4% of their annual global turnover or £17.5 million, whichever is higher.

Less serious violations, such as having improper records, or failing to notify of any breaches, can be fined a maximum of 2% of their annual global turnover or £8.75 million, whichever is higher.

Do all organisations now have to appoint a DPO?

Article 37 of the Gibraltar GDPR provides that the controller and the processor shall appoint a DPO where:

  • the processing is carried out by a public authority or body (with the exception of courts acting in their judicial capacity);
  • the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale special categories of data or personal data relating to criminal convictions and offences.

Where none of the above criteria apply, the relevant organisation is not required to appoint a DPO (although it may still wish to do so) but it must nevertheless ensure that it has sufficient staff and skills in place to be able to carry out its obligations under the Gibraltar GDPR.  

As none of the above criteria apply, LondonLink has not appointed a DPO.

What rights do individuals have under the Gibraltar GDPR?

The key rights of data subjects under the Gibraltar GDPR are:

  • the right to be informed - organisations must be completely transparent in how they are using personal data;
  • the right of access - i.e. to know exactly what information is held about them and how it is processed;
  • the right of rectification - i.e. to have personal data rectified if it is inaccurate or incomplete;
  • the right to erasure (or 'the right to be forgotten') - to have their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue;
  • the right to restrict processing - i.e. to block or suppress processing of their personal data;
  • the right to data portability - i.e. to retain and reuse their personal data for their own purpose;
  • the right to object - i.e. in certain circumstances, to object to their personal data being used. This includes, if a company uses personal data for the purpose of direct marketing or for scientific and historical research;
  • the right to automated decision making and profiling - i.e. not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning, or significantly affecting, them.  This is intended to protect data subjects against the risk that a potentially damaging decision is made without human intervention; and
  • the right to complain to the Commissioner (i.e. the GRA) if they consider that the processing of their personal data infringes the Gibraltar GDPR.