Privacy

1. Introduction and Purpose

William Serfaty & Company Limited (t/a The Red House) is a company incorporated under the laws of Gibraltar (together, “The Red House”, “we”, “our”, “ours” or “us”). We are committed to protecting the privacy and security of your personal information in accordance with our legal obligations.

This Website Privacy Policy (the “Policy”) explains in detail the types of personal data we may collect about you and what we do with your personal data when you use, navigate or interact with our website (www.theredhousegib.com). It also sets out what we do to keep your personal data secure, as well as your rights in relation to the personal data we hold about you.

The Red House offers goods and services in or from within Gibraltar, which is no longer part of the EU. Gibraltar has its own data protection laws that apply certain EU laws. This is referred to in this Policy as the “Data Protection Legislation”, which includes: The Data Protection Act 2004 (as amended) (“DPA 2004”), and regulations made under that Act; and the “Gibraltar GDPR”, which is essentially the EU’s General Data Protection Regulation (Regulation (EU) 2016/679, or the “EU GDPR”) as it forms part of Gibraltar law.

The Red House is a “Data Controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under Data Protection Legislation to notify you of the information contained in this document.

In this Policy, “Personal Data” means any information relating to you as an identified or identifiable natural person. A “natural person” is a human being, and this expression excludes corporate or legal entities, trusts or legal arrangements. Personal Data does not include data from which you cannot be identified (which is referred to simply as data, non-personal data, anonymous data, or de-identified data).

In this Policy, “processing” means our interaction with your Personal Data and what we do with it such as collecting, using, recording, altering, updating, storing and deleting your Personal Data.

2. The Personal Data We Collect & How We Collect it

We collect your Personal Data when you use our website, come into our premises, or communicate with us either by phone or email. We may also collect Personal Data through the use of cookies as set out in our Cookie Policy.

The Personal Data we collect on our Website is:

  • Your name (including your preferred title or prefix);
  • Your email address;
  • Your phone number (including country code); and
  • The content of any message you may send us.

In addition to the above, we also collect the following Personal Data when you come into our premises, communicate with us and/or purchase goods from us:

  • Your name (including your preferred title or prefix);
  • Your email address;
  • Your phone number (including country code);
  • CCTV Images/footage;
  • Your Identification documents such as Passport, Driving Licence or Identity Card;
  • Your Bank Account and payment details;
  • Your purchase history;
  • Your watch servicing history.

3. Data Collected by Rolex and Tudor

In order to keep our website up to date and to provide you with all the latest information on our brands, we directly embed content from the Rolex and Tudor websites.

Accordingly, when you navigate or view pages in respect of the Rolex section of our website, you are interacting with an embedded website from https://www.rolex.com/. In such case Rolex’s Terms of Use, Privacy Notice and Cookie Policy are applicable and they may collect further Personal Data from you for which we are not the Data Controller.

When you navigate or view pages in respect of the Tudor section of our website, you are interacting with an embedded website from https://www.tudorwatch.com/. In such case Tudor’s Terms of Use, Privacy Notice and Cookie Policy are applicable and they may collect further Personal Data from you for which we are not the Data Controller.

4. Lawful bases for the processing of your data

In order to process personal data, we need a valid lawful basis under the Data Protection Legislation which will justify the processing. The lawful bases which we rely on are the following.

Contractual / Pre-contractual necessity

This lawful basis applies to most of our processing activities in relation to Personal Data. It applies both during the pre-contractual stages of our relationship (for example, when you are on a waiting list for an item or when you contact us through our website enquiring about an item) as well as when we complete a sale with you.

Compliance with a legal obligation to which we are subject

We are subject to legal obligations other than the Data Protection Legislation, which may require us to process Personal Data. For example, we are required to retain information in accordance with record-keeping requirements under other applicable legislation. Further, we may need to carry out certain customer due diligence checks and reporting for the purposes of anti-money laundering legal and/or regulatory requirements.

Our legitimate interests or that of a third party

We may also process your Personal Data where it is in our legitimate interests (or the interests of a third party) to do so. This, for example, is used for the purposes of recording CCTV, preventing fraud, or establishing our legal rights and other such interests.

Consent

We rarely rely on your consent to process your Personal Data, as usually another lawful basis will be more suitable. Where we do seek to rely on your consent, we will always ensure that this consent is fairly obtained by clearly informing you about why your consent is needed. We rely on your consent in order to store your purchase history and/or service history with us for a period longer than 6 years. Before doing so we will obtain your consent through a dedicated form which you complete and sign or by sending us your agreement via email. When we rely on consent in this way, you have the right to withdraw your consent at any time.

5. How we use your Personal Data

We may process your Personal Data for the following purposes, depending on how you interact with us. Some examples are:

To complete a sale with you – We process your Personal Data when you make a purchase from us by recording your name, address and contact details as well as copies of card payments and transfers. We may also require your identification documents in order to comply with our legal obligations.

To allocate or order items – Given the nature of the items we offer, commonly demand outweighs our ability to meet this demand. In these cases, we require your personal data in order to register your interest in items and contact you when such items become available. In other instances, for certain items we may be required to share your Personal Data with our supplier (Rolex S.A) in order to obtain items on your behalf.

To service your watches/jewellery – When you provide us with an item to be serviced or repaired we require your Personal Data in order to keep a record of your item whilst it is in our possession and to contact you when your items are ready for collection.

To respond to your queries – When you communicate with us it may be necessary to record and use your Personal Data in order to answer a query (for example about an item which is undergoing a service) or for us to be able to respond to you at a later time.

To comply with our legal obligations – In certain circumstances we are under legal obligations to carry out certain due diligence/KYC checks on our customers. In these instances, we require your Personal Data in order to comply with these obligations.

To prevent or detect crime – We operate a CCTV system inside our premises and outside of our shop front in order to detect and prevent crime as well as other purposes outlined in this Policy.

6. CCTV Usage

We operate a CCTV system within our premises and our shopfront pursuant to our legitimate interests and for the following specific purposes:

a) To detect, deter and prevent crime;

b) To detect, deter and prevent serious breaches of our policies and procedures in accordance with good management practice;

c) To assist with the identification, apprehension and prosecution of offenders; and

d) To ensure the safety of our staff, customers, tenants and visitors to our premises.

No sound is recorded by our CCTV system.

We clearly display signs in the vicinity of the cameras so that staff, visitors and customers are aware they are entering an area covered by CCTV.

We make every effort to position our CCTV cameras to ensure they only cover the areas necessary for the purposes set out above. No cameras will focus on residential or private accommodation or property.

Unless required for evidential purposes, the investigation of an offence or as required by law, CCTV images will be retained for no longer than 30 days from the date of recording. Images will be automatically deleted from this point.

All recordings captured via our CCTV system are centrally recorded on a password-protected dedicated server.

CCTV Requests

A request for images by a third party should be made in writing to the Privacy Manager using the contact details set out in this Policy below. In limited circumstances it may be appropriate to disclose images to a third party, such as when a disclosure is required by law, in relation to the prevention or detection of crime or in other circumstances where an exemption applies under the Data Protection Legislation or other relevant legislation. Such disclosures will be made at the discretion of the Privacy Manager, with reference to relevant legislation.

7. How we secure your information

We are committed to taking appropriate measures designed to keep your personal data secure. Our technical, administrative and physical procedures are designed to protect personal data from loss, theft, misuse and accidental, unlawful or unauthorised access, disclosure, alteration, use and destruction. We follow generally accepted standards to protect the personal information submitted to us. Some of the measures we deploy are:

  • Hardcopy – Where appropriate we keep hard copy records in organised physical filing systems which have physical locks in order to ensure access is restricted solely to our personnel.
  • Electronic – Where appropriate all Personal Data held electronically is stored in password protected devices. In other instances, Personal Data is contained within password protected documents and folders. We engage a third party provider to assist us with our IT infrastructure and to ensure that appropriate security measures (including backups) are in place.

8. Sharing your Personal Data

We do not share your Personal Data other than with the following:

  • Our service providers and professional advisors – these are located within Gibraltar and include our accountants, lawyers and those who provide us with services such as IT support.
  • Law enforcement or prosecuting entities – we may be required to share Personal Data (such as CCTV footage/images) with law enforcement agencies under the Data Protection Legislation.
  • Pursuant to a Court Order or legal requirement – we may also share Personal Data if we are required to do so under a Court Order or under a legal requirement to which we are subject.

Under the Data Protection Legislation, personal data can flow fairly freely from Gibraltar to the United Kingdom or to the EEA. However, certain restrictions exist where personal data is being transferred to a ‘third country’ outside the EEA or the United Kingdom. We only transfer Personal Data outside Gibraltar to entities that are located in Switzerland. Switzerland has been deemed ‘adequate’ under the Data Protection Legislation which means it protects your Personal Data to a similar standard. The entities we share with in Switzerland are:

  • Rolex S.A – We share Personal Data with Rolex S.A for the purposes of registering your guarantee when you purchase an item from us or in some cases in order to acquire certain items for you. Rolex S.A
  • Tudor S.A – We share Personal Data with Tudor S.A for the purposes of registering your guarantee when you purchase an item from us.

9. Storing your Personal Data

We retain your Personal Data in accordance with our internal data retention policy which outlines how long we retain your Personal Data based on the type and nature of the information and the legal or regulatory requirements that apply.

Typically, we retain most of your Personal Data for no longer than 6 years. However, where you have provided your express consent, we retain your purchase and/or service history until you inform us you no longer wish us to retain this information. We offer this longer retention period to our clients as we understand that the items we sell are, by their nature, long lasting and durable and you benefit from having detailed service records for your items. Equally, in the event that items are lost or stolen we are able to provide you copies of your original sales receipts etc for insurance purposes. This is an entirely voluntary service which we offer and which requires your express consent. Should you not provide your consent then your information is kept for no longer than 6 years.

In some instances, it may be necessary to retain your Personal Data for longer periods such as where continued retention is necessary for the establishment, exercise or defence of legal claims. Where information we hold is no longer necessary and relevant we may de-identify and aggregate this data with other non-personal data to provide insights which are commercially valuable to us, such as statistics of the use of our website or sales. This information will be de-associated with your name and other identifiers and the data will therefore be anonymised.

10. Your Rights

As noted above, Gibraltar has its own Data Protection laws that apply certain EU laws, with such modifications as are necessary. Depending on your particular circumstances, you may also have additional rights if you live or work outside of Gibraltar. For example, the EU GDPR may apply to you if you are based in the EEA.

Under the Data Protection Legislation in Gibraltar, if you are a natural person (in other words, a human being and not a company), you have the right to:

  • Request access to your Personal Data – This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
  • Request correction of the Personal Data – This enables you to have any incomplete or inaccurate Personal Data we hold about you corrected.
  • Request erasure of your Personal Data – This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
  • Object to processing of your Personal Data – You have a right to object to our processing of your Personal Data generally on grounds relating to your particular situation or circumstances. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your Personal Data – This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your Personal Data – This enables you to ask us to send your Personal Data to another party.
  • Withdraw your Consent – This enables you to withdraw your previously obtained consent to process your Personal Data where this is the sole basis we rely upon to process your data.

If you wish to exercise any of your rights please contact our Privacy Manager using the contact details set out in section 11 below.

You also have the right to complain about the use of your personal information to the supervisory authority which is the Gibraltar Regulatory Authority (“GRA”). You may contact the GRA on the below details:

Address: Gibraltar Regulatory Authority, 2nd Floor, Eurotowers 4, 1 Europort Road, Gibraltar, GX11 1AA

Email: info@gra.gi

Phone: (+350) 200 74636

Website: www.gra.gi

Limits to your Rights

Your right to information under Articles 13 and 14 of the Gibraltar GDPR is limited in certain cases. The requirements to give information do not apply insofar as:

a) The provision of information to you proves impossible or would require disproportionate effort on our part in order to provide. This is provided that we take appropriate steps as controller to protect your rights as a data subject, your freedoms and your legitimate interests, including by making information publicly available (as this Policy intends to do);

b) Obtaining or disclosure is expressly laid down by Gibraltar law to which we are subject and which provides appropriate measures to protect your legitimate interests;

c) The Personal Data must remain confidential subject to an obligation of professional secrecy regulated by Gibraltar law (such as statutory obligations of secrecy); or

d) You already have the information.

11. Who We Are & How to Contact Us

The data controller for the Personal Data you provide to us is William Serfaty & Company Limited (t/a The Red House). If you have any questions, concerns or comments or if you would like further information about this Policy, how we handle your Personal Data, or otherwise wish to enforce your data protection rights please contact us at:

Address: The Red House, 68 Main Street, Gibraltar, GX11 1AA

Email: privacy@theredhouse.gi

Phone: (+350) 200 44504

Website: www.theredhousegib.com

12. Updates to this Policy

We reserve the right to amend this Policy from time to time without notice in order to be consistent with the Data Protection Legislation. Where we do make significant changes to this Policy, we will take appropriate steps to bring those changes to your attention including updating this Policy on our website.

This Policy was last modified: 10th June 2022

13. Rolex Section

While navigating on the Rolex section of our website, you may interact with an embedded website from www.rolex.com. In such case, Terms of Use, Privacy Notice and Cookies Policy of www.rolex.com are solely applicable.