General Privacy Policy

1. Introduction

Your privacy is extremely important to us: equally so, is being transparent as to how we collect, use, and share information about you in the course of our carrying out our marina berthing services at Queensway Quay Marina, Gibraltar. This policy is aimed at ensuring compliance with Data Protection Law in the course of carrying out our services, and to a lesser extent, in respect of third parties that supply services to us, as well as the personal data of individuals who submit CV’s and other documentation to us in pursuance of a job enquiry and/or an advertised vacancy at our organisation.

Interpretation

In this policy:-

  • “Data Protection Law” means the Gibraltar Data Protection Act 2004 (which contains “the Gibraltar GDPR”), and where applicable, retained General Data Protection Regulation 2016/679 (“EU GDPR”).
  • “Personal Data” any information relating to an identified or identifiable natural person (as defined by the GDPR). ‘Images’ are also considered personal data and therefore protected by the GDPR.
  • “Sensitive Personal Data” means data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • “GRA” means the Gibraltar Regulatory Authority at https://www.gra.gi/ which is the local supervisory authority for Data Protection and Gibraltar equivalent of the United Kingdom Information Commissioner’s Office.
  • “QQML” means Queensway Quay Marina Limited, a company registered in Gibraltar whose basic particulars appear in Section 2 below.
  • The terms “QQML”, “we”, “our” and “us” are used interchangeably, and bear a corresponding meaning. Equally, references to “you” and “your” are used interchangeably and mean – you.

2. Our Contact Details

For the purposes of Data Protection Law, which regulates our use of your personal information, QQML is considered the “Data Controller”. What this means is that we are responsible for deciding how we hold and use your personal information.

QQML is a company registered in Gibraltar with Incorporation Number 77641, and with registered office situate at Suite 5, 38 Irish Town, Gibraltar, GX11 1AA. Our principal place of business is:-

The Tower

The Sails, Office 43

Queensway Rd,

GIBRALTAR

GX11 1AA

3. Data Protection Administrator

Should you have any comments or questions about how we collect and use your personal information, you should address them to our Data Protection Administrator who can be reached at the contact details provided by this website or directly to: info@queenswayquay.com

4. What type of Personal Data do we collect about you?

We will obtain the following Personal Data from you (for example):-

  • Information about yourself when you directly interact with us – for example, when you make an enquiry with us; when entering information via our website or interacting with our website (for further details on website usage, please see our Website Privacy Policy) or by communicating with us by phone or e-mail; and when you enter into a contract with us to provide you with vessel berthing services.
  • The above information you give us generally includes your contact details (name, address, date of birth, email address and telephone number – landline(s) and mobile(s)); where supplied – other details such as gender, marital status, family details.
  • Other identification information (e.g. your passport, national identity card, debit and credit card information) for the purposes of ascertaining your identity; including identification numbers issued by government bodies or agencies (e.g. depending on the country you are in, social security or national insurance number, passport number, ID number.
  • Information provided to us by HM Customs Gibraltar on the “Vessel Pre-Arrival Notification Form” used by them, which includes:-
  • Vessel details – Registration Number; Country of Registration; Port of Registry; Date of Registry; Corporate Ownership details; vessel details in general; date of entry into port (including list of previous and subsequent overseas ports); and
  • Immigration details – name, nationality, date of birth, passport details, status on board a vessel (e.g. Skipper or Crew Member); Immigration VISA details; and any comments from the Gibraltar Immigration Authorities on your entry into Gibraltar.
  • A copy of your vessel registration certificate, insurance policy and any other documentation pertaining to your ownership of the said vessel being the subject-matter of the berthing contract.
  • VHF radio transmissions – which allow instant communication between the boats and the Marina Office are made over the public VHF network up to a radius of approximately 3 miles from the marina. The said transmissions may include the name of the skipper and the vessel. We do not record any VHF transmissions whatsoever.
  • We obtain your debit or credit account number (Personal Account Numbers) PAN’s and card issue/expiry date when printing out receipts of payment via our “WorldPay” payment processor card machine. In using the WorldPay card machine we do not obtain your CVC (Card Verification Code)/CV2 details, bank and/or issuer details (however – at times we obtain the latter information when accepting payment over the telephone – see further below).
  • Employment and occupation information (e.g) CV’s, qualifications and accreditations, memberships, associations to which you may belong, professional references and any other work-related documentation.
  • Personal information received in connection with any procurement for the supply of third party services to our organisation, and in our dealings with our independent contractors and agents in connection with our services.
  • Facial Imagery we may obtain of you when in designated areas forming part of the berthing facility service by way of (CCTV).

5. How we collect your Personal Data

Although the majority of Personal Data will be provided to us by you, there are occasions that we will collect further personal data about you from outside sources and/or third parties as follows:-

  • Via HM Customs Gibraltar when they supply us with their Vessels Pre-Arrival Entry Form (as above).
  • Your and/our legal advisers, insurance agents and/or brokers, or any other professional advisers that we may need to deal with in relation to any matter concerning the vessel berthing contract. The source of information may extend to third parties such as complainants, claimants, Government bodies such as agencies authorities and departments.
  • Via E-Mail Exchanges (Via Our Email Hosting Service Providers).
  • Via our website(s) – We may automatically collect information about you which we may observe, detect or create without directly asking you to provide the information to us. In common with most other businesses, this will mainly include information gathered automatically through your use of our website. Please see our Website Privacy Policy for further details.
  • Via our CCTV camera system (see Section 6)

6. Close Circuit Television (CCTV) Imagery

CCTV System Overview

This section details the purpose, use and management of the CCTV system and the procedures to be followed by us to ensure it complies with Data Protection Law and the current CCTV Code of Practice issued by the Gibraltar Regulatory Authority (“GRA”).

The Data Protection Administrator  is responsible for the overall supervision and management of the CCTV system, which includes:  installation, recording, monitoring and reviewing the system to ensure it adheres to this policy and the aforesaid Code of Practice, and that it is consistent with the individual’s right of privacy. The CCTV system is also subject to a yearly Data Protection Assessment.

QQML has in place a CCTV surveillance system in certain parts of Queensway Quay Marina at the following locations:-

  • By the gateway entries onto the Marina Berthing pontoons– cameras are installed at each of the entrance gates facing and pointing westerly unto the said pontoons;
  • By the lobby entrance to the shower/toilet facilities located at The Tower, Queensway Quay Marina;
  • At the “bin store” for berth holders. Thereat, the CCTV inside the store room looking toward the entrance door.
  • By the Marina Staff Workshop located at the public/private main car parking area of Queensway Quay Marina (please note that entry into the workshop is restricted to marina staff personnel only).

The above CCTV Camera operation locations are referred to collectively as “the Designated Areas”. The cameras continuously record activities in those areas. Other cameras operate in other locations comprising Queensway Quay, Gibraltar (outside the above areas), but these are owned operated and controlled by a separate legal entity, unconnected to QQML.

In selecting the location of the installation of our CCTV cameras we have positioned them in such a manner as to limit the recording of irrelevant material. No audio is recorded on the camera system.

Signs are also placed at the Designated Areas to inform individuals that CCTV is in operation in those areas and a 24 hour contact number is also made available. The CCTV is capable of being monitored 24/7/365.

Purposes of CCTV system

Details of the “purposes” of the CCTV system appear in Section 7 below.

Monitoring and recording

Cameras are monitored in the Marina Office which maintains a Digital Video Recorder (DGV) which can be accessed online via a desktop computer and mobile device(s) with appropriate security access codes.

Images are accessible with an authorised user name and password from specific PCs and laptops.

CCTV images are available only to persons authorised to view them. Only the Senior Pier Master (who is also the Data Protection Administrator) of QQML has access to the CCTV images.

We ensure that images are not available to unauthorised persons, for example by minimising screens when not in use or when unauthorised persons are present. We ensure that screens are always locked when unattended.

Nobody reviews the CCTV recorded material unless there is an incident necessitating viewing of the said footage.

All images recorded by the CCTV system remain our property; copyright in the imagery is vested at all material times in QQML.

Applications for disclosure of images

Requests by individuals for images relating to themselves (known as “Subject Access Requests”) should be submitted in writing to Data Protection Administrator of QQML (see: details provided above), together with proof of identification. QQML reserves the right to request further information and/or proof identity for the purposes of complying with a Subject Access Request. On the procedure for CCTV requests, see further Section 14 below.

Access to and disclosure of images to third parties

Requests by third parties are government by the provisions set out in Sections 14 & 15, below.

How long do we keep CCTV imagery for? See Section 15 below.

Complaints about our CCTV system

Any complaints relating to the CCTV system should be directed in writing to the Managing Director of QQML promptly and in any event within seven days of the date of the incident giving rise to the complaint. The complaint may be addressed via email to info@queenswayquay.com or by letter to:

The Managing Director

Marina Office

Queensway Quay Marina

Ragged Staff Wharf

Queensway

Gibraltar

GX11 1AA

A complaint will be responded to within a month of the date of its receipt. Records of all complaints and any follow-up action will be maintained by the relevant office.

Complaints in relation to any release of images should be addressed to the Data Protection Administrator. These will be responded to promptly and, in any event, within 30 days of receipt. They will be dealt with in accordance with the provisions of local Data Protection Law.

7. Why do we use your Personal Data?

In this section, we set out the purposes for which we use your Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely upon in order to process the information.

These “legal grounds” are set out in the Data Protection Law which allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out therein in respect of ordinary personal data as well as ‘Special Categories of Personal Data’. These are set out in the following table:-

 

A.    For processing Personal Data

Legal ground Details
Performance of our contract with you Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
Compliance with a legal obligation Processing is necessary for compliance with a legal obligation to which we are subject – e.g. to undertake customer due diligence on you as required by law.
For our legitimate business interests Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

B.    For processing Special Categories of personal data:

Special categories of personal data refer to data relating to, for example, racial or ethnic origin, revealing political opinions; religious or philosophical beliefs; trade union membership; genetic information.

Legal ground Details
Your explicit consent

You have given your explicit consent to the processing of such Personal Data for one or more specified purposes.

You are free to withdraw your consent, by contacting our Data Protection Administrator. However withdrawal of this consent may impact our ability to provide the services in question.

For legal claims

 

In respect of any of our employees

Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law.

Substantial public interest Processing is necessary for reasons of substantial public interest, on the basis of Gibraltar law, including where such processing is necessary for insurance purposes or fraud prevention purpose

 

The Purposes:

In order to provide you with a broad outline, the purposes for which we use Personal Data, and the legal bases for such processing, they are as follows (although some of these categories may not specifically apply to you):-

  • Entering into a vessel berthing contract with you, supervising, managing and meeting our obligations under that contract and collecting berthing fees from you.

 

  • Where it is necessary for our legitimate interests (or those of a third party) – e.g in defence of any claim (or potential claims) made against us; or the protection of property or the securing of evidence (e.g. with the recording of CCTV imagery) and your interests and fundamental rights do not override those interests.
  • CCTV systems are in place in the Designated Areas for the purposes of : –
  • the prevention, reduction, detection and investigation of crime and other incidents;
  • security of the premises we occupy;
  • to assist in the investigation of suspected breaches of the berthing contract by berth-holders;
  • to support the maintenance of health and safety standards of the premises we occupy, and to detect any potential infringements of the latter as well as local environmental laws (e.g. by a berth-holder depositing in the said bin store any articles other than ordinary refuse which could be injurious to health and safety of visitors or otherwise be a nuisance or other environmental threat); and
  • preservation of evidence.
  • To ensure that our internal practices and procedures are adhered to for matters such as security.
  • For the bettering of our business practices, procedures, IT systems and commercial relationships; and for matters pertaining to training and quality control.
  • To improve our website, services, marketing or customer relationships; including the security of our website.
  • To consider individuals for employment and contractor opportunities and manage on-boarding procedures.

Note that we may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your Personal Data.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

8. Who we share your Personal Data with

We will share Personal Data with third parties as follows:-

  • Third parties who may be relevant to the marina berthing services that we provide you. These parties may include, but are not limited to: regulators; competent authorities; governmental institutions (including departments and agencies); to include repair and maintenance contractors
  • Third parties for the purposes of auxiliary work for the purposes of our carrying berthing services for you– e.g. IT and systems administration services.
  • Our Email hosting service providers;
  • Other third parties such as our lawyers, accountants, auditors and insurers. In the event of claims made in relation to the berthing service, this may include your lawyers, insurers brokers or any other relevant third parties.
  • Website host – we have an external website host, GoDaddy, LLC. (see below), as well as website technicians/administrative service suppliers we engage.
  • Payment processors – we work with “WorldPay” to process payments securely (see below).

WorldPay

We use “WorldPay” for our “on-site” card transactions with you, that is to say, when you make payment via our Marina Office at Queensway Quay.

All your details are processed and handled by WorldPay which is an accredited payment bureau and compliant with PCI DSS (Payment Card Industry Data Security Standard) industry standards. WorldPay’s privacy policy is separate from ours and can be viewed on their website at https://www.fisglobal.com/en-gb/privacy. We recommend that you read this policy to understand the manner in which your personal information will be handled by them.

Worldpay is a “data controller” for the purposes of our fair processing notices and you should therefore refer to their privacy policy.

Please note that WorldPay may transfer any personal data of yours to a country outside the Gibraltar, the UK, or the EEA (such as the Unites States) which may not have the same data protection safeguarding laws as in Gibraltar, the UK or the EEA. Again, we refer you to the World Pay Privacy Policy for more information on their “international transfers of date”: https://www.fisglobal.com/en-gb/privacy.

When you pay via the WorldPay in-office card machine, a print-out receipt is provided to you, and a merchant receipt is retained by us for accounting purposes. Merchant receipts are stored securely in a locked cabinet by use and used solely for the purposes of accounting, and as such are restricted to authorised staff only. For data retention periods regarding WorldPay card transactions, please see Section 11 below.

Payment information using WorldPay is never transferred to us via our website.

Very infrequently, we may agree to process your payment over the telephone in which case we will obtain the cardholder name, credit/debit card number, expiry date and CVV/CV2 numbers. As soon as those details are received from the customer, they are inputted into the card machine by the relevant staff member. These payment details are not stored by us anywhere; they are received and used by WorldPay to process the transaction in question, and as to their dealing with that data we refer you once again to their privacy policy above-referred.

Third Parties in general

When we use third party service providers, we only disclose to them any Personal Data that is necessary for them to provide their services and we have an agreement in place that requires them to keep your data secure and not to use it other than in accordance with our specific instructions. Furthermore, in the event that we share Personal Data with any third parties (including those based outside the EEA – see: further below – “International Transfers of Data”) we will ensure there are adequate safeguards in place to protect your Personal Data.

Except where required by law, we will not share your Personal Data with any other third parties.

9. Other ways in which we may share your Personal Data

We may transfer your Personal Data to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation.

We may also transfer your Personal Data if we are under a duty to disclose or share it in order to comply with any legal obligation, to detect or report a crime, to protect your vital interests, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our visitors and clients.

10. Where your Personal Data is held

We use GoDaddy, LLC website hosting facilities. The website hosting facilities for our website is situated in Amsterdam, Holland, which means that any personal information obtained via this website will be stored and processed to the agreed standards and requirements of the EU GDPR.

Any additional Personal Data of yours is kept in our computer systems and/or manual files at our principal place of business and/or with any third parties as above-described, e.g. our email service providers (where applicable).

11. Personal Data Retention Period

We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.

We reserve the right to retain your Personal Data for such time as is advisable in order to safeguard or improve our position, for instance, in relation to statutes of limitation, litigation or regulatory investigations.

Please note that where your Personal Data is retained beyond where necessary (as abovementioned), it will usually be in computer on database(s) or manual files.

We will retain Personal Data in connection with employment opportunities, applications for up to 3 years in case we decided to contact you at a later date.

CCTV Retention Period

Unless required for evidential purposes, the investigation of an offence or as requied by law, CCTV images will be retained for no longer than 30 days from the date of recording. Images will be automatically overwritten after this point. Data storage is automatically managed by the CCTV digital records which overwrite historical data in chronological order to produce a 30-day rotation in data retention.

If there is a legitimate reason for retaining the CCTV images (such as for use in an accident investigation, disciplinary investigation and/or legal proceedings), the footage or still frames can be isolated and saved outside the DVR to a separate encrypted zip file. Any saved images or footage will be deleted once they are no longer needed for the purpose for which they were saved.

All retained CCTV images will be stored securely.

WorldPay – Card Transaction Details

When you pay by credit or debit card at our Marina Main Office, the only data we obtain from our “WorldPay” card machine is your card PAN number and expiry date. We do not obtain any further data from the machine. We retain a printout of the receipt of payment for accounting purposes and for a maximum period of 18 months from its issue for the purposes of any payment queries or discrepancies. After this, the printout will be destroyed.

12. International Transfers of Data

Transferring your personal data out of Gibraltar [and EEA]

To deliver services to you, it is sometimes necessary for us to share your personal data outside Gibraltar, e.g.:-

  1. with your and our service providers located outside the Gibraltar;
  2. if you are based outside the Gibraltar

Under data protection law, we can only transfer your personal data to a country or international organisation outside the Gibraltar[ and EEA] where:-

  1. the Gibraltar Government [or, where the EU GDPR applies, the European Commission]has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
  2. there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
  3. a specific exception applies under data protection law.

These are explained below.

Adequacy decision

We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:

  1. all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’);
  2. United Kindgom; and
  3. Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.

Other countries than the above-mentioned that we may be likely to transfer personal data to, do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.

Transfers with appropriate safeguards

Where there is no adequacy decision, we may transfer your personal data to another country we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.

The safeguards will usually include using legally-approved standard data protection contract clauses.

To obtain a copy of the standard data protection contract clauses and further information about relevant safeguards, please contact our Data Protection Administrator.

Transfers under an exception

In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, e.g.:

  1. you have explicitly consented to the proposed transfer after having been informed of the possible risks;
  2. the transfer is necessary for the performance of a contract between us or to take pre-contract measures at your request;
  3. the transfer is necessary for a contract in your interests, between us and another person; or
  4. the transfer is necessary to establish, exercise or defend legal claims

We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers and we will provide relevant information if and when we seek to transfer your personal data on this ground.

Our Website

In the context of usage our website (https://www.queenswayquay.com/), please refer to our Website Privacy Policy.

 

13. Data Subject Access Rights

The Data Protection Law provides data subjects with certain access rights with respect to their Personal Data. Those rights are summarized briefly below:-

  • Basic Information – the right to understand who we are and how we collect and use Personal Data.
  • Access – the right to request a summary of the data subject’s Personal Data that is processed by us, along with a copy of such Personal Data (this is known as a “Subject Access Request”).
  • Portability – the right to request we provide a copy of your Personal Data in machine readable form for your own purposes and across different services.
  • Rectification – the right to request that we correct errors and/or update a data subject’s Personal Data to ensure that it is complete and accurate.
  • Erasure – the right to request that we erase Personal Data in our possession. This is also known as “The Right to be Forgotten”.
  • Restriction on Use – the right to request that we stop processing a data subject’s Personal Data.
  • Objection to Use – the right to object to our assertion that we have a legitimate interest in processing Personal Data.
  • The right to withdraw consent – to the extent that the legal basis of our processing of your Personal Data is consent, you can withdraw that consent. For details to withdraw cookie consent when making use of our website, please refer to our Website Privacy Policy.
  • Objection to Direct Marketing – the right to object to receiving direct marketing materials from us.
  • Objection to Automated Processing & Profiling – the right to object to our use of Personal Data to make automated decisions that affect you as a Personal Data subject.
  • To complain to a supervisory authority – you can complain about our processing of your Personal Data to the supervisory authority.

It is important that you realise that the above rights are not ‘absolute rights’ and are therefore subject to certain limitations and exceptions.

You can learn more about the rights of data subjects by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights

The above hyperlink is to the Information Commissioner’s Office which is the UK’s Independent Authority for, inter alia, data protection issues. Although our organisation is based in Gibraltar, the above link provides very useful information as to our rights; you can further examine your data protection rights by visiting the website of the Gibraltar equivalent of the UK ICO Officer – the GRA – at the following website: https://www.gra.gi/data-protection/general-dpr/gibraltar-gdpr-dpa-23-guidance-on-the-rights-of-individuals

For further information please contact our Data Protection Administrator at info@queenswayquay.com.

14. Where you wish to access your Personal Data in pursuance of your rights

The exercise of your data subject access rights under the GDPR as outlined above are free of charge so you will not have to pay us anything should the situation arise. However, we reserve the right to charge you a reasonable fee if your request is clearly unfounded, repetitive or excessive.

For security reasons, we may need to request specific information from you and undertake certain measures in order to help us confirm your identity in the exercise of your rights so as to prevent any third party from wrongfully obtaining your Personal Data. We will specifically need further proof of your identity and address.

CCTV Imagery Requests & Disclosure

Recorded images, if sufficiently clear, are considered to be the personal data of the individuals whose images have been recorded by the CCTV system. Data subjects have a right to access to their personal data under the data protection legislation (as well as other rights of access as described in Section 14, above). You can seek to exercise your right of access by writing via email to the Data Protection Administrator at: info@queenswayquay.com. This should be done without undue delay and at the latest within one month of receiving the request unless an extension of the period is justified.

Third Party Requests

Any request for CCTV imagery made by any third party should be made in writing to the Data Protection Administrator of QQML. We reserve the right to request from you proof of identity and other information we may deem fit to ensure your Personal Data is not improperly obtained.

In limited circumstances, it may be appropriate to disclose images to a third party where such disclosure is required by law, in relation to the prevention or detection of crime or in other circumstances where an exemption applies under local legislation.

Third party requests for access will usually only be considered, in line with the data protection legislation, in the following categories:

§  from a legal representative of the data subject (letter of authorisation signed  by the data subject would be required)  from law enforcement agencies including the police

§  disclosure required by law or made in connection with legal proceeding

§  HR staff responsible for disciplinary and complaints investigations; and

§  related proceedings, and  Staff employed by our contractors responsible for disciplinary; and

§  complaints investigation and related proceedings concerning their own staff.

A record of any disclosure made under this policy will be held on the CCTV record management system and will details the time date, camera, authoriser of the request, the reason(s) for  the disclosure of the imagery to the third party in question.

15. Rights of complaint to the Gibraltar Regulatory Authority

Under Data Protection Law, you have a right of complaint at any time in relation to the infringement of your rights to file a complaint with a local supervisory authority for Data Protection. In the case of Gibraltar, the supervisory authority is the Gibraltar Regulatory Authority who may be contacted at: https://www.gra.gi/ or by telephone: 00350 200 74636.

16. Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated

17. Keeping your personal data secure

We have adopted appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

While we endeavour to always protect our systems, sites, operations and information against unauthorized access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.

18. Cookies

For detailed information on the cookies which we and our third-party providers use and the reasons why we use them, please refer to our Website Privacy Policy

19. Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will make an updated copy of such privacy notice available on our website.

This version of the general privacy policy was last uploaded on 1 April 2021.

20. Further information

If you have any concerns or require any further information, please do not hesitate to contact our Data Protection Administrator at: info@queenswayquay.com