Privacy and Cookies Policy

Dear User,

This Privacy and Cookies Policy presents the rules for handling Personal Data obtained and for using cookies and other technologies on the domains and, also within the Mobile Banking and the Internet Banking services.

Please be informed that G-Rock Limited with its registered office in Gibraltar, acting as the personal data controller within the meaning of Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), exercises good care in protecting and respecting the privacy of both Customers and Users who use our services. 

We pay particular attention to ensure that obtaining, using and distributing Your Personal Data is based solely on the provisions of this Privacy and Cookies Policy, the regulations governing the Bank’s services You have selected and the relevant provisions of the generally applicable law, in particular the General Data Protection Regulation. 

You acknowledge that when you contract for our services You and Your relatives may be subject to AML procedures (including those relating to Politically Exposed Persons) and any procedures which may be relevant for tax purposes. Such processing will be performed only to the extent necessary and required by applicable laws.



For the purpose of these Regulations, any reference in these Regulations to the following words and expressions shall have the following meaning:

  1. Agreement – shall mean Personal Banking Agreement and if applicable Wealth Management Agreement; 
  2. AML Directive (EU) – shall mean Directive 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (Text with EEA relevance);
  3. AML – shall mean Anti-Money Laundering;
  4. Application Form – shall mean your statement made through the Mobile Application or our Website, using the registration form issued by us, to express your intent to enter into and execute the Agreement;
  5. Banking Services Agreement - shall mean the agreement entered into  between you and us in relation to how we maintain your Bank Accounts and execute your Instructions; agreement is jointly constituted of Application Form and documents: Terms & Conditions for Bank Accounts, Terms & Conditions of  Digital Channels Usage,  Fees and Charges Schedule; Interest Rates Schedule; Currency Exchange Rates Schedule, , Privacy and Cookies Policy (each as amended, varied, supplemented, substituted or novated from time to time);
  6. Banner Ad – shall mean a form of advertising our products and Services which entails embeds an advertisement into a view of the Mobile and Internet Banking;
  7. Biometric Data – shall mean Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a Customer, which allow or confirm the unique identification of that Customer, such as facial images or voice tone;
  8. CFT – shall mean Counteracting Financing Terrorism; 
  9. Consumer – shall mean a Customer acting for purposes which are outside his trade, business or profession;
  10. Complaint – shall mean your notification advising of your dissatisfaction/claim in relation to a service or product offered by us;
  11. Contact Centre – shall mean the centralised contact point where you can direct your queries/questions and receive a response, it can be via e-mail, voice, chat or video; information on how you can access our Contact Centre is included in the Guide to our Services and in the Terms & Conditions of Digital Channels Usage;
  12. Controller – shall mean us as a Personal Data controller whose tasks include, amongst other things, determining the purposes and means of processing of personal data in relation to the Bank’s business; 
  13. CRS – shall mean the common reporting standard for automatic exchange of financial account information on tax matters as developed by the Organisation for Economic Co-operation and Development and implemented by the European Union currently through the Directive on the mandatory automatic exchange of information in the field of taxation (Directive 2014/107/EU) and implemented currently in Gibraltar by the International Co-operation (Improvement of International Tax Compliance) Regulations 2016;
  14. Data Processor – shall mean a natural or legal person, public authority, agency or other bodies which processes Personal Data on our behalf;
  15. FATCA – shall mean Foreign Account Tax Compliance Act; 
  16. GDPR – shall mean The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as applicable to Gibraltar through the Data Protection Act 2004; 
  17. Identity Document – shall mean a valid photo identity document which is issued under the laws and regulations in force at the time of the Agreement in the country of your citizenship and which confirms your identity; the types of Identity Documents which we accept are specified on our Website and updated from time to time; 
  18. Internet Banking – shall mean the electronic method which allows you to use our Services through our Website:;
  19. Internet Password – shall mean the sequence of characters used to verify your identity when accessing Internet Banking;
  20. Login – shall mean the sequence of characters which you defined yourself and entered in the Application Form, which has to comply with our security standards communicated to you in the Guide to our Services and which is used to identify you when accessing Internet Banking and/or when activating Mobile Application for the first time on your mobile device;
  21. Login Data – shall mean each or all of the following (as the case may be): Login, Internet Password or PIN and any other data used for identification and authentication from time to time notified by us to you and secured in accordance with Privacy and Cookies Policy and applicable law;
  22. MiFID II – shall mean the Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, as supplemented by the delegated acts;
  23. Mobile Application – shall mean our software which you can download to your mobile devices such as smartphones and which allows you to use our Mobile Banking;
  24. Mobile Banking – shall mean the service provided by us which allows you to use our Services through mobile devices with access to the Internet and which are equipped with our Mobile Application; 
  25. Mobile and Internet Banking – shall mean our Mobile Banking and/or Internet Banking Service (as the case may be);
  26. PIN – shall mean your own secret identification number, selected by you, which you will use to log into Mobile Banking Service and to authorise your Instructions undertaken via the Mobile Application;
  27. PEP – shall mean Politically Exposed Person as defined in the article 3 point 9 of the AML Directive (EU);
  28. Personal Data – shall have the same meaning as in Article 4(1) of GDPR and covers any information relating to you, including but not limited to an identification number, location data, Login, Biometric Data;
  29. POCA Act – shall mean Proceeds of Crime Act 2015, Laws of Gibraltar;
  30. Privacy and Cookies Policy – shall mean the "Privacy and Cookies Policy" as amended, varied, supplemented, substituted or novated from time to time, the policy includes the rules for handling Personal Data obtained and for using cookies and other technologies on Website; 
  31. Profiling – shall mean any form of automated processing of Customers' Personal Data consisting of the use of their data to evaluate certain personal aspects relating to a natural person;
  32. Push Notification Service – shall mean notifications that we may send to your desktop and/or to your mobile device, which are alert-style messages that appear on the desktop screen or on a mobile device when you use your web browser or when you have our Mobile Application installed;
  33. Services – shall mean Personal Banking Services, Wealth Management Services and other services which we provide to you according to relevant terms and conditions;
  34. Text Message – shall mean message sent from our server to inform you about our products and services, which may also be based on the results of profiling;
  35. User – shall mean any natural person using the Website and/or Mobile Application; 
  36. We/us/our/Bank – shall mean G-Rock Limited with its registered office in Gibraltar, second Floor, 92 Irish Town, GX11 1AA Gibraltar, Company No. 112854, trading as the Golden Sand Bank. Contact details:; PO Box 1377, Gibraltar;
  37. Website – shall mean the content which can be found under the domains or;
  38. You/your/Customer – shall mean a natural person having full legal capacity (in accordance with the law of the citizenship) who intends or has concluded an Agreement with the Bank. A Customer acting for purposes which are outside his trade, business or profession is treated as a Consumer for the purposes of the Agreement.


The processing of the Personal Data within this Privacy and Cookies Policy is justified and necessary for the performance of the Agreement and Services offered by us to our Customers (please refer to Article 6(1)(b) of GDPR), and in respect of marketing communications which we may send to you from time to time, justified and necessary in accordance to our legitimate interests (please refer to Article 6(1)(f) of GDPR). We will not use the Personal Data acquired during provision of Services for other purposes than those specified in this Privacy and Cookies Policy or necessary for compliance with a legal obligation to which the Bank is or may be subject to.


Personal Data

3.1. You will provide your Personal Data to the Bank either through applications available on the Website, Mobile or Internet Banking or through any exchange of information with us by any means of distance communication, e.g. phone, e-mail or in any other way, including when lodging a Complaint. Please bear in mind that you may be asked to provide your Personal Data anytime you are in contact with the Bank or associated company to verify your identity.  

3.2. Please note that providing Personal Data is voluntary, however, if you refuse to provide it to us we may not be able to provide the Bank’s Services. 

3.3. Please find below the scope of information you may be requested to provide in relation to the Agreement: 

3.3.1. information necessary for using the Bank’s Services specified in the Application Form: your name(s) and surname, citizenship, e-mail address, mobile phone number, residential address and correspondence address (if applicable); 

3.3.2. information required according to applicable laws, i.e.: the type and number of your Identity Document, national identification number or its equivalent, tax identification number and country of your tax residence, date and place of birth, and for relevant Customers - also your mother’s maiden name or your mother’s name and surname. 

3.3.3.any declaration accepted and submitted by you while completing the Application Form, including statements relating to: PEP, FATCA and CRS. 

3.3.4. information on your financial position: source of wealth, source of funds and estimated monthly income for the AML purposes; 

3.3.5. information on your knowledge, experience and your risk profile in the area of Wealth Management Services. This data relates only to the Financial Instruments and Wealth Management Services and is required under relevant applicable law; 

3.3.6. information relating to Transactions and Instructions placed via Mobile and Internet Banking, and information on Transactions performed using a Debit Card; 

3.3.8. Biometric data – subject to your explicit consent in accordance with Article 9(2)(a) of GDPR; 

3.3.9. a photography of the Identity Document – subject to your explicit consent in accordance with Article 9(2)(a) of GDPR; 

3.3.10. recordings or minutes of any type of correspondence, by e-mail, voice, chat or video between You and Us;  

3.4. Please be advised that you may be required (subject to your consent) to provide additional Personal Data not indicated above if it is necessary to provide Bank’s Services. You will be informed on the purpose of this request.  

3.5. Where we rely on your consent to process Personal Data revoking consent does not deprive the Controller of the right to continue to process that data if it has a different legal basis accordance with Article 6 or 9 of GDPR. 

3.6. In addition, we will be processing Information on devices and networks used by you to access to our Services, e.g. your IP address, Login Data, the type and version of Your browser, operating system, advertising ID, information on visits (including URL address of the website on which you clicked a link redirecting you to our Website), products searched or browsed, downloading errors, time of visit on the Website or phone numbers used to connect to our Contact Centre. 

3.7. While using the Services you may be requested to give an explicit consent for processing of Personal Data for the purpose indicated in section 4 – Data processing – objectives and legal basis of the Privacy and Cookies Policy. Such situation may for example occur while uploading a photography for the purpose of identification of a Customer in Mobile and Internet Banking. 

Whenever such requirement would arise you will be fully informed on the consequences of such consent and about the right to withdraw such consent.  


Data processing – objectives and legal basis

4.1. Information obtained by us, referred to in paragraph 3.3 (Personal Data) above, shall be processed in order to: 

4.1.1. establish a relationship with you and to fulfil obligations resulting from the Agreement, and to provide you with any information and Banking Services;

4.1.2. confirm your identity; 

4.1.3. process Complaints submitted by you; 

4.1.4. collect fees and charges for Services provided by us; 

4.1.5. send you a newsletter and other marketing materials; 

4.1.6. reply to inquiry raised, referring to suggestions proposed, and other similar actions initiated by you; 

4.1.7. ensuring the highest level of security for you; 

4.1.8. implementation of the AML & CFT regulations, in particular: preparation of reports and submission to competent authorities - Gibraltar Financial Services Commission (GFSC) in accordance with applicable law, analysis of Customer data of the Transaction performed on the basis of AML & CFT regulations. 

4.1.9. Implementation of MiFID II regulations, in particular in the field of: providing you with the necessary information about Bank, our Services, basic rules and regulations, fees and charges, target market, existing or potential conflicts of interest and the so-called incentives, adjusting the Services rendered to you by performing suitability and appropriateness assessment, your classification as retail, professional Customer or eligible counterparty, Agreement  conclusion, providing you with the necessary information and reports (inclusive of performance reports) on both ex-ante and ex-post basis, orders and Instructions handling (i.e. their placement, acceptance, transfer and execution), transactions handling (e.g. their settlement), potential Complaints handling, preparation of reports and its submission to competent authorities.

4.2. Data relating to a person which is required to be reported under the acts of law implementing the FATCA and CRS regulations in Gibraltar will be reported to the Gibraltar Competent Authority and may be transferred to the competent authority of another country in accordance with relevant international acts of law. 

4.3. According to article 6 (f) of GDPR, we can process your data to conduct User satisfaction surveys and the quality of our Services. Where we process your Personal Data on the basis of legitimate interests you can always object to this at any time. Please see clause 9 of this Privacy and Cookies Policy for further details on how to exercise this right.



We strive to provide you with choices regarding certain uses of Personal Data, particularly around marketing and advertising.  You can ask us at any time to stop sending you such marketing and advertising on any marketing message we send you by contacting us at any time by email at


Data storage

6.1.  As a rule, your Personal Data will be stored for the entire period of the Agreement, and also for 5 years after its termination (e.g. after the end of the termination notice period). The 5-year period is calculated starting from the end of the calendar year in which the Agreement is terminated. If the law provides for this, the period may be longer, for example 7 years for recorded calls in the MIFID II scope. 

6.2. If you choose the right to cancel the Agreement within 

14 days from its conclusion and you have not done any Transaction on any of your Bank Accounts during that 14 day period, periods for storing your Personal Data shall be the same as those specified in item 6.3.3.

6.3. Certain categories of Personal Data may be stored for other periods: 

6.3.1. financial data shall be stored for the period required by the applicable tax and accounting regulations; 

6.3.2. data collected from the AML & CFT regulations perspective, will be processed for 5 years or later in accordance with POCA Act. 

6.3.3. data processed in connection with a filled  Complaint – for a period of 12 months, unless you are not our Customer or you cancel the Agreement within 14 days of its conclusion, without undertaking any Transaction on any of your Bank Accounts. In such case, we will process your data for a period of 12 months from the date of consideration of your Complaint. 

6.4. Where we process Personal Data on the basis of consent only, then after withdrawal of consent, the processing will be ended. 

6.5. Please be advised that all of your Personal Data may be stored for a longer period of time than specified in the Privacy and Cookies Policy due to a decision of any public authority (including law enforcement agencies) and in relation to any official proceedings.

6.6. While conducting our operations on an international scale, all your Personal Data will be stored and processed within the European Economic Area and may be transferred to a third country outside of the European Economic Area where it is necessary in order to provide our Services to you. We ensure that the Personal Data transferred to such third countries in relation to the Services offered will be subject to appropriate safeguards required in accordance with Article 46 of GDPR, including an approved certification mechanism and binding corporate rules and EU approved Standard Contractual Clauses. If you would like further information about this please contact

6.7. Any Personal Data of the Users that: 

6.7.1. partially completed the Application Form and 

did not submit the Application Form in full, or;  

6.7.2. abandoned the onboarding process, or;  

6.7.3. were refused by the Bank from the onboarding process for any reason, (with the exception of cases where the processing of Application Form is postponed, delayed or deferred);

will be erased by the Bank without undue delay provided that the Bank is not obliged to store the above-mentioned Personal Data under any applicable laws. 


Rights of the data subject

Right to rectification of Personal Data

7.1. At any time, you are entitled to make an Instruction of rectification of inaccurate Personal Data or for completion of incomplete Personal Data. This Instruction may be provided to the Bank in any manner specified in the Guide to our Services.  

Right to be forgotten

7.2. At any time, you are entitled to Instruction of the erasure of the Personal Data provided that one of the following grounds applies:  

7.2.1. the Personal Data are no longer necessary in relation to the purposes of the Agreement or Services;  

7.2.2. you would like to withdraw a consent on which the processing of Personal Data is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of GDPR. 

Withdrawal of consent can be made by sending a letter to the address of the Bank's registered office or e-mail:

7.2.3. you object to the Personal Data processing pursuant to Article 21(1) of GDPR (personal situation) and there are no overriding legitimate grounds for the processing, or You object to the processing pursuant to Article 21(2) of GDPR (direct marketing purposes);  

7.2.4. you presume that the Personal Data have been unlawfully processed;  

7.2.5. the Personal Data have to be erased for compliance with a legal obligation in European Union or Member State law to which the Bank is subject;  

7.2.6. the Personal Data have been collected in relation to the offer of information society services.


Recipients of the Personal Data obtained

8.1. As a Bank, we cooperate closely with external parties which may be recipients of Your Personal Data, such as:  

8.1.1. payments or identity verification, and entities conducting market research or credit bureaus, Gibraltar Financial Services Commission (GFSC) and other state authorities if such obligation results from the applicable law, 

8.1.2. our business partners who can advertise their services on our Website or Mobile and Internet Banking to be reserved by a User – these may comprise any insurance, banking, lease services, etc. for example, we can provide information to such insurance companies to determine is You can obtain insurance cover; 

8.1.3. our business partners who can advertise their services on their own websites or in their mobile applications;

8.1.4. our key supplier - acting as a Data Processor - who delivers Push Notification Service on Mobile and Internet Banking. The use of Push Notification Service is intended to provide the Consumer with the transmission of technical messages related to the functioning of Mobile and Internet Banking. This constitutes a legitimate interest in accordance with Article 6(1)(f) of GDPR. Processing of Customer`s personal data in that scope is also necessary for the performance of the Agreement to which the Consumer and the Bank are parties, due to the Article 6(1)(b) of GDPR.

8.2. Any transfer of Personal Data to these parties will be subject to rules and procedures required in accordance with applicable laws, in particular the requirements set out in the GDPR.


Customer's rights with regard to his/her Personal Data

9.1. When entrusting your Personal Data to us, you have the following rights:  

9.1.1. the right to demand access to, correct, modify, remove or restrict the processing of, your Personal Data; 

9.1.2. the right to obtain a copy of your Personal Data held by the Bank; 

9.1.3. the right to object against processing where we are relying on our legitimate interests and you also have the right to object where we are processing your personal data for direct marketing purposes; 

9.1.4. the right to data portability; 

9.1.5. the right to withdraw your consent given in accordance with Article 6(1)(a) or Article 9(2) of GDPR to Personal Data processing for a specific purpose, if you have previously granted that consent; 

9.1.6. the right to lodge a complaint with a relevant regulator in connection with the processing of Personal Data by the Controller, or bringing a claim to court. The Supervisory authority in Gibraltar is: 

Gibraltar Regulatory Authority
2nd Floor, Eurotowers 4, 1 Europort Road, Gibraltar

9.2. To exercise the rights referred to in items 9.1.1 – 9.1.6, and–, please provide us an Instruction or, in the case of withdrawing your consent, change your settings in the Mobile and Internet Banking. However, we remind you that withdrawing your consent may involve Our inability to continue to provide you with Services. 

9.3. Moreover, in certain cases we may retain certain Personal Data, if required by applicable law, or justified by the possibility of providing our Services, or for another legally justifiable purpose. For example, if we presume that a Customer has committed fraud or infringement to applicable laws. In such circumstances, we may retain certain information in order to prevent the possibility of circumventing the rules governing the use of Mobile and Internet Banking.



10.1. As a Controller, We ensure the security of your Personal Data by using appropriate technical and organizational measures designed to prevent illegal data processing or the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Your Personal Data.  Moreover, we take particular attention to ensure that the Personal Data is: 

10.1.1. accurate and up-to-date; 

10.1.2. processed in accordance with applicable laws; 

10.1.3. obtained solely for the purposes specified in the Privacy and Cookies Policy and not processed contrary to these purposes; 

10.1.4. safely stored; 

10.1.5. not transferred unless with an appropriate legal basis and proper protection. 



11.1. When you use the Mobile and Internet Banking and when you visit the Website, small files (mainly text files) containing information necessary for the correct use of the page are saved on your device. These files are called cookies. They enable collecting the statistical data to help us improve out service and adjust it to your preferences and needs. 

11.2. Cookies contains some data which may identify you, especially when you accept such providers like Google. The content of those cookies may be read only by the server which created them so we will not have direct access to its content. 

11.3. When you visit the Website or Mobile Banking, we use the following types of cookies: 

11.3.1. strictly necessary cookies – they enable you to navigate and to use basic functions. Typically, they are placed only in response to such of your activities as logging in to Mobile and Internet Banking; 

11.3.2. functionality cookies – these are used to recognize a User during their next visit on the Website or Mobile Banking and enable us to improve and personalize the functions offered to a User, e.g. to remember their preferences (e.g. selection of a language or region). Such cookies collect information in an anonymous form and cannot monitor the User’s activity on other websites. 

11.3.3. analytical and performance cookies – enable us to recognize and count the number of persons visiting the Website or Mobile Banking, the logout pages, and to obtain information on how the service is being used (e.g. which pages are opened by the User most often or whether or not the User receives error messages from certain pages). They allow us to improve the performance of the Website by ensuring that the User can easily find what they are looking for. 

11.3.4. advertising and targeting cookies record a User’s visit on the Website, the pages visited and links clicked on. Based on this information, we are able to display ads which are better tailored to the User and their interests. They also serve to limit the number of displays of a single ad and to measure the effectiveness of advertising campaigns. To this end, we can provide the information obtained also to third parties (e.g. advertisers).  

11.4. At the same time, please note that we use third party services to learn how a User is using this Website or Mobile Banking, in order to optimize User experience and to display ads other than ours. Such third parties (including e.g. advertising networks and external service providers, e.g. those which analyse the network traffic) may also use cookies which are beyond our control.  

11.5. You will be asked to accept our Privacy and Cookies Policy when visiting the Website.  

11.6. Deactivating cookies -you are always able to deactivate cookies. Detailed information on how  to do this may be found on our Website. Please bear in mind that deactivation of cookies affects all cookies.  

11.7. Given the large variety of browsers used by the Users, there may be slight differences in how to set them to enable installing cookies. Typically, information on cookies may be find in their menus. For more detailed information, check the website of the producer of a given browser.  

11.8. Except for essential cookies, all cookies will expire within three years. 



12.1. Personal Data that we collect in connection with the use of Mobile and Internet Banking may be processed in an automated manner (including the form of profiling), however, it will not cause any legal effects to Customers or substantially affect their situation. We attach particular importance to profiling and indicate that:

  • we do not process any sensitive data for profiling purposes,
  • we profile to analyze or forecast personal preferences and interests of you and matching the marketing offer to the above preferences.

12. 2. Taking the above -mentioned into the consideration, we state that profiling is necessary for performance of the Agreement, due to the Article 22(2)(a) of GDPR. We reserve, that the banner ads content does not follow from profiling.

12.3. Delivering the text messages to the Customer is based on the grounds for our legitimate interest in processing of Customer`s Personal Data in that scope in accordance with Article 6 (1) (f) of GDPR.


Amendments to the Privacy and Cookies Policy

Any amendment to this document shall be published on the Website. You should regularly review any updates or amendments of this Privacy and Cookies Policy. In the event of significant changes to this document, we will contact you through Mobile and Internet Banking . This Privacy and Cookies Policy was last updated on 31 January 2019.