University of Gibraltar Privacy Notice


University of Gibraltar is the Data Controller of any personal data that you provide or we obtain with regard to your studies. This means that we will make decisions on how your data is used and for what reasons.

This purpose of this privacy notice is twofold:

  1. To be transparent about the information we collect and store about you and its use.
  2. To comply with our obligations under Gibraltar data protection and privacy law.

While as comprehensive as possible this notice may not answer all your queries or concerns, if you require further information please contact us at +350 20071000 or email

Why do we need your data?

Personal data means any information relating to you which allows us to identify you, such as your name, contact details, and information about your access to our website.

We collect personal data from you when you join our mailing list.

Specifically, we may collect the following categories of information:

  1. Name, contact address, e-mail address, telephone number, or company name;
  2. Information about your use of our website;
  3. The communications you exchange with us or direct to us via letters, emails, calls, and social media;

Below we provide more detail on the different purposes your personal data is used for and any third parties this data is shared with.

Lawful processing

Gibraltar Data Protection law requires us to determine a relevant legal basis for each data processing activity we undertake with your personal data. One example of a data processing activity we undertake is the sharing of personal data with our regulator GRA as described above.

These ‘lawful bases for processing’ are defined by Gibraltar data protection law and include:

  1. a) Consent – under certain circumstances, such as participating in third party surveys, we will only process your personal data with your explicit consent. Explicit consent requires you to make a positive, affirmative action and be fully informed as to what you are consenting to.
  2. b) Necessary for the provision of a contract – much of the personal Information University of Gibraltar processes is necessary to meet its commitments to you, for example processing related to teaching and assessment.
  3. c) Necessary to fulfil a legal obligation – we must process your personal data when required to do so under Gibraltar law, for example sharing information with our regulator GRA.
  4. d) Necessary to protect the vital interest of you or another person – under extreme

circumstances we share your personal data with third parties to protect your interests or those of another person, for example providing medical or emergency contact information to

emergency services personnel.

  1. e) Processing is necessary for the performance of a public task – University of Gibraltar is a higher education institution that will sometimes process your personal data in the public interest.
  2. f) Processing is necessary for fulfilling the legitimate interests of University of Gibraltar – University of Gibraltar has a right to pursue its own organisational interests and can process your personal data in pursuit of these providing it does not override your fundamental right to privacy. For instance, University of Gibraltar uses third party services for email and other applications which means your personal data may be stored on their servers. University of Gibraltar feels that using a third party to provide these services is in our interests but takes appropriate actions to ensure your privacy is respected.

In situations where the personal data is defined as sensitive or special category data (for example ethnicity, criminal conviction information and health or medical data) we must select one of the following lawful bases in order to process it:

  1. a) Explicit consent (see above).
  2. b) Processing is necessary for reasons of substantial public interest – for example the need to ask for criminal conviction data when applying to or studying courses with fitness to practice requirements
  3. c) Processing is necessary to establish a legal claim or administer justice – we may be required to release third parties to authorised agencies.
  4. d) For research and statistical purposes – sensitive personal data about you may be used for research purposes without your explicit consent providing sufficient safeguards are in place.

In the ‘How are you using my data and who is it shared with” section below we provide details of the different processing activities undertaken by University of Gibraltar together with their associated lawful basis.

Where did you get my personal data from?

Most of the personal data we process will have been collected directly from you.

Your data may be used for marketing purposes. From time to time we will contact you with information regarding news, events and courses via e-communications. You will have the choice to opt in or opt out of receiving such communications. You will also be given the opportunity on every e-communication that we send you to indicate that you no longer wish to receive our direct marketing material. We will only process your personal data where we have a legal basis to do so. The legal basis will depend on the reasons we have collected and need to use your personal data for.

How are you using my data and who is it shared with?

Personal data processed by University of Gibraltar is directly related to your subscription.

We will not retain your data for longer than is necessary to fulfil the purpose it is being processed for. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means.

When we no longer need your personal data, we will securely delete or destroy it. We will also consider if and how we can minimise over time the personal data that we use, and if we can anonymise your personal data so that it can no longer be associated with you or identify you, in which case we may use that information without further notice to you.

Security of your personal data

We follow strict security procedures in the storage and disclosure of your personal data, and to protect it against accidental loss, destruction or damage.

Cookies and site tracking

This site uses cookies to enable us to improve our service to you and to provide certain features that you may find useful. This may include cookies of media and advertising partners that are being placed on your machine when visiting our website.

Cookies are small text files that are transferred to your computer’s hard drive through your web browser to enable us to recognise your browser and help us to track visitors to our site; thus, enabling us to understand better the products and services that will be most suitable to you. A cookie contains your contact information and information to allow us to identify your computer when you travel around our site, for the purpose of helping you accomplish your search. Most Web browsers automatically accept cookies, but, if you wish, you can change these browser settings by accepting, rejecting and deleting cookies. The “help” portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. If you choose to change these settings, you may find that certain functions and features will not work as intended. The cookies we use do not detect any information stored on your computers.

For more information about cookies and how to stop cookies being installed visit the following website: 

Will University of Gibraltar transfer my data outside of the European

Economic Area (EEA)?

Yes, in some instances your personal data will be shared with third parties outside of the EEA, for example North America and Australia. University of Gibraltar will only transfer your personal data outside of the EEA when one of the following conditions have been met:

  1. You have given us explicit consent for the transfer.
  2. The country has adequate data protection laws (this is determined by the Data Commissioner’s Office, not us).
  3. There are adequate safeguards in place, for example international data sharing frameworks or we have sufficiently robust contracts in place with the international third party.

What privacy rights do I have in respect to the personal data you hold?

  • You have the right to be informed – via privacy notices such as these and other communications relating to data protection and privacy.
  • You have the right of access to your data – if you would like copies of the personal data University of Gibraltar stores please contact the IT Services Information Management team (contact details are below).
  • You have the right to correct data – if it is wrong please contact the Information Management team if you believe your personal data is incorrect or out of date.
  • You have the right to ask for your data to be deleted – please contact the Information Management team if you believe you have a reason related to your personal situation for us to delete personal data we hold.
  • You have the right to restrict use of the data we hold – in certain circumstances you can request that processing of your personal data is restricted pending review.
  • You have the right to data portability – where possible University of Gibraltar will facilitate the digital transfer of data between compatible systems.
  • The right to object to University of Gibraltar using your data – please contact the Information Management team if you believe your personal data is being used unlawfully or you have reason particular to your personal situation why we should not be processing it.

Are there any consequences of not providing the requested data?

Yes, in many cases we will not be able to meet our commitments to you if we do not collect and store your personal data. In a situation where your explicit consent is required we will make clear the specific consequence of not providing your data.

Will there be any automated decision making using my data?

No, University of Gibraltar does not currently undertake any automated decision making or profiling using your personal data that falls within the scope of Gibraltar law.

How long will you keep my personal data?

University of Gibraltar will only retain personal data for as long as necessary to:

  1. Fulfil the purpose for which the data was collected or obtained.
  2. Fulfil our own obligations under Gibraltar Law.

Your personal data will be securely deleted once either of these conditions no longer apply.

 I’ve seen other University of Gibraltar privacy notices, why is this?

This privacy policy is specific to those on the University of Gibraltar mailing list.  As such you may see additional privacy notices when you are asked to provide personal data for specific purposes.

Who can I contact if I have further questions or concerns?

Please contact the University IT Services.


Tel: 200 71000 (office hours are 0800 to 1630, Monday to Friday)

In certain circumstances we may refer your query or concern to the University Data Protection Officer (DPO), a semi-independent role at University of Gibraltar required by Gibraltar Law. If you would prefer to contact the

DPO directly please email

 What is the Data Commissioner’s office?

Under the Data Protection Act 2004, the Gibraltar Regulatory Authority (GRA) is nominated as the Data Protection Commissioner. The Gibraltar Regulatory Authority is thereby the independent statutory body responsible for the enforcement of the Data Protection Act 2004, and carries out the functions assigned to it, to uphold the rights of individuals and their privacy. Amongst other things, this includes the provision of advice on data protection related matters and the investigation of complaints, as well as raising awareness on privacy issues.While we recommend that you raise any concerns or queries with us first you have the rights to complain to the GRA directly if you believe University of Gibraltar is using your personal data unlawfully.

Please visit for information on how to make a complaint or if you would like independent and impartial guidance on data protection and privacy.