
CTK LIMITED 

Confidentiality & Data Protection Policy


DOCUMENT STATUS:

The most recent amendment first.

Version | Date | Author | Reason | Sections
V1 | December 2024 | Carlos M. Martins | Draft | <All>

AMENDMENTS IN THIS RELEASE:

Section Title | Section Number | Amendment Summary
<e.g. This is the first release of this document.>

  1. Introduction

In the exercise of its functions, the Company will collect, store and process Personal Data about investors, customers, suppliers, employees and other third parties (these persons are the Company’s data subjects).

The Company recognises that it must (i) have a lawful basis for doing so and (ii) comply with the requirements of the Data Protection Legislation (and/or any other applicable or analogous legislation relating to the processing of personal data).

Data users are those persons who process Personal Data for and on behalf of the Company in the course of their roles within the Company, including but not limited to the directors, employees, and agents of the Company. Data users are obliged to comply with this policy when Processing Personal Data on the Company’s behalf. Any breach of this policy may result in disciplinary action.

For the purposes of this policy, “Data Protection Legislation” means Gibraltar’s data protection law which consists of both the Gibraltar GDPR and the Data Protection Act 2004 (the “DPA”).

 

  2. Policy Statement

CTK Limited (“the Company”) recognises the need to use and protect information appropriately.  It sets forth the responsibility for all personnel for maintaining confidentiality of both client/counterparty information and other information deemed to be confidential.  This policy also sets out the Company’s arrangements in place to comply with its obligations under the Data Protection Act 2004 (“DPA”) and the General Data Protection Regulation (“GDPR”).

Further to compliance with data protection law, this policy helps to protect the organisation from other risks such as damage to the reputation of the organisation and trust in the services that it provides.

The policy provides demonstrable commitment and support from senior management to ensure compliance with data protection law.

  3. About this Policy

The types of Personal Data that the Company may be required to process include information about current, past, and prospective investors, third party service providers and others that the Company communicates with. The Personal Data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Act.

This policy and any other documents referred to in it set out the basis on which the Company will process any Personal Data the Company collects from Data Subjects, or that is provided to the Company by Data Subjects or other companies.

This policy does not form part of any member of staff’s contract of employment/engagement and/or services contract and may be amended at any time.

The MLRO is responsible for ensuring compliance with the Act and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Managing Director.

 

  4. Definition of Data Protection Terms

Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.

Data Subject(s) for the purpose of this policy include all living individuals about whom the Company holds Personal Data. A Data Subject need not be a Gibraltar national or resident. All Data Subjects have legal rights in relation to their personal information.

Personal Data means Data relating to a living individual who can be identified from that Data (or from that Data and other information in the Company’s possession). Personal Data can be factual (for example, a name, address, or date of birth) or it can be an opinion about that person.

Data Controller(s) are the people, or organisations, which determine the purposes for which, and the manner in which, any Personal Data is Processed. They are responsible for establishing practices and policies in line with the Act. The Company is the Data Controller of all Personal Data used in the Company business for the Company’s own commercial purposes.

Data Users are those of the Company’s employees whose work involves Processing Personal Data. Data users must protect the Data they handle in accordance with this Data protection policy and any applicable Data security procedures at all times.

Data Processors include any person or organisation that is not a Data user and that processes Personal Data on the Company’s behalf and on the Company’s instructions. Employees of Data Controllers are excluded from this definition, but it could include suppliers which handle Personal Data on the Company’s behalf.

Processing is any activity that involves use of the Data. It includes obtaining, recording, or holding the Data, or carrying out any operation or set of operations on the Data including organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties.

Special Categories of Personal Data include information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence in such proceedings. Special Categories of Personal Data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

 

  5. Responsibility to protect confidential information

All personnel are responsible for protecting confidential information from unauthorised disclosure, access, and use.

This requirement applies to the Company’s information as well as client and/or other third-party information.

Confidential information should be protected:

  • In any format or media (e.g., printed, digital, audio, video, etc.);
  • Wherever it is created, consumed, stored, or discussed (e.g., at a client site, in a Company office, in a public space, on Company and non-company computers/devices, etc.);
  • While it is stored or while it is being transmitted;
  • In non-work activities (e.g., confidential information should not be shared with friends and family or shared on social media sites)
  • Throughout the entire lifecycle of the information, from creation to storage to archiving to disposal.

  6. Understanding the nature of Information

All personnel should know the nature of the information they create, have access to or have in their possession so that it can be protected appropriately. Some information is so sensitive that sharing it with other members of the team is prohibited.

Examples are those such as client information, merger and acquisition information, income tax return information, sensitive personnel information, and trade secrets.

  7. Sharing of confidential information within the team

Unless prohibited by applicable law or regulation, and, in the case of client information, provided that the applicable engagement agreement so provides, in certain circumstances confidential information in the possession of one firm may be shared with other companies. Prior to any such sharing of confidential information, personnel must:

  • Establish the business purpose for sharing the information;
  • Comply with data protection legislation;
  • Follow applicable protocols and obtain all necessary consents; and
  • If the recipient is a third party, establish the basis on which the third party may receive the information.

All personnel should guard against client information being accidentally disclosed via actions such as tagging social media posts with a geolocation or leaving computer screens visible to other passengers on airplanes.

  8. Custody of confidential information

Personnel should return or securely dispose of, in a timely manner, confidential information in their possession once it is no longer needed and all professional and policy obligations related to retention of records have been applied. Confidential information should not be retained longer than is reasonably needed or as is appropriate to fulfil their obligations.

Please refer to the Record Keeping Policy for further guidance.  

  9. Physical security of confidential information

All personnel are responsible for taking appropriate security measures when using, disclosing, transmitting, storing, and disposing of confidential information.  This includes the transporting, transmitting, and posting of confidential information.

Examples of where information security could be physically compromised include leaving a laptop computer unprotected in a public place (e.g., a train, aeroplane, café, or restaurant), or leaving printed materials behind without properly storing or disposing of them.

  10. Reporting the loss of confidential information

If any personnel determine that confidential information has been, or that it is reasonably possible that it has been, inappropriately disclosed, lost, or stolen (such as through the theft or loss of a laptop computer, a tablet or smartphone, working papers, or personal files), such personnel are required to follow the notification process set out below:

  • Notify the MLRO/Data Protection Officer immediately
  • Record the data breach and report to the board of directors
  • The board discusses the severity of the breach
  • If considered severe, any relevant authorities such as the Royal Gibraltar Police, Gibraltar Regulatory Authority and Financial Services Commission must be notified promptly
  • Appropriate course of action is discussed and agreed with the relevant authorities
  • Continuous monitoring and updating of the data breach is maintained by the MLRO/Data Protection Officer

  11. Data Protection Principles

Anyone Processing Personal Data must comply with the eight enforceable principles of good practice. These provide that Personal Data must be:

  1. processed fairly and lawfully and in a transparent manner in relation to the Data Subject;
  2. processed for limited (specified and explicit) purposes and in an appropriate way;
  3. adequate, relevant and not excessive for the purpose;
  4. accurate and where necessary kept up to date;
  5. not kept in a form which would identify Data Subjects for longer than necessary for the purpose for which it is Processed; and
  6. processed in a manner which ensures appropriate security to that Personal Data (including the protection against unlawful or unauthorised processing, accidental loss or destruction).

  12. Fair and Lawful Processing

For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation. These include (but are not limited to):

  1. the data subject’s clear and unambiguous consent to the processing for one or more specific purposes;
  2. the necessity of the processing for the performance of a contract with the data subject, or in order to take steps at the request of the data subject prior to entering into a contract;
  3. the necessity of the processing to ensure the Company’s compliance with its legal obligations (other than those required under the Data Protection Legislation); and
  4. the protection of the data subjects’ legitimate interests (or those of a third party), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In most cases, the main basis on which we will process any personal data will be those set out in Section 13.

 

  13. Processing for Limited Purposes

During the Company’s business, it may collect and process the personal data set out in Schedule 1.

The Company may collect and Process Personal Data. In most cases, this may include Personal Data that the Company receives directly from a Data Subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise). It may also include Personal Data that the Company receives from other companies (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).

The Company will only Process Personal Data for specific purposes and any purposes specifically permitted by the Act. These include:

  1. providing the Company’s engagement terms for clients to complete;
  2. the provision of the Company’s services to customers in connection with the contractual relationship entered between the Company and its customers;
  3. managing the Company’s relationship with any party and/or its clients, for record-keeping purposes and more generally for our proper and efficient operation;
  4. dealing with any complaints or feedback clients may have;
  5. monitoring and improving the performance and effectiveness of the Company’s services, including by training its staff;
  6. seeking advice on the Company’s rights and obligations, such as where it requires its own legal advice, and to exercise and defend its legal rights;
  7. compliance with its legal and regulatory obligations, such as anti-money laundering laws (which may include the carrying out of background checks and retention of a record of such checks), data protection laws and tax reporting requirements, and/or to assist with investigations by competent authorities (where such investigation complies with relevant law) and to comply with Court orders;
  8. safeguarding the security of its systems and communications;
  9. for security purposes generally and to ensure the safety of its employees and visitors;
  10. marketing purposes.

Notifying Data Subjects

If the Company collects Personal Data directly from Data Subjects, the Company will inform them about:

  1. the purpose or purposes for which we intend to process that Personal Data;
  2. the categories of Personal Data concerned;
  3. the types of third parties, if any, with which we will share or to which we will disclose that Personal Data;
  4. how long the Company will retain the Personal Data;
  5. the means, if any, with which Data Subjects can limit its use and disclosure of their personal data;
  6. the existence of their rights to withdraw consent, deletion, rectification, restriction of Processing and to lodge a complaint with the Gibraltar Regulatory Authority; and
  7. the basis on which Personal Data may be transferred outside the EEA.

Where the Company receives Personal Data about a Data Subject from other sources, it will provide the Data Subject with this information about such other sources, unless prohibited by law or court order.

Data subjects will be directed to the privacy notice on the Company’s website https://loansctk.gi/ which explains the matters set out in this section in more detail (together with information on other rights that they have as Data Subjects which are not referred to in this section).

The Company will also inform Data Subjects whose Personal Data the Company processes that the Company is the Data Controller with regard to that Data.

 

  14. Adequate, relevant, and non-excessive processing

The Company will only collect Personal Data to the extent that it is required for the specific purposes of complying with its contractual obligations, managing its relationship with the data subject and complying with its legal obligations.

 

  15. Accurate Data

The Company will endeavour to ensure that the personal data the Company holds is accurate and kept up to date. To do so, data subjects will need to inform us of any changes to the information they have provided to us in the past. The Company will inform data subjects of their obligation to inform us of any such material changes.

 

  16. Timely Processing

The Company will not keep Personal Data longer than is necessary for the purpose or purposes for which it is collected. The Company will take all reasonable steps to destroy, or erase from its systems, all data which is no longer required, but only to the extent that the Company is permitted to do so in accordance with its other legal obligations.

Data Subjects will be made aware that their right to be erased is not absolute and that the Company is required to keep its records after a certain matter and/or transaction has completed.

The Company’s practice is to delete and destroy all records relating to a particular transaction or matter after a period of 7 years since it concluded. This will serve as our baseline retention period; however, there will be limited circumstances in which the Company may need to keep such records for a longer period. In such circumstances, Data Subjects shall be informed immediately.

 

  17. Processing in line with Data Subjects’ Rights

The Company will process all Personal Data in line with Data Subjects’ rights, in particular their right to:

  1. be provided with clear, transparent and easily understandable information about how the Company uses personal data;
  2. withdraw consent (to the extent that the Company relies on the consent of a data subject);
  3. request access to any data held about them;
  4. restrict the processing of their data for direct-marketing purposes;
  5. request to have inaccurate data amended;
  6. have their personal data erased (subject to the circumstances in which the Company is required to keep records);
  7. prevent processing that is likely to cause damage or distress to themselves or anyone else; and
  8. make a complaint to the Gibraltar Regulatory Authority about any matter concerning their personal data.

  18. Data Security

The Company will take appropriate security measures against unlawful or unauthorised Processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.

The Company will put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data will only be transferred to a Data Processor if the Data Processor agrees to comply with those procedures and policies, or if it puts in place adequate measures of its own.

The Company will maintain Data security by protecting the confidentiality, integrity, and availability of the Personal Data, defined as follows:

  1. Confidentiality means that only people who are authorised to use the Data can access it.
  2. Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.
  3. Availability means that authorised users should be able to access the Data if they need it for authorised purposes. Personal Data should therefore be stored on the Company’s central computer system instead of individual PCs.

Security procedures to be put in place in future would be very likely to include:

  1. entry controls on business premises;
  2. secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind (personal information is always considered confidential);
  3. methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required;
  4. equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended;
  5. clean desk policies;
  6. passwords for Wi-Fi and individual staff login details (together with strict requirements as to passwords and requirements to regularly update passwords);
  7. a policy requiring staff to lock their screens whenever they are not at their desk;
  8. CCTV monitoring of the business premises, with recordings saved for up to 30 days offsite on the Cloud; and
  9. backing up data and storage of the same.

  19. Retention

The Data Protection Officer shall ensure that there is a clear policy (the Record Keeping Policy) on how long each data item in the Company’s records is to be retained, taking into account any legal requirements to retain data for a certain period. The Record Keeping Policy will stipulate the applicable legal regulations for data retention.

The Company will also store and process personal data during the period of ongoing civil, administrative, criminal, or supervisory proceedings, in order to defend its interest, even if this time period surpasses the definitions in the applicable legal regulations.

The Company purges its filing systems (manual and/or electronic) of personal data that is no longer required, in accordance with the retention periods established in the Record Keeping Policy, on an annual basis.

Details of the purges carried out including how it was carried out and by whom are recorded and signed off by the Data Protection Officer.

  20. Governance and Accountability

Under data protection law every person that handles personal data has some responsibility to ensure that it is used appropriately.  However, the following person(s) within the organisation have key responsibilities:

  1. The Managing Director has overall responsibility for ensuring that the organisation meets its obligations under data protection law.
  2. Data Protection Officer (MLRO): the Data Protection Officer shall be responsible for:
    • day to day implementation and management of this policy;
    • advising the organisation and its employees on data protection compliance;
    • planning and coordinating activities within the Company to ensure the objectives of this policy are met;
    • monitoring compliance with data protection law;
    • reporting directly to the Managing Director on data protection;
    • ensuring that appropriate data protection training and awareness is provided to staff;
    • acting as the contact point for the Information Commissioner; and
    • cooperating with the Information Commissioner.
  3. The Managing Director shall approve this policy and periodically review its implementation and effectiveness to ensure ongoing compliance with data protection law.
  4. IT Manager: the MLRO is responsible for ensuring that the organisation has appropriate IT security measures in place to protect the personal data held.

 

  21. Transferring Personal Data to a Country outside the EEA

Where required, the Company may transfer any personal data the Company holds to a country outside the European Economic Area (“EEA”), provided that the country to which the Personal Data are transferred ensures an adequate level of protection for the Data Subjects’ rights and freedoms and one of the following conditions applies:

  1. the Data Subject has given clear and unambiguous consent.
  2. the transfer is necessary for one of the reasons set out in the Data Protection Legislation, including the performance of a contract between us and the data subject, or to protect the vital interests of the Data Subject.
  3. the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
  4. the transfer is authorised by the relevant data protection authority, where the Company has satisfied itself that adequate safeguards are in place with respect to the protection of the Data Subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.

Subject to the requirements in the clause above, Personal Data the Company holds may also be processed by staff operating outside the EEA who work for us or for one of the Company’s suppliers. Such staff may be engaged in, among other things, the fulfilment of contracts with the Data Subject, the Processing of payment details and the provision of support services.

 

  22. Disclosure and sharing of Personal Information

The Company may share Personal Data the Company holds with any member of the Company group, which means the Company’s subsidiaries, the Company’s ultimate holding company and its subsidiaries, as defined in section 2(1) of the Companies Act 2014.

The Company may also disclose Personal Data the Company holds to third parties:

  1. in the event that the Company sells or buys any business or assets, in which case the Company may disclose Personal Data the Company holds to the prospective seller or buyer of such business or assets; and
  2. if the Company or substantially all of the Company’s assets are acquired by a third party, in which case Personal Data the Company holds will be one of the transferred assets.

The Company may also disclose or share a Data Subject’s Personal Data if it is under a duty to do so in order to comply with any legal obligation, in order to enforce or apply any contract with the Data Subject or other agreements, or to protect the rights, property, or safety of the Company, its employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

The Company may also share Personal Data the Company holds with selected third parties in accordance with the Act.

  23. Dealing with Subject Access Requests (“DSAR”)

Data Subjects must make a formal request for information the Company holds about them. This must be made in writing and submitted to the MLRO.

DSARs may be sent to the Company electronically by email to kelly@loansctk.gi with “DSAR” clearly stated in the subject line.

All DSARs must be referred to the MLRO. Employees should not be bullied into disclosing Personal Data.

The Company must always be sure of the identity of the person making the request and, the Company may need to verify their identity – certified copies of ID documents may be requested from the individual at this stage.

A third party may make a request on a Data Subject’s behalf. In this case, the Company requires proof of the data subject’s and third party’s identity and evidence of the third party’s legal right to act on the data subject’s behalf.

The person directly liaising with the Data Subject must advise the Data Subject in writing via postal mail and/or electronically via email, that the Company has received the request and that the Data Subject should expect to receive a response within 30 days unless the request is excessive, disproportionate and/or repetitive of previous requests.

The Company may charge a reasonable fee if a Data Subject requires additional copies of their Personal Data. All members of staff are instructed to consult the Managing Director and/or the MLRO before charging Data Subjects in connection with a DSAR.

When receiving telephone enquiries, the Company will only disclose Personal Data the Company holds on the Company’s systems if the following conditions are met:

  1. the Company will check the caller’s identity to make sure that information is only given to a person who is entitled to it; and
  2. the Company will suggest that the caller put their request in writing if the Company is not sure about the caller’s identity and where their identity cannot be checked.

The Company will keep a written record of all DSARs together with information relating to each DSAR.

  24. Responding to Correction Requests

Data Subjects have the right to have their inaccurate Personal Data rectified. Rectification can include having incomplete Personal Data completed, for example, by a Data Subject providing a supplementary statement regarding the Personal Data. Such requests may be made electronically to the email address indicated in the section on Subject Access Requests.

Where such a request is made, the Personal Data must be rectified without undue delay.

Correction requests must be referred to the MLRO.

  25. Responding to Erasure Requests

Data Subjects have the right, in certain circumstances, to have the Company erase their Personal Data. Where such a request is made, the Company must, unless an exemption applies, erase the Personal Data that is the subject of the request if:

  1. the Personal Data is no longer necessary for the purpose the Company collected it for;
  2. the Data Subject withdrew his or her consent to its processing activities and no other legal justification for processing applies;
  3. the Data Subject objects to processing and there are no overriding legitimate grounds to process the Personal Data;
  4. The Company unlawfully Processed the Data Subject’s Personal Data; and/or
  5. the Company is required by law to erase the Personal Data to comply with a legal obligation.

If the Company determines that it must erase the Data Subject’s Personal Data in response to the request, and the Company made the Personal Data that is the subject of the erasure request public, the Company must take reasonable steps, including technical measures, to inform any Processors processing the Personal Data (which is subject of the erasure request) on its behalf, including removing any links to, and copies of, the Personal Data.

The Company must communicate the erasure of Personal Data to the third-party data recipients (for example, organisations that are Processing Personal Data on its behalf), unless this involves an impossible or disproportionate effort.

The Company may also refuse to respond to a Data Subject’s erasure request if it processes personal data that is necessary for:

  1. exercising the right of freedom of expression and information;
  2. complying with a legal obligation (statutory or otherwise);
  3. the performance of a task carried out in the public interest;
  4. exercising its official authority; and/or
  5. the establishment, exercise, or defence of legal claims.

  26. Responding to requests restricting Personal Data Processing

Data Subjects have the right, in certain circumstances, to request that the Company restrict the Processing of their Personal Data. Where such a request is made, the Company must, unless an exemption applies, restrict Processing if:

  1. the Data Subject contests the accuracy of the Personal Data. The Company must restrict processing the contested data until it can verify its accuracy;
  2. the Processing is unlawful;
  3. the Company no longer needs to Process the Personal Data but the Data Subject needs the Personal Data for the establishment, exercise, or defence of legal claims; and/or
  4. a Data Subject objects to processing for:
    1. purposes that the Company considers necessary to perform a task in the public interest; or
    2. purposes that the Company considers necessary for its or a third party’s legitimate interest.

If the Data Subject objects to Processing, the Company must restrict the challenged Processing activity pending verification of whether its or a third party’s legitimate interests override the Data Subject’s interests.

The MLRO/Head of Compliance must determine if the Company has a basis not to respond to the data processing restriction request. Staff must inform the Data Subject of the reason(s) for not acting and of the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.

Where Processing has been restricted, the Company must ensure that it only processes the Personal Data (excluding storing it) either:

  1. with the Data Subject’s consent;
  2. for the establishment, exercise, or defence of legal claims;
  3. for the protection of the rights of another person; and/or
  4. for reasons of important public interest.

Where Processing has been restricted, the Company must identify each recipient to whom it disclosed the personal data that is the subject of the processing restriction request and communicate the restriction to those recipients.

  27. Responding to Data Portability Requests

Data Subjects have the right, in certain circumstances, to:

  1. receive a copy of certain Personal Data from us in a structured, commonly used, and machine-readable format and store it for further personal use on a private device;
  2. transmit certain Personal Data to another Data Controller.

The data portability right only applies to Personal Data Processed by automated means when processing is either:

  1. based on the Data Subject’s consent;
  2. necessary to perform a contract with the Data Subject.

The Personal Data covered by the data portability right includes only Personal Data concerning the Data Subject which the Data Subject knowingly and actively provided to us. The data portability right does not include data that the Company creates from the data provided by the data subject such as a user profile. If a client has any questions about whether personal data falls within the scope of a Data Subject portability request, they should be advised to contact the MLRO.

For Personal Data that the Data Subject requests be transmitted to the Data Subject directly, the Company must, unless an exemption applies, transfer the Personal Data that is the subject of the data portability request.

For Personal Data that the Data Subject requests be transmitted to a third party, staff must, unless an exemption applies, transfer the Personal Data that is the subject of the data portability request, provided that the identity of the Data Subject and the third party has been appropriately verified.

  1. Responding to Objections to Personal Data Processing

Data Subjects have the right to object to Personal Data Processing when the Company processes their Personal Data for direct marketing purposes, including profiling related to direct marketing. The Company must stop Processing a Data Subject’s Personal Data for direct marketing purposes whenever the Data Subject objects.

When a request to object to Processing is received, the Company must stop the Processing related to the Data Subject’s request unless the Processing is necessary for the legitimate interests of the Company or a third party and the Company demonstrates:

  1. a compelling legitimate ground for Processing the Personal Data that overrides the Data Subject’s interests; or
  2. that the Company needs to Process the Personal Data to establish, exercise, or defend legal claims.

When the Company receives a request related to the above paragraph, the Company must temporarily restrict (as far as reasonably practical) Processing that Personal Data pending verification of whether its legitimate interests override those of the Data Subject.

  1. Security

To ensure that the organisation has appropriate security measures in place to protect the personal data that it processes from being accidentally or deliberately compromised, the organisation has established the following:

  • Management & organisational information security measures – risk management, documentation and implementation of security measures, accountability, outsourcing, data breach management, disciplinary measures.
  • Training & awareness – regular training and awareness of all personnel as relevant.
  • Physical security – Clean Desk Policy applies; secure areas by locking doors and cabinets.
  • Computer security – mobile devices and remote working, secure and modify IT settings, user access controls, password security, malware protection, data backups, firewalls, encryption, wireless networks.

  1. Data Breach Management and Notification

As part of its data breach management procedure, CTK Limited shall notify the GRA[1], without undue delay and where feasible within 72 hours, after becoming aware of a data breach, unless it is determined that the breach is unlikely to result in a risk to the individuals affected. If it is determined that the breach is likely to result in a high risk to the individuals affected, CTK Limited shall notify those individuals of the breach without undue delay[2].

CTK Limited shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken (including whether it has been notified to the GRA and/or the individuals affected).

  1. Data Protection by Design and by Default

CTK Limited will consider the data protection and privacy implications of any project proposal that involves the use of personal data, prior to its implementation.

Further, periodic/annual reviews shall be undertaken to make appropriate adjustments to the data processing with the aim of improving data protection and privacy, taking into account technological developments.

  1. Data Protection Impact Assessments

Where a data processing activity is likely to result in a high risk to individuals, CTK Limited shall carry out a Data Protection Impact Assessment[3] (“DPIA”), particularly when:

  • new technologies are used,
  • systematic and automated processing resulting in decisions that affect individuals takes place,
  • special categories of personal data and/or data relating to criminal convictions are processed on a large scale, or
  • systematic monitoring of a publicly accessible area on a large scale occurs.

CTK Limited shall:

  • Seek the advice of the Data Protection Officer in regard to DPIAs.
  • Include the following in its DPIAs:
     • a description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued;
     • an assessment of the necessity and proportionality of the processing in relation to the purposes;
     • an assessment of the risks to the rights and freedoms of individuals; and
     • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

A record of all DPIAs conducted will be kept and updated.

  1. Data Processors

CTK Limited only uses third parties to carry out an activity on the personal data that we hold, when the third party provides sufficient guarantees that it will process the data in compliance with the GDPR and the DPA.

Further, all activities on the personal data that we hold carried out by third parties on our behalf, shall be governed by a written contract as per Articles 28 and 29 of the GDPR.

  1. Staff Training

The Company will endeavour to ensure that staff receive the training necessary in order to ensure compliance with this policy and the adherence to best practices.

Training will not necessarily be “in-house” and may consist of sending relevant members of staff to seminars on the relevant Data Protection Legislation and data protection generally.

  1. Changes to this Policy

The Company reserves the right to change this policy at any time. The Company will notify Data Subjects of those changes by mail or email.

Schedule 1

Types of Personal Data the Company will collect, store and use

  • Name (including, where relevant, maiden name);
  • Date of birth;
  • Address;
  • Contact details;
  • Gender;
  • Marital status and dependants;
  • CCTV footage;
  • Emergency contacts, and immigration status;
  • Education;
  • Physical and mental health;
  • Offences;
  • Criminal proceedings outcomes and sentences;
  • Individual’s salary details (including bonuses, discretionary payments, and other benefits in kind);
  • Passport/ID card (and/or other forms of identification documentation);
  • Information about all forms of taxation, duties, imports, levies, withholding, taxes, rates, and charges of whatsoever nature whether in Gibraltar or elsewhere in any part of the world wherever or whenever, created or imposed and includes (without limitation); and
  • Bank account details.

[1] In accordance with Article 33 of the GDPR

[2] In accordance with Article 34 of the GDPR

[3] In accordance with Article 35 of the GDPR