Who are you and what is the purpose of this notice?
The Digital Services Team and HM Government of Gibraltar (“HMGoG”) are committed to protecting and respecting your right to privacy. This Privacy Notice aims to provide you with information on what personal data we collect about you, what we do with that information and why we do it, who we share it with, and how we protect your privacy.
The Digital Services Team (collectively referred to as “we”, “us” or “our” in this Privacy Notice) is the data controller for the purposes of this web portal and your interactions with us.
It is important that you read this Privacy Notice together with any future notice we may provide so that you are fully aware of how and why we are using your personal data.
We may change this Privacy Notice from time to time, so please check this page occasionally to ensure that you are happy with any changes.
Please note that our portal links to several departments and authorities who deliver public services to you. These departments and authorities are the data controllers of the personal data that they hold about you. They process that personal data under their own lawful basis depending on the relationship that they have with you and the services that they are providing to you. If you want more information about how a specific department or authority processes your personal data you should see that department or authority’s privacy notice (this is typically found on their website).
What information do you collect about me?
In order to register your account, we will collect personal data about you. This information will include: first name, surname, contact mobile number and email address.
In order to verify your identity we will require the following personal data: your date of birth, your ID card or passport number (along with the expiry date and country of issue for that identity document), and your nationality.
This information is necessary as we must be able to verify your identity before allowing you access to HMGoG services online. As integrated services launch on the Digital Portal, a verified identity will enable you to link your online record to those public bodies offering digital services. This will allow access to E-Gov integrated services, after a verification process, with those departments. This process is required to prevent fraud and false access to services. We will also request proof of identification documents, such as ID Card or Passport, so that we can confirm your identity during the verification process. These documents will be uploaded by you onto our secure portal.
Some information also gets collected automatically by our portal when you use it. This includes information such as:
This information allows the portal to remember who you are and provide you with whatever content you have asked for. For example, your IP address and information about the device you are using will confirm your location, so that we can find out whether you are accessing the services from inside or outside Gibraltar (making your experience more relevant to where you live).
When you report a problem with our portal or services, we will collect contact information along with a description of your problem. This is done so that we can better assist you in providing a solution.
It is important that the personal data that we hold about you is accurate and up-to-date. You can check your current personal data here. Having accurate personal data ensures that we can continue to provide services to you and that we minimise the potential for any risk to your personal data (such as sending information to a previous address or contacting you on a number that no longer belongs to you).
How do you use my information?
We may use your personal data to:
help resolve a service request, incident or problem you may report about our portal;
register you as a portal user, including to manage your account and set up your personal details and available services;
verify your identity and prevent user fraud;
facilitate your relationship and interaction with departments and authorities across the public sector;
monitor and improve the services that we provide to you;
monitor and identify web traffic, and facilitate technological development and improve our digital services;
we may also share your data if we are required to do so by law (for example complying with a court order) or to assist law enforcement bodies in the detection, prevention and prosecution of crimes.
What gives you the right to use my information?
We process your personal data under our legitimate interests as we are improving the method by which the public sector can deliver its services to you. Our aim is to improve your accessibility and experience as a citizen interacting with the public sector.
We are therefore relying on the lawful basis of Article 6(1)(f) of the Gibraltar GDPR, processing that is necessary for the purposes of our legitimate interests. In order to rely on this lawful basis we have established that:
we are pursuing a legitimate interest in modernising and improving public service delivery;
this processing is necessary to meet our legitimate interests and accomplish our objective; and
we have considered the impact of this processing on the rights of our data subjects and concluded that our legitimate interests are not overridden by any identified risks (as we have put in place sufficient safeguards to mitigate any potential risk).
Do we transfer your Personal Data internationally?
We do not normally transfer your personal data outside Gibraltar. We would only transfer your Personal Data if:
and we will always ensure that the recipient country or organisation offers the same levels of protection to your Personal Data as the Gibraltar GDPR and the Data Protection Act 2004.
How do you keep my information safe and secure?
Under the Data Protection Act 2004 and the Gibraltar GDPR, strict principles govern our use of personal data and our duty to ensure it is kept safe and secure.
Please rest assured that we have put in place appropriate security measures (such as password protection and access restrictions) to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We also use encryption for the collection or transfer of sensitive personal data, such as your credit card details when making a payment.
All our records are restricted so that only those individuals who have a need to know can access the information. This might be through the use of technology or other environmental safeguards.
All our employees are subject to the common law duty of confidentiality. This means that any personal data about you will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
We remind you that you should never disclose your password or login credentials to anyone. This is specific to you and should remain private to ensure that your personal data are protected.
If you believe that someone has logged in with your credentials you should notify us by contacting our support team.
Who do you share my information with?
We do not share or disclose your personal data with any organisation other than those who already have access as a result of their direct and lawful interactions with you.
Your user account details (first name, surname, email address and contact telephone number) will be made available to HMGoG public bodies that are providing digital services to you. This will ensure that your personal data are kept up to date and accurate across all your interactions as a public citizen with HMGoG. This further ensures that HMGoG can provide you with the best level of service possible and make your interactions with us more efficient and effective.
There will be many occasions during which a HMGoG public body will need to confirm your identity and entitlement to public services before providing you with digital services via our portal. When this is necessary that HMGoG public body will be able to verify your identity by checking the identity documents (e.g.: passport or ID card) that you have uploaded onto our secure portal.
Rest assured that within all HMGoG public bodies, including within our own digital services team, only employees who directly deal with our portal or are assisting you with an enquiry will have sight of your personal data. Appropriate access restrictions and audit trails are in place to ensure that no one has unauthorised access to your personal data.
How long do you keep my information?
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
We will only keep your personal data for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice. Certain profile information, such as first name, surname, date of birth will be kept permanently as they will form part of your unique identifier with HMGoG and form the basis of your record with HMGoG.
Should you ever want to deactivate your account please contact our support team.
If you deactivate your account this will mean that, you can no longer access our portal and our digital services, unless you request to reactivate your account with us. Please contact our support team should you need to reactivate your account. At this stage, you will need to re-verify your identity.
De-activating your account will not delete the user profile information, as this information is essential for HMGoG to identify you. By opening an account online, you are establishing yourself permanently as an individual with HMGoG.
It is also important to note that deactivating your account does not delete the personal data held by the departments and authorities, as they will be processing that personal data for their own purposes depending on their relationship with you and the services that they provide to you.
Service requests, incidents or problems you may report about your use of our portal and any concerns or complaints you may raise with us will be kept for as long as necessary to deal with your query, and for a year after the date that we close your ticket. Please note that retention periods may be extended if needed for legal proceedings or similar reasons.
What privacy rights do I have?
Under data protection law, you have certain rights in relation to the personal data that we hold about you. You may exercise these rights at any time by contacting us using the details at the end of this Privacy Notice.
It may not be possible to agree to your request, if the need to keep the record is of significant importance. If this is the case, we will explain the reason for this to you.
You have the right:
to ask us to confirm whether we hold any of your personal data and request a copy of any personal data that we hold about you. The process of asking for access to your personal data is known as a Data Subject Access Request (“DSAR”);
to correct any inaccuracies in your personal data and to modify it in such a way if you believe the personal data we hold is incomplete. You can do this yourself by clicking here
to delete (in as much as is possible in the specific circumstances) any of your personal data;
ask us to stop processing your personal data. However, there are exceptions; for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks that are in the public interest for for the purposes of establishing, exercise or defending legal claims;
where we process your personal data on the basis that you have given us your consent to do so, withdraw your consent at any time.
How can I contact you with any questions or concerns?
We aim to meet the highest standards when collecting and using personal data. We encourage people to bring questions and concerns to our attention and we take any complaints we receive seriously.
If you have any questions about this Privacy Notice or any of our privacy practices, please contact our support team.
Alternatively, you can contact our Data Protection Officer on-
Postal address: Government Law Offices, No.40 Town Range, Gibraltar, GX11 1AA
If you are not satisfied with our response, you may wish to raise your concerns or make a complaint to the Gibraltar Regulatory Authority:
Postal address: 2nd floor, Eurotowers 4, 1 Europort Road, Gibraltar
Telephone: +350 20074636