What is a privacy notice?
Triay & Triay (“we”) want to ensure that individuals (“you”) understand what information we have about you, how we will use it and for what purpose. We are also required by data protection legislation to explain certain matters to you. This privacy notice is intended to set these matters out.
We are a “data controller”. This means that we are responsible for deciding how we hold and use certain personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
This Privacy Notice is dated 25th May 2018.
We may update this Privacy Notice in line with changes to how we process personal data. We will publish any new version of the Privacy Notice on our website.
The data protection legislation in Gibraltar has been the Data Protection Act 2004 (the “DPA”), which implements European Directive 95/46/EC. On 25th May 2018 Regulation 2016/678 of the European Union on the protection of personal data (“GDPR”) comes into force.
We will ensure that the personal information we hold about you is:
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Whilst personal data does not extend to Companies, LLPs, Trust structures or other vehicles, please note that we would ultimately be obtaining personal information about the individuals behind the relevant vehicle.
There are also “special categories” of more sensitive personal data which will require a higher level of protection.
The types of personal data that we will collect, store and use about you may include:
There are also “special categories” of more sensitive personal data which we may also collect, process and store for the provision of professional services.
These special categories may include your race or ethnicity, religious beliefs, sexual orientation, trade union membership, political opinions and information relating to criminal convictions and offences.
These special categories of personal data require a higher level of protection and we will ensure that this is achieved.
When you are a client most of the information we collect is obtained from you. You may, for example, provide us with personal information when you initially request us to provide professional services and otherwise during the normal course of providing professional services. You may also provide us with personal information when you complete client engagement formalities and when you are responding to our KYC (“know your customer”) requirements.
You provide us with personal information when you:
We may receive personal data about you from public registries and from various third parties (including your organisation, agents, advisers, intermediaries or custodians of your assets and our clients or those involved in the matter in which we are engaged).
We may also collect personal information about you from you or sometimes from persons or entities authorised by you to provide us with information.
As you interact with our website, we may automatically collect personal information about you.
We collect this personal data by using cookies and other similar technologies. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
How we use your personal data will depend on whether you are a client, a representative of a client, a business contact, someone whose personal data we necessarily process as part of our provision of professional services, or otherwise. We may process your personal data for the following purposes:
We may process your personal data for any of the purposes set out above where one (or more) of the following lawful processing grounds applies:
We may have to share your data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Such third parties include your organisation, our own client in a particular matter, and third-party service providers.
We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the EEA. If we do, you can expect a similar degree of protection in respect of your personal information.
We will only retain your personal data for as long as necessary to fulfil the purposes set out above. We may keep your personal data for longer where we are required to do so by law, where it is necessary to establish, make or defend a legal claim, or where an applicable code of conduct permits or requires us to retain the data for longer. Currently the relevant code permits us to retain the data for a period of 7 years from the date the matter has concluded.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and the likelihood of a legal claim.
We take the security of your personal information very seriously and we have put in place internal controls and security measures to protect it.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way. Personal data will only be transferred to a data processor if he agrees to comply with those measures, or if he puts in place adequate measures himself.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
We use mailing lists to manage how we contact you. This enables us to record and manage how we contact you, and to manage your preferences and bookings for our events.
This data helps us to ensure our mailing list remains up to date; it also provides us with some basic information about your interests and helps us to personalise our communications with you.
You can ask us to stop sending you marketing messages at any time by contacting us.
You have certain rights in relation to your personal data as summarised here:
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may refuse to comply with your request in circumstances where your request is clearly unfounded, repetitive or excessive.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests as soon as reasonably practicable and, in any event, within 30 days of receipt of the request except in cases of complex or multiple requests.
You have the right to make a complaint at any time to the Gibraltar Regulatory Authority (the “GRA”), the supervisory authority for data protection issues in Gibraltar (www.gra.gi). We would, however, appreciate the chance to deal with your concerns before you approach the GRA, so please contact us in the first instance.
The GRA’s contact details are:
Gibraltar Regulatory Authority
1 Europort Road
Tel: (+350) 20074636
We have not appointed a Data Protection Officer. If you have any questions about anything in this privacy notice, please do not hesitate to contact our Data Protection Team. Our contact details are:
Triay & Triay
28 Irish Town
Tel: 200 72020