Privacy Policy

1.    Introduction   

The Gibraltar Electricity Authority (“the GEA”) takes considerable measures in protecting your privacy and the utmost care is required from our data controllers when processing your data. This Privacy Notice is designed to inform you about the types of personal data we collect, how we gather it, the reasons for doing so, and how this information may be shared with third parties.

Under the Gibraltar General Data Protection Regulation (GGDPR) and The Data Protection Act 2004 (DPA) you have specific rights concerning the personal data we hold about you. We will detail these rights and provide guidance on how to contact us regarding them.

For the purposes of this Privacy Policy “we”, “our”, or “us” means the GEA whereas “you” or “your” refers to our customers (consumers) or any other data subjects whose personal data we may process, such as our suppliers. Our employees are however referred to the company’s internal Privacy Policy for further information.

2.    What types of personal data do we collect

The data we collect from you will depend on your relationship with the GEA and the use of our website. For consumers, this may include:

• Forename(s) & Surname(s)
• Date of Birth
• Passport or ID card details
• Telephone/Mobile numbers
• E-mail address
• Current, previous and billing addresses
• Death/marriage certificates
• Deed of Assignment/Rental Agreement
• Personal details of third parties (e.g., Power of Attorney)
• Additional personal data for arrears settlement or repayment agreements

When you visit our website, we may collect information about your browsing activities, IP address, and device information.

CCTV

CCTV cameras are in use at our Consumer Services Office and therefore your audio and image may be recorded should you visit our premises.

The implementation of our comprehensive CCTV camera system serves the purpose of protecting our facilities, assets, and personnel. It acts as a deterrent and plays a vital role in detecting, recording, and analysing a wide range of incidents, including theft, vandalism, accidents, fires, floods, and emergency situations, throughout the GEA premises.

The GEA acknowledges the importance of striking a balance between an individual's right to privacy and the imperative of ensuring the safety and security of GEA employees, customers, visitors, and corporate assets. When CCTV is deployed externally, it will exclusively capture images of public streets and buildings were permitted by law.

Access to operate the CCTV systems and review the recorded images is limited solely to authorized personnel.

To ensure transparency, notices indicating CCTV filming will be prominently displayed in areas under surveillance.

For further information regarding CCTV please refer to our CCTV Policy on our website.

Special Category Personal Data

Special Category Personal Data, which includes sensitive information, is subject to additional protection under GGDPR. This refers to certain categories of personal information, such as race, ethnicity, religion, health, political opinions, sexual orientation or biometric information, or data relating to criminal convictions and offenses. While not all types of sensitive data are processed, we may handle medical reports, financial statements, and other relevant data for arrears management, special requirements, or assisting authorities.

We limit the personal data collection, storage and usage to data that is relevant, adequate and necessary to successfully fulfil our obligations.

3.    How we use your information

We collect personal data for various reasons, including:

• Providing and managing your electricity supply
• To provide you with details of our services and your consumption.
• Meeting legal obligations under The Gibraltar Electricity Authority Act 2003
• Assisting individuals with arrears repayment agreements (in exceptional cases)
• Improving our services and website functionality
• Ensuring the security and integrity of our systems
• Crime and fraud prevention
• Responding to requests from governmental bodies, law enforcement, or regulatory authorities

4.    How we collect your information

Information is collected via various means and is very much dependent on the manner you interact with us. This section outlines the methods and sources through which we may collect your personal data.

• Direct Interactions - We may collect personal information directly from you when you interact with us. This includes, but is not limited to:
  • In person when you visit our offices.
  • Completion of the application form for the connection/disconnection of electricity supply.
  • Telephone and email communication.
• Automated Collection - When you visit our website, we automatically collect certain information through the use of cookies and similar technologies. This information may include:
  • Your IP address, browser type, operating system, and device identifiers.
  • Links visited, actions taken, and the duration of your visit on our website.
  • We may collect your approximate location based on your IP address or other methods with your consent.
• Third-Party Sources - In some cases, we may receive personal information from third-party sources, such as:
  • Information shared with us by our trusted business partners in accordance with data protection laws.
  • Information you make publicly available on social media platforms when you engage with our social media accounts or content.

5.    Lawful basis to process personal data legitimately

We identify the lawful basis we rely upon in order to collect, use and keep hold of your personal information. The following are the principal bases we rely upon:

• Contractual basis: Processing personal data is a critical requirement for us to meet our responsibilities under the contract we establish with consumers for the supply of electricity and/or the provision of our services.
• Legal obligation: When processing or retaining is necessary for fulfilling our obligations under The Gibraltar Electricity Authority Act 2003 (“The Act”).
• Public Task: The Authority was established with the object of supplying electricity to the general public under The Act and as such, processing of personal data is required in order to fulfil the requirements of the Act.
• Consent: We may process your information based on your explicit consent, which you can withdraw at any time.
• Legitimate Interests: We process data based on our legitimate interests, which include enhancing our services and upholding the security of our website. Additionally, we have a legitimate interest in protecting the well-being of our employees and safeguarding the data and assets stored on our premises.
• Health or Social Care purposes: We may from time to time be privy to a person’s medical condition, medical records, or financial situation in connection with arrears or special requirements. Before processing this special category of personal data, we will seek your explicit consent as our additional lawful basis under Article 9(2)(a) of the GDPR.

6.    Personal data retention

We retain personal data for periods appropriate to the data's purpose and lawful basis. This includes contractual obligations, legal requirements, legitimate interests, our obligations under The Act, health or social care matters, or assisting authorities.

We will keep the information for a period which enables us to handle or respond to any complaints, queries or concerns relating to our services.

CCTV recordings, both video and audio, are subject to automatic deletion one month from the date of the recording.

We will actively review the information we hold and delete it securely when it is no long necessary, however, in some circumstances we may anonymise so that it can no longer be associated to you and as such we may use the data without further notice to you.

7.    Sharing and disclosure of personal data

We employ several resources to ensure the personal data collected is secure and the confidentiality of said data is a matter of high importance to the GEA. Within the organisation we limit the sharing of personal data through staff authorisation levels. Personal data is administered by the authorised data controllers and is shared purely on a need-to-know basis for the task being carried out.

We share your personal information with third parties as follows:

• The Data Sharing (Public Authorities) Act 2021 allows us to share your data with other Government Departments, such as H.M. Government of Gibraltar’s Treasury Department, Housing Department, Department of Education, and No. 6, Convent Place, as a specified person under Schedule 1 of the Act. Appropriate protocols are employed to ensure the applicable security measures are in place.
• With law enforcement bodies, in order to assist in the protection or detection of crime, or to provide evidence in civil or criminal prosecutions. These include, The Citizens Advice Bureau, and The Royal Gibraltar Police.
• With our processors, AquaGib Limited, who carry out the following on our behalf: read meters, issue bills and collect payments.
• With estate agents, managing agents, power of attorneys or lawyers provided they can offer evidence that they have a legal right to obtain certain data or have written authority from you.
• For audit purposes.

Data transferred is limited to what is absolutely necessary and you can rest assured that we will undertake an independent assessment of the third-party requests, always identifying a lawful basis in order to do so.

We do not transfer personal data to any other third party, nor to any country outside the EEA, except under the following circumstances:

• To comply with requirements of legal proceedings.
• If our processors, suppliers or joint controllers are compelled to do so by law.

8.    Security and integrity of personal data

We have a framework of policies, procedures and training covering data protection, confidentiality and security. We regularly review the appropriateness of the measures in place which keep the data we hold secure. Technical measures are also implemented to ensure a level of security proportionate to the level of risk assessed for specific data sets.

Contractual agreements are in place with our processors and suppliers which include data protection clauses, to ensure that these entities protect data in accordance with the relevant legislation.

CCTV camera recordings are exclusively accessed by authorized personnel when the need arises, such as in the case of a security breach or an incident.

9.    What your rights are under law

We want to ensure you are aware of your rights under data protection law. You have the right to request the following:

• To identify whether we hold any of your personal data.
• To provide you with a copy of any personal data that we hold about you.
• To rectify any inaccuracies in your personal data and make amendments if you believe it is incomplete.
• To have your personal data deleted (to the extent possible given the specific circumstances) when required by law.
• To object to processing your personal data, when mandated by law.
• To receive a portable copy of the personal data we have on you when required by law.
• To cease processing any of your personal data based on our legitimate interests.
• Where we process your personal data on the basis that you have given us your consent to do so, you may contact us at any time to withdraw your consent.
• To transfer the personal data, you've provided to another organization or to yourself, under certain circumstances, which is also known as data portability.

If you wish to exercise any of these rights, or object to our processing your personal data, please email, call, or write to us (please refer to section ‘11. Contact Us’).

10. Fees to access Personal Data

Accessing your Personal Data or exercising any of your rights does not involve any fees. However, in cases where your request is deemed clearly unfounded or excessive, we may, at our discretion, apply a reasonable fee, or alternatively, we may choose not to process the request. In either scenario, we will provide a justification for our decision.

To confirm your identity and uphold your right to access information or exercise your rights, we may request specific details from you. This is an additional security measure to guarantee that Personal Data is not disclosed to individuals without the rightful authority to access it.

11. Contact us

If you have any questions or concerns about the information we hold about you and how we use it, or wish to exercise any of your rights as described above, you may contact our Data Protection Team at privacy@gea.gi.

You may also write, visit or call us, as follows:

Please note that, alternatively, you have a right to contact the Government’s Data Protection Officer directly as follows.

If you are dissatisfied with how we've addressed any data protection inquiries or if you have reservations regarding our personal data processing, you also have the option to reach out to the Gibraltar Regulatory Authority directly using the contact details provided below.

12. Changes to this Privacy Notice

We continually review and update this Privacy Notice to reflect changes in our services, as well as to comply with changes in the law. We will notify you of any updates either in writing or by updating this Privacy Notice on our website.

We may also notify you in other ways from time to time about the processing of your Personal Data.