Your privacy is extremely important to us: equally so, is being transparent as to how we collect, use, and share information about you in the course of our carrying out our marina berthing services at Queensway Quay Marina, Gibraltar. This policy is aimed at ensuring compliance with Data Protection Law in the course of carrying out our services, and to a lesser extent, in respect of third parties that supply services to us, as well as the personal data of individuals who submit CV’s and other documentation to us in pursuance of a job enquiry and/or an advertised vacancy at our organisation.
In this policy:-
For the purposes of Data Protection Law, which regulates our use of your personal information, QQML is considered the “Data Controller”. What this means is that we are responsible for deciding how we hold and use your personal information.
QQML is a company registered in Gibraltar with Incorporation Number 77641, and with registered office situate at Suite 5, 38 Irish Town, Gibraltar, GX11 1AA. Our principal place of business is:-
The Sails, Office 43
Should you have any comments or questions about how we collect and use your personal information, you should address them to our Data Protection Administrator who can be reached at the contact details provided by this website or directly to: firstname.lastname@example.org
We will obtain the following Personal Data from you (for example):-
Although the majority of Personal Data will be provided to us by you, there are occasions that we will collect further personal data about you from outside sources and/or third parties as follows:-
CCTV System Overview
This section details the purpose, use and management of the CCTV system and the procedures to be followed by us to ensure it complies with Data Protection Law and the current CCTV Code of Practice issued by the Gibraltar Regulatory Authority (“GRA”).
The Data Protection Administrator is responsible for the overall supervision and management of the CCTV system, which includes: installation, recording, monitoring and reviewing the system to ensure it adheres to this policy and the aforesaid Code of Practice, and that it is consistent with the individual’s right of privacy. The CCTV system is also subject to a yearly Data Protection Assessment.
QQML has in place a CCTV surveillance system in certain parts of Queensway Quay Marina at the following locations:-
The above CCTV Camera operation locations are referred to collectively as “the Designated Areas”. The cameras continuously record activities in those areas. Other cameras operate in other locations comprising Queensway Quay, Gibraltar (outside the above areas), but these are owned operated and controlled by a separate legal entity, unconnected to QQML.
In selecting the location of the installation of our CCTV cameras we have positioned them in such a manner as to limit the recording of irrelevant material. No audio is recorded on the camera system.
Signs are also placed at the Designated Areas to inform individuals that CCTV is in operation in those areas and a 24 hour contact number is also made available. The CCTV is capable of being monitored 24/7/365.
Purposes of CCTV system
Details of the “purposes” of the CCTV system appear in Section 7 below.
Monitoring and recording
Cameras are monitored in the Marina Office which maintains a Digital Video Recorder (DGV) which can be accessed online via a desktop computer and mobile device(s) with appropriate security access codes.
Images are accessible with an authorised user name and password from specific PCs and laptops.
CCTV images are available only to persons authorised to view them. Only the Senior Pier Master (who is also the Data Protection Administrator) of QQML has access to the CCTV images.
We ensure that images are not available to unauthorised persons, for example by minimising screens when not in use or when unauthorised persons are present. We ensure that screens are always locked when unattended.
Nobody reviews the CCTV recorded material unless there is an incident necessitating viewing of the said footage.
All images recorded by the CCTV system remain our property; copyright in the imagery is vested at all material times in QQML.
Applications for disclosure of images
Requests by individuals for images relating to themselves (known as “Subject Access Requests”) should be submitted in writing to Data Protection Administrator of QQML (see: details provided above), together with proof of identification. QQML reserves the right to request further information and/or proof identity for the purposes of complying with a Subject Access Request. On the procedure for CCTV requests, see further Section 14 below.
Access to and disclosure of images to third parties
Requests by third parties are government by the provisions set out in Sections 14 & 15, below.
How long do we keep CCTV imagery for? See Section 15 below.
Complaints about our CCTV system
Any complaints relating to the CCTV system should be directed in writing to the Managing Director of QQML promptly and in any event within seven days of the date of the incident giving rise to the complaint. The complaint may be addressed via email to email@example.com or by letter to:
The Managing Director
Queensway Quay Marina
Ragged Staff Wharf
A complaint will be responded to within a month of the date of its receipt. Records of all complaints and any follow-up action will be maintained by the relevant office.
Complaints in relation to any release of images should be addressed to the Data Protection Administrator. These will be responded to promptly and, in any event, within 30 days of receipt. They will be dealt with in accordance with the provisions of local Data Protection Law.
In this section, we set out the purposes for which we use your Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely upon in order to process the information.
These “legal grounds” are set out in the Data Protection Law which allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out therein in respect of ordinary personal data as well as ‘Special Categories of Personal Data’. These are set out in the following table:-
A. For processing Personal Data
|Performance of our contract with you||Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.|
|Compliance with a legal obligation||Processing is necessary for compliance with a legal obligation to which we are subject – e.g. to undertake customer due diligence on you as required by law.|
|For our legitimate business interests||Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.|
B. For processing Special Categories of personal data:
Special categories of personal data refer to data relating to, for example, racial or ethnic origin, revealing political opinions; religious or philosophical beliefs; trade union membership; genetic information.
In order to provide you with a broad outline, the purposes for which we use Personal Data, and the legal bases for such processing, they are as follows (although some of these categories may not specifically apply to you):-
Note that we may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your Personal Data.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
We will share Personal Data with third parties as follows:-
We use “WorldPay” for our “on-site” card transactions with you, that is to say, when you make payment via our Marina Office at Queensway Quay.
When you pay via the WorldPay in-office card machine, a print-out receipt is provided to you, and a merchant receipt is retained by us for accounting purposes. Merchant receipts are stored securely in a locked cabinet by use and used solely for the purposes of accounting, and as such are restricted to authorised staff only. For data retention periods regarding WorldPay card transactions, please see Section 11 below.
Payment information using WorldPay is never transferred to us via our website.
Third Parties in general
When we use third party service providers, we only disclose to them any Personal Data that is necessary for them to provide their services and we have an agreement in place that requires them to keep your data secure and not to use it other than in accordance with our specific instructions. Furthermore, in the event that we share Personal Data with any third parties (including those based outside the EEA – see: further below – “International Transfers of Data”) we will ensure there are adequate safeguards in place to protect your Personal Data.
Except where required by law, we will not share your Personal Data with any other third parties.
We may transfer your Personal Data to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation.
We may also transfer your Personal Data if we are under a duty to disclose or share it in order to comply with any legal obligation, to detect or report a crime, to protect your vital interests, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our visitors and clients.
We use GoDaddy, LLC website hosting facilities. The website hosting facilities for our website is situated in Amsterdam, Holland, which means that any personal information obtained via this website will be stored and processed to the agreed standards and requirements of the EU GDPR.
Any additional Personal Data of yours is kept in our computer systems and/or manual files at our principal place of business and/or with any third parties as above-described, e.g. our email service providers (where applicable).
We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
We reserve the right to retain your Personal Data for such time as is advisable in order to safeguard or improve our position, for instance, in relation to statutes of limitation, litigation or regulatory investigations.
Please note that where your Personal Data is retained beyond where necessary (as abovementioned), it will usually be in computer on database(s) or manual files.
We will retain Personal Data in connection with employment opportunities, applications for up to 3 years in case we decided to contact you at a later date.
CCTV Retention Period
Unless required for evidential purposes, the investigation of an offence or as requied by law, CCTV images will be retained for no longer than 30 days from the date of recording. Images will be automatically overwritten after this point. Data storage is automatically managed by the CCTV digital records which overwrite historical data in chronological order to produce a 30-day rotation in data retention.
If there is a legitimate reason for retaining the CCTV images (such as for use in an accident investigation, disciplinary investigation and/or legal proceedings), the footage or still frames can be isolated and saved outside the DVR to a separate encrypted zip file. Any saved images or footage will be deleted once they are no longer needed for the purpose for which they were saved.
All retained CCTV images will be stored securely.
WorldPay – Card Transaction Details
When you pay by credit or debit card at our Marina Main Office, the only data we obtain from our “WorldPay” card machine is your card PAN number and expiry date. We do not obtain any further data from the machine. We retain a printout of the receipt of payment for accounting purposes and for a maximum period of 18 months from its issue for the purposes of any payment queries or discrepancies. After this, the printout will be destroyed.
Transferring your personal data out of Gibraltar [and EEA]
To deliver services to you, it is sometimes necessary for us to share your personal data outside Gibraltar, e.g.:-
Under data protection law, we can only transfer your personal data to a country or international organisation outside the Gibraltar[ and EEA] where:-
These are explained below.
We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:
The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.
Other countries than the above-mentioned that we may be likely to transfer personal data to, do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.
Transfers with appropriate safeguards
Where there is no adequacy decision, we may transfer your personal data to another country we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.
The safeguards will usually include using legally-approved standard data protection contract clauses.
To obtain a copy of the standard data protection contract clauses and further information about relevant safeguards, please contact our Data Protection Administrator.
Transfers under an exception
In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, e.g.:
We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers and we will provide relevant information if and when we seek to transfer your personal data on this ground.
The Data Protection Law provides data subjects with certain access rights with respect to their Personal Data. Those rights are summarized briefly below:-
It is important that you realise that the above rights are not ‘absolute rights’ and are therefore subject to certain limitations and exceptions.
You can learn more about the rights of data subjects by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights
The above hyperlink is to the Information Commissioner’s Office which is the UK’s Independent Authority for, inter alia, data protection issues. Although our organisation is based in Gibraltar, the above link provides very useful information as to our rights; you can further examine your data protection rights by visiting the website of the Gibraltar equivalent of the UK ICO Officer – the GRA – at the following website: https://www.gra.gi/data-protection/general-dpr/gibraltar-gdpr-dpa-23-guidance-on-the-rights-of-individuals
For further information please contact our Data Protection Administrator at firstname.lastname@example.org.
The exercise of your data subject access rights under the GDPR as outlined above are free of charge so you will not have to pay us anything should the situation arise. However, we reserve the right to charge you a reasonable fee if your request is clearly unfounded, repetitive or excessive.
For security reasons, we may need to request specific information from you and undertake certain measures in order to help us confirm your identity in the exercise of your rights so as to prevent any third party from wrongfully obtaining your Personal Data. We will specifically need further proof of your identity and address.
CCTV Imagery Requests & Disclosure
Recorded images, if sufficiently clear, are considered to be the personal data of the individuals whose images have been recorded by the CCTV system. Data subjects have a right to access to their personal data under the data protection legislation (as well as other rights of access as described in Section 14, above). You can seek to exercise your right of access by writing via email to the Data Protection Administrator at: email@example.com. This should be done without undue delay and at the latest within one month of receiving the request unless an extension of the period is justified.
Third Party Requests
Any request for CCTV imagery made by any third party should be made in writing to the Data Protection Administrator of QQML. We reserve the right to request from you proof of identity and other information we may deem fit to ensure your Personal Data is not improperly obtained.
In limited circumstances, it may be appropriate to disclose images to a third party where such disclosure is required by law, in relation to the prevention or detection of crime or in other circumstances where an exemption applies under local legislation.
Third party requests for access will usually only be considered, in line with the data protection legislation, in the following categories:
§ from a legal representative of the data subject (letter of authorisation signed by the data subject would be required) from law enforcement agencies including the police
§ disclosure required by law or made in connection with legal proceeding
§ HR staff responsible for disciplinary and complaints investigations; and
§ related proceedings, and Staff employed by our contractors responsible for disciplinary; and
§ complaints investigation and related proceedings concerning their own staff.
A record of any disclosure made under this policy will be held on the CCTV record management system and will details the time date, camera, authoriser of the request, the reason(s) for the disclosure of the imagery to the third party in question.
Under Data Protection Law, you have a right of complaint at any time in relation to the infringement of your rights to file a complaint with a local supervisory authority for Data Protection. In the case of Gibraltar, the supervisory authority is the Gibraltar Regulatory Authority who may be contacted at: https://www.gra.gi/ or by telephone: 00350 200 74636.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated
We have adopted appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
While we endeavour to always protect our systems, sites, operations and information against unauthorized access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.
We reserve the right to update this privacy notice at any time, and we will make an updated copy of such privacy notice available on our website.
If you have any concerns or require any further information, please do not hesitate to contact our Data Protection Administrator at: firstname.lastname@example.org