Gibraltar: Privacy and Data Protection-related Laws

Privacy laws in Gibraltar require

Current Gibraltar Privacy and Data Protection-Related Laws [1]

  • Data Protection Act 2004 is the law that governs how organisations (both private and public) should use information about individuals
    • The Data Protection Act 2004 can be found here and applies whenever an organisation processes (e.g. stores, collects, transmits, uses, etc.) information that relates to a person, such as a person’s name, DOB, hobbies, comments about their performance, location, etc.
    • This act nominates the Gibraltar Regulatory Authority as the Data Protection Commissioner
    • This act sets out a “right to privacy”: the right to respect for family and private life, home and correspondence, in accordance with Article 8 of the European Convention on Human Rights
    • Under the Data Protection Act 2004, every organisation that processes personal information is required to register in the Register of Data Controllers, unless they are exempt. Failure to do so is an offence. More information here
    • A description around the rules of transferring data out of Gibraltar can be found here
    • This act does not mention cryptocurrency or blockchain

Future Gibraltar Privacy and Data Protection-Related Laws

  • As of May 25, 2018, the EU’s General Data Protection Regulation (GDPR) will come into effect in Gibraltar, automatically replacing the existing Data Protection Act 2004
    • The GDPR applies to “data controllers” and “data processors”. The data controller is the organisation that says how and why personal data is processed and the data processor is the organisation that processes personal data on the data controller’s behalf [2]
    • A good summary of the GDPR can be found here
    • Overall, the GDPR mandates that the rights of the “data subject,” that is, the individual whose data it is, be protected. These rights include: [3]
      • Article 12: The right to have questions about use of personal data answered, and to seek redress if these questions are not answered in a clear, concise, timely manner.
      • Articles 13 & 14: The right to know how personal data is being used at the time of collection, as well as the length of time for which it will be stored and contact information for the collecting party.
      • Article 15: The right to access the personal data that is being processed.
      • Article 16: The right to have incorrect personal data rectified.
      • Article 17: The right to have personal data erased when they are no longer necessary for the purposes for which they were collected and there is no legal ground for their maintenance.
      • Article 18: The right to restrict data processing where the data is inaccurate, its collection unlawful, or its processing no longer required.
      • Article 19: The data collecting party must inform all additional data processors with whom it shares personal data to cease processing data that has been rectified or erased.
      • Article 20: The right to receive their personal data in a structured, commonly-used, machine-readable format which they can freely share with other data processors.
      • Article 21: The right to object to personal data being used to profile or market to them.
      • Article 22: The right to not be subject to legal outcomes that rely solely on automated data processing.
    • Gibraltar privacy and data-protection law will therefore be the same as that of other countries in the EU. Several articles have been written about the potential impact of the GDPR on blockchain, including here, here, here and here, as it is unknown how these new regulations will affect public blockchains

SOURCES
[1] Gra.gi Data Protection
[2] Gra.gi General Protection Regulation
[3] Medium.com