GDPR & Privacy Notice

Purpose of privacy notice

The Royal Gibraltar Post Office is committed to protecting and respecting your right to privacy. This privacy notice aims to provide you with information on what data we collect about you, what we do with that information and why we do it, who we share it with, and how we protect your privacy.

This notice covers all personal data collected by the Royal Gibraltar Post Office and where we tell other organisations to collect information for us. This is the same whether the data are collected by letter, email, face to face, telephone or online.

The Royal Gibraltar Post Office holds and processes personal data in accordance with the European Union’s General Data Protection Regulation (“GDPR”) and the Data Protection Act 2004.

It is important that you read this privacy notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.

We may change this privacy notice from time to time, so please check this page occasionally to ensure that you are happy with any changes.

Personal Data

Personal data are information that identifies a living person. That can be obvious information like a name or an address, but it may also be something like an IP address.

This includes information you tell us about yourself, information we are provided by other people or organisations, or what we learn when you use services we provide.

Some information are considered more sensitive or special:
  • sexuality and sexual health;
  • religious or philosophical beliefs;
  • ethnicity;
  • physical or mental health;
  • trade union membership;
  • political opinion;
  • genetic/biometric data;
  • criminal history,
The Royal Gibraltar Post Office takes extra care when collecting and using these types of special information.

Who we are

The Royal Gibraltar Post Office is the data controller and is responsible for your personal data (collectively referred to as the Royal Gibraltar Post Office, “we”, “us” or “our” in this privacy notice).

If you have any questions about this privacy notice or any of our privacy practices, please contact us on the below details:

Royal Gibraltar Post Office
104 Main Street
Gibraltar
GX11 1AA
+350 200 75714
info@post.gi

Alternatively, you can contact our Data Protection Officer on:

Email address: dpo@gibraltar.gov.gi
Postal address: Government Law Offices, No.40 Town Range, Gibraltar, GX11 1AA

What personal data do we collect?

Personal data means any information about you from which you can be identified. It does not include data where the identity has been removed (anonymisation).

We may collect, use, store and transfer different kinds of personal data about you as follows:
  • Identity Data – this includes [first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender].
  • Contact Data – this includes [residential address, email address and telephone numbers].
  • Financial Data – this includes [bank account and payment card details].
  • Transaction Data – this includes [details about payments to and from you and other details of products and services you have purchased from us].
  • Technical Data – this includes [internet protocol (IP) address, your login data].

How we collect your personal data

We use different methods to collect data from and about you including through:
  • Direct interactions. You may give us your [Identity, Contact and Financial Data] by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
    – raise a complaint with us;
    – apply for our products or services;
    – give us feedback or contact us.
  • Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.

How we use your personal data

We process personal data for a number of different purposes. We will only process your personal data where there is a legal basis for doing so under data protection laws and the table below identifies these (more than one lawful basis may apply in some situations). In summary, the relevant legal bases are:
  • (a) Consent: you give consent for us to process your data for a specific purpose.
  • (b) Contract: the processing is necessary for a contract or agreement with you.
  • (c) Legal Obligation: the processing is necessary to comply with the law.
  • (d) Legitimate Interests: the processing is necessary for legitimate interests pursued by Royal Gibraltar Post or another organisation.
  • The purposes for which we process personal data and the legal bases for doing so in each case are:

Purpose Lawful bases for processing
Providing services to you where there is a contract or agreement in place with you. Contract – we need to process your data to provide these services to you in accordance with that contract or agreement.
Providing postal services to you when you have paid us to do so but we don’t have a contract or agreement in place with you, such as in some circumstances when you send a letter or parcel using our services. Legitimate Interests – we need to process your data to provide these postal services for which you have paid.
Providing postal services to a third party, such as when someone sends you a letter or parcel and we use your data to deliver it or provide delivery updates. Legitimate Interests – we need to process your data to provide these postal services, including delivering the letter or parcel to you and providing additional services, such as delivery updates.
Providing postal services via a third party, where you have agreed to accept delivery of an item on behalf of another person (such as a neighbour) and you have provided your details to enable us to record the delivery, including where we inform the sender and the intended recipient of Royal Gibraltar Post services that you have taken delivery of the item. Legitimate Interests and consent – we need to process your data to provide the sender and recipient with your details in order to complete the delivery and to allow the delivery to be properly tracked within the postal service. In some circumstances, we will obtain your consent to do this, otherwise we have a legitimate interest to do so.
As part of Royal Gibraltar Post track and trace services, where we provide a service which informs both the sender and recipient of Royal Gibraltar Post services about the delivery status and timing of that service. Legitimate Interests – we need to monitor the delivery status of Royal Gibraltar Post Services to improve our service and provide better information to our customers.
Customer services – dealing with enquiries, complaints or claims relating to our services. Legitimate Interests – we may need to process your data so we can handle and resolve any enquiry, complaint or claim raised by you or another person.
Providing data services to other organisations, namely our business customers, to help them run their businesses better, and to the Gibraltar Government. For example, we provide services for the purposes of maintaining and updating accurate address data, for identity verification or fraud prevention purposes, and for helping businesses to target their marketing. Legitimate Interests – our business customers and the Gibraltar Government have a legitimate interest to process data in these ways, and we have a legitimate interest to process personal data to support them to do so. In each case, we need to process your personal data to pursue those interests.
Market research and analysis, and the development of new services. For example, we may develop new postal services or new data services for business customers (for the purposes of maintaining accurate address data, for identity verification or fraud prevention purposes, and for helping businesses to target their marketing). Legitimate Interests – we sometimes need to process personal data to develop new services we can offer you and others.
Security, preventing fraud and money laundering, and taking action against fraudsters or people who commit an offence. Legitimate Interests – we sometimes need to process personal data to protect rights, property and personal safety
Customs and tax clearance, and security screening when sending or receiving post to or from overseas. Legal Obligation – we need to process personal data to comply with revenue and customs regulations.
Prevention and detection of crime – including the use of CCTV to protect our customers, employees and property. Legitimate Interests – we sometimes need to process personal data to protect the rights, property and the personal safety of our staff and customers.
Complying with the law, including regulatory requirements. Legal Obligation – to comply with our legal obligations, including regulatory conditions relevant to postal operators, and health and safety legislation, we sometimes have to process personal data.

Security, sharing and disclosure of personal data

The security and confidentiality of your data is very important to us.

We will:
  • Ensure safeguards are in place to make sure personal data is kept secure in compliance with Government’s Information Security Policy;
  • Ensure that your data remains under the control of our authorised controllers and processors with adequate safeguards to protect your rights;
  • Ensure only authorised staff are able to view your data;
  • Not make your information available for commercial use;
  • Only ask you for what is needed.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

All of our staff are trained in the importance of protecting personal and other sensitive information. All civil servants are required to work in line with the core values set out in the General Orders, including; integrity and honesty.

Transferring your personal data internationally

Where letters or parcels are sent overseas, personal data may need to be shared between postal authorities in different countries. Personal data that we collect from you may be transferred to, or stored or processed at a destination within or outside the EEA by ourselves or one of our suppliers in accordance with applicable laws on data protection. Such processing may include, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services.

Should we ever transfer your personal data out of the EEA, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Retention of personal data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe, there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law, we have to keep basic information about our service users (including contact, identity, financial and transaction data) for 40 years after life cycle as per Accounting Instructions.

In some circumstances, you can ask us to delete your data: see [Your Rights] below for further information.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you).

Your rights

You have the right to ask us:
  • to confirm whether we hold any of your personal data;
  • to provide you with a copy of any personal data that we hold about you;
  • to correct any inaccuracies in your personal data and to modify it in such a way if you believe the personal data we hold is incomplete;
  • to delete (in as much as is possible in the specific circumstances) any of your personal data, where we are required to do so by law;
  • to stop processing your personal data, where required to do so by law;
  • to let you have a portable copy of the personal data we hold about you, where required to do so by law;
  • to stop processing any of your personal data that is processed by us on the basis of our legitimate interests; and
  • where we process your personal data on the basis that you have given us your consent to do so, you may contact us at any time to withdraw your consent.

If you wish to exercise any of these rights, or object to our processing your personal data, please email us on info@post.gi or write to us at;

If you wish to exercise any of these rights, or object to our processing your personal data, please email us on info@post.gi or write to us at;

Royal Gibraltar Post Office
104 Main Street
Gibraltar
GX11 1AA

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Gibraltar Regulatory Authority details found on their website at www.gra.gi or by emailing them on info@gra.gi