Senior management and organisation

Please identify the authority’s senior management.

Paul Canessa is the CEO of the Gibraltar Regulatory Authority (GRA). His position as CEO encompasses the role of the information commissioner (the commissioner) with responsibility for the supervision and enforcement of the General Data Protection Regulation (GDPR), the Data Protection Act 2004 (DPA) and the Freedom of Information Act 2015.

Mr Canessa is supported by John Paul Rodriguez (deputy CEO) and Bradley Tosso (head of information rights). The GRA can be contacted via email at [email protected] or [email protected].

When was the head of the authority appointed?

Mr Canessa was first appointed as CEO of the GRA in 2000 and has been continually reappointed since.

How long is their term of office?

The term of office is five years, which can be renewed every term.

What is the process for nominating the head of the authority?

The appointment for the position of head of the authority is signed off by the chief minister of Gibraltar.

What was the authority's budget for the most recently available financial year?

Please see our publicly available annual accounting report on

How many data protection/privacy-focused staff does the authority employ?

The Information Rights Division deals with all data protection related matters. The team consists of seven individuals: the head of the division; the manager of the division; and five information rights officers. All report to the commissioner and his deputy.

Contacting the authority

How and where should companies or their advisers contact the authority to notify a data breach? Please specify individuals, email addresses, URLs for online forms, etc.

Individuals or organisations can contact the GRA in the following ways:

What other contact information should companies and their advisers be aware of?

Organisations and their advisers can also opt to subscribe to our newsletter via our website. Our newsletter contains information on investigations carried out in the last quarter of the year, information on any new guidance notes on data protection and, in general, any type of information related to data protection.

Legal and enforcement framework

What are your investigative powers?

Our investigative powers as a supervisory authority are those contained in article 58 of the GDPR. In addition, under Schedule 13(1)(g) of the DPA, our office can conduct investigations as part of the section on the Law Enforcement Directive.

Can you search premises or force the disclosure of information without having to approach the courts?

Section 160 of the DPA gives the commissioner powers of entry and inspection; these powers are further explained in schedule 15 of the DPA. The commissioner may seek a search warrant from a judge by providing information to the courts in order to search premises. Therefore, to search premises, the commissioner would have to approach the courts.

Under section 150 of the DPA, the information commissioner has powers to issue an information notice to data controllers or processors to provide the information requested. This can be done without approaching the courts.

What fines can you impose on companies that breach data protection rules?

Under section 162 of the DPA, the commissioner has powers to issue penalty notices, taking into consideration the matters concerned as covered in article 83 of the GDPR.

What other measures can you take against companies that breach data protection rules?

The commissioner has powers under the DPA to issue:

  • assessment notices under section 153;
  • enforcement notices under section 155; and
  • penalties under section 162.

A data subject may apply to the courts for compensation under article 82 of the GDPR.

What emergency or interim measures can you take pending the full conclusion of your investigations?

In an ongoing investigation, our office can issue an enforcement notice under section 155 of the DPA.

In addition, article 66 of the GDPR provides measures for urgency procedures if there is a need to act in order to protect the rights and freedoms of data subjects.

Priorities and the future

What are your enforcement priorities over the next year? For example, are you targeting any particular topics, or industry sectors?

No particular sectors are being targeted. Investigations are undertaken on the basis of complaints received and information obtained via other means. In this period, resources for inspections have been diverted to the preparation of guidance. Sector-specific inspections will be restarting shortly.

What data protection/privacy-related guidelines have you issued to date?

Since the GDPR came into effect, our office has issued new guidance notes on data protection. These are:

  • GDPR (1) Getting Started;
  • GDPR (2) Lead Supervisory Authority;
  • GDPR (3) Data Protection Officer;
  • GDPR (4) Data Protection Impact Assessment;
  • GDPR (5) Data Portability;
  • GDPR (6) Identifying the Lawful Basis; and
  • GDPR (7) Guidance for SMEs.

These can be located at

Are you working on any further data protection/privacy guidelines or guidance, or on amending any of your current guidance? If so, what?

We are looking to continue issuing new guidance notes and at the same time update previous ones. At this stage, we will be looking to issue new guidance on GDPR data breach notification, CCTV systems and transparency.

Would you like to see further reforms to your laws (beyond GDPR implementation legislation, if applicable) or to your enforcement framework? If so, what?

At this time the regulator is focusing on the GDPR and related legislation.
