Data Protection


What is data Protection Law


Your personal data is protected by law. Gibraltar has its own data protection law, called the Data Protection Act 2004. It came into force on 1 June 2006. The Act aims to make sure that personal data is:


·     accurate

·     kept up to date

·     used in a responsible and transparent way.


Who is responsible for Data Protection


The Data Protection Commissioner is the Gibraltar Regulatory Authority for data protection. The Commissioner is independent of the Government. See below for contact details of the Data Protection Commissioner.


What data is covered by Data Protection Act


The Act covers all types of personal data, including:

·     information held on computers

·     information held manually

·     information held by the police.


Personal data is information about people who can be identified. It can be any type of information - even something as simple as a name and address. The Act doesn't apply to information kept about companies. And it doesn't apply to information kept for purely personal, household purposes such as personal address books and diaries.


Who does the law apply to


The law applies to people about whom data is held. These people are called data subjects. For example, if a bank keeps information about Ms Gomez who is one of its clients, Ms Gomez will be the data subject. Almost everyone is a data subject. For example, if you are in work your employer will keep information about you. If you're a bank customer, the bank or credit card company will keep information about your account. If you're a student or the parent of a student, their school or college will keep information about you. As a data subject, you have the right to access data about yourself and have incorrect data about yourself corrected. You have the right to object to the use of personal data for the purpose of direct marketing (see below). If personal data about you is used improperly, you have the right to complain to the Data Protection Commissioner and also to take legal action against the person or organisation who acted improperly.


What is the duty of the person holding data on you


The person who has or controls the use of the data is called a data controller. In the case of Ms Gomez above, the bank is the data controller. A data controller must:


·     obtain data fairly and lawfully. For example, when your data is collected, you must be told the identity of the data controller and the purpose for which the data will be used

·     make sure the data is accurate and where necessary, kept up to date

·     make sure that the data is collected for a specific purpose. The data controller must not use the data for a wholly different purpose without making sure that this is allowed by the Act, for example, by asking for your consent. Some data can be used without obtaining your consent, for example, to prevent damage to your health. The data must not be kept for longer than necessary

·     make sure that data is kept confidential. Appropriate security measures must be taken to prevent unauthorised, or accidental access to data.


Personal data must not visible to the general public, so computer terminals must be carefully located so that casual visitors cannot read data from the computer screen. There should be procedures in place to verify the identity of someone seeking information. Manual records should be kept in a locked cabinet, and computer data protected by passwords. In general, it will be a criminal offence to obtain or disclose personal data to a person other than a person authorised to receive it. For example, someone who "hacks" into a company's customer records kept on computer is likely to be guilty of a criminal offence.


Registration of data controllers


Most data controllers who keep computerised records have to register with the Data Protection Commissioner. In general, data controllers don't need to register their processing operations if:


·     they only process data manually; or

·     they only process data for the purpose of a register, which is intended to provide information to the public and which is open to consultation


My brother runs a garage and has a mailing list of his customers. Can I use his list to write to his customers to promote my own shop


This is called direct marketing or cold calling. Your brother is a data collector and he has to follow the rules above. Data subjects, that is, his customers, have got the right to object to the use of their personal data for the purpose of direct marketing. Your brother must tell his customers that they have a right to object to their data being passed on this way and then he must respect their wishes. If they object but he still gives you their details, he has committed a criminal offence.


My insurance company has asked for very personal information about me. How can I be sure they won't tell anyone else

Some types of data are known as "sensitive personal data". These are things like:


·     data revealing racial or ethnic origin

·     data revealing political opinions

·     data revealing religious or philosophical beliefs

·     data revealing trade union membership

·     data concerning health or sex life

·     data concerning any criminal offences you may have committed


There are extra controls on the use of sensitive personal data. There are also special rules about the sharing of personal data for things like criminal investigations, tax collection and defence. Get advice from the Data Protection Commissioner if you're concerned about any of these issue.


Can my data be transferred outside Gibraltar


Data may be transferred out of Gibraltar to countries:


·     which are members of the European Economic Area (including the UK)

·     which ensure an adequate level of protection for the privacy and fundamental rights and freedoms of data subjects.


Personal data may be transferred to other countries but only if they are able to protect data subjects' rights, for example, by means of contractual clauses. The Data Protection Commissioner may prohibit the transfer of data from Gibraltar by issuing a "Prohibition Notice". It is an offence not to comply with this notice. However the notice may be appealed against.


How can I find out what information is held about me


For general information, write to the person or company who you believe is holding information about you. Within 21 days of your request, they must inform you in writing, in general terms, whether they do keep any data, and if so what type of data they keep. You don't have to pay a fee for this. Or for access to your personal information, write to the person or organisation who you believe processes information about you. They must respond in writing within 28 days. They may charge a fee for providing this information.


In rare cases, you won't have the right to access data about yourself, for example, in the case of a criminal investigation.


Can I get personal data about someone else


Generally data controllers are not allowed to provide personal data about anyone else. However there are exceptions. For example, there are special rules about getting references for work. Get further advice if this is an issue for you.


Dealing with problems


If the data held about you is found to be wrong, you have the right to get it changed or to have incorrect data destroyed. The data controller must do this within 28 days of you asking for this. The Data Protection Commissioner has powers to sort out problems about data protection. He can order compensation be paid to you in some cases if you have been financially harmed by incorrect processing of your personal data. If you aren't happy with the results of your complaint to the Data Protection Commissioner, you may be able to appeal to the courts. For more information, contact the Data Protection Commissioner for help.


Further help The Data Protection Commissioner can provide further information and help about data protection. Contact details are: Data Protection Commissioner GRA 2nd Floor, Eurotowers 4, 1 Europort Road Tel: 200 74636 Fax: 200 72166 Email:


How can I find out what information is held about me


What are my rights


Individuals have a right to obtain, from a data controller, a copy of the personal data relating to them which is either held on computer, in a relevant manual filing system or which forms part of an accessible record.


Which law permits this


The Data Protection Act 2004 gives individuals the right to obtain a copy of their personal data.

There is a process by which you can request copies of the personal data a data controller holds about you.


How can I access my personal data


The common term used for this process is a ‘ SAR'


Section 14 of the Act defines


• the personal data which can be released,

• the personal data which may be withheld,

• the time scales for complying with a request,

• the fees permitted for the provision of this data, and

• the penalties which can be imposed for failure to comply with a request.

(Subject Access Request)


Does it cost anything


The data controller may charge up to £10 to provide the personal data you have requested. If you request access to health records a fee of up to £20 may be charged.


How do I make a Subject Access Request


It is easy to make a SAR. All you need to do is write to the data controller and request it. It is strongly recommended that you keep a copy of the letter and send the request by recorded delivery.


If you wish to obtain the personal data held about you by a data controller you must:


1. send a request in writing to the data controller, and

2. enclose the appropriate fee.


In order for the request to be dealt with as quickly as possible you should provide the data controller with as much information as possible regarding the type of data you wish to see. For example, if you have an account number or customer reference this should be provided or if you only require specific personal data between two dates this should also be made clear.

Can the organisation ask for more details



This can be

• to enable the data controller to reasonably satisfy itself as to the identity of the person making the request, or

• to request further details to assist it to locate the personal data you require.


If requests for further identifying details or other information are made, you must provide these before the SAR can progress.


How long should it take


Once the data controller has received the fee and all other details requested, it has a maximum of 28 calendar days to respond to your request.


What will I get back


The data controller MUST

If they do not process any of your personal data they must advise you of the fact.

If they do process your personal data you are entitled to ask for and receive, a copy of it.


You can also request a description of


• the purposes for which this personal data is being processed

• the recipients, or classes of recipients, to which the personal data may be disclosed

reply to your request.


Will I understand what I receive


All details must be communicated to you in an intelligible form, with any coding or technical terms explained.

It must also be in a permanent form unless otherwise agreed, especially in the case where it would involve disproportionate effort on the part of the data controller to produce in a permanent form. If you and the data controller agree, the personal data may be supplied verbally.

You are also entitled to be informed of the logic involved in taking a decision if that decision has been made by automatic means, such as credit scoring or for job applications, unless it constitutes a trade secret.



Are there any exceptions to the right of access


Yes, the exemptions from disclosure are specified within the Data Protection Act as follows:


Where the data controller is the Crown acting in its executive capacity it is not obliged to disclose any personal data if the refusal to disclose is necessary in the interests of–

(i) public security;

(ii) the prevention, investigation, detection and prosecution of criminal offences or breaches of ethics for regulated professions;

(iii) an important economic or financial interest of Gibraltar or of the European Union including monetary, budgetary and taxation matters;

(iv) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (i), (ii) and (iii); or

(v) the protection of the data subject or of the rights and freedoms of others.

Can I make more than one SAR to an organisation

If you have previously made a similar or identical SAR, the data controller has the right to refuse to comply with the new request unless a reasonable interval has elapsed. This will depend upon the type of data, the purpose for which it is held and the frequency with which it changes or is amended.


Why have some of the details I received been blacked out


There are often occasions when supplying you with your personal data will also involve releasing the identity of a third party. The data controller must be extremely careful when this occurs and is not obliged to comply with the request unless


• The other individual has consented to them releasing their personal data

• It is reasonable in all the circumstances to comply without the consent of the third party.

If they do release personal data containing third party details, they may be blacked out in some way to prevent releasing the identity of the third party.


I haven’t received a response. What happens now


If you have not received a response by the end of the 28 day period, then the data controller will have committed a breach of the Data Protection Act.

You may complain to the Office of the Data Protection Commissioner to undertake an assessment to determine if the data controller has complied with your request. This will normally elicit a rapid response from the organisation without you resorting to legal action.


For further guidance please contact:

Data Protection Commissioner GRA

2nd Floor, Eurotowers 4

1 Europort Road

T - 20074636

F - 20072166

E -

For more information please visit the GRA Website :



Ensure that individuals do not suffer through lack of knowledge of their rights and responsibilities or of the services available to them or through an inability to express their needs effectively.