Triay Lawyers Ltd. (“we”) want to ensure that individuals (“you”) understand what information we have about you, how we will use it and for what purpose. We are also required by data protection legislation to explain certain matters to you. This privacy notice intends to set these matters out.
We are a “data controller”. This means that we are responsible for deciding how we hold and use certain personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
This Privacy Notice is dated 1st July 2019.
Changes to this Privacy Notice
We may update this Privacy Notice in line with changes to how we process personal data. We will publish any new version of the Privacy Notice on our website.
Data Protection Legislation
The data protection legislation in Gibraltar is the Data Protection Act 2004 (the “DPA”). This incorporates the Regulation 2016/678 of the European Union on the protection of personal data (“GDPR”).
Data Protection Principles
We will ensure that the personal information we hold about you is:
used lawfully, fairly and in a transparent way.
collected only for specified and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
adequate, relevant and limited to what is necessary in relation to the purposes we have told you about.
accurate and kept up to date.
not kept in a form which permits your identification for longer than necessary and kept only as long as necessary for the purposes we have told you about.
not transferred to another country without appropriate safeguards being in place.
What information about you will we use?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Whilst personal data does not extend to Companies, LLP’s, Trust structures or other vehicles, please note that we would ultimately be obtaining personal information about the individuals behind the relevant vehicle.
There are also “special categories” of more sensitive personal data which will require a higher level of protection.
The types of personal data that we will collect, store and use about you may include:
name (including where relevant) maiden name and contact information such as your home and/or business address, email address and telephone number and emergency contact details;
identity and biographical information including you nationality gender, date of birth, marital status and dependants, tax status and information, passport / national identity card details and country of domicile, your employment and employment history, job title and role, educational profile, interests and other information relevant to our provision of professional services;
information in relation to your financial situation such as income, expenditure, assets and liabilities, sources of wealth, as well as your bank account details and other information necessary for processing payments and for fraud prevention purposes;
information that you provide to us for the provision of professional services including information about our meetings with you
Special Categories of personal data
There are also “special categories” of more sensitive personal data which we may also collect, process and store for the provision of professional services.
These special categories may include your race or ethnicity, religious beliefs, sexual orientation, trade union membership, political opinions and information relating to criminal convictions and offences.
These special categories of personal data require a higher level of protection and we will ensure that this is achieved.
How is your personal information collected?
When you are a client most of the information we collect is obtained from you. You may, for example, provide us with personal information when you initially request us to provide professional services and otherwise during the normal course of providing professional services. You may also provide us with personal information when you complete client engagement formalities and when are responding to our KYC (“know your customer”) requirements.
You provide us with personal information when you:
get in touch with us via our website;
email our general enquiries address;
directly interact with us personally;
provide us with documentation we may require for compliance with our “know your customer” obligations;
complete any forms which we may require you to complete to assist us with our compliance with our “know your customer” obligations.
We may receive personal data about you from public registries and from various third parties (including your organisation, agents, advisers, intermediaries or custodians of your assets and our clients or those involved in the matter which we are engaged).
We may also collect personal information about you from you or sometimes from persons or entities authorised by you to provide us with information.
As you interact with our website, we may automatically collect personal information about you.
Our Basis for processing and how and why will we use your personal information
How we use your personal data will depend on whether you are a client, a representative of a client, a business contact, someone whose personal data we necessarily process as part of our provision of professional services, or otherwise. We may process your personal data for the following purposes:
providing a proposal to you or your organisation in relation to the professional services we offer and for client engagement purposes (including the carrying out of background checks);
providing professional services to you and / or our clients (including legal research and advice, and associated advisory services);
managing our relationship with you and / or our clients (including billing and financial management), for record-keeping purposes and more generally for our proper and efficient operation;
dealing with any complaints or feedback you may have;
monitoring and improving the performance and effectiveness of our services, including by training our staff;
any other purpose for which you provide us with your personal data;
seeking advice on our rights and obligations, such as where we require our own legal advice, and to exercise and defend our legal rights;
compliance with our legal and regulatory obligations, such as anti-money laundering laws (which may include the carrying out of background checks and retention of a record of such checks), data protection laws and tax reporting requirements, and / or to assist with investigations by police and / or other competent authorities (where such investigation complies with relevant law) and to comply with Court orders;
safeguarding the security of our systems and communications;
for security purposes generally and to ensure the safety of our employees and visitors and/or
our marketing purposes.
We may process your personal data for any of the purposes set out above where one (or more) of the following lawful processing grounds applies:
it is necessary to perform a contract with you, or to take steps at your request before entering into a contract with you;
it is necessary for us to comply with our legal obligations;
it is necessary for our legitimate interests (including the operation of our business, and the provision of professional services) or those of any client or relevant third party, unless those legitimate interests are overridden by your interests or fundamental rights or freedoms; and/or
have consented to the processing in question.
The situations in which we will commonly use your personal information include:
provide services to you under the engagement letter we have entered into with you;
pay (on occasion) any disbursements to third parties in connection with the services provided to you;
liaising with the Supreme Court of Gibraltar and public registries (like Companies House or Land Property Services);
liaising with regulators (like the Gibraltar Financial Services Commission);
liaising with third party service providers (which may be providing other services to you or others);
liaising with legal advisors to third parties in respect of the services being provided to you by us (where those third parties are a party to the matter in which we act for you).
Who else might your personal information be shared with?
We may have to share your data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Such third parties include your organisation, our own client in a particular matter, third-party service providers.
We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the EEA. If we do, you can expect a similar degree of protection in respect of your personal information.
For how long will your personal information be kept?
We will only retain your personal data for as long as necessary to fulfill the purposes set out above. We may keep your personal data for longer where we are required to do so by law, or it is necessary to establish make or defend a legal claim or an applicable code of conduct permits or requires us to retain the data for longer. Currently the relevant code permits us to retain the data for a period of 7 years from the date the matter has concluded.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and the likelihood of a legal claim.
How will your personal information be kept safe?
We take the security of your personal information very seriously and we have put in place internal controls and security measures to protect it.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way. Personal data will only be transferred to a data processor if he agrees to comply with those measures, or if he puts in place adequate measures himself.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
We use mailing lists to manage how we contact you. This enables us to record and manage how we contact you, and to manage your preferences and bookings for our events.
This data helps us to ensure our mailing list remains up to date; it also provides us with some basic information about your interests and to personalise our communications with you.
You can ask us to stop sending you marketing messages at any time by contacting us at any time.
What are your rights in relation to your personal information?
You have certain rights in relation to your personal data as summarised here:
Right to be informed– you have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights; this is why we are providing you with the information in this privacy notice;
Right to withdraw consent– where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time;
Right of access– you can request access to your personal data;
Correcting your information– where we hold information about you that is inaccurate or incomplete, you have the right to ask us to correct inaccuracies, or complete it;
Erasing your information – in certain circumstances you may require us to erase and/or destroy the information;
Right to restrict processing– in certain circumstances you have the right to restrict some processing of your personal information, which means that you can ask us to limit what we do with it;
Right to object to processing – you can object to us processing your personal information in certain circumstances, including where we are using it for the purpose of the Company’s legitimate business interests as set out above;
Right to data portability– you have the right to obtain from us and re-use your personal data for your own purposes. This only applies, however, where the processing is carried out by automated means, to personal data that you have provided to us yourself (not any other information) and where the processing is based on your consent or for the performance of a contract;
Right to complain – you are able to submit a complaint to Gibraltar Regulatory Authority about any matter concerning your personal information, using the details below. However, we take our obligations seriously, so if you have any questions or concerns, we would encourage you to raise them with us first, so that we can try to resolve them.
Subject Access Requests
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may refuse to comply with your request in circumstances where your request is clearly unfounded, repetitive or excessive.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests as soon as reasonably practicable and, in any event, within 30 days of receipt of the request except in cases of complex or multiple requests.
You have the right to make a complaint at any time to the Gibraltar Regulatory Authority (the “GRA”), the supervisory authority for data protection issues in Gibraltar (www.gra.gi). We would, however, appreciate the chance to deal with your concerns before you approach the GRA so please contact us in the first instance