Font size






*New emergency number for police, fire and ambulance is 999*

Privacy Policy

This Privacy Notice explains how the Royal Gibraltar Police (RGP) processes personal data relating to members of the public. It also outlines the steps we take to ensure that personal data is protected and describes the rights individuals have in relation to the data we process.

Personal data is any data that can be used to identify a living individual, on its own or in combination with other available information. References to names, identification numbers and location data would all be personal data. Processing means anything we do with the data and includes collecting, storing, and sharing.

1. Data Controller

The Commissioner of the Royal Gibraltar Police is the controller for any personal data processed by the RGP.

2. Data Protection Officer

The Data Protection Officer is Inspector Stephen Riley. You can contact him via email on:

Data Protection Officer

Information Management & Vetting Unit

Royal Gibraltar Police

New Mole House

Rosia Road


GX11 1AA

3. What information do we collect about you?

The RGP collects personal data from a range of sources in the course of the exercise of its statutory Law Enforcement functions. We also process personal data that is collated in the course of our administrative functions, for example staff administration.

The personal data we collect and use will include personal data and special category personal data.

Types of personal data we process may include information such as;

  • personal details such as name and address
  • sound and visual images, including Body Worn Video
  • financial details
  • intelligence material
  • complaint, incident and accident details
  • employment details

Special category personal data may include:

  • racial or ethnic origin
  • political opinions
  • religious beliefs, or those of a similar nature
  • trade union membership
  • physical or mental health
  • sexual health or orientation
  • genetic or biometric data

The RGP will only use the minimum amount of personal information necessary to carry out a particular activity.

4. Whose personal data do we handle?

In order to carry out our functions, we process information relating to a wide variety of individuals including:

  • victims
  • witnesses
  • people convicted of an offence
  • people suspected of committing an offence
  • complainants, correspondents and enquirers
  • consultants and other professional experts
  • suppliers

We also process data relating to existing and former members of staff.

Information is likely to be held in various forms, including electronically in emails and databases as well as in paper-based records. It may also be held in other electronic forms such as CCTV.

5. Why do we use personal data?

The RGP processes personal data for law enforcement purposes as outlined in Part 3 of the Data Protection Act 2004, which are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. We also process data for the purposes of safeguarding National Security.

The legal basis for processing law enforcement data is that it is necessary for the performance of functions. The RGP's functions are established in the main under the Criminal Procedure and Evidence Act 2011 and the Police Act 2006 and include:

  • protecting life and property
  • preserving order
  • preventing the commission of offences
  • bringing offenders to justice
  • any duty or responsibility arising from common or statute law

We will only use personal information when the law allows us to and where it is necessary and proportionate to do so.

We may also process data for non-law enforcement purposes such as when we recruit and vet potential employees, and for staff administration. Where we process data for non-law enforcement purposes, the processing is likely to be based on the following grounds:

  • it is necessary for performing the contract
  • to comply with a legal obligation
  • it is in the public interest to do so; or for official purposes
  • we have a legitimate interest to do so, and it is necessary and balanced against your own interests, rights and freedoms
  • there may be rare occasions where it becomes necessary to use your personal information to protect your vital interests (or someone else's vital interests).

Where we process special categories of personal data, we will do so in accordance with the specific conditions of processing set out in the Data Protection Act 2004. It is likely that we will use special category data in the following circumstances:

  • where we have your explicit consent
  • where we are required to do so under Employment Laws
  • where it concerns a medical diagnosis, or the medical assessment of your working capacity
  • where it is for the purposes of the exercise of the RGP's functions and it is in the substantial public interest

6. Asking for your consent to process personal data

Occasionally, where there are no other appropriate grounds, the RGP may ask for your explicit consent in order to lawfully process your data. This will only happen in specific and limited circumstances and won’t usually be relevant to law enforcement data. When we do require consent, we will explain clearly what we are asking for and how we will use it. Consent must be freely given, specific and informed and there must be a genuine choice about offering your data. Where we are processing data based on your consent, you have the right to withdraw that consent at any time.

If we have asked you to provide your consent in order to process your personal data, you also have the right to withdraw your consent at any time. When we ask for your consent, we will tell you how we will process your data, how long we will keep it for and the steps we will take to delete it. We will also outline the steps we will take if you decide to withdraw consent.

7. How long do we keep personal data?

The RGP retains data in line with the RGP's retention policy and in accordance with the RGP Management of Police Information (MOPI) Policy, taking into account the type, content and sensitivity of the data, related records, the purposes for which we process your personal data, and any legal or business requirements. Personal data will be retained for as long as necessary for the particular purpose or purposes for which it is held.

8. Who will we share data with?

The sharing of data is a primary business function. For example, it may be necessary to share data with other law enforcement agencies, and with partner agencies working on crime reduction and prevention initiatives.

The RGP takes steps to ensure that any disclosures of personal data, however obtained, comply with the provisions of the Data Protection Act 2004 and General Data Protection Regulations. This includes ensuring that any disclosures are necessary and proportionate. Disclosures will be made on a case-by-case basis, using the personal data appropriate to a specific purpose, and with necessary safeguards in place.

Some of the bodies or individuals to which we may disclose personal information are situated outside of the European Union (EU). If we do transfer personal data to outside of the EU, we undertake to ensure that there are appropriate safeguards in place to certify that it is adequately protected as required by the legislation.

We will also disclose personal information to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order.

9. How do we keep your data secure?

Your personal data will be processed securely. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees who have a business need to know.

10. Is my data subject to automated decision making or profiling?

No, you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

11. Your rights as a data subject

Under the Data Protection Act 2004 you have a number of rights that you can exercise in relation to the data we process about you. Under certain circumstances, by law you have the right to:

  • request access to your personal information (commonly known as a Subject Access Request). This enables you to receive a copy of the personal information we hold about you and check that we are lawfully processing it and that it is accurate
  • request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected
  • request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no lawful reason for us to continue to process it
  • request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we are allowed under the law to charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we can refuse to comply with the request in such circumstances.

We sometimes need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Further information about these rights can be found within the Data Protection Act 2004.

To exercise any of these rights please contact the RGP's Information Management & Vetting Unit (IMVU) at:

12. Complaints and further queries

The RGP tries to meet the highest standards when processing personal data. We take complaints very seriously. If you have any concerns about the way that we have handled your personal data please bring it to our attention via email to:

You are also able to submit complaints to the Information Commissioner’s Office