General Privacy & Data Protection

 

1. Introduction

Your privacy is extremely important to us: equally so, is being transparent as to how we collect, use, and share information about you (“your personal data”) in the course of our carrying out our Gibraltar Real Estate services on your behalf. This is the reason for this policy and we would therefore be grateful if you could please read it carefully since it contains very important information about your privacy and your rights under Gibraltar Data Protection Law.

This policy sets out our commitment to ensuring that any Personal Data which we process in the course of carrying out our services to you, is carried out in compliance with applicable Data Protection Law. Overall and in essence, we ensure that good data protection practice is imbedded in the culture of our staff and our organisation.

 

Job Applicants

This policy also is aimed at ensuring compliance with Data Protection Law in respect of persons who submit CV’s and other documentation to us in pursuance of a job enquiry and/or an advertised vacancy at our organisation.

 

Interpretation

In this policy:-

  • “Data Protection Law” means the Gibraltar Data Protection Act 2004 (which contains “the Gibraltar GDPR”), and where applicable, retained General Data Protection Regulation 2016/679 (“EU GDPR”).

  • “Personal Data” any information relating to an identified or identifiable natural person (as defined by the GDPR). ‘Images’ are also considered personal data and therefore protected by the GDPR.

  • “Sensitive Personal Data” means data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

  • “GRA” means the Gibraltar Regulatory Authority at https://www.gra.gi/ which is the local supervisory authority for Data Protection and Gibraltar equivalent of the United Kingdom Information Commissioner’s Office.

  • The terms “RCA Properties”,“we”,“our” and “us” are used interchangeably, and bear a corresponding meaning. Equally, references to “you” and “your” are used interchangeably and mean – you.

 

2. Our Contact Details

For the purposes of the GDPR, which regulates our use of your personal information, “RCA Properties” is considered the “Data Controller”.

“RCA Properties” is the trading name of “Consultant Logistics Limited”, a company registered in Gibraltar with Incorporation Number 96872, and with registered office: Suite 5, 38 Irish Town, Gibraltar, GX11 1AA.

 

3. Data Protection Administrator

Should you have any comments or questions about how we collect and use your personal information, you should address them to our Data Protection Administrator at: admin@rcagibraltar.

 

4. What type of Personal Data do we collect about you?

We will obtain the following Personal Data from you (for example):-

  • Information about yourself when you directly interact with us –for example, when you make an enquiry with us; when entering information via our website or using our website (please see our Website Privacy Policy); opt-in/consent forms; apps or by communicating with us by phone, post, e-mail, live chat, social media or otherwise; and when you formally engage us to provide real estate agency services on your behalf.

  • The above information you give us generally includes your contact details (name, address, date of birth, email address and telephone number – landline(s) and mobile(s)); residential address (and proof of address), other contact details (e.g. email and telephone details), gender, marital status, family details, date and place of birth.

  • Other identification information (e.g. your passport, national identity card, banking details, utility bill information) for the purposes of ascertaining your identity; including identification numbers issued by government bodies or agencies (e.g. depending on the country you are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s licence number).

  • Financial information to enable us to check the source of funds or wealth, where appropriate; employment information and details included in any correspondence and information about you in connection with any matter on which we are engaged to advise you. We may also receive from you any payment card numbers, bank account number(s) and account details, income and other financial information.

 

5. How we collect your Personal Data

Although the majority of Personal Data will be provided to us by you, there are occasions (and this is by no means infrequent), that we will collect further personal data about you from outside sources and/or third parties as follows:-

  • From 3rd parties: for example:-

    • From third party client due diligence providers (either electronic providers or otherwise).

    • Other estate-agents where for example, we are acting as sub-agents or on a multi-agency basis.

    • Your legal advisers, accountants or any external professional advisers that we may need to deal with in relation to your instructions in the provision of our services to you.

  • From Publicly Registries: for example - Companies House; land registries; intellectual property registries – all either local and/or overseas.

  • Search Engines Providers; Public Websites & Social Media Pages (LinkedIn, Twitter, Facebook Etc.).

  • Open electoral registers and other publicly available information.

  • Business Information and research tools.

  • Via our IT Systems – for example, any cloud management systems; automated monitoring of our website(s); by email exchanges and instant messaging systems such as Skype; Facebook, Linked In and Whatsapp Messenging Services

  • Via our website(s) – We may automatically collect information about you which we may observe, detect or create without directly asking you to provide the information to us. In common with most other businesses, this will mainly include information gathered automatically through your use of our website or online services. Please see our Website Privacy Policy and Cookies Policy for further details.

 

6. Why do we use your Personal Data?

In this section, we set out the purposes for which we use Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely upon in order to process the information.

These “legal grounds” are set out in the GDPR which allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the legislation in respect of ordinary personal data and Special Categories of Personal Data. These are set out in the following table:

 

For processing Personal Data

Legal ground

Details

Performance of our contract with you

Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.

Compliance with a legal obligation

Processing is necessary for compliance with a legal obligation to which we are subject – e.g. to undertake customer due diligence on you as required by law.

For our legitimate business interests

Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

 

For processing Special Categories of personal data:

Special categories of personal data refer to data relating to, for example, racial or ethnic origin, revealing political opinions; religious or philosophical beliefs; trade union membership; genetic information.

Legal ground

Details

Your explicit consent

You have given your explicit consent to the processing of such Personal Data for one or more specified purposes.

You are free to withdraw your consent, by contacting our Data Protection Administrator. However withdrawal of this consent may impact our ability to provide the services in question.

For legal claims

In respect of any of our employees

Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject).

Substantial public interest

Processing is necessary for reasons of substantial public interest, on the basis of EU or Gibraltar law, including where such processing is necessary for insurance purposes or fraud prevention purpose

 

The Purposes:

In order to provide you with a broad outline, the purposes for which we use Personal Data, and the legal bases for such processing, are as follows (although some of these categories may not specifically apply to you):-

  • On-boarding you as a client of the estate agency (i.e. when we enter into a business relationship with you) and where we need to comply with any legal obligation(s) imposed by statutory bodies or authorities.

  • For the carrying out your instructions in the ordinary course of our contract with you; to include the updating of your data where relevant. By way of example, we may need to obtain references about you to pass onto Landlord’s for their consideration in the context of letting arrangements.

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

  • To manage your business relationship with us.

  • To ensure that our internal practices and procedures are adhered to for matters such as security and client confidentiality.

  • For the bettering of our business practices, procedures, IT systems and professional relationships; and for matters pertaining to training and quality control.

  • To complete any customer feedback survey and to improve our website, services, marketing or customer relationships; including the security of our website(s)

  • Toconsider individuals for employment and contractor opportunities and manage on-boarding procedures.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

 

7. Who we share your personal data with

We will share personal data with our third party providers (who are our data processors for the purpose):-

  • Third parties who are relevant to the property services that we provide you. This may include, but is not limited to – other estate agents, counterparties to transactions; other professional service provider(s) involved in property sales/purchasers/lettings; regulators; competent authorities; governmental institutions (including departments and agencies); banks; public and private registries; and stock exchanges; property repair and maintenance contractors; to arrange/alert utility companies of changes of occupancy in flats

  • Third parties for the purposes of our internal checks & credit control, compliance and regulatory issues – e.g. regulators, competent authorities, intelligence units; credit reference agencies; our professional insurers and brokers; our auditors; and our business bankers.

  • Third parties for the purposes of auxiliary work for the purposes of our carrying property services for you– e.g. IT and systems administration services.

  • Cloud Service & Case Management System Providers; our Email Providers; and Telecommunications Providers.

  • Other third parties such as our accountants, auditors and insurers.

 

Third Parties in general

When we use third party service providers, we only disclose to them any Personal Data that is necessary for them to provide their services and we have an agreementin place that requires them to keep your data secure and not to use it other than in accordance with our specific instructions. Furthermore, in the event that we share Personal Data with any third parties (including those based outside the EEA - see: further below – “International Transfers of Data”) we will ensure there are adequate safeguards in place to protect your Personal Data.

Except where required by law, we will not share your Personal Data with any other third parties.

 

8. Other ways in which we may share your personal data

We may transfer your personal data to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation.

We may also transfer your personal data if we are under a duty to disclose or share it in order to comply with any legal obligation, to detect or report a crime, to protect your vital interests, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our visitors and clients.

We will not share your Personal Data with any other third party.

 

9. Where your Personal Data is held

The website hosting facilities for our website is situated in Nottingham, United Kingdom which means that any personal information obtained via this website will be stored and processed to the agreed standards and requirements of the GDPR.

Additional Personal Data of yours may be kept at our principal place of business and/or with any third parties as above-described.

 

10. Personal Data Retention Period

We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.

We reserve the right retain your Personal Data for such time as is advisable in order to safeguard or improve our position, for instance, in relation to statutes of limitation, litigation or regulatory investigations.

Please note that where your Personal Data is retained beyond where necessary as abovementioned, it will usually be in computer on database(s) or manual files.

 

11. International Transfers of Data

Transferring your personal data out of Gibraltar [and EEA]

To deliver services to you, it is sometimes necessary for us to share your personal data outside Gibraltar, e.g.:-

  1. with your and our service providers located outside the Gibraltar;

  2. if you are based outside the Gibraltar

Under data protection law, we can only transfer your personal data to a country or international organisation outside the Gibraltar [and EEA]where:-

  1. the Gibraltar Government[or, where the EU GDPR applies, the European Commission]has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);

  2. there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or

  3. a specific exception applies under data protection law.

 

These are explained below.

 

Adequacy decision

We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:

  1. all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’);

  2. United Kindgom; and

  3. Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.

Other countries than the above-mentioned thatwe may be likely to transfer personal data to, do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.

 

Transfers with appropriate safeguards

Where there is no adequacy decision, we may transfer your personal data to another country we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.

The safeguards will usually include using legally-approved standard data protection contract clauses.

To obtain a copy of the standard data protection contract clauses and further information about relevant safeguards, please contact our Data Protection Administrator.

 

Transfers under an exception

In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, e.g.:

  1. you have explicitly consented to the proposed transfer after having been informed of the possible risks;

  2. the transfer is necessary for the performance of a contract between us or to take pre-contract measures at your request;

  3. the transfer is necessary for a contract in your interests, between us and another person; or

  4. the transfer is necessary to establish, exercise or defend legal claims

We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers and we will provide relevant information if and when we seek to transfer your personal data on this ground.

 

12. Our Website & Cookies

In the context of usage our website (https://www.rcagibraltar.com/), please refer to our Website Privacy Policy as well as our Cookies Policy

 

13. Data Subject Access Rights

The GDPR provides data subjects with certain access rights with respect to their Personal Data. Those rights are summarized briefly below:-

  • Basic Information – the right to understand who we are and how we collect and use Personal Data.

  • Access – the right to request a summary of the data subject’s Personal Data that is processed by us, along with a copy of such Personal Data (this is known as a “Subject Access Request”).

  • Portability – the right to request we provide a copy of your Personal Data in machine readable form for your own purposes and across different services.

  • Rectification – the right to request that we correct errors and/or update a data subject’s Personal Data to ensure that it is complete and accurate.

  • Erasure – the right to request that we erase Personal Data in our possession. This is also known as “The Right to be Forgotten”.

  • Restriction on Use – the right to request that we stop processing a data subject’s Personal Data.

  • Objection to Use – the right to object to our assertion that we have a legitimate interest in processing Personal Data.

  • The right to withdraw consent - to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent.

  • Objection to Direct Marketing – the right to object to receiving direct marketing materials from us.

  • Objection to Automated Processing & Profiling – the right to object to our use of Personal Data to make automated decisions that affect you as a Personal Data subject.

  • To complain to a supervisory authority - you can complain about our processing of your Personal Data to the supervisory authority.

It is important that you realise that the above rights are not ‘absolute rights’ and are therefore subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting:http://www.knowyourprivacyrights.org/, as well as the website of the Gibraltar Regulatory Authority (“GRA”) at: https://www.gra.gi/

 

14. Where you wish to access your Personal Data in pursuance of your rights

The exercise of your data subject access rights under the GDPR as outlined above are free of charge so you will not have to pay us anything should the situation arise. However, we reserve the right to charge you a reasonable fee if your request is clearly unfounded, repetitive or excessive.

For security reasons, we may need to request specific information from you and undertake certain measures in order to help us confirm your identity in the exercise of your rights so as to prevent any third party from wrongfully obtaining your Personal Data. We will specifically need further proof of your identity and address.

 

15. Rights of complaint to the Gibraltar Regulatory Authority

Under Data Protection Law, you have a right of complaint at any time in relation to the infringement of your rights to file a complaint with a local supervisory authority for Data Protection. In the case of Gibraltar, the supervisory authority is the Gibraltar Regulatory Authority who may be contacted at: https://www.gra.gi/ or by telephone: 00350 200 74636.

 

16. Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated

 

17. Keeping your personal data secure

We have adopted appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

While we endeavour to always protect our systems, sites, operations and information against unauthorized access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.

You also have an important role in protecting Personal Data. You should not share any username, password or other authentication data provided to you with anyone, and we recommend that you do not re-use passwords across more than one website or application. If you have any reason to believe that your username or password has been compromised, please contact us as detailed below

 

18. Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will make an updated copy of such privacy notice available on our website.

This version of the general privacy policy was last uploaded on 1 July 2021.

 

19. Further information

If you have any concerns or require any further information, please do not hesitate to contact the Data Protection Administrator at: admin@rcagibraltar.