Terms & Conditions
Last updated: 11 August 2021.
Protection of your privacy and the security of your personal data are very important to ISOLAS LLP.
By using our website, providing personal information and/or using any of our services, you agree that:
- if you have provided personal information to us relating to any other person, you:
- (i) have a right to provide that information
- (iii) each such person has agreed to those terms.
If we determine the purposes and means of processing of your personal data, then we are a “controller”, and anyone who acts on our instructions in respect of such processing is a “processor”. There may be times where we act as controller and processor.
We offer services in or from within Gibraltar, which is no longer part of the European Union (“EU”). Accordingly, Gibraltar has its own data protection laws that apply certain EU laws, with such modifications as are necessary. This is referred to as the “Data Protection Legislation”, which includes:
- The Data Protection Act 2004 (as amended)(“DPA 2004”), and regulations made under that Act; and
- The “Gibraltar GDPR”, which is essentially the EU’s General Data Protection Regulation or (Regulation (EU) 2016/679, or the “EU GDPR”) as it forms part of Gibraltar law. This basically means it is read slightly differently to the EU GDPR but still offers privacy protections and guarantees in a similar manner. For more information visit:
If you live or work outside Gibraltar, other laws (including the EU GDPR) may be applicable to your individual circumstances.
WHAT INFORMATION DO WE COLLECT AND USE (PROCESS) ABOUT YOU?
What are we collecting?
However, if you wish to use certain services offered on our website, obtain certain information made available by us, or request us to provide you with legal services through our Contact page or by contacting Our People directly, then you may be asked for information such as name, email address, telephone number and residential address. Other parts of our website may also have access to legal resources and marketing material and we may ask for basic contact information for the purpose of marketing to you, provided you opt-in to such communications (see below).
If you enter into a business relationship with us, either as a client or as one of our business partners, vendors or suppliers, then the kinds of personal information that we collect and hold about you may include:
- identifying information / basic identifiers, such as your name, occupation, age, and any photographs found in your identity verification documentation;
- contact information, such as your email address, mailing address or phone number;
- records of our communications with you;
- in certain cases (e.g. family law or private client matters), basic information about your family, partners and dependants and your social circumstances, including your employment; and/or
- information we may have obtained from other sources (such as risk intelligence service providers) or directly from you in order to identify who we are doing business with as part of the ‘know your customer’ or ‘customer due diligence’ obligations contained in relevant legislation. This includes personal data in official documents such as passports or national identity cards, payslips and proofs of address.
In these cases, the provision of your personal data will be a contractual requirement or a requirement relating to entering into a contract, and you will be obliged to provide the personal data we require in order to comply with our legal obligations and provide the services to you under that contract. Without this information, we may not be able to provide you with our services or to respond to queries or requests that you submit to us. You may, however, visit our website anonymously.
Additionally, we may also process certain special categories of data. This data would only be collected and processed with either your explicit consent or where we are lawfully permitted to do so without your consent (e.g. personal data which is manifestly made public by you). Such processing would be for limited purposes such as fraud prevention, prevention of money laundering, financial crime and terrorist financing, or in order to represent you in civil or criminal proceedings. Such data may include matters such as:
- racial or ethnic origin;
- political opinions
- religious or philosophical beliefs;
- trade union membership;
- genetic data
- biometric data for the purpose of uniquely identifying you
- health or medical conditions (physical or psychological);
- sex life or sexual orientation
- criminal convictions (including the alleged commission of offences, proceedings in relation to such offences or alleged commission of offences or the disposal of such proceedings, including sentencing).
How do we collect the information?
We collect your personal data in the following manner:
- Information you provide to us directly when contacting us or meeting us at our offices;
- Information we receive from third parties, such as third party service providers, government agencies/departments and other firms, financial services institutions or regulatory authorities;
- Information acquired by us during the course of our relationship and dealings with you;
- Information collected through the use by you of our website, platforms and applications;
- Information collected via CCTV footage for the purposes of keeping our premises secure;
- Information gathered from publicly available sources.
WHY DO WE COLLECT THIS INFORMATION?
Lawful bases for processing
We always ensure we respect your privacy rights. This means we can only collect your personal data if we have a lawful basis for doing so. If the data is particularly sensitive we may need additional justification. In most cases, we may rely on the following grounds:
- Compliance with a legal obligation to which we are subject: there may be a legal obligation for us to process your personal data (e.g. so we can properly identify you and comply with relevant anti-money laundering legislation)
- For our legitimate interests or those of a third party: we may want to fulfil a compelling legitimate interest we may have in a manner that does not outweigh your rights and freedoms. There may be cases where your interests and fundamental rights could override our legitimate interests (or those of a third party). This may happen in cases where personal data are processed in circumstances where you do not reasonably expect further processing. We will always need to (i) identify a legitimate interest (ii) show that processing is necessary to achieve it; and (iii) balance it against your interests, rights and freedoms. Some non-exhaustive examples of situations where we may seek to pursue legitimate interests are:
- (i) establishing, exercising, or defending legal claims;
- (ii) ensuring security of our IT infrastructure and systems;
- (iii) monitoring the use and effectiveness of our website;
- (iv) for marketing purposes (see section on ‘Direct Marketing’ below);
- (v) to prevent fraud, keep our staff and premises secure and disclosing criminal acts (e.g. CCTV use); or
- (vi) employee monitoring (to which our Employee Privacy Notice(s)/Policy(ies) will apply).
- Consent: you may have expressly asked us to do something or have otherwise given your clear consent to us that you are happy for us to process your data (e.g. to access certain marketing resources, newsletters or other content; or simply responding to a question you may have asked us or other feedback you may have given us).
- Vital interests: The law allows us to process personal data where it is necessary to protect your vital interests or those of another person (e.g. matters of life and death). We rarely rely on this lawful basis, but it may apply in certain limited circumstances such as when we ask for allergy information or there is an incident at our premises
- Task carried out in the public interest or to exercise official authority: Given it is more relevant to public authorities, we will not normally rely on this lawful basis, and will inform you if we need to.
In most cases, we collect personal data that you choose to provide to us so that we can provide you with a service you have requested from us such as provision of legal advice for example. The relevant information is then used by us to communicate with you on any matter relating to the conduct of your instructions in general. Specifically, if you are a client, this would be providing the services set out in our engagement letter and in accordance with applicable terms of business (as may be amended) and as necessary for the performance of our contract with you. If you choose not to provide certain information, we may not be able to provide you with some services.
We also process information relating to our employees, and prospective applicants, for general employment and recruitment purposes. These purposes will be disclosed in more detail at the time we collect personal data from such persons.
WHAT DO WE DO WITH THIS INFORMATION?
How we use your information
Your information may be used:
- to verify your identity when you are dealing with us, so we may satisfy our obligations with respect to crime prevention and detection (including tax evasion), anti-money laundering and due diligence, as well as any other relevant legal or regulatory obligations we may be subject to;
- to provide you with the information and services that you have requested from us or otherwise process transactions on your behalf such as settling invoices payable by you to us or to third parties;
- as permitted by law or regulation, and as required by law or regulation, or as requested by government or regulatory authorities, for the protection of persons or property or to establish or exercise our legal rights or defend against legal claims, including to comply with anti-money laundering obligations;
- in connection with an acquisition, merger, restructuring, sale or other transaction involving all or any portion of our business or assets;
- to ensure that content from our website is presented in the most effective manner for you and for your device(s); and/or
- to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes, or otherwise as part of our efforts to keep our website safe and secure.
Your information may also be used to provide you with information about us and our range of services, otherwise known as ‘Direct Marketing’. To this end, we may use your information:
- to allow you to participate in interactive features of our services, when you choose to do so;
- to inform you about and manage your involvement with our services and events, including educational or corporate hospitality events
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you, including making suggestions and recommendations to you and other users of our website about goods or services that may interest you or them; and/or
- to provide you, with news bulletins, newsletters, brochures, or general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about, or otherwise feel may be of interest to you (unless you have opted-out of receiving such information).
In circumstances where you are an existing client or we otherwise have an existing relationship with you we will rely on our legitimate interests as the lawful ground for processing your personal data for direct marketing purposes. To this end, it may be necessary to process your personal data so we can directly market in our legitimate interest. In addition, we consider it reasonable for you to expect you may receive marketing material from us in the same methods we normally communicate with you (e.g. via email) and that there is no disproportionate impact to your individual privacy rights in this case.
In circumstances where you are not a client or we do not otherwise have an existing relationship with you, marketing our materials, events and services (or those of others) to you shall be subject to your consent which shall be requested at the latest on our first communication to you, where you will be given the option to elect to receive such information (known as ‘opting-in’) by checking the appropriate boxes on the forms we use to collect your data or in links provided within our email communications.
On each and every marketing communication, we will always provide the option for you to exercise your right to object to the processing of your personal data for marketing purposes (known as ‘opting-out’) by clicking on the ‘unsubscribe’ button on our marketing emails or choosing a similar opt-out option on any forms we use to collect your data. You may also opt-out at any time by contacting us on the below details.
If you wish to be removed, we will retain your details in our marketing database(s) specifically for the purposes of suppressing your details from inclusion in all future marketing campaigns. These database(s) are restricted for access only by members of our marketing team. Your unsubscription request will only affect these database(s) and will not change any existing information on our other databases that you have provided to us or we have otherwise obtained for the purposes of providing our legal services to you or for any other lawful purposes.
WHOM MIGHT WE SHARE YOUR INFORMATION WITH?
In addition, we may be required by law or by a court to disclose certain information about you or any engagement we may have with you to relevant regulatory, law enforcement and/or other competent authorities, unless such information is protected by legal professional privilege. We may also need to share your information in order to enforce or apply our legal rights under any agreed terms of business.
Finally, if our business enters into a joint venture, sale, reorganisation, transfer or asset disposal, or is merged with another business entity, your information may be disclosed to our new business partners.
In connection with the provision of our services, personal data may also be transferred outside of Gibraltar. This may include countries or territories outside of the United Kingdom or the European Economic Area (“EEA”) where necessary (e.g. in the context of international legal proceedings or cross-jurisdictional legal services, or because we use service providers outside the EEA). The EEA includes countries in European Union as well as Iceland, Lichtenstein and Norway. Under the Data Protection Legislation, personal data can flow fairly freely from Gibraltar to the United Kingdom or to the EEA (note that the same may not be true for inward transfers to Gibraltar from the EEA, as it is no longer part of the EU). However, certain restrictions exist where personal data is being transferred to a ‘third country’ outside the EEA or the United Kingdom and these are referred to as “restricted transfers”.
Generally, we will only perform restricted transfers where the transfer will be adequately protected by measures such as the following:
- where the transfer is to a territory that has been deemed ‘adequate’ under the Data Protection Legislation, through applicable adequacy regulations;
- where ‘appropriate safeguards’ are provided such as:
- (i) binding corporate rules;
- (ii) standard data protection clauses specified in regulations made under the Data Protection Legislation;
- (iii) approved codes of conduct; or
- (iv) approved certification mechanisms,
In the absence of adequacy regulations or appropriate safeguards, we may also rely on derogations for specific situations as set forth in Article 49 of the Gibraltar GDPR. In particular, we may collect and transfer your personal data outside the EEA:
- with your explicit consent;
- to perform a contract we may have with you (or for taking pre-contractual steps);
- to perform a contract we may have with a third party which has been concluded in your interest (e.g. instructing foreign counsel)
- for important reasons of public interest;
- for the establishment, exercise or defence of legal claims; or
- to protect your vital interests or those of a third party (where you are physically or legally incapable of giving consent).
Finally, we may also perform restricted transfers in ‘one-off’ cases where a transfer is not repetitive, concerns a limited number of data subjects, and is necessary for the purposes of compelling legitimate interests pursued by us, which are not overridden by your interests or rights and freedoms, and only after we have assessed all relevant circumstances.
We do not sell your information
HOW LONG DO WE KEEP YOUR INFORMATION FOR?
Our retention policies
Retention periods are determined based on the type and nature of the information and the legal or regulatory requirements that apply. We shall retain a record of our engagement with all our clients, as well as all files and documentation relating to clients and/or the particular matter that forms the basis of the contractual relationship for a minimum period of 6 (six) years from the end of the business relationship described in the relevant engagement documentation, unless:
- we are required by law to retain such records for a longer period;
- continued retention is necessary for the establishment, exercise or defence of legal claims; or
- in order to protect your vital interests or the vital interests of another natural person.
We will attempt to minimise personal data to what is necessary to identify the client and the services provided by ISOLAS LLP, and after the applicable retention period has expired shall destroy all personal data and other records. At our discretion, we may retain personal information for less than or longer than the said period of 6 (six) years if we consider it necessary or desirable to do so to meet our legal or regulatory obligations, or at your specific request (for example, if you ask us to retain certain documents such as final orders, marriage and birth certificates, policy documents and counterpart documents relating to evidencing title to land).
For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us on the details provided below.
HOW DO WE SECURE YOUR INFORMATION?
How we secure your information
We are committed to taking appropriate measures designed to keep your personal data secure. Our technical, administrative and physical procedures are designed to protect personal data and non-personal data from loss, theft, misuse and accidental, unlawful or unauthorised access, disclosure, alteration, use and destruction. We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once it is received. We implement security measures across the firm to ensure our clients’ data is protected within secured and encrypted servers we control, which are located in Gibraltar. We may also keep hard copy records of this personal information in physical storage facilities with access restricted solely to our personnel. We also take steps to monitor access to and modification of your information by our contractors, advisers, consultants and staff members, and ensure that they are aware of and properly trained in their obligations for managing your privacy.
We update and test our security technology on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities. If you have any further questions about the security of your personal information, you can contact us on the details below.
Risks of using the Internet
We use reasonable physical, electronic, and procedural safeguards to protect the personal information that we obtain from you from loss, misuse, and unauthorised access, disclosure, alteration, and destruction. Please note that we are not responsible for the security of any data you are transmitting over the Internet, or any data you are storing, posting, or providing directly to a third party’s website, which is governed by that party’s policies. Please note that no method of transmission over the Internet or method of electronic storage is 100% secure and we cannot ensure or warrant the security of any information you transmit to us. Transfer of your data via these means is therefore at your own risk.
The accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data is known as a “data breach”. The Gibraltar GDPR imposes requirements on businesses to identify, assess and report breaches in a timely manner (within 72 hours). We undertake to inform you if your personal data is compromised and there is a high risk to your rights and freedoms as a result.
WHAT RIGHTS DO YOU HAVE?
Gibraltar GDPR and EU GDPR rights
As noted above, Gibraltar has its own data protection laws that apply certain EU laws, with such modifications as are necessary. Depending on your particular circumstances, you may also have additional rights if you live or work outside of Gibraltar. For example, the EU GDPR may apply to you if you are based in the EEA.
Under the Data Protection Legislation in Gibraltar, if you are a natural person (in other words, a human being and not a company), you have the right to:
- obtain access to the personal data held about you;
- ask for incorrect, inaccurate or incomplete personal data to be corrected (‘rectification’);
- request, in certain cases, that personal data be erased when it’s no longer needed or if processing it is unlawful (‘right to be forgotten’);
- object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
- request the restriction of the processing of your personal data in specific cases;
- receive your personal data in a structured, commonly used and machine-readable format, or ask us to send it to another person (‘data portability’);
- request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision. We do not use automatic decision-making or profiling when processing personal data. If this changes, we will inform you and provide meaningful information about the logic involved, as well as the significance and the envisaged consequences for you;
- withdraw consent you have given to processing of your personal data; and
- freedom from Direct Marketing (‘opting-out’).
You also have a right to lodge a complaint with the Information Commissioner under the DPA 2004. This is the Gibraltar Regulatory Authority, whose details are provided below. Please note different rights may apply under the EU GDPR or other relevant legislation if you are outside of Gibraltar. For example, under the EU GDPR you may be able to lodge a complaint in the EU member state of your habitual residence, your place of work or the place of the alleged infringement, but you should note that the ‘one-stop shop’ mechanism does not presently apply to Gibraltar.
The DPA 2004 also gives you the right to bring legal actions in the Gibraltar courts.
Limits on your rights
In addition, note that your right to information under Art. 13 and 14 of the Gibraltar GDPR is limited in certain cases. The requirements on us to give information do not apply insofar as:
- obtaining or disclosure is expressly laid down by Gibraltar law which we are subject and which provides appropriate measures to protect your legitimate interests;
- the personal data must remain confidential subject to an obligation of professional secrecy regulated by Gibraltar law (such as statutory obligations of secrecy); or
- you already have the information.
HOW CAN YOU ACCESS INFORMATION WE HOLD ON YOU AND ENFORCE YOUR RIGHTS?
How can you enforce your rights?
Requests will be processed without undue delay and within one month of receipt of the request, or receipt of identification information, where applicable. This might be extended by two further months in case of a complex request, where you have made a number of requests, or if the identity of the requestor cannot be verified. We will not normally charge a fee for actioning such requests but may charge a reasonable fee where one or more of your requests are manifestly unfounded or excessive, in particular because any repetitive character in such requests. In such cases we may also refuse to comply with such requests.
There may be cases where we are unable to provide the information you request, such as where it would interfere with the privacy of others or result in a breach of confidentiality. In these cases, we will let you know why we cannot comply with your request.
In addition, you can enforce your right to object to direct marketing as described in the Direct Marketing section above by contacting us or using ‘unsubscribe’ or other opt-out mechanisms we provide our marketing communications.
We want to ensure that your personal information is accurate and up to date. If any of the information that you have provided to us changes, for example if you change your email address or name, please let us know the correct details by contacting us on the details below. You may ask us, or we may ask you, to correct information you or we think is inaccurate, and you may also ask us to remove information which is inaccurate. Even if you do not request access to and/or correct your personal information held by us, if we are satisfied that, having regard to the reasons for which we hold your personal information, that personal information is inaccurate, incomplete, out-of-date, irrelevant or misleading, we may take reasonable steps to correct that information.
WHO WE ARE AND HOW CAN YOU CONTACT US OR MAKE A COMPLAINT
Contact information of Data Controller
Suite 23, Portland House
Phone: (+350) 2000 1892
ISOLAS has not designated a Data Protection Officer, but our Information Rights, Data Protection and Privacy Team can be can be contacted directly via the above details. If your query is not privacy related, you can also contact any of Our People, or use email@example.com.
Your right to complain
We will make a record of your complaint and refer it to our internal complaint resolution committee for further investigation. We will deal with the matter as soon as we can, and keep you informed of the progress of our investigation.
If we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you are entitled to make a complaint to the Information Commissioner under the Data Protection Act, which is presently the Gibraltar Regulatory Authority (“GRA”). The GRA is responsible for ensuring that your rights and obligations are respected. The GRA is also competent to hear your complaints and may prohibit or restrict the processing of your personal data in certain cases. You may contact the GRA on the below details:
Gibraltar Regulatory Authority
2nd Floor, Eurotowers 4
1 Europort Road
Phone: (+350) 200 74636
Fax: (+350) 200 72166
Governing Law and Jurisdiction
Privacy Protections for Children Using the Internet
Protecting children’s privacy is important to us. For that reason, we do not collect or maintain information on our website from those we actually know are under the age of 16, nor is any part of our website targeted to attract anyone under 16. We request that all visitors to our website who are under 16 not disclose or provide any personal data and discontinue use of our website.
© ISOLAS LLP. All rights reserved.