Privacy Policy – Chestertons Gibraltar

Chestertons Gibraltar (“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store and protect personal data in accordance with Gibraltar data protection legislation, including the Gibraltar GDPR and the Data Protection Act.

For the purposes of applicable data protection legislation, personal data means any information relating to an identified or identifiable natural person.

1. Who We Are

Chestertons Gibraltar is an estate agency providing property sales, lettings, property management, valuation, advisory and related services.

Chestertons Gibraltar is the trading name of Buckingham Properties (Gibraltar) Limited, a company registered in Gibraltar with company number 98761.

Registered office:
Suite 4, 2nd Floor
The West Wing, Montarik House
3 Bedlam Court
Gibraltar

Data Controller: Buckingham Properties (Gibraltar) Limited (trading as Chestertons Gibraltar)
Data Protection Lead: Finance Director
Email: info@chestertons.gi
Telephone: +350 200 40041

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

• Contact details (name, address, email, phone number)

• Identification and verification data (ID documents, proof of address)

• Financial and transaction information

• Property preferences and requirements

• Communications (email, telephone, WhatsApp)

• Marketing preferences

• Employment and recruitment data (where applicable)

• Technical information including Internet Protocol (IP) address and related website usage data

Where required by law or regulation, this may include source of funds, proof of ownership, references and related due diligence information.

Examples of identity documentation we may request include passport, driving licence, EEA identity card, utility bill, bank statement, tenancy agreement, certificate of incorporation and list of beneficiaries.

It is important that the personal data we hold about you is accurate and current. Please inform us if your personal data changes during your relationship with us.

3. How We Collect Personal Data

We collect personal data directly from you and from third parties where appropriate, including:

• When you instruct us, enquire about a property or register with us

• When you complete forms on our website

• When you correspond with us by phone, email or otherwise

• When you request a valuation or property information

• Through our website, portals and marketing channels

• When you respond to surveys (participation is voluntary)

• From landlords, vendors, developers, professional advisers and public registers

• As required for legal and regulatory compliance

We may also receive personal data from property portals, social media platforms, booking platforms, messaging tools and referral partners.

4. Why We Process Your Data (Lawful Bases)

We process personal data only where a lawful basis applies, including:

• Contract – to provide estate agency, lettings and property management services

• Legal obligation – including AML/CFT checks and regulatory requirements

• Legitimate interests – property marketing, business administration, fraud prevention, credit risk management, website security and service improvement

• Consent – where required, such as optional marketing communications

Where you enter into a relationship with us for the provision of estate agency services, we process your personal data as necessary to fulfil that contract.

In accordance with Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) obligations under the Proceeds of Crime Act 2015 and related legislation, we are required to obtain and retain identity verification and related due diligence documentation prior to entering into a business relationship.

You may withdraw consent at any time where consent is the lawful basis for processing.

Where you choose not to provide personal data that is necessary for us to meet legal or contractual requirements, we may be unable to provide certain services.

5. How We Use Your Data

Your personal data may be used to:

• Provide property sales, lettings and management services

• Carry out viewings, negotiations and transactions

• Meet legal and regulatory obligations

• Communicate with you about properties or services

• Send marketing communications where permitted

• Manage our business and internal records

• Administer and improve our website

• Ensure website content is presented effectively

• Measure advertising effectiveness and deliver relevant property information

• Protect against fraud and reduce credit risk

Where we manage a property, personal data may be shared with contractors engaged for inventories, maintenance, cleaning or related services where necessary to provide services.

Where you apply to rent a property, proof of income and references may be shared with the relevant landlord as part of the letting process.

6. Marketing Communications

We send marketing communications only where permitted by law.

You may be asked to provide express consent to receive our newsletter (including Property News) and other property-related communications, such as development launches or regulatory updates.

For short-let bookings, you may be offered the option to receive future marketing communications relating to similar properties. This is optional and consent may be withdrawn at any time.

Email newsletters are sent via Campaigner to opted-in recipients only. You can unsubscribe at any time by:

• Clicking the unsubscribe link in any newsletter

• Updating your preferences using the “manage your preferences” link in marketing emails

• Contacting us at info@chestertons.gi

If you no longer wish to receive property alerts or marketing communications, you may notify us at any time and we will update your preferences promptly.

7. Disclosure of Personal Data

We may disclose your personal data to third parties where necessary for the purposes set out in this Privacy Policy. Where third parties process personal data on our behalf, they do so under contractual agreements requiring them to:

• Process data only in accordance with our instructions

• Maintain appropriate security measures

• Comply with applicable data protection legislation

Categories of Recipients

We may disclose personal data to:

Professional advisers
Including lawyers, accountants and other professional consultants.

Service providers acting as processors, including:

• Email marketing service providers (including providers based outside Gibraltar or the UK where appropriate safeguards are in place).

• Inventory report providers who generate inventory reports for managed properties.

• Short-lets booking system providers. Data may be securely hosted via third-party data hosting providers (including Amazon Web Services) with servers located in the UK and Europe.

• IT and system administration service providers based in Gibraltar or other jurisdictions.

• CRM, payroll, accounting and property maintenance software providers.

Landlords and property owners
Where you apply to rent a property, relevant information such as references and proof of income may be disclosed to the landlord as part of the letting process.

Regulatory and law enforcement authorities
Where required by law, regulation, court order or legal process.

Business Transfers

We may disclose personal data:

• In the event that we sell or buy any business or assets;

• If Buckingham Properties (Gibraltar) Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers may form part of the transferred assets.

Legal and Protective Disclosure

We may also disclose personal data where necessary:

• To comply with a legal obligation;

• To enforce or apply our terms of use and other agreements;

• To protect the rights, property or safety of Buckingham Properties (Gibraltar) Limited, our customers or others;

• For fraud prevention and credit risk reduction purposes.

We do not sell personal data.

8. Systems and Processors

We use third-party systems including:

• Alto (CRM)

• Microsoft 365

• EasyPay

• QuickBooks

• Fixflo

• KeyHive

• Campaigner

Certain services may involve secure data hosting providers, including Amazon Web Services (AWS), with servers located in the UK and Europe. Appropriate contractual safeguards are in place.

9. International Transfers

Where personal data is processed or stored outside Gibraltar or the UK, appropriate safeguards are applied in accordance with data protection law.

These safeguards may include adequacy decisions, standard contractual clauses or equivalent legal mechanisms.

10. Data Retention

We retain personal data for as long as we are contracted to provide services to you, or for as long as you consent to receive marketing communications.

In compliance with anti-money laundering, proceeds of crime, tax and related legislation, we are required to retain personal data relating to financial transactions and identity verification for a minimum of six (6) years following completion of the transaction or end of the business relationship.

After this period, personal data relating to inactive clients will be securely deleted or anonymised where appropriate.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse.

Once we have received your information, we follow strict procedures and security measures to prevent unauthorised access.

While we take all reasonable steps to protect personal data, transmission of information via the internet is not completely secure and is undertaken at your own risk.

12. Your Rights

At any time while we are processing your personal data, you have the right to:

• Access your personal data

• Request correction of inaccurate or incomplete data

• Request erasure where applicable

• Restrict processing in certain circumstances

• Request data portability

• Object to certain processing, including direct marketing

• Object to automated decision-making or profiling where applicable

• Lodge a complaint with the Gibraltar Regulatory Authority

• Seek judicial review if you believe your rights have been infringed

If we refuse a request under data protection law, we will provide you with an explanation.

Where third-party processors are involved, relevant requests will be forwarded where appropriate.

We will respond to rights requests within one month of receipt, subject to verification of identity and lawful extensions where applicable.

Requests should be made in writing to:

Chestertons Gibraltar
Suite 4, 2nd Floor
The West Wing, Montarik House
3 Bedlam Court
Gibraltar
Email: info@chestertons.gi

We may request identification documents to verify your identity before processing your request.

13. Cookies

Our website uses cookies to distinguish you from other users. This helps us provide you with a good browsing experience and improve our website.

Further details are available in our Cookie Policy at:
https://www.chestertons.gi/cookie-policy

14. External Links

Our website and communications may contain links to third-party websites, including partner networks, advertisers and affiliates. These websites have their own privacy policies and we do not accept responsibility or liability for those policies. Please review their privacy notices before submitting personal data.

15. Complaints

If you are not satisfied with how we process your personal data, you have the right to lodge a complaint with:

Gibraltar Regulatory Authority
2nd Floor, Eurotowers 4
1 Europort Road
Gibraltar GX11 1AA
Telephone: +350 200 74636
Email: info@gra.gi