Privacy Notice

This privacy notice sets out the information required under Articles 13 and 14 of the Gibraltar General Data Protection Regulation (“GDPR”) and sections 53 and 54 of the Data Protection Act 2004 (“DPA”).

Purposes of the Processing.

The main aims and statutory duties of Companies House Gibraltar (“CHG”) are:

To incorporate and dissolve companies and other Gibraltar entities;

To examine and hold documents delivered to it under the Companies Act and various other enactments that are more particularly listed below; and

To make this information available to the public.

CHG's function is designed, amongst other things, to protect members of the public against dishonesty, malpractice, improper conduct, unfitness or incompetence by virtue of our public registers, and the purposes they serve to inform the public about who is running what company (or other registered entity). CHG is legally obliged to request and store information, including but not limited to personal data about you, in connection with its legal obligations under the following enactments:

Companies Act 2014 and related company legislation;

Business Name Registration Act 1918 and related legislation;

Limited Partnerships Act 1927 and related legislation;

Limited Liability Partnerships Act 2009 and related legislation;

Registered Trust Act 1999 and related legislation;

Private Foundations Act 2017 and related legislation;

Trade Marks Act 1948 and related legislation;

Patents Act 1924 and related legislation;

European Economic Interest Grouping Act 1993 and related legislation.

As Gibraltar's national registry for all of the above, CHG is legally required to collect, hold and process information relating to individuals that falls into the categories of public and non-public data.

Our function is conferred on us by the various enactments pursuant to which we act as registrar. As such, the GDPR provisions listed below do not apply to personal data processed by us for the purposes of discharging our function, to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function. The information processed by CHG is required in order to comply with our legal obligations to make certain information public, and the non-public information processed by CHG is necessary for the performance of our task as registrar (lawful bases for processing personal data, Articles 6(1)(c) and 6(1)(e) of the GDPR).

The listed GDPR provisions (“the listed provisions”) are:

1. Article 13(1) to (3) (personal data collected from data subject: information to be provided);
2. Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
3. Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
4. Article 16 (right to rectification);
5. Article 17(1) and (2) (right to erasure);
6. Article 18(1) (restriction of processing);
7. Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
8. Article 20(1) and (2) (right to data portability);
9. Article 21(1) (objections to processing);
10. Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-subparagraphs (i) to (ix); and
11. 11. the following provisions of the GDPR (the application of which may be adapted by virtue of Article 6(3) of the GDPR)-
12. Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6; and
13. Article 5(1)(b) (purpose limitation).

Therefore, the listed provisions do not apply to personal data processed by CHG for the purposes of discharging its function as the national registry, if by applying the listed provisions CHG would be unable to properly carry out its job. Note also that Article 15(1) to (3), which relates to the right of access by the data subject, is one of the listed exemptions. Any information we hold on you is held by us for the sole purpose of enabling us to discharge our function, and is required to enable us to properly discharge the said function.

There is a further exemption contained in Schedule 2, part 3, at section 11, which concerns data subject access requests. In essence it states that Article 15 does not oblige a data controller to disclose information on a data subject, if by doing so the controller would disclose information about another identifiable individual, unless that individual has consented to this, or it is reasonable to disclose the information without the consent of that person.

Categories of Personal Data Concerned

The categories of personal data that CHG holds on each individual will vary from person to person depending on what entity the person has registered with CHG, as for different entities the law requires CHG to request and store varying types of information.

Members of the public involved in any of the entities registered in Gibraltar under any of the enactments pursuant to which we act as registrar are legally obliged to register several personal details with CHG that will generally consist of, but will not be limited to their:

Name

Address

Occupation

Nationality

Date of birth

In connection with an individual's registration CHG may ask for certain additional information allowing CHG to properly identify the individual, such as:

Passport / ID card

Proof of address

When individuals are registering entities involved in providing professional services to members of the public CHG will also ask for proof of their professional qualifications.

In addition, we may hold other information on you that is required for the sole purpose of enabling us to discharge our function. This includes any communication relating to you that has been sent to us either by you directly, or by a third party, and which is necessary for us to perform our task as registrar.

Who do we disclose your data to?

As stated above, data collected by CHG falls into the category of either public or non-public.

The public data is kept by CHG on our public registers and under law is open to be inspected by any member of the public. CHG at times shares some of this information with certain Government Departments, such as the Tax Authorities, or the Royal Gibraltar Police, but will only do so when specific requests for particular information have been made.

Non-public data held by CHG is not routinely disclosed to anyone, or passed on to any other department or body. In certain specific circumstances (e.g., as part of a police investigation) we may be compelled to disclose some specific non-public data to a competent authority (Article 6(1)(c), legal obligation, being the lawful basis for sharing data in such cases).

How long do we store your data for?

Given our legal obligations under the relevant pieces of legislation governing how CHG operates (including, but not limited to, the Companies Act 2014, Business Names Registration Act 1918, and other enactments listed in the section of this document entitled “Purposes of Processing”) we are duty bound to hold on to the data we are provided with as long as the entity registered with us remains in existence. For example, as long as a company remains alive and trading all necessary information will be kept by CHG.

Additionally, given the ability under Gibraltar law to restore to the register entities that had previously been removed from our public registers, CHG is legally obliged to store this information in the event that we receive instructions to restore.

CHG will therefore safely store this information until we receive a request from the Data Subject under Art.17 of the GDPR to erase the data held. However, CHG retains the right under Art.17(3)(b) to determine whether processing of that data is still required in order to remain fully compliant with its legal obligations, and to be able to carry out our task as registrar.

Data Subject's rights under the GDPR.

The GDPR affords the Data Subject (you) more control over their data held by the Data Controller (us) and contains several rights that may be exercised by you in relation to your personal data.

Article 16 of the GDPR gives the Data Subject the right to obtain from the Data Controller the rectification of inaccurate personal data. CHG takes this opportunity to clarify that any information relating to the Data Subject that falls under any of the existing pieces of legislation that CHG is legally compelled to adhere to must still be rectified in the manner prescribed by law.

Article 17 of the GDPR allows the Data Subject to request that their data held by the Data Controller be erased where one of the grounds listed therein applies. CHG takes this opportunity to clarify that under Art.17(3)(b) of the GDPR a request to erase data will not apply if it is determined that the data in question is still required by CHG to be held in order to comply with its legal obligations as registry under Gibraltar law.

Article 18 of the GDPR allows the Data Subject to impose restrictions on how their data is processed if one of the grounds listed therein applies to their case. CHG takes this opportunity to clarify that it remains at all times bound by its obligations under the laws of Gibraltar to maintain an up to date and properly functioning registry and as such any data subjects who wish to impose any restrictions that would hinder the effective management and administration of the registry cannot be proceeded with.

Article 20 of the GDPR affords the Data Subject with the right to receive all of their data held by the Data Controller in a commonly used, machine-readable format so that they may transmit that data to another Data Controller.

Article 21 of the GDPR gives the Data Subject the right to object at any time to the processing of personal data concerning him or her when the processing is based on points (e) or (f) of Article 6(1). CHG takes this opportunity to clarify that it processes data primarily under Article 6(1)(c), namely that processing is necessary for compliance with a legal obligation to which the Data Controller is subject.

The Supervisory Authority.

Article 77 of the GDPR allows the Data Subject to lodge a complaint with a supervisory authority if they are of the opinion that the processing of personal data relating to them infringes the GDPR. In Gibraltar the supervisory authority for all GDPR matters is the Gibraltar Regulatory Authority (“GRA”).

Contact details for the GRA are:

Gibraltar Regulatory Authority,
2nd Floor, Eurotowers 4,
1 Europort Road,
Gibraltar.

Telephone: (+350) 20074636
Fax: (+350) 20072166
Email: privacy@gra.gi

How do we obtain our data?

CHG acts pursuant and according to the relevant pieces of legislation currently in force. As such, individuals willing to be a part of any of the entities whose public registers are held by CHG are obliged under the relevant laws to provide CHG with the requisite information.

Accordingly, some of our data is obtained directly from the Data Subjects themselves as is required by law. Alternatively, if the Data Subject has employed the services of a Trust and Company Service Provider (“TCSP”), CHG would then obtain the Data Subject’s personal data indirectly through the TCSP.

In certain circumstances CHG may also receive communications from third parties relating to matters connected with an entity that is registered in one of the public registers held by CHG.

Automated decision-making.

CHG takes no significant decision based solely on automated processing (including profiling).

Registry Contact Details

For further information, or to make a request for information, please contact us (details listed below).

Companies House Gibraltar
1st Floor
The Arcade
30-38 Main Street
PO Box 848
Gibraltar
Tel: +350 200 78193
Fax: +350 200 44436
mail@companieshouse.gi
www.companieshouse.gi