Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Gibraltar: GRA fines Royal Gibraltar Police £10,000 following multiple breaches of DPA and GDPR
The Gibraltar Regulatory Authority ('GRA') published, on 18 April 2022, its decision, in which it imposed a fine of £10,000 to Royal Gibraltar Police, for violations of Sections 48(1) and (2), 49, 65(1) and (2), 70, 75, 77(1) and (2) of the Data Protection Act 2004 ('DPA'), and Articles 5(1)(e) and (f), 24(1) and (2), 30, 32, 34(1) and (2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following multiple breaches relating to personal data held by the Police.
Background to the decision
In particular, the GRA stated that it was notified of the breach by the Police, in line with their obligations under Part III, Chapter 4, Section 76 of the DPA, which requires notification to the GRA where a personal data breach is likely to result in a risk to the rights and freedoms of individuals.
Furthermore, the GRA outlined that the Police had also notified data subjects as required by Part III, Chapter 4, Section 77 of the DPA, which provides that where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must inform the data subject of the breach without undue delay. However, the GRA also noted that the notification to data subjects had been carried out with unjustified delay.
Findings of the GRA
Thus, the GRA launched an investigation and found that, in respect of personal data processed for law enforcement purposes, the Police breached the following Sections of the DPA:
- 48(1) and 48(2) – which relates to storage limitation;
- 49 – which relates to data security;
- 65(1) and 65(2) – general obligations of the controller;
- 70 – records of processing activities;
- 75 – security of processing; and
- 77(1) and 77(2) – communication of a personal data breach to the data subject.
Moreover, the GRA confirmed that, in respect of personal data processed for employment purposes, the Police breached the following Articles of the GDPR:
- 5(1)(e) – principles relating to processing of personal data (i.e. storage limitation);
- 5(1)(f) – principles relating to processing of personal data (i.e. integrity and confidentiality);
- 24(1) and 24(2) – responsibility of the controller;
- 30 – records of processing activities;
- 32 – security of processing; and
- 34(1) and 34(2) – communication of a personal data breach to the data subject.
Outcomes
As such, the GRA imposed a fine of £10,000 on the Police for the aforementioned violations.
You can read the decision here.