Privacy Law in Gibraltar (BOT)
Gibraltar, a British Overseas Territory, enforces the Data Protection Act 2004 (DPA 2004), which aligns closely with the EU's General Data Protection Regulation (GDPR) and the Council of Europe's Convention 108.
Gibraltar's Data Protection Framework
1. Legislative Basis
Data Protection Act 2004: The primary legislation governing data protection in Gibraltar.
Amendments: The Act has been amended several times to enhance data protection measures.
Convention 108: Gibraltar is a signatory to the Council of Europe's Convention 108, which entered into force on 1st November.
2. Data Protection Authority
Gibraltar Regulatory Authority (GRA): The GRA serves as the Data Protection Commissioner, overseeing the enforcement of data protection law.
Responsibilities: Monitoring compliance with data protection law. Handling complaints and data subject access requests. Imposing penalties for non-compliance.
3. Key Provisions of the DPA 2004
Lawful Processing: Personal data must be processed lawfully, fairly, and transparently.
Purpose Limitation: Data should be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimization: Only data necessary for the intended purpose should be collected.
Accuracy: Data must be accurate and kept up to date.
Storage Limitation: Data should be kept in a form which permits identification of data subjects for no longer than necessary.
Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security.
Accountability: Data controllers are responsible for and must be able to demonstrate compliance with these principles.
4. Rights of Data Subjects
Access: Individuals can request confirmation of whether their personal data is being processed and access to that data.
Rectification: Individuals can request correction of inaccurate personal data.
Erasure: Individuals can request deletion of their personal data under certain conditions.
Restriction of Processing: Individuals can request the restriction of processing of their personal data.
Data Portability: Individuals can request the transfer of their personal data to another organization.
Objection: Individuals can object to the processing of their personal data in certain situations.
5. Data Breach Notification
Current Status: There is no mandatory requirement in the DPA 2004 to report data security breaches or losses to the Data Protection Commissioner or to data subjects.
Future Amendments: A mandatory requirement will be introduced with the transposition into Gibraltar law of the Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications) introduced by Directive 2009/136/EC of the European Parliament and of the Council of 25 November.
6. Penalties for Non-Compliance
Fines: Up to £2,000 for summary conviction in the Magistrate's Court. Up to £5,000 for conviction on indictment in the Supreme Court.
Offenses: Knowingly or recklessly obtaining or disclosing personal data without consent. Selling personal data obtained in contravention of the Act.