In today’s digital landscape, the General Data Protection Regulation (GDPR) stands as a critical framework safeguarding the personal data of individuals within Europe.
The world is becoming increasingly politically volatile and the risk of the misuse of advanced technologies – including Artificial Intelligence (AI) – and personal data for surveillance, misinformation and even cognitive warfare reminds us of why data protection laws were implemented (including the misuse of personal data by the Nazis and the Stasi).
The GDPR, established by the European Union, serves as a foundational framework for data protection, impacting any organization that processes the personal data of EU residents, regardless of its location. Following the UK’s departure from the EU, both Gibraltar and the United Kingdom have implemented their own data protection laws that mirror the GDPR, necessitating a comprehensive understanding for businesses operating from Gibraltar or targeting these key markets.
For businesses operating in or from Gibraltar, understanding and adhering to the GDPR is a legal imperative with significant consequences for non-compliance. Failure to meet the stringent requirements of the GDPR can expose organisations to substantial financial penalties, including fines of up to €20 million or 4% of annual global turnover, whichever is greater. Many of our clients are e-commerce businesses which provide services to customers in Gibraltar, the UK and the European Economic Area, so choosing a cross-border specialist advisor is crucial to managing your GDPR compliance requirements and risks.
Beyond the immediate financial impact, non-compliance can inflict severe reputational damage, erode customer trust, and lead to costly legal actions. This article underscores the paramount importance of GDPR compliance for Gibraltarian businesses, particularly in the context of cross-border data transfers, and highlights the far-reaching repercussions of failing to uphold these vital data protection standards.
For e-commerce operations in Gibraltar targeting UK and EU consumers, compliance with GDPR necessitates having:
A lawful purpose for processing (such as obtaining explicit consent for data collection, particularly for marketing purposes and the use of cookies);
A comprehensive privacy policy or statement;
A data minimisation strategy;
Transparent data policies and procedures;
Robust data security protocols;
Lawful cross-border transfer mechanisms; and
Easy processes for users to withdraw their consent or access and amend their data.
A fundamental principle is establishing a lawful basis for processing personal data.
Lawful Basis: Article 6 of the GDPR provides an exhaustive list, but for most e-commerce activities, consent and contractual necessity are usually the most relevant. Other bases, such as legal obligation (such as retaining data for compliance and tax purposes) and legitimate interests (like preventing fraud or ensuring network or transaction security), often also apply depending on the specific data processing activity.
When relying on consent, e-commerce businesses must ensure it is:
Explicit: Customers must clearly say ‘yes.’
Freely Given: They shouldn’t be forced or pressured.
Specific: They’re agreeing to something particular (e.g., marketing emails).
Informed: They understand what they’re agreeing to.
Unambiguous: It’s clear they’re giving consent.
This necessitates the use of clear and plain language in consent requests, the provision of granular options for different processing purposes (such as marketing communications or analytics), and the absence of pre-ticked checkboxes. Customers must have the right to withdraw their consent at any time, which should be facilitated through easily accessible mechanisms like unsubscribe links in marketing emails.
Contractual necessity provides another key lawful basis, allowing the processing of personal data that is essential for the performance of a contract with the customer or to take preparatory steps at their request before entering into a contract. This basis underpins core e-commerce operations such as processing orders, managing payments, and arranging for the shipment of goods.
Data minimisation: Businesses should collect and process only the minimum amount of personal data necessary to achieve a specific, legitimate purpose. Regularly reviewing data collection practices and purging any data that is no longer needed are crucial aspects of this principle.
Transparency: another cornerstone of the GDPR, transparency obliges businesses to provide customers with privacy policies that are clear, concise, and easily accessible. These policies should articulate in straightforward language what data is collected, the reasons for collection, how it is utilised, with whom it is shared, and how individuals can exercise their rights under the GDPR.
Data Subject Rights: the GDPR gives customers (data subjects) the right to access their personal data, the right to rectification of inaccuracies, the right to erasure (the right to be forgotten), the right to restrict processing, the right to data portability, and the right to object to processing.
Security: Ensuring the security of personal data is a fundamental obligation, requiring the implementation of appropriate technical and organisational measures to protect against unauthorised access, loss, or destruction. This can include encryption, access controls and staff training.
Reporting: In the event of a data breach, e-commerce businesses are mandated to notify the relevant supervisory authority within 72 hours of becoming aware of the incident, and to inform affected individuals if the breach poses a high risk to their rights and freedoms.
| Lawful Basis | Description | E-commerce Examples |
| --- | --- | --- |
| Consent | Explicit agreement for specific purposes | Marketing emails, analytics tracking, personalised recommendations |
| Contractual Necessity | Processing necessary for the performance of a contract | Processing orders, handling payments, arranging shipping |
| Legal Obligation | Processing necessary to comply with a legal requirement | Maintaining tax records, complying with court orders, and meeting financial crime obligations (for AML-regulated firms such as VASPs, payment service providers and financial services firms) |
| Legitimate Interests | Processing necessary for the controller’s or a third party’s legitimate interests, unless overridden by the data subject’s rights | Fraud prevention, network security, personalising the user experience (subject to balancing other obligations), some direct marketing to existing customers |
While largely mirroring the EU GDPR, the Gibraltar version includes technical adjustments to align with Gibraltar’s specific legal and administrative context, such as replacing references to “Member State law” with “Gibraltar law” and assigning the responsibilities of EU supervisory authorities to the Gibraltar Regulatory Authority (GRA). Gibraltar’s data protection legislation also encompasses the Data Protection Act 2004 (DPA 2004), which operates alongside the Gibraltar GDPR. The DPA 2004 designates the GRA as the Information Commissioner, making it the independent body responsible for enforcing both the Gibraltar GDPR and the DPA 2004. The GRA serves as the supervisory authority, tasked with enforcing data protection laws, offering guidance, investigating complaints, and promoting awareness of privacy issues. The close alignment of Gibraltar’s data protection regime with the EU GDPR simplifies compliance for businesses operating in both jurisdictions, although familiarity with local terminology and the role of the GRA is essential.
Following its withdrawal from the European Union, the United Kingdom established its own data protection framework, primarily through the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The UK GDPR essentially mirrors the EU GDPR as it existed at the end of the Brexit transition period, with necessary amendments to function within the UK’s legal system. The UK’s data protection system maintains the same fundamental principles and data subject rights that were in place during its EU membership. This continuity means that many compliance measures adopted for the EU GDPR remain applicable under the UK GDPR and ensures the European Commission treats the UK as offering a level of protection essentially equivalent to that of the EU (Adequacy Decision). This Adequacy Decision facilitates the free flow of personal data between the EU and the UK (and Gibraltar).
While largely consistent, the EU GDPR and the UK GDPR differ in certain respects, including variations in the rules concerning the processing of criminal offence data and the application of automated decision-making. The Information Commissioner’s Office (ICO) is the independent supervisory authority in the UK, responsible for upholding data rights and enforcing the UK GDPR and the Data Protection Act 2018.
For e-commerce businesses in Gibraltar aiming for the UK market, understanding the continued alignment with the EU GDPR, while noting any specific UK variations, is key to achieving compliance.
Our firm has extensive experience in guiding businesses through the intricacies of data protection laws across these jurisdictions. This includes providing expert advice on specific challenges faced by various types of organisations, as illustrated by our work with a street mapping company, payment processing companies and financial services firms (where there are complex chains of controller-processor and subprocessors), online gambling companies and entities in the cryptocurrency and virtual asset service provider (VASP) sectors.
In the realm of e-commerce, the relationship between the online retailer and payment service providers necessitates clearly defined roles and responsibilities under data protection law. The GDPR distinguishes between data controllers, who determine the purpose and means of processing, and data processors, who act on the controller’s behalf.
Typically, e-commerce businesses act as data controllers for customer data, while payment gateways and payment service providers (PSPs) often function as data processors, handling payment information under the retailer’s instructions. Article 28 of the GDPR requires a legally binding agreement, known as a Data Processing Agreement (DPA), to govern this relationship. A comprehensive DPA for payment processing should outline the processor’s obligations regarding data handling, security, confidentiality, and assistance to the controller in meeting GDPR requirements. Best practices include clearly defining roles, ensuring the processor offers sufficient guarantees for GDPR compliance, and regularly reviewing the agreement.
However, payment processing companies such as PSPs have their own regulatory obligations, including the obligation to mitigate financial crime. When processing data for these purposes, the payments firm is itself a controller, and the e-commerce merchant may even be acting as a processor for the PSP.
Our firm has significant experience in advising PSPs, payment gateways, financial services firms and online gambling companies on establishing robust controller-processor agreements that ensure compliance and clarify responsibilities within the payment processing ecosystem.
See below flowchart from the EU Data Protection Supervisor:

The cryptocurrency and VASP sectors face unique challenges in achieving GDPR readiness due to the decentralised and often pseudonymous nature of blockchain technology. Conducting a GDPR readiness audit and performing data mapping are crucial first steps for these entities.
Data mapping involves identifying and documenting the flow of personal data within the organisation, considering the specific characteristics of blockchain and crypto transactions. The immutability of blockchain can conflict with the right to be forgotten, and identifying data controllers in decentralised networks can be complex.
A GDPR readiness audit for crypto companies and VASPs assesses their data collection practices (especially during KYC/AML), data processing and storage methods (on and off-chain), and their ability to comply with data subject rights and implement robust security measures for sensitive financial data.
Our firm’s expertise in this area allows us to guide crypto companies and VASPs through these complex compliance requirements, addressing the specific technological and operational nuances of the industry.
Compliance in essential areas such as direct marketing, privacy statements, and international data transfers is also critical for e-commerce businesses operating across these jurisdictions. For direct marketing, GDPR mandates explicit consent for electronic communications in most cases. While legitimate interest can also serve as a basis in certain scenarios, a careful balancing test is required. Best practices include using double opt-in, providing clear unsubscribe options, and maintaining consent records.
Privacy statements and data protection policies must be comprehensive, easily accessible, and written in clear, plain language, outlining data collection practices, processing purposes, legal bases, data subject rights, and contact information. For international data transfers, the GDPR restricts transfers outside the EEA, the UK and Gibraltar unless an adequacy decision exists or appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules, are in place. Conducting transfer impact assessments is also crucial. The current political and legal instability in the USA makes this process and requirement even more demanding.
| Mechanism | Description | Relevance for E-commerce |
| --- | --- | --- |
| Adequacy Decisions | Determination by the European Commission (or UK government) that a third country ensures an adequate level of data protection. | Enables free data flow to countries like the UK (from the EU) and others deemed adequate. |
| Standard Contractual Clauses (SCCs) | Pre-approved contract templates for data transfers to countries without adequacy decisions. | Commonly used for transfers to service providers or business partners outside the EEA/UK. |
| Binding Corporate Rules (BCRs) | Internal data transfer policies adopted by multinational groups for international transfers within the group. | Relevant for e-commerce businesses that are part of larger international organisations. |
| Derogations | Specific exceptions under Article 49 GDPR for data transfers in particular situations. | Used in limited circumstances, such as with explicit consent or for the performance of a contract. |
Trademarks: Beyond data protection, e-commerce businesses must also consider other legal aspects. Trademark protection is vital for securing brand identity across Gibraltar, the UK, and the EU. In Gibraltar, trademark registration typically involves extending a UK registration. The UK offers direct trademark registration through the UKIPO, while the EU has a central system via the EUIPO.
Tax: Cross-border taxation and VAT obligations also require careful attention. Gibraltar businesses selling electronically to the EU must comply with EU VAT rules, and the EU’s e-commerce VAT package introduced changes in 2021. The UK has its own VAT regime, requiring consideration for sales to and from Gibraltar. We regularly advise clients on cross-border tax and VAT issues.
Terms and conditions: Having well-drafted general terms and conditions for e-commerce websites, goods, and services is essential. These should cover aspects like terms of sale, delivery, returns, intellectual property, and liability limitations, ensuring users actively accept them. Compliance with e-commerce regulations in each jurisdiction regarding the provision of clear business information and consumer rights is also necessary.
Navigating the landscape of GDPR and data protection laws across Gibraltar, the UK, and the EU demands a proactive and continuous commitment to compliance. By prioritising data privacy and adhering to these regulations, e-commerce businesses can not only mitigate legal risks but also cultivate customer trust and enhance their brand reputation.
Our firm’s expertise in data protection, coupled with our specific experience in advising on DPIAs, controller-processor agreements, and GDPR readiness for complex or emerging sectors like payments, online gambling, crypto and VASPs positions us to provide comprehensive support to e-commerce businesses in Gibraltar navigating these complex legal issues across Europe (including the UK).
The information provided is for general guidance only and does not constitute legal advice. We strongly encourage businesses to seek professional legal advice to ensure they establish robust compliance frameworks tailored to their specific operations and the jurisdictions in which they operate.
Ramparts includes lawyers that are able to advise on Gibraltar, UK, Irish and EU law. Get in touch to arrange a GDPR consultation.
GDPR is a comprehensive data privacy law enacted by the European Union (EU). Its primary goal is to protect the personal data and privacy rights of individuals within the EU.
There are also equivalent GDPR rules in the UK and Gibraltar. What makes the GDPR crucial for your e-commerce business, regardless of your location, is its extraterritorial scope. If you offer goods or services to individuals in the EU, UK or Gibraltar, or if you monitor their behaviour (e.g., through website tracking cookies), then the GDPR applies to you.
Non-compliance can lead to significant fines – up to €20 million or 4% of your global annual turnover, whichever is higher – as well as reputational damage and loss of customer trust.
Your privacy policy needs to be clear, concise, transparent, easily accessible, and written in plain language. It should inform your EU customers about:
Ensure your privacy policy is easily found on your website (e.g., in the footer) and is updated regularly to reflect any changes in your data processing practices.
The consequences of GDPR non-compliance can be severe and include:
“Personal data” under GDPR is broadly defined as any information that relates to an identified or identifiable natural person (“data subject”). In the context of cross-border e-commerce, this includes a wide range of data you likely collect, such as:
Even pseudonymous data (where direct identification can be ascertained with additional information held separately) can be considered personal data if that additional information is available to you.
You need a lawful basis to process personal data. The most relevant ones for cross-border e-commerce include:
Obtaining valid consent under GDPR requires several key elements:
As a controller, you have obligations under GDPR to ensure that your processors provide sufficient guarantees regarding data protection and to have a written contract (Data Processing Agreement – DPA) in place with them that outlines their responsibilities and how they will process data on your behalf.
GDPR requires you to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data. These measures should include:
Specific measures you might implement include:
GDPR compliance is an ongoing process. Best practices include:
Standard Contractual Clauses (SCCs) are pre-approved sets of contractual terms issued by the European Commission. They provide a legal mechanism for transferring personal data from the EU to countries outside the European Economic Area (EEA) that have not been deemed to have an “adequate” level of data protection by the EU.
If your e-commerce operations involve transferring personal data of EU customers to servers, processors, or affiliates located outside the EEA (which includes most countries outside the EU, Iceland, Liechtenstein, and Norway), and there is no adequacy decision for that country, you will likely need to implement SCCs with the recipient of the data. These clauses contractually obligate the data importer to protect the personal data to the standards required by GDPR and provide data subjects with enforceable rights.
GDPR grants several rights to individuals regarding their personal data. As a cross-border e-commerce business, you must be prepared to handle these requests:
To handle these requests effectively:
The UK and Gibraltar have their own versions of the GDPR, which are very similar to the EU GDPR. However, UK and Gibraltar-based e-commerce businesses selling to the EU still need to comply with the EU GDPR for the personal data of EU residents. This means you may need to:
Similarly, EU-based businesses selling to the UK or Gibraltar need to comply with the UK or Gibraltar GDPR for the personal data of UK or Gibraltar residents. In practice, the equivalence of each regime makes cross-border compliance relatively straightforward.
Article 27(1) of the GDPR establishes the obligation to appoint an EU representative for controllers and processors that are not based in the EU. However, the requirement to appoint a representative is triggered if and only if the controller or processor falls within the scope of the GDPR specifically via Article 3(2).
Article 3(2) requires that the non-EU business is “offering goods or services” or “monitoring behaviour” within the EU market.
The purpose of Article 27 is to provide a practical point of contact and an enforcement mechanism within the EU for entities that operate from outside the Union. If the processor is merely acting on behalf of an EU-established controller then this mechanism becomes less important, as the EU controller is already directly subject to the jurisdiction and enforcement powers of EU supervisory authorities under Article 3(1).
In some circumstances, therefore, a non-EU processor will not itself offer goods or services to, or monitor the behaviour of, individuals in the EU. In short, if a processor (acting on behalf of an EU controller) is not engaged in the active targeting required by Article 3(2), there is no requirement for it to appoint an EU representative.