Data Privacy and Protection

Introduction

The Gibraltar Data Protection Act 2004 (The Act) came into force in April 2006 and applies to all and any data whether it is processed in whole or part by electronic means as well as manual records. The Act applies to all data
processes in Gibraltar regardless of the residence or nationality of the individual about whom the data is being held and or processed.

The Act is designed to improve transparency, accountability and an individual’s rights with regard to organisations that hold, control and process their personal data. It also makes it easier for individuals to bring
private claims against Data Processors/Controllers when their data privacy has been infringed.

Logistable Limited (Logistable) in its capacity as a Data Processor/Controller uses and holds personal information (data) in multiple forms and must therefore process that data in a manner that adheres to the
principles relating to data quality and security set out in The Act, and which are as follows:

  1. The processing of personal data must be lawful and fair.
  2. Personal data collected must be specified, explicit and legitimate and must not be processed in a manner that is incompatible with the purpose for which it is collected.
  3. Personal data must be adequate, relevant and not excessive in relation to the purpose for which it is being collected/processed.
  4. Personal data must be accurate and, where necessary, kept up to date and furthermore where it is inaccurate, it is erased or rectified without delay.
  5. Personal data must be kept for no longer than is necessary for the purpose for which it is being processed.
  6. Personal data must be processed in a manner that ensures the appropriate security of said data using appropriate technical or organisational measures.

Registration details

Logistable completed its registration with the Gibraltar Regulatory Authority (GRA) in June 2009 and was added to the Data Protection Register with registration number DP 006099.

Provision of information

Prior to gathering any personal data on an individual, Logistable must communicate to that individual (in advance of processing their data) the following;

  • the legal basis for processing the data,
  • the retention period of that data,
  • the right of complaint if the individual is unhappy with the processing or storage of the data,
  • the use the data will be put to, and
  • to whom the data will be disclosed and if it is going to be transferred to third parties inside or outside of the EU, the rights that individual has under The Act.

The requirement to hold personal data

Whilst Logistable is required to collect and hold data on the individuals with whom it conducts business for know your client and source of funds/wealth purposes, it is Logistable’s policy to protect an individual’s right to  rivacy.

Logistable takes all reasonable steps in the circumstances of each case to ensure that internal procedures are in place to prevent inappropriate access to and disclosure of personal data. Logistable will therefore endeavour to
ensure that it complies with the principles relating to data quality and security set out in The Act by ensuring:

  • It has established governance and operational procedures including robust security controls to protect an individual’s data, whether this is held physically or electronically, against unauthorised access, processing, loss or accidental destruction and that these controls are reviewed and tested regularly so as to ensure they remain effective,
  • It will process an individual’s data in a manner that is consistent with the original purpose for its collection,
  • It will maintain the accuracy of an individual’s personal data and ensure that it can amend any inaccurate data without undue delay,
  • It establishes a staff training programme that provides guidance on their responsibilities and duty of care to protect an individual’s right to privacy, including their own.

Types of personal data collected

In the course of providing services to an individual, Logistable may collect
and hold their personal data. This typically includes the following
information:

  • Personal contact details such as name, title, address(es), telephone numbers and e-mail address(es);
  • Date of birth and place of birth;
  • Gender;
  • Marital status and details on dependants;
  • Copies of identification documents such as passports and identity cards;
  • Nationality, tax residence and country of residence;
  • Employment details;
  • Details of assets owned and liabilities incurred;
  • Personal details of any agent or attorney.

Sources of personal data

Logistable will collect an individual’s personal data:

  • directly from the individual;
  • when it is provided to Logistable by a third party;
  • from publically available sources.

How Logistable uses personal data

Logistable will only use an individual’s personal data in the following
circumstances:

  • when it is required to comply with a legal obligation imposed upon it or that applies to it;
  • when it is ordered by a judicial authority or regulator to disclose the information;
  • when it is required in the performance of its duties with regard to the contracts/services it has entered into or agreed with an individual;
  • when the individual has provided their consent;
  • when it is necessary for the legitimate interests of Logistable (or those of a third party) and the individual’s interests and fundamental rights do not override those interests;
  • when Logistable is required to do so for the purposes of any legal proceedings or regulatory action;
  • when Logistable needs to verify and confirm an individual’s identity.

Logistable may process an individual’s personal data without their knowledge or consent, in compliance with the above situations where this is required and/or permitted by law.

Logistable does not envisage any situation arising in which any decisions
will be taken about an individual using automated means.

Retention of personal data

Logistable will retain personal data for as long as is necessary in order to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.

Access to personal data

Pursuant to legal obligations imposed on Logistable, it may have to report certain details of an individual’s personal information to the Gibraltar authorities. Pursuant to a Court order Logistable may have to disclose to the Court or judicial/regulatory authorities in Gibraltar details of an individual’s personal data.

The data protection officer

Logistable has appointed a Data Protection Officer (DPO). The person appointed as DPO for Logistable is Mr Charles Fava. The DPO will act as an advisor on personal data issues both internally for Logistable and
externally for all clients. The DPO will also be the point of contact for all clients whose data Logistable processes and the legal authorities that Logistable is obliged to interact with.

An individual’s data protection rights

The ACT provides an individual with enhanced rights to access the data that Logistable holds on them and greater control on how that data is used.

An individual can therefore exercise the following rights:

  • request and have access to a copy of the personal data Logistable holds on them;
  • request correction of the personal data Logistable holds on them;
  • request that Logistable delete or remove personal data held on them where there is no good reason for Logistable to continue to hold it or where the individual has exercised his/her right to object to Logistable having/holding such data;
  • request that Logistable suspend the processing of their personal data whilst it is established that the data is accurate or that Logistable have a valid reason for holding it;
  • request the transfer of their personal data to another party (ie data portability).
  • object to their data being collected or used

If an individual should wish to receive a copy of the information held by Logistable on them and/or change and/or challenge how Logistable uses their data they should make a request in writing to:

  • The Data Protection Officer
  • Logistable Limited
  • Suite 3A Tisa House
  • 143 Main Street
  • Gibraltar
  • GX11 1AA

Alternatively an individual can send an e-mail to the DPO at the following address; [email protected]

Logistable will take all and any steps it deems necessary (and which may vary from time to time) to verify an individual’s identity prior to processing their request.

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.