PRIVACY NOTICE

This Privacy Notice discloses the privacy practices, in accordance with the Data Protection Act 2004. This notice applies solely to information collected by the Legal Services Regulatory Authority (the “LSRA”).

This Privacy Notice is a live document and is kept under review and updated, as required. It was last updated on 22nd September 2022.

1. Who is Responsible for Managing Personal Data?

The hard copy and electronic storage of data, including any information derived or received by the LSRA in hard copy or via the LSRA website www.lsra.gi, the latter once live, is held on systems owned and maintained by:

The Legal Services Regulatory Authority, Suite 841, Europort, Gibraltar GX11 1AA

This Privacy Notice explains how the LSRA collects, uses, shares and protects the personal data (referred to in this Notice as Personal Data), which may be provided to it by:

• any person making any enquiries as to or applying for registration and/or the issue of a practising certificate, including Authorised Person and a Law Firm (which expression refers to the firm itself and, where appropriate, its principals, partners, directors, shareholders, employees, associates and consultants) pursuant to the Legal Services Act and any related or subsidiary legislation;
• any person for the purposes of supervision generally and with specific regard to anti-money laundering, the combatting of terror financing and proliferation financing;
• any other persons who may make enquiries from, lodge complaints at or interact with the LSRA

  (all of whom such persons are referred to as “the Person”),
• by the Registrar of the Supreme Court for the proper discharge of the LSRA’s functions and where the LSRA assists the Registrar in discharge of his his supervisory functions concerning anti-money laundering, the combatting of terror financing and proliferation financing, and any other function.

The LSRA is responsible for the collection and proper management of any Personal Data provided to it. The LSRA will keep the Person’s Personal Data secure and use them consistently with applicable privacy and data protection laws and the terms of this Privacy Notice.

2. What Personal Data does the LSRA collect?

The LSRA will collect details that are provided to it for the following purposes:

• registration by any Person in the Register of Authorised Persons and Law Firms, under the Legal Services Act 2017 and/or for the issue of practising certificate under the rules which may be in force from time-to-time, whether for initial or annual registration and/or issue of practising certificate
enquiries from any Persons regarding procedural and substantive aspects of registration, issue of practising certificate and renewal, removal or suspension from the same, of practice generally, CPD, disciplinary processes and sanctions;
  responses from any Persons who are Authorised Persons and Law Firms registered under and/or subject to the Legal Services Act and any related and subsidiary legislation in relation to any questionnaire, consultation or other enquiry, whether general or specific to the Person who responds thereto;
• the supervision of Authorised Persons generally and with specific regard to anti-money laundering, the combatting of terror financing and proliferation financing;
• enquiries from any Person regarding Authorised Persons and Law Firms registered under and/or subject to the Legal Services Act, related and subsidiary legislation;
• complaints by any Person of or in relation to Authorised Persons and Law Firms registered under and/or subject to the Legal Services Act, related and subsidiary legislation
• information submitted by members of the public or any other persons or entities in response to a public or other consultation issued by the LSRA.

Information held is likely to include the Person’s name, contact details and any other information the LSRA may need for the carrying out of the purposes set out in this section.

It is the LSRA’s policy to not collect personal data about minors.

3. How the LSRA uses Personal Data

The Personal Data which the Person provides is used in a number of ways, for example,

• to process registrations in the Register of Authorised Persons and Law Firms and the issue of practising certificates;
• to keep the Register of Authorised Persons and Law Firms registered under the Legal Services Act 2017 and records of Practising Certificates, current and updated;
• as may be required or arise in order to carry on and/or in the carrying out of the functions of the LSRA in and pursuant to the Legal Services Act and related and subsidiary legislation, which may be in force from time-to-time, including, but not only, the maintaining of adherence to the professional principles in s. 15(4) of the Legal Services Act, regulating the provision of legal services, in relation to admissions and disciplinary functions, monitoring the Authorised Persons’ and Law Firms’ systems of control to prevent, detect and report money laundering, terrorist financing and any other supervisory functions which currently are or may be ascribed to the LSRA in respect of the Proceeds of Crimes Act 2015 or any other legislation;
• as may be required in circumstances where the LSRA assists the Registrar in the discharge of his supervisory functions concerning anti-money laundering, the combatting of terror financing and proliferation financing, and any other function.
• to carry out investigations in relation to complaints
• to handle any enquiries received;
• to process any replies, comments or submissions following any limited or public consultation;
• maintaining, reviewing and updating information and other records in relation to any of the above.

4. What is the legal basis for processing the Person’s Personal Data?

The LSRA will always process the Person’s Personal Data in accordance with the requirements and exemptions of relevant data protection legislation, subject to which it will process data on lawful grounds and in particular on the basis that LSRA, where applicable, will seek to obtain the Person’s explicit consent before it begins to process his/her Personal Data.

Upon the submission to the LSRA of any enquiry, application, complaint or response, as the case may be, the Person will be deemed to have given his/her consent to the LSRA to use the Person’s name, email address, phone number(s) and postal address to contact the Person about his/her enquiry, application, complaint or, response.

The Person can withdraw his/her consent at any time, however, please be aware that there are certain legal provisions which require us to process your personal data in order to supervise your activities as a legal professional or as a complainant or members of the public.

5. Who does the LSRA share Personal Data with?

The LSRA may share information with the Chief Justice and/or Registrar of the Supreme Court and their Offices with regard to past, present and future admissions, issue of practising certificates, disciplinary matters and any other relevant aspects of practice and the supervision of the delivery of legal services and those who deliver them. The LSRA may do likewise in the case of the Institute of Legal Executives or Law Costs Draftsmen and principals of Government service or of commercial or other business concerns, statutory bodies or agencies or not-for-profit organisations in or for which persons who are Authorised Persons or registrable as such may be practising. In these instances, information will only be shared to the extent that it either permissible by law or necessary for the LSRA to carry out its functions and as may be required by the Supreme Court Act 1960, the Legal Services Act 2017 and respectively related and subsidiary legislation.

The LSRA may share information with law enforcement agencies, other supervisory bodies or similar third parties as is or may be permitted or required by law or international obligations or requirements to which the LSRA or the jurisdiction of Gibraltar may be subject, or may determine to observe, or for any purposes concerning or relating to the reporting, detection, investigation and legal process of any actual or suspected criminal or other unlawful or prohibited activity.

The LSRA will disclose a complainant’s identity to whomever the complaint is against, in order to be able to properly resolve the matter. The LSRA will try to facilitate a complainant who wishes to remain anonymous, but if a complaint proceeds it is generally inevitable that the identities of both parties are revealed. This is to ensure fairness in the legal process.

In circumstances where the LSRA holds, or may, in the future hold, any data as a joint controller with another entity (in particular but not only the Registrar), the LSRA does so in accordance with the all relevant data protection legislation.

6. How long will the LSRA hold Personal Data for?

The Personal Data is only stored whilst it is required for the relevant purposes, or to meet legal requirements.

Specifically, in the case of registrations, practising certificates, renewals of same and conduct and disciplinary matters, the Personal Data may be held for longer than the Authorised Person is currently practising and/or indefinitely. In the case of investigations carried out as a result of a complaint, the LSRA will hold the Personal Data for the course of the investigation, any hearings and any appeals therefrom and if the LSRA has issued any decisions, recommendations, directions, or any other action which is appellable, it will hold the data for the period provided for by statute for such appeals, including judicial review, to take place and a further six years from the date of final determination.

Where the Personal Data is no longer required, the LSRA will ensure it is disposed of or deleted in a secure manner. In certain circumstances it will anonymise the data to the extent that it will continue to process data in a format which makes identifying the Person impossible. In these instances, every effort is made to ensure proper and correct processes are in place to carry this out effectively.

7. The Person’s rights

The Person has the right to ask the LSRA:

• to confirm whether it holds any of the Person’s Personal Data;
• to provide the Person with a copy of any Personal Data that the LSRA holds about the Person;
• to correct any inaccuracies in the Personal Data and to modify it in such a way if the Person believes the Personal Data the LSRA holds is inaccurate or incomplete;
  to delete (in as much as is possible in the specific circumstances) any of the
• Personal Data where the LSRA is required to do so by law;
  to stop processing the Person’s Personal Data where required to do so by law;
  to let the Person to have a portable copy of the personal data the LSRA hold about him/her. where required to do so by law;
• to stop processing any of the Person’s Personal Data that is processed by the LSRA except where such processing is carried out on the basis of the LSRA’s legitimate interests; and
• where the LSRA processes the Person’s Personal Data on the basis that the Person has given the LSRA his/her consent to do so, the Person may contact the LSRA at any time to withdraw his consent except where processing is necessary in order for the LSRA to carry out its functions.

If any Person wishes to exercise any of these rights, or object to the LSRA processing his/her Personal Data, please write to or email the LSRA at the address provided for below.

The exercise of such rights is expressly subject to the statutory exemptions or other similar provision, including, but not only, in relation to the detection, investigation and prosecution of persons or entities.

8. How does the LSRA update this Privacy Notice?

This Privacy Notice is reviewed and updated, as required. It is available on our website or on request.

9. Who can be contacted with regard to this Privacy Notice?

The point of contact at present is Rose Cornelio at the LSRA’s office. This is currently at Suite 841 Europort, Gibraltar. The telephone number is 22250490 and email enquiries should be sent to info@lsra.gi 

This Notice is issued with effect from 22 September 2022