GIBRALTAR Law and Practice Contributed by: Emma Lejeune, Stuart Dalmedo, Nicholas Isola, James Castle and Louise Anne Turnock, ISOLAS LLP
side the EU, and the Gibraltar GDPR can apply outside Gibraltar. This is achieved in a similar manner in both pieces of legislation. Focusing on Gibraltar, the territorial scope of the Gibraltar GDPR can extend to any of the following situ - ations. • Where a controller/processor has an “estab - lishment” in Gibraltar and processing occurs ”in the context of the activities” of that estab - lishment. This applies regardless of whether the processing occurs in Gibraltar or not. • Where goods or services are offered to data subjects in Gibraltar, irrespective of whether payment is required by a non-Gibraltar controller/processor. There should be an ele - ment of targeting and other evidence will be considered, such as whether consumers are able to pay in their local currency, or whether a marketing campaign has taken place. This test is also not limited by citizenship or resi - dency of the data subjects. • Where the monitoring of behaviour of data subjects in Gibraltar is carried out by a non- Gibraltar controller/processor. Examples of monitoring would be predicting trends, or use of geo-location. • Where a controller is not established in Gibraltar, but in a place where Gibraltar law applies by virtue of public international law. Under Article 27 of the Gibraltar GDPR, con - trollers and processors established outside of Gibraltar would need to consider the appoint - ment of a local representative in Gibraltar, if they are offering goods or services or monitoring the behaviour of data subjects in Gibraltar. Controllers and processors based in Gibraltar offering goods or services or monitoring the behaviour of data subjects in the EU are subject to the EU GDPR, and will need to consider their
obligations in that context. In particular, until the issue of adequacy is decided by the European Commission in respect of Gibraltar, appropriate safeguards (eg, such as standard contractual clauses) would need to be considered prior to a data transfer from Gibraltar to the EU or vice versa, given that, at the time of writing, Gibraltar is considered as a “third country” for the pur - poses of Chapter V of the EU GDPR. 8.3 Role and Authority of the Data Protection Agency The DPA 2004 designates the Gibraltar Regu - latory Authority (GRA) as the Information Com - missioner. The GRA is an independent statutory body responsible for the enforcement of the DPA 2004, as read with the Gibraltar GDPR, and its primary role as Information Commissioner is to uphold the privacy rights of individuals. Under changes made to the DPA 2004, the GRA now has increased regulatory powers under that Act, as well as those granted under Article 58 of the Gibraltar GDPR. These powers are classed as “investigative”, ”corrective” and “authori - sation and advisory”, allowing the Information Commissioner to, among other things: • bring or defend legal actions in Gibraltar or other courts; • co-operate with and render assistance to supervisory authorities in other states of ter - ritories; • conduct data protection compliance audits; • issue information notices, requiring others to provide it with information to investigate compliance; • issue assessment notices to allow it to enter premises, obtain documents and equipment, and interview persons;
313 CHAMBERS.COM
Powered by FlippingBook