Who are you and what is the purpose of this notice?
The Digital Services Team and HM Government of Gibraltar (“HMGoG”) are committed to protecting and respecting your right to privacy. This Privacy Notice aims to provide you with information on what personal data we collect about you, what we do with that information and why we do it, who we share it with, and how we protect your privacy.
The Digital Services Team (collectively referred to as “we”, “us” or “our” in this Privacy Notice) is the data controller for the purposes of this digital portal and your interactions with us.
It is important that you read this Privacy Notice together with any future notice we may provide so that you are fully aware of how and why we are using your personal data.
Please note that our digital portal links to several departments and authorities who deliver public services to you. These departments and authorities are the data controllers of the personal data that they hold about you. They process that personal data under their own lawful basis depending on the relationship that they have with you and the services that they are providing to you. If you want more information about how a specific department or authority processes your personal data you should see that department or authority’s privacy notice (this is typically found on their website).
What information do you collect about me?
In order to register your account, we will collect personal data about you. This information will include: first name, surname, contact mobile number and email address.
In order to verify your identity we will require the following personal data: your date of birth, your ID card or passport number (along with the expiry date and country of issue for that identity document), and your nationality.
This information is necessary as we must be able to verify your identity before allowing you access to HMGoG digital services online. As integrated services launch on the digital portal, a verified identity will enable you to link your online record to those public sector organisations offering digital services. This will allow access to E-Gov integrated services, after a verification process, with those departments. This process is required to prevent fraud and false access to services. We will also request proof of identification documents, such as ID Card or Passport, so that we can confirm your identity during the verification process. These documents will be uploaded by you onto our secure digital portal.
Some information also gets collected automatically by our digital portal when you use it. This includes:
- the type of mobile device you are using.
- your IP address.
- your session history information and other related information about how you use our digital portal.
You can find further information about our data collection by accessing https://www.gibraltarbuscompany.gi/cookies-policy .This information allows our digital portal to remember who you are and provide you with whatever content you have asked for. For example, your IP address and information about the device you are using will confirm your location, so that we can find out whether you are accessing the services from inside or outside Gibraltar (making your experience more relevant to where you live).
When you report a problem with our digital portal or services, we will collect contact information along with a description of your problem. This is done so that we can better assist you in providing a solution.
It is important that the personal data that we hold about you is accurate and up-to-date. You can check your current personal data here. Having accurate personal data ensures that we can continue to provide services to you and that we minimise the potential for any risk to your personal data (such as sending information to a previous address or contacting you on a number that no longer belongs to you).
How do you use my information?
We may use your personal data to:
- register you as a digital portal user, including to manage your account and set up your personal details and available services;
- facilitate your relationship and interaction with departments and authorities across the public sector;
- verify your identity and prevent user fraud;
- help resolve a service request, incident or problem you may report about our digital portal;
- monitor and improve the services that we provide to you;
- monitor and identify web traffic, and facilitate technological development and improve our digital services;
- we may also share your data if we are required to do so by law (for example complying with a court order) or to assist law enforcement bodies in the prevention, investigation, detection or prosecution of criminal offences.
What gives you the right to use my information?
Whenever we process your personal data we ensure that we:
- process it lawfully, fairly and in a transparent manner.
- collect it only for valid purposes that we have clearly explained to you and not use it in any way that is incompatible with those purposes.
- hold accurate records and where possible keep your personal data up to date.
- keep it only as long as necessary for the purposes we have told you about.
- keep it safe and secure, to limit the potential of a personal data breach.
We will only use your personal data for the purpose for which we collected it, specifically for delivery of our digital services. Our lawful basis for processing your personal data is Article 6(1)(e) of the Gibraltar GDPR, which allows for processing that is necessary for the performance of a task carried out in the public interest. Additionally, we also rely on section 10(d) of the Data Protection Act 2004 processing that is necessary for the exercise of a function of a Minister or a government department.
We are focussed on improving the method by which the public sector can deliver its services to you; with our aim being to modernise our practices and improve your accessibility and your experience when you interact with the public sector.
Do we transfer your Personal Data internationally?
We would only transfer your Personal Data outside Gibraltar if:
- specifically directed by you;
- necessary to comply with a legal obligation or criminal investigation,
and we will use reasonable endeavours to procure that the recipient country or organisation offers the same levels of protection to your Personal Data as the Gibraltar GDPR and the Data Protection Act 2004.
How do you keep my information safe and secure?
Under the Data Protection Act 2004 and the Gibraltar GDPR, strict principles govern our use of personal data and our duty to ensure it is kept safe and secure.
Please rest assured that we have put in place appropriate security measures (such as password protection and access restrictions) to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We also use encryption for the collection or transfer of sensitive personal data, such as your credit card details when making a payment.
All our records are restricted so that only those individuals who have a need to know can access the information. This might be through the use of technology or other environmental safeguards.
All our employees are subject to the common law duty of confidentiality. This means that any personal data about you will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
We remind you that you should never disclose your password or login credentials to anyone. This is specific to you and should remain private to ensure that your personal data are protected.
If you believe that someone has logged in with your credentials you should notify us by contacting our support team.
Who do you share my information with?
We do not normally share or disclose your personal data with any third parties. However, we may share when necessary to assist in the prevention, investigation, detection or prosecution of criminal offences, and in order to prevent fraud or assist in the recovery of public debt.
Our digital portal is a verification tool that places you in direct contact with public sector organisations that are providing digital services. There will be many occasions during which a public sector body will need to confirm your identity and entitlement to public services before providing you with digital services via our digital portal. When this is necessary our digital portal will confirm your verified profile and guarantee that you are entitled to digital services.
In order to ensure protection of your personal details we also have appropriate access restrictions and audit trails in place so that no one has unauthorised access to your personal data.
How long do you keep my information?
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
Service requests, incidents or problems you may report about your use of our digital portal and any concerns or complaints you may raise with us will be kept for as long as necessary to deal with your query, and for a year after the date that we close your ticket.
Please note that retention periods may be extended if we reasonably believe that there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Should you ever want to deactivate your account please contact our support team. If you deactivate your account this will mean that, you can no longer access our digital portal and our digital services, unless you request to reactivate your account with us. Please contact our support team should you need to reactivate your account. At this stage, you will need to re-verify your identity by providing your personal data again.
De-activating your account will delete your user profile information.
However, please note that deactivating your account does not delete the personal data held by public sector organisations, as they will be processing that personal data for their own purposes depending on their relationship with you and the services that they provide to you.
What privacy rights do I have?
Under data protection law, you have certain rights in relation to the personal data that we hold about you. You may exercise these rights at any time by contacting us using the details at the end of this Privacy Notice.
It may not be possible to agree to your request, if the need to keep the record is of significant importance. If this is the case, we will explain the reason for this to you.
You have the right:
- to ask us to confirm whether we hold any of your personal data and request a copy of any personal data that we hold about you. The process of asking for access to your personal data is known as a Data Subject Access Request (“DSAR”);
- to correct any inaccuracies in your personal data and to modify it in such a way if you believe the personal data we hold is incomplete. You can do this yourself by clicking here
- to delete (in as much as is possible in the specific circumstances) any of your personal data;
- ask us to stop processing your personal data. However, there are exceptions; for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks that are in the public interest for the purposes of establishing, exercise or defending legal claims;
- where we process your personal data on the basis that you have given us your consent to do so, withdraw your consent at any time.
How can I contact you with any questions or concerns?
We aim to meet the highest standards when collecting and using personal data. We encourage people to bring questions and concerns to our attention and we take any complaints we receive seriously.
If you have any questions about this Privacy Notice or any of our privacy practices, or if you want to exercise any of your privacy rights, please contact our support team by using the chat/support function on https://gibraltarbuscompany.gi or visit the Digital Services hub located at 323 Main Street.
Alternatively, you can contact our Data Protection Officer on-
Postal address: 7.3.03 Europort, Gibraltar, GX11 1AA
If you are not satisfied with our response, you may wish to raise your concerns or make a complaint to the Gibraltar Regulatory Authority:
Postal address: 2nd floor, Eurotowers 4, 1 Europort Road, Gibraltar
Telephone: +350 20074636