Spot the Ball Winners Fair Processing Notice
Last updated – APRIL 8, 2026
Spot the Ball Competition — Winner Testimonial and Photography Campaign
This notice is provided pursuant to Articles 13 and 14 of the General Data Protection Regulation as retained in Gibraltar law (“Gibraltar GDPR”) and, where applicable, the UK General Data Protection Regulation (“UK GDPR”). It supplements Xapo Bank’s general Privacy Notice available at https://legal.xapobank.com/privacy/privacy-notice. It explains how we will process your personal data specifically in connection with this campaign.
1. Data controller
Xapo Bank Limited, Units 1/1, 1/2 and 1/a-1 Casemates Square, Gibraltar, GX11 1AA. Contact: [email protected].
2. Data Protection Officer
Our Data Protection Officer can be contacted at [email protected].
3. Personal data we collect
In connection with this campaign, we collect the following categories of personal data:
(a) Identity data: your full name and email address.
(b) Testimonial data: your written account of winning the Competition and receiving the prize.
(c) Image data: photograph(s) of you with your signed replica shirt. Where photographs include your face, these images constitute personal data capable of identifying you. Photographs without your face (e.g. showing only the shirt, or parts of you that are not identifiable) may not constitute personal data, but we will process all materials in accordance with this notice.
(d) Competition data: the month in which you won.
4. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Collecting your testimonial and photograph(s) | Consent (Article 6(1)(a) Gibraltar GDPR / UK GDPR) |
| Publishing content on Xapo Bank’s social media channels (Instagram, Facebook/Meta, LinkedIn, YouTube and X (formerly Twitter), identifying you by first name and surname initial only | Consent (Article 6(1)(a) Gibraltar GDPR / UK GDPR) |
| Internal record-keeping of consents obtained and withdrawn in connection with the campaign | Legal obligation (Article 6(1)(c) Gibraltar GDPR / UK GDPR) — to comply with our accountability and record-keeping obligations under Articles 5(2) and 7(1) of the Gibraltar GDPR / UK GDPR |
5. Recipients of your personal data
Your testimonial and photograph(s) will be published on Xapo Bank’s social media channels and will therefore be visible to the public. When published, you will be identified by your first name and surname initial only (e.g. “John S.”). We may share your materials with third-party service providers who assist us in managing our social media presence (e.g. social media management platforms), who are bound by data processing agreements.
We will not sell your personal data or share it with any third party for their own marketing purposes.
6. International transfers
Xapo Bank is established in Gibraltar. If you are based in the United Kingdom, your personal data will be transferred to Gibraltar. Gibraltar benefits from a UK adequacy regulation under the UK’s Data Protection Act 2018 and is regarded as providing an adequate level of data protection. We will ensure that any transfer of your personal data is carried out in compliance with applicable data protection law.
7. Retention period
We will retain the materials you provide for a maximum of two (2) years from the date of consent, unless you withdraw your consent earlier. At the end of this period, the materials will be securely deleted from our systems. Content published on social media will be removed from our channels at the end of the retention period or upon withdrawal of consent (within 30 days of the withdrawal request).
8. Your rights
You have the right to: access your personal data; rectify inaccurate data; request erasure; restrict processing; data portability; object to processing; and withdraw consent at any time. To exercise any of these rights, please contact [email protected].
9. Right to complain
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with:
- The Gibraltar Regulatory Authority (GRA): [email protected], (+350) 200 74636; or
- (if you are a UK resident) The Information Commissioner’s Office (ICO): ico.org.uk.
10. Applicable law
This notice and the processing described herein are governed by the Gibraltar GDPR and the Gibraltar Data Protection Act 2004. To the extent that UK GDPR applies to you as a data subject located in the United Kingdom, we will also comply with the requirements of the UK GDPR and the UK Data Protection Act 2018.
11. Contact
For any questions about this notice or the processing of your personal data, please contact our Data Protection Officer at [email protected], or write to us at Xapo Bank Limited, Units 1/1, 1/2 and 1/a-1 Casemates Square, Gibraltar, GX11 1AA.