This Privacy Notice discloses the privacy practices of the Legal Services Regulatory Authority (the “LSRA”), in accordance with the Data Protection Act 2004 and the Gibraltar General Data Protection Regulation (the “DP Legislation”), and applies to information collected by the LSRA in respect of the following persons:
- Visitors to the website (lsra.gi);
- Regulated Persons (as defined below) and applicants to become Regulated Persons;
- Persons making complaints about Regulated Persons;
- Persons making complaints about the LSRA;
- Persons making enquiries or asking for general assistance;
- Other persons connected to our work.
This Privacy Notice explains how the LSRA collects, uses, shares and protects the personal data, which may be provided to it. Personal data is any information relating to an identified or identifiable natural person (“Personal Data”). The LSRA is responsible for the collection and proper management of any Personal Data provided to it.
The LSRA will keep the Persons’ Personal Data secure and use it consistently with applicable privacy and data protection laws and the terms of this Privacy Notice.
Capitalised terms are defined in the Legal Services Act 2017.
This Privacy Notice is a live document and is kept under review and updated, as required. It was last updated on 2nd August 2023.
¹ Excluding employees and all other persons working for or with the LSRA.
- Who is Responsible for Managing Personal Data?
The hard copy and electronic storage of data, including any information derived or received by the LSRA in hard copy or via the LSRA website (www.lsra.gi), is held on systems owned and maintained by:
The Legal Services Regulatory Authority, Suite 841, Europort, Gibraltar GX11 1AA
- What Personal Data does the LSRA collect and how does it use it?
Data will be collected, used and shared primarily in the exercise of the regulatory functions of the LSRA. Those functions and the duties and powers of the LSRA are contained in primary legislation, including but not limited to the Legal Services Act 2017, applicable rules, regulations and codes.
Data collected by the LSRA will include Personal Data (as above) including, potentially, special category data. Under the DP Legislation, special category data includes data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a person’s sexual orientation or life.
It is the LSRA’s policy not to collect personal data about minors save where required in accordance with the LSRA’s regulatory functions.
A. Regulated Persons
Included here are:
- Applicants for registration in any of Parts 1 to 8 of the Register of Authorised Persons and issue of practising certificates;
- Authorised Persons being persons registered and holding the relevant practising certificates;
- Persons who are applicants for, or have been admitted as, barristers or solicitors, including Counsel admitted for specific proceedings;
- Persons who are directors, shareholders, associates, employees or other staff of, or consultants to, any Law Firm registered in Part 9 of the Register of Authorised Persons;
- Applicants for approval as, or Approved Directors;
- Applicants for permission as, or Permitted Equity-holders.
Data collected and processed on Regulated Persons will include:
- Identification information including name, telephone number, address, electronic contact details, date of birth;
- Employment status and employer/ employment information (including former employers);
- Information regarding education and qualifications;
- Criminal convictions or regulatory sanctions;
- Banking details (as a result of payments made to the LSRA).
Information in respect of Regulated Persons may be collected from the following:
a) any Person making any enquiries as to or applying for registration and/or the issue of a practising certificate or approval as an Approved Director or permission as a Permitted Equity-holder and pursuant to the Legal Services Act 2017, the Legal Services (Registration and Practising Certificates) Rules 2022, any replacement thereof and any other related or subsidiary legislation;
b) the Registrar of the Supreme Court on his behalf or that of the Chief Justice in relation to any matter concerning the intended or actual admission of any Person as a barrister or solicitor or registration as a European lawyer or an EEA Lawyer or any matter relating to the practice, conduct or discipline of any such persons, or generally concerning the registration, regulation or supervision of such persons by the LSRA;
c) any person in relation to any matter relating to the practice or conduct of any Regulated Person or generally concerning the registration, approval, authorisation, regulation or supervision of any Regulated Persons by the LSRA;
d) the Registrar of the Supreme Court, any law enforcement agency or supervisory body (as specified in the Supervisory Bodies (Powers etc) Regulations 2017), or any other person in relation to any matter concerning the supervision, regulation and sanctioning of Persons in respect of anti-money laundering, the combatting of terrorist financing and countering proliferation financing;
e) any other persons who may make enquiries of, lodge complaints at or interact with the LSRA.
Data collected will be used as may be required by the LSRA to carry out all or any of its functions and obligations, whether pursuant to the Legal Services Act 2017, the Proceeds of Crime Act 2015, the Supervisory Bodies (Powers etc.) Regulations 2017, or any other applicable legislation (primary or secondary) which may be in force from time to time, including:
- to process the application for and/or registration of any Person in the Register of Authorised Persons and Law Firms, under the Legal Services Act 2017 and/or for the issue of practising certificate under the Legal Services (Registration and Practising Certificates) Rules 2022, any replacement thereof and any other related or subsidiary legislation;
- to process applications, including for Approved Directors and Permitted Equity-holders, and any related activities including the suspension or withdrawal of the same;
- to maintain current and up-to-date the Register of Authorised Persons and Law Firms and records of Practising Certificates;
- to maintain current and up-to-date the records of and relating to Approved Directors and Permitted Equity-holders;
- the supervision of Regulated Persons generally and with specific regard to the maintaining / ensuring adherence to the professional principles in s. 15(4) of the Legal Services Act 2017, regulating the provision of legal services, in relation to admissions and disciplinary functions; monitoring the Authorised Persons’ and Law Firms’ systems of control to prevent, detect and report money laundering, terrorist financing and any other supervisory functions which currently are or may be ascribed to the LSRA in respect of the Proceeds of Crime Act 2015 or any other legislation;
- to respond to any complaints received, and, where required, undertake investigations in relation thereto;
- to deal with any enquiries received, whether regarding a Regulated Person or from any Person regarding procedural and substantive aspects of registration, issue of practising certificate and approval or permission, and renewal, removal or suspension from the same, of practice generally, CPD, disciplinary processes and sanctions;
- to process any replies, comments or submissions following any limited or public consultation;
- for the purpose of maintaining, reviewing and updating information and other records in relation to any of the above.
When applications are received containing personal information the LSRA will create or update information held on its systems and files. That personal information will be used to process the applications, including to make any decisions. It may also be retained in order to capture a full regulatory history of a Regulated Person.
Failure to provide requisite or requested information may result in the refusal of an application.
Personal information collected on an annual basis from individuals or Law Firms may be, as above, used to inform our regulatory work including investigations, enforcement and applications received. It may also be used to undertake analysis to identify trends including about risks that exist/are emerging in the legal sector.
Email addresses will be used to make contact with Regulated Persons, to deliver notices or reminders relating to regulatory requirements (e.g., Practising Certificate renewal) and to inform Regulated Persons and Law Firms of regulatory news, regulatory requirements, events or other important information.
Where a Regulated Person contacts the LSRA for guidance or information, the LSRA may use that information for the primary purpose of handling the request and for the secondary purposes of checking levels of service or amending our processes (where applicable).
When enforcement action is taken, the LSRA may publish decisions. In the course of investigations, it may be necessary to disclose information to third parties such as employers, employees, partners, Shareholders of a Law Firm or complainants in order to establish factual context, to explain decisions made and keep our processes transparent.
Where there is an overriding public interest in doing so, the LSRA may make further details available, including public statements where there is a need to safeguard public confidence.
The LSRA may make some information about Regulated Persons publicly available and accessible including the name, date of call, qualification and place of work.
For any events held, Personal Data may be processed for invitation or registration purposes. This would assist the LSRA with understanding how many individuals attend events and the arrangements required.
B. Persons making complaints about Regulated Persons
On receipt of a complaint about a Regulated Person, the LSRA will create a complaint file which will contain data including the identity of the complainant and persons complained of, the relevant Law Firm and/or third parties involved in the complaint.
The identity of a complainant will usually be disclosed to the Regulated Person and/or the Law Firm or employer from which they provide services. If a complainant does not wish to be identified the LSRA will try to respect such wishes. However, the LSRA may be unable to do so where it is considered that there is an overriding need to protect the public.
Information received by complaint or during an investigation may be used to inform the LSRA’s work which may include using information in further related or unrelated investigations, enforcement and applications. Details may also be shared with relevant third parties where required in order to establish the factual matrix of any complaint, explain decisions taken, and ensure transparency in the LSRA’s processes.
The LSRA may need to process diversity data and special category data in the course of investigating and compiling complaint files. This may be relevant to the complaint.
Records of complaints (and any action taken following a complaint) will be kept by the LSRA. The reason for this is because such information could, along with other complaints or concerns received about the same Regulated Person or Law Firm, be relevant to follow up action.
Information may also be used to prepare statistics and information (though not in a form which identifies any individuals).
C. Persons making complaints about the LSRA
On receipt of a complaint about the LSRA, a complaint file will be created, containing data including the identity of the complainant and persons complained of.
The LSRA will use personal information to deal with the complaint but may also use it to review levels of service. The LSRA may also prepare or publish statistics / research from data collected (e.g. the number and types of complaints received).
Should the complainant request that a complaint be independently reviewed, data may be shared with an independent reviewer who will consider the relevant information in order to reach any decision.
In respect of any enquiries received, whether via the website, via any method of communication or by telephone, the LSRA usually only uses information to handle or deal with the request.
Information may also be used to inform how the LSRA regulates or to review and make changes to services provided.
E. Other persons including contacts and suppliers
The nature of the work undertaken by the LSRA means that personal information will be handled about third parties who are, in some way, connected to the work undertaken or services provided to the LSRA. It may include witnesses to an investigation, clients of Regulated Persons or Law Firms, or even service providers.
It may be that data collected could include special category data about such third parties. Such data will only be processed where the requirement for doing so has been identified.
- What is the legal basis for processing the Person’s Personal Data?
The LSRA will always process Personal Data on lawful grounds, in accordance with the requirements and exemptions of the DP Legislation.
The LSRA will generally process data on the basis that it is necessary for the performance of a task carried out in the public interest and / or in accordance with its statutory functions. When special category data is processed, it is done so either in the substantial public interest to achieve regulatory objectives or to comply with the LSRA’s statutory duties or because the LSRA is exercising functions designed to protect the public from misconduct, unfitness or incompetence.
Data may also be processed because it is necessary for the pursuit of our legitimate interests and/or the legitimate interests of others. There will be occasions where data is processed to comply with legal obligations, particularly in the context of legal proceedings and compliance with requests by law enforcement agencies. In such circumstances, it is likely the LSRA’s regulatory functions will generally be engaged.
The LSRA will not generally rely on consent as a basis for processing personal data. In the limited circumstances where it may rely upon consent, such consent will be specifically obtained.
Upon the submission to the LSRA of any enquiry, application, complaint or response, as the case may be, the Person will be deemed to have given his/her consent to the LSRA to use the Person’s name, email address, phone number(s) and postal address to contact the Person about his/her enquiry, application, complaint or response.
Such consent may be withdrawn at any time; however, please be aware that there are certain legal provisions which require that the LSRA process Personal Data in order to supervise the activities of Authorised Persons or respond to a complainant or to members of the public.
- Who does the LSRA share Personal Data with?
The LSRA may share information as permitted or required by law or international obligations or requirements to which the LSRA or the jurisdiction of Gibraltar may be subject, or may determine to observe, or for any purposes concerning or relating to the reporting, detection, investigation and legal process of any actual or suspected criminal or other unlawful or prohibited activity.
Therefore, data may be processed because it is necessary for the pursuit of our legitimate interests and/or the legitimate interests of others, compliance with legal obligations, particularly in the context of legal proceedings and compliance with requests by law enforcement agencies. Pro-active disclosures to the Royal Gibraltar Police and other authorities, regulators and/or Supervisory Bodies² may be made.
It is a requirement in s.31 of the Legal Services Act that persons registered in Parts 1 to 8 of the Register shall automatically hold membership of the Law Council. Because of the functions of the Law Council under the Legal Services Act, the LSRA will share with the Law Council, Personal Data (including but not limited to name, year of call, date of first, latest and last registration, business address, telephone and email details).
Additionally, the LSRA may share information with the Chief Justice and/or the Registrar of the Supreme Court and their respective Offices with regard to past, present and future admissions, the issue of practising certificates, disciplinary matters and any other relevant aspects of their practice and the supervision of the delivery of legal services and those who deliver them. The LSRA may do likewise in the case of the Institute of Legal Executives or Law Costs Draftsmen and principals of Government service or of commercial or other business concerns, statutory bodies or agencies or not-for-profit organisations in or for which persons who are Authorised Persons or registrable as such may be practising. In these instances, information will only be shared to the extent that it is either permissible by law or necessary for the LSRA to carry out its functions, as may be required by legislation including the Supreme Court Act 1960, the Legal Services Act 2017 and respectively related and subsidiary legislation.
As also set out above, the LSRA will disclose a complainant’s identity to whomever the complaint is against, in order to be able to properly resolve the matter. The LSRA will try to accommodate a complainant who wishes to remain anonymous, but if a complaint proceeds it is generally inevitable that the identities of both parties will be revealed for reasons of fairness and transparency.
In circumstances where the LSRA holds, or may, in the future hold, any data as a joint controller with another entity (in particular, but not only, the Registrar), the LSRA does so and will do so in accordance with applicable data protection legislation.
Overseas transfers of data
Personal Data may be transferred internationally where the LSRA needs to send information to regulatory counterparts or to officials overseas in connection with regulatory or criminal investigations or processes. In such circumstances, the Persons will not generally be informed that their data has been transferred if doing so would undermine the purpose for which it is transferred.
² See Proceeds of Crime Act 2015
- How long will the LSRA hold Personal Data for?
Personal Data is only stored whilst it is required for the relevant purposes, or to meet legal requirements. It will be kept for as long as necessary to ensure that the LSRA fulfils its regulatory role in the public interest and in line with its retention policy.
Specifically, in the case of registrations, practising certificates, renewals of same and conduct and disciplinary matters, the Personal Data may be held for longer than the Authorised Person is currently practising and/or indefinitely.
In the case of investigations carried out as a result of a complaint, the LSRA will hold the Personal Data for the course of the investigation, any hearings and any appeals therefrom and if the LSRA has issued any decisions, recommendations, directions, or any other action which is appealable, it will usually hold the data for the period provided for by statute for such appeals, including judicial review, to take place and a further six years from the date of final determination, but will keep it for longer periods. For example, Personal Data may be retained in order to capture a full regulatory history of a Regulated Person.
Where the Personal Data is no longer required, the LSRA will ensure it is disposed of or deleted in a secure manner. In certain circumstances, it will anonymise the data to the extent that it will continue to process data in a format which makes identifying the Person impossible. In these instances, every effort will be made to ensure proper and correct processes are in place to carry this out effectively.
- The Person’s rights
Persons will usually have the following rights in relation to data held by the LSRA:
- Right of access: A Person has the right to request and obtain a copy of any Personal Data that the LSRA holds about the Person including the reasons why it is held, who that data would be shared with as well as details of the period for which it will be retained;
- Right to rectification: A Person has the right to request the modification of data held if that Person believes the Personal Data held is inaccurate or incomplete;
- Right to erasure: A Person has the right to request the deletion of Personal Data in certain circumstances;
- Right to data portability: A Person has the right to receive a copy of the Personal Data in a structured, commonly used and machine-readable format;
- Right to restrict processing: where the LSRA processes the Person’s Personal Data on the basis that it has consent to do so, the consenting Person may withdraw that consent;
- Right to object to processing: A Person has the right to object to the LSRA processing their data.
The exercise of such rights is expressly subject to the statutory exemptions or other similar provision, including, but not only, in relation to the detection, investigation and prosecution of persons or entities. As such, these rights are not absolute in all cases.
For example, the LSRA may be unable to stop processing Personal Data where such processing is carried out on the basis of the LSRA’s legitimate interests or its legal obligations (including where the Personal Data is needed by the LSRA to perform regulatory functions). Even where consent is relied upon as the lawful basis for processing and such consent is withdrawn, the LSRA may continue to process that Personal Data unless there is no other lawful basis for a continuation of the processing or there are no overriding legitimate grounds to continue.
Should a Person wish to exercise the right of access, the LSRA will need to satisfy itself of that Person’s identity. Proof of identification will be requested. If satisfied, contact details will be requested in order to pass on the data.
If any Person wishes to exercise any of these rights, the LSRA should be contacted in writing at the address set out below.
- How does the LSRA update this Privacy Notice?
This Privacy Notice is reviewed and updated, as required. It is available on our website or on request.
- Who can be contacted with regard to this Privacy Notice?
The point of contact at present is Albert Yome who may be contacted at the following address:
The Legal Services Regulatory Authority
Suite 841, Europort, Gibraltar
Alternatively, he can be reached:
By telephone: (00350) 22250490
By email: email@example.com
The Gibraltar Regulatory Authority
You have the right to lodge a complaint with the Information Commissioner or any other supervisory authority where you work, normally live or where any alleged infringement of data protection laws occurred.
The supervisory authority in Gibraltar is the Gibraltar Regulatory Authority which may be contacted as follows:
By telephone: +350 200 74636
By email: firstname.lastname@example.org
Complaints may also be submitted online here.
This Notice has been updated on 2nd August 2023