Privacy Notice

Welcome to the GFSC’s Privacy Notice

This is the Gibraltar Financial Services Commission’s (“GFSC”, “we”, “us” or “our”) public notice about what personal data we collect from you, how we store, process, use and share it, and our legal right for doing so (“Privacy Notice”). It also tells you about your privacy rights and how the law protects you.

We respect your privacy and are committed to protecting your personal data whether you are visiting our website, supplying us with information or having some other form of interaction with us. For avoidance of doubt, this Privacy Notice is not intended to cover our privacy obligations towards our employees (including consultants/contractors) or prospective employees. Such policies will be made available during the application process and at commencement of employment, where applicable. We reserve our right to issue separate policies in respect of other relevant stakeholders and/or business partners.

Our overall purpose is to regulate the financial services industry in Gibraltar in the public interest. Our aim is to protect consumers, enhance the reputation of Gibraltar as a quality financial services centre and promote good business practices. Our activities involve three core areas, which are Authorisation, Supervision and Enforcement. We take a risk-based approach to the authorisation process; supervise the conduct of and application of prudential standards to firms across the financial services sector; and encourage and facilitate compliance with regulatory principles and other requirements.

We also act as Pensions Commissioner (“PC”) to ensure that the requirements (of the Private Sector Pensions Act 2019) are complied with. This means we collect, process, transfer and retain your personal data in a number of different ways; for example, personal data that includes information such as names and career histories about individual representatives from the firms we regulate and from employers that register with us (when carrying out our Pensions Commissioner role).

This Privacy Notice is provided in a format which allows you to click through the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms we have used.














This Privacy Notice gives you information on how we collect, store, process, use and transmit your personal data both through use of this website and via other interactions with us. Where personal data is processed, we take steps do this in a fair and transparent manner that protects your personal data rights.

Personal data includes such personal data as you or others may supply us with. Examples are when you or a firm you own or work for applies for an authorisation to carry out a financial activity; or when we use a third party’s database to check information about you.

This website is not intended for children, and we do not knowingly collect data relating to children.

It is important that you read this Privacy Notice together with any other privacy notice or data processing notice we may provide on specific occasions so that you are fully aware of how and why we are using data about you. This Privacy Notice supplements any such other notices and is not intended to override them.


This Privacy Notice gives you information on how we collect, store, process, use and transmit your personal data both through use of this website and via other interactions with us. Where personal data is processed, we take steps do this in a fair and transparent manner that protects your personal data rights.

Personal data includes such personal data as you or others may supply us with. Examples are when you or a firm you own or work for applies for an authorisation to carry out a financial activity; or when we use a third party’s database to check information about you.

This website is not intended for children, and we do not knowingly collect data relating to children.

It is important that you read this Privacy Notice together with any other privacy notice or data processing notice we may provide on specific occasions so that you are fully aware of how and why we are using data about you. This Privacy Notice supplements any such other notices and is not intended to override them.

Gibraltar has its own data protection laws that apply certain EU laws, with such modifications, as are necessary. This is referred to as the “Data Protection Legislation”, which includes:

  • The Data Protection Act 2004 (as amended) (“DPA 2004”), and regulations made under that Act; and
  • The “Gibraltar GDPR”, which is essentially the EU’s General Data Protection Regulation or (Regulation (EU) 2016/679, or the “EU GDPR”) as it forms part of Gibraltar law. The Gibraltar GDPR is read slightly differently to the EU GDPR, but still offers privacy protections and guarantees in a similar manner.

There are circumstances where, because of the GFSC’s status as a public authority engaged in the exercise of statutory objectives for the purpose of supervising and regulating the financial services sector, certain data subject rights may not be applicable.

The GFSC was established as a statutory body under the Financial Services Commission Act 2007 and continued in accordance with Part 3 of the Financial Services Act 2019 (“FSA 2019”) and our function is to perform as a public interest regulator. In our case, the processing of personal data carried out by the GFSC is necessary for the performance of its functions and powers to regulate financial services in Gibraltar, as conferred on it by the FSA 2019.

Gibraltar GDPR does not apply to public interest regulators in the same way as it applies to normal commercial companies, which may benefit commercially from interactions with you and your personal data. Specifically, Article 6 of Gibraltar GDPR (Lawfulness of Processing) states that in the absence of consent from a data subject, data processing will still be lawful if, and to the extent [Art 6(1)(e)]:

"…processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller."

The GFSC will follow the obligations imposed by the Gibraltar GDPR unless we consider that compliance with any of its provisions would be likely to materially prejudice the proper discharge of our functions, powers or purposes.


The GFSC is the data controller and is responsible for your personal data.

We have appointed a data protection officer (“DPO”) who is responsible for overseeing our data protection strategy and implementation.

The DPO will communicate the decision of whether or not the GFSC will agree to any information request you make (See Section 9). So, if you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below:


Alan Pereira

Gibraltar Financial Services Commission

PO Box 940,

Suite 3, Ground Floor,

Atlantic Suites,

Europort Avenue,


Email address: [email protected]

You have a legal right to make a complaint at any time to the Gibraltar Regulatory Authority (GRA), which is the statutory Gibraltar supervisory authority responsible for data protection issues in Gibraltar. We would, however, appreciate the chance to deal with your concerns before you approach the GRA so please contact us in the first instance.


This version was last updated on 18 April 2024

It is important to us that the personal data we hold about you is accurate and current. If you think or know that we hold personal data on you, please inform us if your personal data changes. This will also ensure that we notify you promply in the event of a data breach notification being required (Section 7).


This website may include links to third-party websites, plug-ins and applications. Clicking on these links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies, notices or statements. When you leave our website, we encourage you to read the privacy notice of any website you visit.




Personal data, or personal information, means any information about an individual person from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Nor does it include data about firms or other legal persons unless it is co-mingled with personal data. If that happens, we always treat the combined or co-mingled data as personal data.

We may collect, use, store, process and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data includes first name, any pre-marital name, last name, username or similar identifier, marital status, title, date of birth, gender and nationality. It may also include passport or identity card details.

Contact Data includes addresses, email addresses and telephone numbers and any stated communication preferences.

Financial Data includes records of returns, financial history, bank account and any payment card details.

Transaction Data includes details about any payments to and from you, and other details of services you or a firm you may be associated with have paid us for.

Employment and Directorship Data includes details of where you have worked and when; whether you are a member of a pension scheme; and which legal entity you have been employed by or held office in.

Regulatory History Data includes details of any personal regulatory history you may have such as authorisations, permissions, sanctions, applications and their outcomes etc. It may also include (i) records of any regulatory interview we have had with you or in which you were mentioned; and (ii) miscellaneous due diligence and ‘fitness and proprietary’ data (such as, for example, details of shares in companies and other financial and non-financial interests, details of public office or positions of influence, court matters, criminal convictions or sanctions including those of your spouse and/or children disciplinary issues, professional memberships, qualifications, credit status, investigations and police checks).

Technical Data includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website or our online application forms.

Profile Data includes any username and password, services or requests made by you, any interests, preferences, feedback and survey or consultation responses.

Usage Data includes information about how you use our website and services.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can be used to identify you directly or indirectly, we always treat the combined data as personal data which will be used in accordance with this Privacy Notice.

Although we do not explicitly ask for or collect any Special Categories of Personal Data about you (to include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data), it is possible that such information may be included, for example in the details of a complaint made against us and received as part of our complaint handling procedure and would be dependent on the nature of the complaint and the information a complainant chooses to give us. To the extent that we use any special categories of data as part of our complaints handling work, we do so under Article 9(2)(g) of the Gibraltar GDPR (it is necessary for reasons of substantial public interest) and Section 12(3) of the DPA 2004, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2004 and we have an appropriate complaint handling procedure document covering this processing activity in which we advise individuals that we use the information collected in line with our standard process on data collection and this Privacy Notice.



We use different methods to collect personal data from and about you including the following:

Direct interaction with you

You may give us your Identity, Contact, Financial and other data by filling in forms or by communicating with us by post, telephone, email or otherwise. This includes personal data you provide when you (or a company or other legal person associated with you):

  • apply to us or pay for a service (such as a permission, licence, approval, registration or authorisation);
  • request information;
  • provide feedback or reply to a consultation;
  • make a complaint against us

Automated technologies or interactions

As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using Cookies, server logs and other similar technologies. Please see our cookie policy for further details.

Third parties or publicly available sources

We may receive personal data about you from various third parties (whether from public or private sources) such as other public interest regulators and due diligence/intelligence providers both within and without Gibraltar.

Technical Data

This may come from analytics providers such as Google and other based either inside or outside the EU.

This may also come direct from providers of technical, payment and delivery services such as banks or money transfer companies based inside or outside Gibraltar.

Identity and Contact Data

This may come from data brokers or aggregators based inside or outside the EU but also from publicly availably sources such as Companies House and electoral registers based inside the EU.

Employment and Directorship Data; Regulatory History Data

This may come from you; or a company or other legal person associated with you or trade or professional body with whom you are associated; or arise from one of our supervisory or regulatory investigation activities.




We only use your personal data when the law allows us to. Most commonly, we will use your personal data where we need to assess a matter involving our statutory and regulatory functions and powers. An example of this is to test that persons who exercise control or significant influence over the operations of a regulated financial firm are fit and proper as well as ensure that they have the correct training and competency to conduct that activity.

As we have a legitimate interest in processing your personal data, we do not rely on your consent as the lawful basis for processing your personal data. This applies to instances where it is necessary to comply with a statutory, legal or regulatory obligation, or legitimate request from another public interest regulator.

Please contact us if you need details about any specific legitimate interest we are relying on to process your personal data.


We typically do not conduct marketing, advertising or publishing activities except in relation to:

  • Human Resources requirements such as advertising a job vacancy; and
  • Publication of regulatory outcomes, warnings or updates on our website and/or in the Gazette, whether at our discretion or further to a legal obligation on us to do so.


We do not conduct or make promotional offers.


We will never share your personal data for marketing purposes.


As we never process or share your data for marketing purposes there can be no requirement to ask us to stop sending you marketing communications.


You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use please see Cookie Policy.


We will only ever use your personal data for the purposes we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to receive an explanation as to how the processing for a new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal or other basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.



We may decide or be required to share your personal data with External Third Parties as set out in the Glossary.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. If we contract with a service provider (such as a law firm, a firm of expert investigators or skilled-persons) we will likewise ensure that that party uses your personal data only for the purposes of the service being provided and only permit them to process personal data for specified purposes and in accordance with our instructions.



We only ever transfer your personal data in accordance with our IT security policies and applicable international standards.

Only in certain limited circumstances will we transfer your personal data outside the European Economic Area (EEA).

These circumstances include when we:

    • receive a valid request for information from a public service regulator or similar relevant entity outside the EEA. We will ensure that a valid request will include at least a similar level of personal data protection as provided within the EEA.
    • provide your data to an external third-party based outside the EEA. Similarly, we will ensure your personal data receives at least the same level of protection it enjoys in Europe.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.




We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and external third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.



We will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to carry out our regulatory and supervisory activities for the purposes of satisfying any regulatory, legal, accounting, or reporting obligations or requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We operate no fixed retention periods for the retention of personal data in electronic records.

In some circumstances you can ask us to delete your data: please see Section 9 below for further information. The DPO, with reference to the relevant legislation, is responsible for communicating the result of your request to you.

In some circumstances we may anonymise your personal data (for example, by deleting information such as your name, so that this Identity Data can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without notice to you.



You have a number of rights under data protection laws in relation to the personal data we hold about you, such as the right to request access or corrections or even erasure of your personal data. Exercising this right will help you to understand how and why we are using your data, and check we are doing it lawfully.

The decision in respect of such requests will be communicated by our DPO following receipt of a request in writing.

Please visit the GDPR regulation page to find out more about these rights:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Request transfer of your personal data

Please note that as we legally process personal data without your written consent there is no right for you to withdraw that consent.

If you wish to exercise any of the rights set out above, please Contact us

Upon receipt of a written request and subject to being able to prove your identity, the DPO will confirm whether or not we hold personal data about you and if so, what this data is. This data will be provided to you in a readily understood format though note that it may also be redacted or extracted from a larger document.


You will not have to pay a fee to access your personal data (or to exercise any of the other legal rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.


We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other legal rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in order to speed up our response.


We aim to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you that we require more time to process and prepare the disclosure for you and we will keep you updated on any progress. We are able to extend the processing of your request by two months. However, we will endeavour to deliver to you the contents of our searches as soon as these have been processed for release.


If you are a former employee of the GFSC and are using legal rights solely in respect of your employment with the GFSC you always have full access to such details.


You have the right to complain in respect of any of these issues to the Gibraltar Data Protection Commissioner if you think that we have not properly complied with any of the above requirements:

The Gibraltar Data Protection Commissioner

Gibraltar Regulatory Authority

Suite 811, Europort


Tel +350 200 74636

Fax +350 200 72166

E-Mail [email protected]





Legitimate Interest means the requirement upon us (or those of a relevant third party) to conduct and manage our activities to enable us to process your personal data where it is necessary to fulfil our statutory, legal and regulatory goals while ensuring the best and most secure data experience.



Service providers acting as data processors based either inside or outside the EEA who provide various services to us. An example would be a supplier of external IT, data processing or software application services.

Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based inside or outside the EEA who provide consultancy, banking, legal, insurance and accounting services. Examples are outsourcing investigations to third parties or obtaining advice from a legal firm.

Other Gibraltar and non-Gibraltar regulators or public bodies both inside or outside the EEA acting in a public interest and acting as processors or joint controllers based within and outside Gibraltar who require reporting of processing activities in certain circumstances. We may share your personal data via a number of statutory gateways as listed in the Financial Services Act 2019 and Private Sector Pensions Act 2019 (“PSPA”).

The procedure by which we may share information to certain bodies could be included in the various Multilateral Memorandum of Understanding (MMoU) and Memorandum of Understanding (MoU) routes to which we are a signatory. Examples of the former are our memberships of the International Association of Insurance Supervisors (IAIS) and the International Organisation of Securities Commissions (IOSCO); and examples of the latter are our MoUs with the Malta Financial Services Authority and the Royal Gibraltar Police. A list of the GFSC’s current bilateral and multilateral commitments to share information in this way may be viewed here. This sharing can come about either at our request or the request of another signatory or other regulatory party; and compliance may be either optional or obligatory on us.

However, we will never sell or trade your data and will only ever share your personal data subject to a data protection standard which is at least the equivalent of the EU standard.



These are set out in Section 9