Privacy Policy

Data Protection Policy

1. Introduction

We, Abacus Financial Services Limited (and its group companies, together “Abacus”) are routinely required to collect and use certain types of information, or personal data, about our clients, suppliers and business partners in order to carry on our work.  We may also need to deal with personal data relating to existing, former or potential clients, contacts, and business partners.

This personal information must be collected and dealt with appropriately whether it is collected on paper, stored in a computer database, or recorded on other material and there are safeguards to ensure this under the current Data Protection Act 2004 (the “DPA”) and also under the General Data Protection Regulation (“GDPR”) which comes into force on 25th May 2018.

2. Data Controller, Data Protection Officer

Abacus is the Data Controller under the DPA and GDPR, which means that it determines what purposes personal information held, will be used for. It is also responsible for notifying the Data Protection Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.

Abacus has designated a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection. The Data Protection Officer may be contacted at

3. Registration with Supervisory Authority

Abacus complies with the DPA/GDPR requirement for the firm to register the fact that it collects and uses particular categories of personal data. The Gibraltar Regulatory Authority maintains a register (“the Register”) of processing operations in respect of all organisations registered to handle personal data. The Register is a public document.

Details of Abacus’s Gibraltar registration is published on the Gibraltar Regulatory Authority’s website ( under the following registration number: DP002888.

4. Our approach to dealing with confidential information and personal data

The DPA and the GDPR are about protecting people, not just data, and this philosophy guides our confidentiality and privacy policy. Our policy includes the eight key principles of data protection, which we will apply to all confidential information as well as to personal data. Specifically, the principles require that personal information:

  • Is processed fairly and lawfully and, in particular, is not processed unless specific conditions are met,
  • Is obtained only for one or more of the purposes specified in the law, and is not processed in any manner incompatible with that purpose or those purposes,
  • Is adequate, relevant and not excessive in relation to those purpose(s),
  • Is accurate and, where necessary, kept up to date,
  • Is not kept for longer than is necessary,
  • Is processed in accordance with the rights of data subjects under the Act and the GDPR,
  • Is kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,
  • Is not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals/service Users in relation to the processing of personal information.

5. Use of Confidential Information and Personal Data

On the basis of these principles, therefore, we will:

5.1 Ensure that we have in place a robust data protection policy that accords with all the principles of the Act and of GDPR. When directly collecting personal data, where reasonably practicable we will provide data subjects with notice about the types of information collected and the intended uses of this information together with any other information that may be necessary to ensure the processing is fair.  This information need not be provided where the effort involved would be disproportionate to the value to the individual of being informed.

5.2 Only collect and use confidential information and personal data for legitimate regulatory, client service and Abacus business purposes and only disclose this information to Abacus personnel or a third party that need to have access to the information for the purposes outlined above.

5.3 Collect only confidential information and personal data that is adequate, relevant and not excessive for the intended purposes.

5.4 Keep confidential information and personal data up to date for the intended purposes and take reasonable steps to ensure the information is up to date by periodically asking data subjects whether there have been any changes. We will promptly correct any errors upon discovery or notification by the data subject. Individuals may request that Abacus corrects the personal data it holds about them. Abacus will comply with a reasonable request for correction and if it does not agree that the personal data is incorrect, it will record the fact that the individual believes the information is incorrect. In the event of a dispute, a complaints procedure is in place.

5.5 Retain confidential information and personal data no longer than necessary for the intended purposes, unless a longer period is required for legal or regulatory reasons. Once the data is not required for its intended purposes or under any statutory provision, it will be disposed of appropriately.

5.6 Upon request or when required, we will explain to our clients and other data subjects what confidential information or personal data of theirs is shared with other third parties locally or across country borders, where and with whom and for what purpose; and we will at all times respect any confidential and/or data protection obligations which may be in the client engagement contract. We will only share confidential information and personal data with the consent of the party to whom the information or data belongs.

5.7 We take all appropriate technical and organisational security measures against any unauthorised disclosure or access, alteration, accidental loss, destruction or damage to confidential information and/or personal data.

5.8 When transferring or receiving confidential information or personal data across country borders, we will comply with any relevant legal, professional or contractual requirements. Personal data shall not be transferred to countries outside the EE Area unless certain conditions are met. We will keep on our database details of any legal and professional requirements for certain territories, as we become aware of them.

6. Data Subject's rights and requests

6.1 All individuals in respect of whom we hold personal data have rights when it comes to how we handle their data. These include rights to:

  • withdraw consent to processing at any time;
  • receive certain information about our processing activities;
  • request access to their personal data that we hold;
  • prevent our use of their personal data for direct marketing purposes;
  • ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
  • restrict processing in specific circumstances;
  • challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
  • request a copy of an agreement under which personal data is transferred outside of the EEA;
  • object to decisions based solely on Automated Processing, including profiling (ADM);
  • prevent processing that is likely to cause damage or distress to the data subject or anyone else;
  • be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
  • make a complaint to the supervisory authority; and
  • in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine readable format.

6.2 Any individual who wishes to access their personal data should make a request in writing to the Data Protection Officer. Upon any request by a data subject to obtain details of personal data being held by Abacus, documentary proof of identity and proof of address of the person requesting the information (such as an I.D. card or passport and utility bill) will be obtained prior to disclosure. Where practicable, the person requesting the information will be asked to come into the offices in person to collect the data. Any data sent by post as a result of such a request will only be sent to the address we have in our records for the subject.

6.3 Abacus will abide by any request from any individual not to use their personal data for direct marketing purposes by endeavouring to ensure that the individual’s details are suppressed.

7. Complaints to the Competent Authority

Data subjects have the right to complain to the supervisory authority, the Data Protection Commissioner, if they are not satisfied that their rights under the legislation are being respected.  The Data Protection Commissioner is the Gibraltar Regulatory Authority, of 2nd Floor, Eurotowers 4, 1 Europort Road, Gibraltar. Telephone: (+350) 20074636 Fax: (+350) 20072166  email:

Last updated: May 2018