The Data Protection Regulations 2026 came into force at midnight last night on the Implementation Date of the EU–UK Treaty on Gibraltar. They adjust several aspects of the Gibraltar GDPR and the Data Protection Act 2004, principally by replacing references to UK adequacy regulations with references to European Commission adequacy decisions.
The practical day-to-day impact for most Gibraltar businesses will be modest, but the underlying legal framework has now changed, and controllers and processors should be aware of the new position.
The Regulations were made under section 13 of the Treaty on Gibraltar and the European Union Act 2026 and section 184 of the Data Protection Act 2004, implementing Article 14 of the Treaty.
Outward Transfers: Change of Legal Basis
Previously, Article 45(1) of the Gibraltar GDPR permitted (a) a transfer of personal data to a third country if it would, had it been made from the UK, be based on UK "adequacy regulations" under the UK GDPR; and (b) a transfer of personal data to the UK, without any further condition.
Under the new Article 45(1), the legal basis changes. A transfer may take place if it is (a) to a third country that has an adequacy decision from the European Commission under the EU GDPR; (b) to the United Kingdom; or (c) a Member State of the European Union. The former reference to UK adequacy regulations, and the definition in paragraph 1A tying that concept to the UK GDPR/UK DPA 2018, are deleted.
The status of the ” Gibraltar – UK data bridge” is therefore preserved, meaning that transfers of personal data from Gibraltar to the UK continue as before without the need for additional safeguards.
In practice, these changes are unlikely to alter the day-to-day position for most Gibraltar controllers or processors. The UK's adequacy regulations list was carried over from the EU's own adequacy findings at the end of the Brexit transition period, and the two lists have remained substantially aligned since. One notable difference is that EU-US Data Privacy Framework can now be relied on without having to ensure the UK-US extension is in place.
The practical step for controllers and processors is straightforward: from today, verify adequacy by checking the European Commission's list of adequacy decisions rather than the UK's list. Be aware that in the event of future divergence between the two lists, a country adequate under UK regulations but not under an EU Commission decision would no longer be an adequate destination for Gibraltar transfers.
Where no adequacy decision, UK destination, or EU Member State destination applies, the existing fallback mechanisms, Article 46 safeguards (such as the Gibraltar IDTA or Standard Contractual Clauses with the Gibraltar Addendum) and Article 49 derogations, continue to operate as before.
Gibraltar controllers and processors should also take this opportunity to review existing data sharing agreements and where necessary amend them to reflect the provisions of the Data Protection Regulation 2026.
Note to bring law enforcement transfers into line, section 83A of the Data Protection Act 2004 now references EU Commission adequacy decisions under the Law Enforcement Directive rather than UK adequacy regulations.
Inward Transfers: Gibraltar Ceasing to Be a Third Country
Under Article 14(7) of the Treaty, references to third countries and their competent authorities in the EU data protection instruments listed in Annex 3 (including the EU GDPR) are to be understood as not including the United Kingdom, in respect of Gibraltar, and its competent authorities, provided Gibraltar continues to comply with Annex 3.
This is a different and more direct mechanism than an EU adequacy decision: rather than the European Commission making a finding about Gibraltar’s data protection adequacy status as a third country, Gibraltar is removed from the third-country category altogether.
The practical result for EEA-based controllers or processor subject to the EU GDPR is the same as if an adequacy finding were in place for Gibraltar: they will no longer need Chapter V safeguards - Standard Contractual Clauses, binding corporate rules, or other transfer mechanisms - when sending personal data to Gibraltar.
For Gibraltar businesses receiving personal data from third parties, group companies, or partners in the EU and EEA, this removes the need to enter into Standard Contractual Clauses or have in place additional Chapter V safeguards and is a welcome change.
GRA Interpretive Alignment with the EDPB
A new paragraph 5 is inserted into Article 57 of the Gibraltar GDPR. It provides that, whenever the Commissioner decides a case raising similar questions of interpretation to those arising under the EU GDPR, the Commissioner must take "utmost account" of decisions taken by: (a) a foreign designated authority under Article 60 of the EU GDPR (the lead supervisory authority cooperation mechanism underpinning the EU’s one-stop-shop); and (b) the European Data Protection Board under Article 65 of the EU GDPR.
No such obligation existed before. Since Brexit, the GRA's interpretive frame of reference had in practical terms been closer to the UK Information Commissioner's Office and the UK GDPR.
Going forward, the Commissioner is required to look to EDPB and EU supervisory authority decisions and take such decisions into account where the Gibraltar GDPR mirrors the EU GDPR. The standard “utmost account” is not absolute, but it sets a high threshold; departure would need clear justification.
This interpretive duty should not be read as extending the EU’s one-stop-shop mechanism to Gibraltar. The Gibraltar GDPR already omits the EU provisions on lead supervisory authority competence and cooperation between supervisory authorities, and Article 14(2) of the Treaty expressly excludes the EU GDPR provisions governing the lead supervisory authority and the supervisory authority concerned.
The GRA therefore continues to operate as Gibraltar’s sole supervisory authority, handling complaints against Gibraltar-established controllers directly, while EU data subjects and controllers subject to EU GDPR continue to use their own national lead authority under the ordinary one-stop-shop rules. The GRA’s connection to the EU system is limited to participating in EDPB meetings as an expert or guest on relevant agenda items, alongside the new interpretive duty described above.
For FAQs relating to the Data Protection changes, visit our website here.
Professional advice. This note provides a general overview of selected changes. It does not constitute legal advice. Individuals and businesses affected should seek professional guidance tailored to their specific circumstances, data flows, and contractual arrangements.
Subscribe to more insights from our experts at Hassans Subscribe now!

