Privacy Statement

Welcome to the GFSC’s Privacy Policy notice

This is our public statement about what we do with your personal data and our legal right for doing it.

We respect your privacy and are committed to protecting your personal data whether you are visiting our website (regardless of where you visit it from), supplying us with information or having some other form of interaction with us. It also tells you about your privacy rights and how the law protects you.

Our overall purpose is to regulate the financial services industry in Gibraltar in the public interest. Our aim is to protect consumers, enhance the reputation of Gibraltar as a quality financial services centre and promote good business practices. Our activities involve three core areas, which are Authorisation, Supervision and Enforcement. We take a risk-based approach to the authorisation process; supervise the conduct of and application of prudential standards to firms across the financial services sector; and encourage and facilitate compliance with regulatory principles and other requirements. Doing so requires us variously to collect, process, transfer and retain your personal data in a number of different ways; for example, personal data includes information such as names and career histories about individual representatives from the firms we regulate.

This privacy policy is provided in a layered format so you can click through to the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms we have used in this privacy policy.















This privacy policy notice gives you information on how we collect, store, process, use and transmit your personal data both through use of this website and having other interactions with us. Where personal data is processed, we take steps do this in a fair and transparent manner that protects your personal data rights. Personal data includes such personal data as you or others may supply us with. Examples are when you or a firm you own or work for applies for a licence or authorisation to conduct a financial activity; or when we use a third party’s database to check information about you.

This website is not intended for children and we do not knowingly collect data relating to children (except in strictly limited circumstances, for which see below).

It is important that you read this privacy policy together with any other privacy notice or data processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using data about you. This privacy policy supplements any such other notices and is not intended to override them.


How Gibraltar companies deal with your personal data is governed by the Data Protection Regulation (EU 2016/679) (GDPR). EU regulations are directly applicable in EU member states. GDPR seeks to harmonise privacy laws across Europe and standardises many of the transparency rules for how companies describe and deal with their personal data processing.

It is important to realise that for the purposes of protecting your personal data the GFSC is not a ‘normal’ commercial Gibraltar company. While in common with many other commercial companies we have a CEO, we are established as a statutory body under the Financial Services Commission Act 2007 and our function is to perform as a public interest regulator. In our case this is the regulation of financial services in Gibraltar. GDPR does not apply to public interest regulators in the same way as it applies to normal commercial companies which may benefit commercially from interactions with you and your personal data. Specifically, Article 6 of GDPR (Lawfulness of Processing) states that in the absence of consent from a data subject, data processing will still be lawful if (Art 6(1)(e)):

"…processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller."

To the greatest extent possible, the GFSC will follow the obligations imposed by the GDPR unless we consider that compliance with any of its provisions would be likely to materially prejudice the proper discharge of our functions or purposes.


The Gibraltar Financial Services Commission is the data controller and is responsible for your personal data (collectively referred to as "Commission", "GFSC", "we", "us" or "our" in this privacy policy notice).

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to our privacy policy. The DPO will communicate the decision of whether or not the GFSC will accede to any information request you make (See Section 9 YOUR LEGAL RIGHTS). So if you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below:


Alan Pereira

Gibraltar Financial Services Commission

PO Box 940,

Suite 3, Ground Floor,

Atlantic Suites,

Europort Avenue,


Email address: [email protected]

You have a legal right to make a complaint at any time to the Gibraltar Regulatory Authority (GRA), which is the statutory Gibraltar supervisory authority responsible for data protection issues in Gibraltar. We would, however, appreciate the chance to deal with your concerns before you approach the GRA so please contact us in the first instance. See also Section 9 YOUR LEGAL RIGHTS of this Privacy Policy.


This version was last updated on 23rd May 2018 and historic versions are archived here and can be obtained by contacting us.

It is important to us that the personal data we hold about you is accurate and current. If you think or know that we hold personal data on you, we would be grateful to be kept informed if your personal data changes. This will also ensure that we notify you promptly in the event of a data breach notification being required (Section 7).


This website may include links to third-party websites, plug-ins and applications. Clicking on these links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies or statements. When you leave our website, we encourage you to read the privacy notice of any website you visit.




Personal data, or personal information, means any information about an individual person from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Nor does it does include data about firms or other legal persons unless it is co-mingled with personal data. If that happens we always treat the combined or co-mingled data as personal data.

We may collect, use, store, process and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data includes first name, any pre-marital name, last name, username or similar identifier, marital status, title, date of birth, gender and nationality. It may also include passport or identity card details.

Contact Data includes addresses, email addresses and telephone numbers and any stated communication preferences.

Financial Data includes records of financial history, bank account and any payment card details.

Transaction Data includes details about any payments to and from you, and other details of services you or a firm you may be associated with have paid us for.

Employment and Directorship Data includes details of where you have worked and when; and which legal entity you have been employed by or held office in.

Regulatory History Data includes details of any personal regulatory history you may have such as authorisations, sanctions, applications/outcomes etc. It may also include (i) records of any regulatory interview we have had with you or in which you were mentioned; and (ii) miscellaneous due diligence data (such as, for example, details of shares in companies and other financial interests, details of public office or positions of influence, court matters, criminal convictions or sanctions including those of your spouse and/or children).

Technical Data includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website or our online application forms.

Profile Data includes any username and password, services or requests made by you, any interests, preferences, feedback and survey or consultation responses.

Usage Data includes information about how you use our website and services.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can be used to directly or indirectly identify you, we always treat the combined data as personal data which will be used in accordance with this privacy policy notice.

We never collect any Special Categories of Personal Data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.




We use different methods to collect personal data from and about you including the following:

Direct interaction with you

You may give us your Identity, Contact, Financial and other data by filling in forms or by communicating with us by post, telephone, email or otherwise. This includes personal data you provide when you (or a company or other legal person associated with you):

  • apply to us or pay for a service (such as a licence or authorisation);
  • request information;
  • provide feedback or reply to a consultation.

Automated technologies or interactions

As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using Cookies, server logs and other similar technologies. Please see our cookie policy for further details.

Third parties or publicly available sources

We may receive personal data about you from various third parties (whether from public or private sources) such as other public interest regulators and due diligence/intelligence providers both within and without Gibraltar.

Technical Data

This may come from analytics providers such as Google and other based either inside or outside the EU.

Technical Data

This may come direct from providers of technical, payment and delivery services such as banks or money transfer companies based inside or outside Gibraltar.

Identity and Contact Data

This may come from data brokers or aggregators based inside or outside the EU but also from publicly availably sources such as Companies House and electoral registers based inside the EU.

Employment and Directorship Data; Regulatory History Data

This may come from you; or a company or other legal person associated with you or trade or professional body with whom you are associated; or arise from one of our supervisory or enforcement activities.




We only use your personal data when the law allows us to. Most commonly, we will use your personal data where we need to assess a matter involving a licence, authorisation or financial activity. An example of this is to test that persons who exercise control or significant influence over the operations of a regulated financial firm are fit and proper as well as ensure that they have the correct training and competency to conduct that activity.

Generally, and unlike normal Gibraltar companies, we do not rely on your consent as the lawful basis for processing your personal data. This is because we have a legitimate interest in processing your personal data where it is necessary to comply with a statutory, legal or regulatory obligation, or legitimate request from another public interest regulator.

Please contact us if you need details about any specific legitimate interest we are relying on to process your personal data.


We typically do not conduct marketing, advertising or publishing activities except in relation to:

  • Human Resources requirements such as advertising a job vacancy; and
  • Publication of regulatory outcomes, warnings or updates on our website and/or in the Gazette, whether at our discretion or further to a legal obligation on us to do so.


We do not conduct or make promotional offers.


We will never share your personal data for marketing purposes.


As we never process or share your data for marketing purposes there can be no requirement to ask us to stop sending you marketing communications.


You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use please see cookie policy.


We will only ever use your personal data for the purposes we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for a new purpose is compatible with the original purpose, please Contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal or other basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.



We may decide or be required to share your personal data with External Third Parties as set out in the Glossary.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. If we contract with a service provider (such as a law firm, a firm of expert investigators or skilled-persons) we will likewise ensure that that party uses your personal data only for the purposes of the service being provided and only permit them to process personal data for specified purposes and in accordance with our instructions.



We only ever transfer your personal data in accordance with our IT security policies and applicable international standards.

Only in certain limited circumstances will we transfer your personal data outside the European Economic Area (EEA).

These circumstances include when we:

    • receive a valid request for information from a public service regulator or similar relevant entity outside the EEA. We will ensure that a valid request will include at least a similar level of personal data protection as provided within the EEA.
    • provide your data to an external third-party based outside the EEA. Similarly, we will ensure your personal data receives at least the same level of protection it enjoys in Europe.

Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.




We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and external third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.



 We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any regulatory, legal, accounting, or reporting obligations or requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We operate no fixed retention periods for personal data retention.

In some circumstances you can ask us to delete your data: Request Erasure below for further information. The DPO, with reference to the relevant legislation, is responsible for communicating the result of your request to you.

In some circumstances we may anonymise your personal data (for example, by deleting information such as your name, so that this Identity Data can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without notice to you.




You have a number of rights under data protection laws in relation to the personal data we hold about you, such as the right to request access or corrections or even erasure of your personal data.

While you do have these rights, they will not always be granted in the context of our standing as a public interest regulator (of the Gibraltar financial sector). The decision in respect of such requests will be communicated by our DPO following receipt of a request in writing.

Please visit the GDPR regulation page to find out more about these rights:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Request transfer of your personal data

Please note that as we legally process personal data without your written consent there is no right for you to withdraw that consent.

If you wish to exercise any of the rights set out above, please Contact us

Upon receipt of a written request and subject to being able to prove your identity, the DPO will confirm whether or not we hold personal data about you and if so, what this data is. This data may be provided to you in a readily understood format though note that it may also be redacted.


You will not have to pay a fee to access your personal data (or to exercise any of the other legal rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.


We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other legal rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in order to speed up our response.


We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


If you are a former employee of the GFSC and are using legal rights solely in respect of your employment with the GFSC you always have full access to such details.


You have the right to complain in respect of any of these issues to the Gibraltar Data Protection Commissioner if you think that we have not properly complied with any of the above requirements:

The Gibraltar Data Protection Commissioner

Gibraltar Regulatory Authority

Suite 811, Europort


Tel +350 200 74636

Fax +350 200 72166

E-Mail [email protected]





Legitimate Interest means the requirement upon us (or those of a relevant third party) to conduct and manage our activities to enable us process your personal data where it is necessary to fulfil our statutory, legal and regulatory goals while ensuring the best and most secure data experience.



Service providers acting as data processors based either inside or outside the EEA who provide various services to us. An example would be a supplier of external IT, data processing or software application services.

Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based inside or outside the EEA who provide consultancy, banking, legal, insurance and accounting services. Examples are outsourcing investigations to third parties or obtaining advice from a legal firm.

Other Gibraltar and non-Gibraltar regulators or public bodies both inside or outside the EEA acting in a public interest and acting as processors or joint controllers based within and without Gibraltar who require reporting of processing activities in certain circumstances. We may share your personal data via a number of gateways, including the various Multilateral Memorandum of Understanding (MMoU) and Memorandum of Understanding (MoU) routes to which we are a signatory. Examples of the former are our memberships of the International Association of Insurance Supervisors (IAIS) and the International Organisation of Securities Commissions (IOSCO); and examples of the latter are our MoU’s with the Malta Financial Services Authority and the Royal Gibraltar Police. A list of the GFSC’s current bilateral and multilateral commitments to share information in this way may be viewed here: This sharing can come about either at our request or the request of another signatory or other regulatory party; and compliance may be either optional or obligatory on us. However, the sharing comes about we will never sell or trade your data, and will only ever share your personal data subject to a data protection standard which is at least the equivalent of the EU standard.



These are set out in Section 9