Doing Business In... 2025

GIBRALTAR Law and Practice Contributed by: Emma Lejeune, Stuart Dalmedo, Nicholas Isola, James Castle and Louise Anne Turnock, ISOLAS LLP

secret holder has suffered, and any unfair profits made by the infringer; • elements other than economic factors, includ - ing the moral prejudice caused to the trade secret holder by the unlawful acquisition, use or disclosure of the trade secret; and • where appropriate, damages may be awarded on the basis of the royalties or fees which would have been due had the infringer obtained a licence to use the trade secret in question. In Gibraltar, the overarching national law on data protection is the Data Protection Act 2004 (DPA 2004). The DPA 2004 was amended on 25 May 2018 to: • implement the General Data Protection Regu - lation (Regulation (EU) 2016/679) (EU GDPR); • transpose the Law Enforcement Directive (Directive (EU) 2016/680); • implement a data protection framework under the Convention for the Protection of Individu - als with Regard to Automatic Processing of Personal Data of 1981 (Convention 108); and • implement Articles 126–130 of the Conven - tion of 19 June 1990 applying the Schengen Agreement of 14 June 1985. 8. Data Protection 8.1 Applicable Regulations The changes made to the DPA 2004 took Brexit into account, as well as the Data Protection Act 2018 of England and Wales (DPA 2018). Both statutes share a similar structure, but with nota - ble differences, such as the repeal of Part IV of the DPA 2004, which related to intelligence ser - vice processing and was similar in structure and content to Part 4 of the DPA 2018.

Following the end of the Brexit transition period (see 1. Legal System ), the DPA 2004 was further amended, and the EU GDPR now forms part of Gibraltar law by virtue of Section 6 of the Euro - pean Union (Withdrawal) Act 2019, as read with (i) Section 2 (1B)(a) of the DPA, and (ii) the Data Protection, Privacy and Electronic Communica - tions (Amendments etc) (EU Exit) Regulations 2019. This is now referred to as the “Gibraltar GDPR”, which is essentially the EU GDPR read with certain modifications. It is, therefore, impor - tant to read the Gibraltar GDPR and the DPA 2004 side-by-side. The DPA 2004 and the Gibraltar GDPR are sup - plemented by the following: • the Communications (Personal Data and Pri - vacy) Regulations 2006 (CPDP Regulations), made under the Communications Act 2006; and • the Data Protection (Search and Seizure) Regulations 2006 (DPSS Regulations). The Communications Act 2006, together with the CPDP Regulations, transpose the E-Privacy Directive (Directive 2002/58/EC), imposing obli - gations on publicly available electronic com - munications services providers and users when they process personal data. The DPSS Regulations, among other things, authorise justices of the peace to issue war - rants to the supervisory authority (see 8.3 Role and Authority of the Data Protection Agency ) in certain circumstances, allowing them to enter premises, inspect and seize as required. 8.2 Geographical Scope Both the EU GDPR and Gibraltar GDPR have what is referred to as “extraterritorial effect”, in that, respectively, the EU GDPR can apply out -

312 CHAMBERS.COM

Powered by