GRA Privacy Notice

This Privacy Notice discloses the privacy practices, in accordance with the Data Protection Act 2004, for www.gra.gi. This notice applies solely to information collected by the Gibraltar Regulatory Authority (the “GRA”).

This Privacy Notice was last updated on 16^th May 2024. This Privacy Notice is a live document and will be kept under regular review and updated, as required.

1. Who is Responsible for Managing my Personal Data?

The website www.gra.gi and all forms which allow for the collection of personal data, submitted via the website or any other means are owned and maintained by:

Gibraltar Regulatory Authority

2nd floor

Eurotowers 4

1 Europort Road

Gibraltar GX11 1AA

This Privacy Notice explains how we collect, use, share and protect your personal data.

The GRA is responsible for the collection and proper management of any personal information you submit. We will keep your personal details secure and use the information you provide consistently with applicable privacy and data protection laws and the terms of this Privacy Notice.

2. What Personal Data do we collect?

We will collect details that you provide in relation to the following:

• Complaints or enquiries in relation to entities issued with a general authorisation under the Communications Act 2006;
• Complaints or enquiries in relation to data controllers in relation to their obligations under the Data Protection Act 2004, or any other privacy related legislation applicable in Gibraltar;
• Complaints or enquiries in relation to entities issued with a licence under the Broadcasting Act;
• Complaints or enquiries in relation to entities issued with a licence or general authorisation under the Postal Services Act;
• The issuing of licences under Part VI of the Communications Act 2006, such as radio amateur licences, private mobile radio licences and citizens band radio licences;
• Our subscriptions feature, which is used to update subscribers with news, updates or any other relevant information consistent with subscribers’ requirements;
• The Register of Data Controllers;
• The Opt-out Register for Telephone and Fax;
• Recruitment purposes;
• Personal data in relation to events we hold; and
• To carry out public consultations.

Information held is likely to include your name, contact details and any additional information we may need to help meet your specific requirements. Our website also uses "cookies". For further information about cookies and how we use them, please see our Cookie Policy below.

It is our policy to not collect personal information from any minors.

2.1. Personal Data Collected for Recruitment Purposes      

For the purposes of recruiting, we will collect a variety of information, depending on the role in question. This is usually all of the following, or a selection from this list:

• Applicant’s CV;
• Cover letter or email;
• References;
• Copies of qualifications;
• Submissions in relation to assigned assessments (we use this information in order to assess and short-list applicants).

Following the recruitment process, and in the case of unsuccessful applicants, we will delete all the data pertaining to them 2 weeks after we have notified them that they have been unsuccessful. This is in case they ask us for feedback on why they have been unsuccessful. We may then have to refer back to their information.

In the case of successful applicants, we carry on collecting information required for completion of the Notification of Terms of Engagement (for the Department of Employment) and for preparation of their employment contract.  This will include ID or passport number, contact details, address, details about previous employment, and any such information as required by the Department of Employment for the purposes of registering the applicant as an employee with the GRA. 

This information is kept in the future employee’s personal file for the duration of their employment with the GRA.

2.2. Personal Data Collected for Events

For the purposes of this Privacy Notice, “event” includes any conference, webinar, forum, panel discussions, trainings, seminar or workshop, whether taking place virtually or in-person. This section of the Privacy Notice provides information about personal data processing in relation to your attendance in these events.

By registering for an event, you agree to the GRA’s processing of the personal data you submit as part of registration and/or development of such an event, for the following purposes:

• To communicate with you regarding the event for which you registered for and/or are actively (or otherwise) participating in;
• For our internal reporting purposes;
• As reasonably necessary for the management and organisation of the event for which you registered for and/or are actively (or otherwise) participating in; and
• For any other purpose to which you consent in connection with the event.

For the above purposes, the GRA will collect your first name and last name, organisation, job title, email address and any other information requested as part of the registration process. If you attend a virtual event, your email address may be used to provide you with a personalised and secure login to an event.

By registering for an event, you agree that the GRA may disclose the personal data you submit to form part of the event to:

• Co-organisers of the event as reasonably necessary for the management and organisation of the event;
• Third-party service providers assisting the GRA with the event, subject to contractually agreed conditions of confidentiality and security; or
• Other third parties for which you consent to disclosure in connection with the event.

If the GRA provide food at an event or subcontract a third-party (or venue provider), for the provision of food, we may ask you about possible food allergies or special dietary requirements. This data is used solely for the purposes of catering during the event and the provision of this data is optional. If the data collected on food allergies or special dietary requirements is considered to be medical data, the consent you give will constitute the necessary legal basis for the processing of this data.

2.2.3 Personal Data Collected for the Purposes of Carrying out Public Consultations

The GRA carries out public consultations in order to obtain the views of relevant stakeholders and the public in general on a number of topics.  This section informs you how we collect and process your personal data in accordance with data protection legislation when you respond to one of our public consultations.  Dependent on the type of consultation being carried out, you may be able to respond:

• by post
• by email
• online

The way in which your data is handled varies depending on how you submit your response, but all information submitted to us will be treated in accordance with data protection principles.

We collect your personal data as part of the consultation process:

• to identify any responses from bots or other fraudulent sources
• to contact you regarding your response or related matters
• to produce anonymous statistical data, for example about the types of individuals and groups participating

We collect and process the following personal data:

• your name
• your email or postal address
• other relevant contact details
• depending on the topic of the consultation, other personal data such as your position within an organisation
• any personal data you volunteer by way of evidence or example in your response to the consultation

If you respond online we may also collect:

• your Internet Protocol (IP) address, and details of which version of web browser you used
• information on how you used the site, provided by cookies

3. How we use your Personal Data

The information you provide is used in a number of ways, for example:

• To carry out investigations in relation to your complaint or enquiry;
• To keep our register of radio licences issued under Part VI of the Communications Act 2006 current and updated;
• To keep you updated with any information we feel corresponds to your subscription requests;
• To maintain your entry in the Register of Data Controllers; and
• To maintain your entry in the Opt-out Register for Telephone and Fax

4. What is the legal basis for processing your Personal Data?

We will always process your personal information on lawful grounds and in particular on the basis that we will always seek to obtain explicit consent from you before we begin to process any personal data.

We will ask your consent to use your name, email address, phone number(s) and postal address to contact you about your complaint, enquiry, subscription, licence or register entry.

You can withdraw your consent at any time, however, please be aware that there are certain legal provisions which require us to process your personal data in order to provide you with specific services, such as the renewal of a radio licence.

5. Who do we share Personal Data with?

Our policy is not to share any personal information with any third party. However, in some circumstances, we will disclose the complainant’s identity to whomever the complaint is against, in order to be able to properly resolve the matter. We will try to facilitate a complainant who wishes to remain anonymous, but if a complaint proceeds it is generally inevitable that the identities of both parties are revealed. This is to ensure fairness in the legal process.

6. How long will we hold your information for?

Your information is only stored whilst it is required for the relevant purposes, or to meet legal requirements.

In the case of investigations carried out as a result of a complaint, we will hold your personal data for the course of the investigation and then, if we have issued any decisions, recommendations, directions, or any other action which is appealable, we will hold the data for the period provided for by statute for such appeals, including judicial review, to take place.  

Where your information is no longer required, we will ensure it is disposed of or deleted in a secure manner.  In certain circumstances we will anonymise the data to the extent that we will continue to process data in a format which makes identifying you impossible.  In these instances, every effort is made to ensure proper and correct processes are in place to carry this out effectively. 

7. Your rights

You have the right to ask us:

• to confirm whether we hold any of your personal data;
• to provide you with a copy of any personal data that we hold about you;
• to correct any inaccuracies in your personal data and to modify it in such a way if you believe the personal data we hold is incomplete;
• to delete (in as much as is possible in the specific circumstances) any of your personal data, where we are required to do so by law;
• to stop processing your personal data, where required to do so by law;
• to let you have a portable copy of the personal data we hold about you, where required to do so by law;
• to stop processing any of your personal data that is processed by us on the basis of our legitimate interests; and
• where we process your personal data on the basis that you have given us your consent to do so, you may contact us at any time to withdraw your consent.

If you wish to exercise any of these rights, or object to our processing your personal data, please email us on dpo@gra.gi or write to us at the address provided for below.

8. How do we update this Privacy Notice?

This Privacy Notice is always under regular review and we will update it accordingly on our website.

9. Who can I contact in reference to this Privacy Notice?

The GRA’s Data Protection Officer is Maurice Hook.  You can also contact him directly if you have any questions about our Privacy Notice or information we hold about you.

Please send an email to dpo@gra.gi or contact:

Maurice Hook

Data Protection Officer

Gibraltar Regulatory Authority

2nd floor

Eurotowers 4

1 Europort Road

Gibraltar GX11 1AA

Tel: (+350) 200 74636