This is our public statement about what we do with your personal data and our legal right for doing it.
We respect your privacy and are committed to protecting your personal data whether you are visiting our website (regardless of where you visit it from), supplying us with information or having some other form of interaction with us. This statement also tells you about your privacy rights and how the law protects you.
Our overall purpose is to regulate the financial services industry in Gibraltar in the public interest. Our aim is to protect consumers, enhance the reputation of Gibraltar as a quality financial services centre and promote good business practices. Our activities involve three core areas, which are Authorisation, Supervision and Enforcement. We take a risk-based approach to the authorisation process; supervise the conduct of and application of prudential standards to firms across the financial services sector; and encourage and facilitate compliance with regulatory principles and other requirements. Doing so requires us variously to collect, process, transfer and retain your personal data in a number of different ways; for example, personal data includes information such as names and career histories about individual representatives from the firms we regulate.
1. IMPORTANT INFORMATION AND WHO WE ARE
2. THE DATA WE COLLECT ABOUT YOU
3. HOW YOUR PERSONAL DATA IS COLLECTED
4. HOW WE USE YOUR PERSONAL DATA
5. DISCLOSURE OF YOUR PERSONAL DATA
6. INTERNATIONAL TRANSFERS
7. DATA SECURITY
8. DATA RETENTION
9. YOUR LEGAL RIGHTS
1. IMPORTANT INFORMATION AND WHO WE ARE
This website is not intended for children and we do not knowingly collect data relating to children (except in strictly limited circumstances, for which see below).
DATA PROTECTION LAW
How Gibraltar companies deal with your personal data is governed by the Data Protection Regulation (EU 2016/679) (GDPR). EU regulations are directly applicable in EU member states. GDPR seeks to harmonise privacy laws across Europe and standardises many of the transparency rules for how companies describe and deal with their personal data processing.
It is important to realise that for the purposes of protecting your personal data the GFSC is not a ‘normal’ commercial Gibraltar company. While in common with many other commercial companies we have a CEO, we are established as a statutory body under the Financial Services Commission Act 2007 and our function is to perform as a public interest regulator. In our case this is the regulation of financial services in Gibraltar. GDPR does not apply to public interest regulators in the same way as it applies to normal commercial companies which may benefit commercially from interactions with you and your personal data. Specifically, Article 6 of GDPR (Lawfulness of Processing) states that in the absence of consent from a data subject, data processing will still be lawful if (Art 6(1)(e)):
"…processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller."
To the greatest extent possible, the GFSC will follow the obligations imposed by the GDPR unless we consider that compliance with any of its provisions would be likely to materially prejudice the proper discharge of our functions or purposes.
Gibraltar Financial Services Commission
PO Box 940,
Suite 3, Ground Floor,
Email address: [email protected]
This version was last updated on 23rd May 2018 and historic versions are archived here and can be obtained by contacting us.
It is important to us that the personal data we hold about you is accurate and current. If you think or know that we hold personal data on you, we would be grateful to be kept informed if your personal data changes. This will also ensure that we notify you promptly in the event of a data breach notification being required (Section 7).
THIRD-PARTY WEB LINKS
This website may include links to third-party websites, plug-ins and applications. Clicking on these links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies or statements. When you leave our website, we encourage you to read the privacy notice of any website you visit.
2. THE DATA WE COLLECT ABOUT YOU
Personal data, or personal information, means any information about an individual person from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Nor does it include data about firms or other legal persons unless it is co-mingled with personal data. If that happens we always treat the combined or co-mingled data as personal data.
We may collect, use, store, process and transfer different kinds of personal data about you which we have grouped together as follows:
Identity Data includes first name, any pre-marital name, last name, username or similar identifier, marital status, title, date of birth, gender and nationality. It may also include passport or identity card details.
Contact Data includes addresses, email addresses and telephone numbers and any stated communication preferences.
Financial Data includes records of financial history, bank account and any payment card details.
Transaction Data includes details about any payments to and from you, and other details of services you or a firm you may be associated with have paid us for.
Employment and Directorship Data includes details of where you have worked and when; and which legal entity you have been employed by or held office in.
Regulatory History Data includes details of any personal regulatory history you may have such as authorisations, sanctions, applications/outcomes etc. It may also include (i) records of any regulatory interview we have had with you or in which you were mentioned; and (ii) miscellaneous due diligence data (such as, for example, details of shares in companies and other financial interests, details of public office or positions of influence, court matters, criminal convictions or sanctions including those of your spouse and/or children).
Technical Data includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website or our online application forms.
Profile Data includes any username and password, services or requests made by you, any interests, preferences, feedback and survey or consultation responses.
Usage Data includes information about how you use our website and services.
We never collect any Special Categories of Personal Data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
3. HOW YOUR PERSONAL DATA IS COLLECTED
We use different methods to collect personal data from and about you including the following:
Direct interaction with you
You may give us your Identity, Contact, Financial and other data by filling in forms or by communicating with us by post, telephone, email or otherwise. This includes personal data you provide when you (or a company or other legal person associated with you):
- apply to us or pay for a service (such as a licence or authorisation);
- request information;
- provide feedback or reply to a consultation.
Automated technologies or interactions
Third parties or publicly available sources
We may receive personal data about you from various third parties (whether from public or private sources) such as other public interest regulators and due diligence/intelligence providers both within and without Gibraltar.
This may come from analytics providers such as Google and others based either inside or outside the EU.
This may come direct from providers of technical, payment and delivery services such as banks or money transfer companies based inside or outside Gibraltar.
Identity and Contact Data
This may come from data brokers or aggregators based inside or outside the EU but also from publicly available sources such as Companies House and electoral registers based inside the EU.
Employment and Directorship Data; Regulatory History Data
This may come from you; or from a company or other legal person associated with you, or a trade or professional body with which you are associated; or arise from one of our supervisory or enforcement activities.
4. HOW WE USE YOUR PERSONAL DATA
We only use your personal data when the law allows us to. Most commonly, we will use your personal data where we need to assess a matter involving a licence, authorisation or financial activity. An example of this is to test that persons who exercise control or significant influence over the operations of a regulated financial firm are fit and proper as well as ensure that they have the correct training and competency to conduct that activity.
Generally, and unlike normal Gibraltar companies, we do not rely on your consent as the lawful basis for processing your personal data. This is because we have a legitimate interest in processing your personal data where it is necessary to comply with a statutory, legal or regulatory obligation, or legitimate request from another public interest regulator.
Please contact us if you need details about any specific legitimate interest we are relying on to process your personal data.
We typically do not conduct marketing, advertising or publishing activities except in relation to:
- Human Resources requirements such as advertising a job vacancy; and
- Publication of regulatory outcomes, warnings or updates on our website and/or in the Gazette, whether at our discretion or further to a legal obligation on us to do so.
We do not conduct or make promotional offers.
We will never share your personal data for marketing purposes.
As we never process or share your data for marketing purposes there can be no requirement to ask us to stop sending you marketing communications.
CHANGE OF PURPOSE
We will only ever use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for a new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal or other basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. DISCLOSURE OF YOUR PERSONAL DATA
We may decide or be required to share your personal data with External Third Parties as set out in the Glossary.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. If we contract with a service provider (such as a law firm, a firm of expert investigators or skilled-persons) we will likewise ensure that that party uses your personal data only for the purposes of the service being provided and only permit them to process personal data for specified purposes and in accordance with our instructions.
6. INTERNATIONAL TRANSFERS
We only ever transfer your personal data in accordance with our IT security policies and applicable international standards.
Only in certain limited circumstances will we transfer your personal data outside the European Economic Area (EEA).
These circumstances include when we:
- receive a valid request for information from a public service regulator or similar relevant entity outside the EEA. We will ensure that a valid request will include at least a similar level of personal data protection as provided within the EEA.
- provide your data to an external third-party based outside the EEA. Similarly, we will ensure your personal data receives at least the same level of protection it enjoys in Europe.
Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
7. DATA SECURITY
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and external third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8. DATA RETENTION
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any regulatory, legal, accounting, or reporting obligations or requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We operate no fixed retention periods for personal data.
In some circumstances you can ask us to delete your data: see Request Erasure below for further information. The DPO, with reference to the relevant legislation, is responsible for communicating the result of your request to you.
In some circumstances we may anonymise your personal data (for example, by deleting information such as your name, so that this Identity Data can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without notice to you.
9. YOUR LEGAL RIGHTS
You have a number of rights under data protection laws in relation to the personal data we hold about you, such as the right to request access or corrections or even erasure of your personal data.
While you do have these rights, they will not always be granted in the context of our standing as a public interest regulator (of the Gibraltar financial sector). The decision in respect of such requests will be communicated by our DPO following receipt of a request in writing.
Please visit the GDPR regulation page to find out more about these rights:
- Request access to your personal data
- Request correction of your personal data
- Request erasure of your personal data
- Object to processing of your personal data
- Request restriction of processing your personal data
- Request transfer of your personal data
Please note that as we legally process personal data without your written consent there is no right for you to withdraw that consent.
If you wish to exercise any of the rights set out above, please contact us.
Upon receipt of a written request and subject to being able to prove your identity, the DPO will confirm whether or not we hold personal data about you and if so, what this data is. This data may be provided to you in a readily understood format though note that it may also be redacted.
NO FEE USUALLY REQUIRED
You will not have to pay a fee to access your personal data (or to exercise any of the other legal rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
WHAT WE MAY NEED FROM YOU
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other legal rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in order to speed up our response.
TIME LIMIT TO RESPOND
We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
FORMER EMPLOYEES OF GFSC
If you are a former employee of the GFSC and are using legal rights solely in respect of your employment with the GFSC you always have full access to such details.
RIGHT TO COMPLAIN
You have the right to complain in respect of any of these issues to the Gibraltar Data Protection Commissioner if you think that we have not properly complied with any of the above requirements:
The Gibraltar Data Protection Commissioner
Gibraltar Regulatory Authority
Suite 811, Europort
Tel +350 200 74636
Fax +350 200 72166
E-Mail [email protected]
GLOSSARY
Legitimate Interest means the requirement upon us (or upon a relevant third party) to conduct and manage our activities so as to enable us to process your personal data where it is necessary to fulfil our statutory, legal and regulatory goals while ensuring the best and most secure data experience.
EXTERNAL THIRD PARTIES
Service providers acting as data processors based either inside or outside the EEA who provide various services to us. An example would be a supplier of external IT, data processing or software application services.
Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based inside or outside the EEA who provide consultancy, banking, legal, insurance and accounting services. Examples are outsourcing investigations to third parties or obtaining advice from a legal firm.
Other Gibraltar and non-Gibraltar regulators or public bodies, based inside or outside the EEA, acting in the public interest and acting as processors or joint controllers, who require reporting of processing activities in certain circumstances. We may share your personal data via a number of gateways, including the various Multilateral Memorandum of Understanding (MMoU) and Memorandum of Understanding (MoU) routes to which we are a signatory. Examples of the former are our memberships of the International Association of Insurance Supervisors (IAIS) and the International Organisation of Securities Commissions (IOSCO); examples of the latter are our MoUs with the Malta Financial Services Authority and the Royal Gibraltar Police. A list of the GFSC’s current bilateral and multilateral commitments to share information in this way may be viewed here: http://www.gfsc.gi/international/mmou. This sharing can come about either at our request or at the request of another signatory or other regulatory party, and compliance may be either optional or obligatory on us. However the sharing comes about, we will never sell or trade your data, and will only ever share your personal data subject to a data protection standard which is at least the equivalent of the EU standard.
YOUR LEGAL RIGHTS
These are set out in Section 9