A summary of how The IT Lab meets its obligations under the Gibraltar Data Protection Act 2004 and the UK GDPR as it applies in Gibraltar — both as a data controller and as a processor for our customers.
1. Our role under GDPR
When we deliver managed IT, cyber security or related services to a customer, we typically act as a data processor on behalf of that customer (the controller). The customer decides what personal data is processed and why; we process it on documented instructions to deliver the agreed service.
When we collect personal data through our website, marketing activities or HR processes, we act as a data controller in our own right. The Privacy policy explains how that data is handled.
2. Data processing agreement
Every customer engagement is supported by a Data Processing Agreement (DPA) that sets out the scope, duration, nature and purpose of the processing, the categories of data and data subjects involved, and the technical and organisational measures we apply. A standard DPA template is available on request.
3. Subprocessors
We use a small number of carefully vetted subprocessors to deliver our services. As of May 2026, these include:
- Microsoft Ireland — productivity, identity and cloud hosting (Microsoft 365, Azure)
- Sophos Ltd — endpoint detection and response
- Duo Security (Cisco) — multi-factor authentication
- Veeam Software — backup and disaster recovery
- 3CX Ltd — telephony platform
We update this list when subprocessors change and notify customers in advance where required by the DPA.
4. International transfers
Where personal data is transferred outside Gibraltar or the UK, we rely on Standard Contractual Clauses, UK International Data Transfer Agreements, or adequacy decisions as appropriate. Transfer impact assessments are completed for higher-risk transfers.
5. Security measures
We apply the following technical and organisational measures to protect personal data we process:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication on all administrative and customer-facing accounts
- Role-based access control with least-privilege defaults
- Endpoint detection and response on every device that handles customer data
- Quarterly access reviews and annual penetration testing
- Documented incident response runbooks with named owners
- Staff training on security and data protection at onboarding and annually
6. Breach notification
In the event of a personal data breach affecting customer data, we will notify the affected customer without undue delay — and in any case within 24 hours of becoming aware — providing the information they need to meet their own regulatory obligations under GDPR Article 33.
7. Data subject requests
When a data subject contacts us directly about personal data we process on behalf of a customer, we forward the request to the relevant customer promptly and assist them in responding, as required by Article 28(3)(e). For data we hold as controller, requests can be sent to privacy@itlab.gi.
8. Records of processing
We maintain records of processing activities in accordance with Article 30 and make them available to supervisory authorities on request. Customers can request a copy of the records relating to their engagement.
9. Supervisory authority
The Gibraltar Regulatory Authority (GRA) is our lead supervisory authority. Individuals have the right to lodge a complaint with the GRA at any time. Contact details are available at gra.gi.
10. Contact our DPO
Our Data Protection Lead can be contacted at hello@itlab.gi or by post to: Data Protection Lead, The IT Lab, 22 City Mill Lane, Gibraltar GX11 1AA.
