Privacy Notice

Updated on January 9, 2023

RSM Gibraltar Limited (“RSM”, “we”, “us”, “our” and “ours”) respects your privacy and seeks to protect your personal data. The following privacy policy contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to proceed if you wish to complain. In general terms, “personal data” refers to any information relating to an identified or identifiable living individual.

Our aim is to:

  • keep to a minimum the amount of information we hold about you;
  • use your data to respond to your enquiries and provide our services to you;
  • delete your data when it is no longer needed;
  • apply the appropriate security mechanisms to protect your personal data.

When we use your personal data we are regulated under the Gibraltar General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2004. The GDPR took effect on 1st January 2021 and replaced the EU General Data Protection Regulation, which had until then been in force in Gibraltar. The GDPR functionally operates in the same way as the EU Regulation and as such, we are responsible as “controller” of your personal data in practically the same way as under the EU Regulation. Our use of your personal data is therefore subject to your instructions, the GDPR, any other relevant Gibraltar legislation and our professional duty of confidentiality.


The following are summary responses to basic and common questions you may have on how we handle your data. However, we encourage you to read the more detailed sections that follow.

What information does RSM collect about me?

We collect various elements of your personal data depending on the processing activity. We list these in more detail in the “What personal data do we collect?” section below.

Why does RSM need my information?

We need your personal data in order to provide you with our best service experience and comply with our legal and regulatory obligations.

How is my information used?

We use your personal data for the following purposes:

  • to comply with our legal and regulatory obligations;
  • for the provision of our services or to take steps at your request before entering into a contract for services;
  • for our legitimate interests or those of a third party; or
  • where you have given consent.

Please refer to the “How we collect your personal data?” section below.

What are my rights as a data subject?

You have a right to:

  • opt out of communications;
  • have any incorrect data we hold about you rectified;
  • have your data deleted in certain circumstances;
  • restrict the use of your data;
  • transfer your data to a third party organisation in certain situations;
  • object to us processing your information;
  • access any information we hold on you;
  • complain to us and the Gibraltar Regulatory Authority.

Further information relating to your rights can be found in the “Your rights regarding our use of your personal data” section below.

How do I delete my personal data held by RSM and what are the consequences?

You can always send us an email to [email protected], contact us via our website, write or telephone us and request that your data be deleted. However, we will not be able to provide our services where you request your data to be deleted.

How long does RSM keep my information?

We retain personal data for as long as is necessary to provide our services and fulfil the transactions you have requested, or for other essential purposes such as complying with our legal obligations, resolution of disputes or enforcement of agreements. Data retention periods will vary significantly depending on the different data types involved and the context and nature of the services being provided.

How will you store my information?

We are committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use or disclosure. Please refer to the “Security” section below for more information in relation to our data security processes.


What personal data do we collect?

When you visit our Website

Your name and contact information, provided by you, will be used to respond to your enquiry, requests for further information and to communicate with you during the provision of our services to you. We may also capture your IP address which is only used for analytical purposes, is not shared and not used to identify you.

When you engage us to provide services to you

In order to engage us in the first instance and subsequently provide the services you have engaged us for, we may need to collect and keep, amongst other things, the following information:

  • your name, address and telephone number;
  • information to enable us to check and verify your identity eg. your passport details;
  • your electronic contact details, eg your email address and mobile phone number;
  • your financial details so far as relevant to your instructions;
  • our correspondence and communications with you;
  • details of any services you have received from us;
  • information received from sources other than yourself such as publicly available information.

Depending on the engagement we may also need to collect your tax/accounting/employment/banking information in order to properly discharge our obligations under the engagement.

This personal data is required to enable us to provide our services to you. Please note that withholding this data from us may delay or prevent us from providing services to you.

When you contact us

We collect your contact information and use it to respond to your question/request.

When you apply for a vacant position

We will collect your name, address, contact details and any other data you supply via your CV. We may also subsequently collect proof of ID, references and right to work documentation.


How do we collect your personal data?

We collect most of this information from you. However, we may also collect information, for example:

  • from publicly accessible sources, eg Companies House or the Land Registry;
  • directly from a third party, eg: sanctions screening providers/due diligence providers;
  • from a third party with your consent, eg:
      • your bank or building society, another financial institution or advisor;
      • consultants and other professionals we may engage in relation to your matter;
      • your employer and/or trade union, professional body or pension administrators;
  • via our website — we use cookies on our website;
  • via our IT systems eg. document management systems.

We do not process any data using automated means.


Why do we collect your personal data?

We can only use your personal data if we have a proper reason for doing so, ie.

  • to comply with our legal and regulatory obligations;
  • for the provision of our services or to take steps at your request before entering into a contract for services;
  • for our legitimate interests or those of a third party; or
  • where you have given consent.

A legitimate interest occurs when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

Below are some examples of the uses we may have for your personal data and the general purposes for which we may use them:

Purpose – Use for personal data
To comply with our legal and regulatory obligations.
  • Conducting checks to identify our clients and verify their identity/screening for financial sanctions or embargoes.
  • Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies.
  • Other processing necessary to comply with our professional, legal and regulatory obligations that apply to our business, eg under health and safety regulation, with regards to statutory returns and tax filings or regulatory rules issued by our professional regulator.
  • Ensuring confidentiality.
  • Filing statutory returns.
  • Preventing unauthorised access and modifications to systems.
To provide professional services to you.
  • For the provision of our services or as part of our engagement process.
For our legitimate interests or those of a third party eg. to ensure that we follow our own internal procedures in the interests of providing the highest quality service or to protect our intellectual property.
  • Ensuring business policies are adhered to, eg policies covering security and internet use.
  • Operational reasons, such as improving efficiency, training and quality control.
  • Ensuring the confidentiality of commercially sensitive information.
  • Statistical analysis to help us manage our practice.
  • Preventing unauthorised access and modifications to systems.
  • Updating and enhancing client records.
  • Ensuring safe working practices, staff administration and assessments.
  • Marketing our services to existing and former clients and third parties who have previously expressed an interest in our services.


The above table does not apply to “special category personal data”, which we will only process with your explicit consent. In accordance with the GDPR, “special category personal data” includes any data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data and data concerning health, sex life or sexual orientation.


Promotional communications

We may use your personal data to send you updates about our services, including exclusive offers, promotions or new services.

We have a legitimate interest in processing your personal information for promotional purposes. This means we do not usually need your consent to send you promotional communications. However, where consent is needed we will ask for it separately and clearly. You also have the right to opt out of receiving promotional communications at any time by contacting us at [email protected] or clicking the ‘unsubscribe’ link in our emails containing promotional communications.


With whom do we share your personal data?

We may share your personal data with other organisations in order to enable the provision of our services. These may include statutory bodies, law enforcement agencies and regulatory bodies. We will also discuss any specific security requirements you may have during the provision of these services.

All other third parties that we may use, including those who provide email and storage solutions used in our day to day work, are selected and monitored on how they meet current data protection statutory obligations and the requirements set by the GDPR. Where appropriate, we will also impose contractual obligations on third parties to ensure that they can only use your personal data to provide their services to us and to you. We only permit our third-party service providers to process your personal data for specified purposes and in accordance with our instructions.

We may also need to share some personal data with other parties in order to complete any transaction(s) connected to the provision of our services (eg. a sale transaction). Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

By way of examples, we routinely share personal data with:

  • professional advisers who we instruct on your behalf or refer you to, eg barristers or solicitors, tax advisors or other experts;
  • other third parties where necessary to carry out your instructions;
  • group companies other than the one you are engaged with;
  • our insurers and brokers;
  • our bank;
  • KYC screening providers.


Where do we hold your personal data?

Information may be held at our offices and those of our network companies, third party agencies, service providers, representatives and agents as described in the “With whom do we share your data?” section above.

Where information is required to be held outside the European Economic Area (eg. because you are based outside the EEA or where there is an international dimension to the transaction you have engaged us for), we will only share your data in accordance with the special rules imposed by the GDPR.

The following non-EEA territories have been deemed by the European Commission to have adequate levels of protection for your personal data: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework).

With regards to all other non-EEA territories, we have put in place measures to ensure that your personal data is treated by those third parties in a way that is consistent with the relevant data protection legislation.


How long do we keep your personal data?

We will keep your personal data after we have finished advising or acting for you. We will do so for one of these reasons:

  • to respond to any questions, complaints or claims made by you or on your behalf;
  • to show that we treated you fairly;
  • to keep records required by law.

We will not retain your data for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of data, for example (in normal circumstances):

  • Documents pertaining to clients that we have withdrawn services for – 7 years from the end of the engagement.
  • Annual accounts – 7 years from the end of the relevant period or from the date any tax audit closes.
  • KYC – 7 years from the end of the engagement.
  • Vacancy Application Information – If you are an unsuccessful candidate, 2 months from the date the data was submitted.

When it is no longer necessary to retain your personal data and there is no legal or regulatory requirement or guidance to the contrary, we will delete or anonymise it.


Your Rights regarding our use of your personal data

Should we be engaging with you as a Data Controller, you will have the following rights, which you can exercise free of charge:

  1. Right to access your data – you can review the data we hold and obtain a copy of the same by contacting us directly at [email protected]. We will respond to any request to access your personal data as soon as possible but certainly within 30 days. In some instances, we may need more than 30 days to comply. However, where this is the case we will notify you in advance and give you the reasons why.
  2. Right to rectify data – if any of the data we hold on you is inaccurate you have the right to have it corrected.
  3. Right to erase data – In certain circumstances and in particular when your data is no longer necessary for processing and is no longer required to be kept under legal obligation or in pursuance of our legitimate interests, you may have the right to have it deleted.
  4. Right to restrict use of your data – if you have a concern (for example, if you contest the accuracy of the data), you can (in certain circumstances) prevent us from processing your data.
  5. Right to port your data – You have a right to have your data provided in electronic format for use with another service provider.
  6. Right to object to our processing – Where we are relying on a legitimate interest as our lawful basis to process your data, you can object to its processing in some instances.

Where we are relying on your consent to process the data, you can withdraw it at any time.

You have an absolute right to object to our processing your data for direct marketing purposes.

  7. Right to complain – Should you feel that you need to complain about how we are handling your personal data, please email us at [email protected] or use the “Contact Us” form on our website.

We hope that we can resolve any query or concern you may raise about our use of your personal data but note that you have a right under the GDPR to lodge a complaint with the relevant supervisory authority, in our case, the Gibraltar Regulatory Authority (the “GRA”). The GRA may be contacted at [email protected] or via telephone on +350 200 74636.

  8. Right not to be subjected to automated individual decision-making – This is a right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly affects you.

The GRA website contains further information on each of these rights in their guidance section:

If you would like to exercise any of those rights, please:

  • email us at [email protected] or use our “Contact Us” form on our website. You can also call the Data Protection Manager on +350 200 74854 or write to him by post;
  • let us have enough information to identify you (eg. your full name, address and client or matter reference number);
  • let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
  • let us know what right you want to exercise and the information to which your request relates.



Security

We have developed strict policies governing information technology. These cover areas such as access control, authentication, audit, monitoring, data storage and back up, transmission standards and environment integrity. We will use reasonable endeavours to install and have appropriate security measures in place in our facilities to protect against loss, misuse or alteration of data.

We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We use industry standard encryption systems to ensure your payment details are sent in a secure format.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

As an additional security precaution we do not store any credit card details on our systems.



What is a cookie?
A cookie is a small text file, which often includes a unique identifier, which is issued to your computer or device when you visit a website.

Each website can send its own cookie to your browser if your browser's preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites. Many websites do this whenever a user visits their website in order to track online traffic flows.

We use cookies to improve the quality of the Site and service and to enhance your browsing experience. A number of cookies we use last only for the duration of your web session and expire when you close your web browser. Others are used when, for example, we remember information you have asked us to (such as language preferences) and will last for a longer duration. 

How does RSM use cookies?
Cookies are only used to record aggregated data about your use of the Site including details of your visits such as pages viewed and the resources that you access. Such information also includes traffic data, location data and other communication data, all of which is used to help us improve the Site and therefore give you a better user experience. Some cookies are set by us and some by third parties delivering services on our behalf.

We use the following types of cookies:

  • Essential cookies: these enable you to navigate round the Site, manage your login session so you can move easily from one page to another within the Site and so that your page requests are loaded in a smooth and secure manner.
  • Analytic cookies: these collect statistical information about how you use the Site so that we can improve the Site; they also remember that you have used the Site before, which means we can identify the number of unique visitors we receive to different parts of the Site. We use the Google Analytics service that relies on cookies to analyse how visitors use the Site and generate statistical reports. This information will generally be transmitted to and stored by Google on servers in the United States. See 'How to control and delete cookies' below for information on how you can exercise choice over the collection and use of this data.
  • Functional cookies: these remember information you have asked us to (such as language preferences) and will last for a longer duration.
  • Retargeting cookies and website beacons: RSM occasionally advertises on third party Websites and uses services provided by Google, including its AdSense and Doubleclick services for managing and placing advertisements. These service providers place a cookie on your device and this then enables us at times to track the success of our advertising campaigns, by using a visitor identification technology such as "web beacons," or "action tags," which count visitors who have come to the Site after being exposed to an RSM banner ad on a third party site. We do not use this technology to access your personal information and it is only used to compile aggregated statistics about visitors who come to the Site and to gauge the effectiveness of our ads. The information generated by these beacons is transmitted to us via Google servers in the USA.

This Site does not use cookies to provide any targeted behaviour or interest based advertising to users through the Site. For more information about interest based cookies and to control the use of these cookies please refer to

How to control and delete cookies
RSM will not use cookies to collect personally identifiable information about you.

You can prevent the collection of analytic and retargeting data described above that is generated by cookies by Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available from the following link:

Most web browsers automatically accept cookies but, if you prefer, you can set your browser to either accept all new cookies, have it notify you when you receive a new cookie or disable cookies altogether. If you wish to restrict or block the cookies which are used on the Site, or indeed any other website, you can do this through your browser settings. Please refer to the Help function within your browser to learn how to do this, as every device is different.

You can change your cookie settings at any time at

Please note that if you block or delete cookies on the Site, you may not be able to take full advantage of the Site.

Cookies set on Third Party sites
The Site will from time to time embed photos and video content from websites such as YouTube. As a result, when you visit a page with content embedded from, for example, YouTube, you may be presented with cookies from these websites. RSM does not control the dissemination of these cookies. You should check the relevant third party website for more information about these. 

More information
If you have any queries regarding this Cookie Policy please contact us by e-mail at: [email protected].


Changes to this privacy policy

If changes to our policy include any significantly different use of your personal data, we will let you know in advance.


Contact us

Should you have any questions about this policy or the processing of your data please contact us via email at [email protected], through our “Contact Us” form on our website or by post or telephone (on +350 200 74854), directly to our Data Protection Manager.