List of definitions and abbreviations
Data subject – means an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Data Protection Commissioner – means the national supervisory authority responsible for monitoring and enforcing the provisions of the GDPR and the Data Protection Act in Malta.
Controller – means a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision-making power with respect to the processing.
Processor – means a person who, or public body which, processes personal data on behalf of a controller.
Processing – means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal data – means any information relating to a data subject who is a natural person. A natural person cannot be a company or a public body. Representatives of companies or public bodies would, however, be natural persons.
Special Categories of Data (as per the GDPR) – means information about a person’s:
- Racial or ethnic origin;
- Political opinions;
- Religious or similar (e.g. philosophical) beliefs;
- Trade union membership;
- Health (including physical and mental health, and the provision of health care services);
- Genetic data;
- Biometric data;
- Sexual life and sexual orientation.
1. Introduction
1.1 Objectives
The objective of the Data Protection Policy (the ‘Policy’) is to set out the legal data protection aspects in one summarising document. This is not only to ensure compliance with the GDPR and the Data Protection Act, Chapter 586 and subsidiary legislation of the Laws of Malta (“DP Act Malta”), but also to provide a guide to employees of the Company (the data controller) when in doubt regarding data protection issues that may arise.
1.2 Approval of the Policy
This Policy has been presented and approved by the Board of Directors via written resolution. It sets out the legal obligations that apply whenever we obtain, store or use personal data. The Board of Directors is ultimately responsible for ensuring the Company meets its legal obligations.
2. Importance of Data Protection
2.1 The need for a Data Protection Policy
Personal data is collected and used almost everywhere and has become the oil of the twenty-first century. As the value of personal data grows, the risks to personal data inevitably increase. In addition, with rapid technological change and innovation, controlling personal data is becoming more and more difficult especially with data intensive online activities. A robust data protection policy is therefore a must in any company processing personal data.
2.2 Policy Statement
The Company is committed to protecting personal data and respecting the rights of our data subjects, the people whose personal data we collect and use. We value the personal information entrusted to us and we respect that trust by complying with all relevant laws and adopting good practice.
3. Personal Data – The Principles
3.1 Principles relating to the processing of personal data
The six privacy principles in the GDPR form the fundamental conditions which controllers must follow when collecting, processing and managing the personal information owned by data subjects. Personal data must be:
* (a) processed lawfully, fairly and in a transparent manner. Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis and when the processing is transparent. In accordance with the laws, the Company processes data using the following legal conditions:
    * for the performance of a contract;
    * to comply with a legal obligation;
    * legitimate interests.
  Where necessary, the Company shall obtain the consent of data subjects for processing personal data;
* (b) processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;
* (c) adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
* (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
* (e) not kept longer than necessary for the purposes for which it is being processed; and
* (f) processed in a secure manner, by using appropriate technical and organisational means.
Personal data must be processed in accordance with the rights of data subjects.
3.2 Consent for Processing Data
Where consent is used for processing personal data, the Company will ensure to document that consent was freely given and specific to the purpose sought.
If consent is given orally, the person receiving consent will document the time and date and any other relevant particulars to verify consent was given without coercion.
Consent can be withdrawn at any time and if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent.
4. Our Responsibilities
4.1 The Responsible Officer
The Company has appointed Anoushka Pascal as the point of contact should any queries arise regarding this Policy. She is also tasked with advising the Company, the employees, and other contracted members about the requirements of this policy.
She is responsible for overseeing any data protection breaches or subject access requests, and also for periodically reviewing this Policy as and when there are changes in data protection laws/regulations. Any questions about the Policy or any other concerns related to data protection should be referred to Anoushka.Pascal@altariusam.com. The Responsible Officer will assess and determine when a breach must be reported to the Data Protection Commissioner.
The Responsible Officer may refer to the GDPR, as well as any relevant guidance, and seek legal advice as required.
4.2 Employee Obligations
All employees of the Company, when processing personal data, are required to comply with this Policy. Employees must have legitimate grounds for collecting data which do not have a negative effect on data subjects. The Company shall provide full transparency about how we are going to use the data, as well as ensure data is only used in ways data subjects would legitimately expect.
Employees must use personal data only for the purpose for which it was originally agreed it would be used. We must avoid holding more information than necessary. Reasonable steps must be taken to keep the information up to date and to correct it if it is inaccurate.
Data must be held only for the amount of time required. Data that is out of date or no longer necessary must be destroyed or deleted.
4.3 Training
Training on data protection shall be delivered to all Employees at least annually to raise awareness of their obligations and responsibilities. The Company may also issue procedures, guidance or instructions from time to time as and when there are updates in laws/regulations. Employees may request additional training should they need further guidance.
4.4 Contractors
Companies that are appointed as data processors of the Company are required to comply with this Policy. Any breach of the Policy will be taken seriously and could lead us to take legal action against the appointed company and/or to terminate the contract. Companies that process personal data have direct obligations under the laws, primarily to process data only on instructions from the controller and to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved.
4.5 Action Point for processors
Before employees or contractors collect or handle any personal data as part of their duties for the Company, it is important to take note of the provisions of this Policy and understand the organisation’s responsibilities when processing data. The Company’s procedures regarding data protection shall be in line with the requirements of this policy. When unsure about any data protection related issues which might breach this Policy, the Responsible Officer should be consulted accordingly.
5. Data Processing
5.1 Data collected
The Company collects and processes personal data for clients (individuals and corporate) as well as our employees. This includes data received, at an onboarding stage, during ongoing reviews, on our website, and for corporate clients, when there are changes to their structure and personnel.
For our employees, we may receive information from other sources including previous employers, regulatory authorities, employment registries and government tax authorities.
5.2 Processing
The Company processes personal data electronically and in paper form. The personal data we process can include information such as names, contact details, including address and telephone number/s, email address as well as bank account details. The Company does not process Special Categories of Data. Employees should consult the Responsible Officer if in doubt when categorising data.
5.3 Data Storage and Security
Any personal data that is held by the Company will be accurate and, where appropriate, kept up to date. The accuracy of personal data will be checked at the point of collection and as and when needed for ongoing monitoring purposes.
Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.
The Company has security measures which provide a level of security appropriate to the risks involved in the processing. Measures include physical and technical security measures. The Company ensures any personal data not stored on an electronic device is secure by:
* ensuring all third-party contractors with access to the Company’s offices are legally liable if they misuse any personal data;
* restricting access to cabinets and desks to authorised individuals; and
* ensuring keys and passcodes are kept by users in a location inaccessible to an unauthorised party.
For personal data stored on electronic devices including laptops, memory sticks, and any other portable device, the Company requires users to:
* encrypt data on portable devices; and
* set passwords and passcodes for logins and entry into a device.
5.4 Data Retention
All data collected by the Company is considered confidential. The Company shall collect date stamps or electronically date personal data to accurately indicate when the data was collected, when transactions occurred, and when contracts began. If the data can be anonymised during or after the retention period, the Company will encourage the recipients of the data to do so.
Personal data will not be kept longer than is necessary for the purposes for which it was collected. Most data will be kept for a minimum of 5 years after the business relationship has terminated, or as required legally. Information about how long the Company keeps records can be found in the Data Retention Schedule under Appendix I.
6. The Rights of Data Subjects
6.1 Communication with Data Subjects
When personal data is collected, the data subject will be informed [in writing] about:
* the identity and contact details of the Responsible Officer;
* the individual’s right to file a complaint with the supervisory authority in Malta if the Company contravenes the data protection laws/regulations;
* the legal basis, [including explaining any automated decision making or profiling];
* the reasons for processing;
* where relevant, the consequences of not providing data needed for a contract or regulatory requirement;
* who we will share the data with;
* if we plan to send the data outside of the European Union; and
* how long the data will be stored.
6.2 Informing Data Subjects
The Company processes personal data in line with data subjects’ rights including informing them of their right to:
* request access to any of their personal data held by us;
* ask to have inaccurate personal data changed;
* restrict processing, in certain circumstances;
* object to processing, in certain circumstances, including preventing the use of their data for direct marketing*;
* data portability, which means to receive their data, or some of their data, in a format (machine-readable) that can be easily used by another person (including the data subject themselves) or organisation;
* not be subject to automated decisions, in certain circumstances; and
* withdraw consent when we are relying on consent to process their data.
*The Company, however, does not engage in direct marketing.
6.3 Subject Access Request
Any request from a data subject that relates or could relate to his/her data protection rights must be forwarded to our Responsible Officer immediately. Employees will be guided by the Subject Access Request Guide (Appendix II). The Company shall respond to all valid, written requests as soon as possible, and at the latest within 30 days.
For complex or large data requests, the Company can extend the timescale by up to two months. Initial data subject access requests are provided free of charge unless they are complex, in which case the Company can legally charge a nominal fee for the amount of data requested. Such fee shall be discussed with the data subject beforehand.
Any information provided to data subjects will be concise and transparent, using clear and plain language.
7. Sharing Data
7.1 Sharing information with other organisations
The Company shall share personal data with other organisations when we have a legal basis to do so, and if the data subject is made aware about the possibility of data being shared, unless legal exemptions apply to informing data subjects about the sharing.
Prior to appointing a contractor who will process personal data on our behalf, we will carry out due diligence checks. The check will determine if the processor will use appropriate technical and organisational measures to ensure the processing will comply with the GDPR, including keeping the data secure, and upholding the rights of data subjects. The Company will only appoint data processors who can provide sufficient guarantees that they will do this.
The Company shall appoint data processors on the basis of a written contract that will require the processor to comply with all relevant legal requirements. We will continue to monitor the data processing, and compliance with the contract.
7.2 Data Transfer outside of EU
Personal data cannot be transferred (or stored) outside of the European Union unless this is permitted by the Law. This includes storage on a “cloud” based service where the servers are located outside the EU.
We will only transfer data outside the EU where it is permitted.
8. Data Breaches
8.1 Managing a data breach
If there is a data breach, employees should respond and manage the incident appropriately. Breaches of the Policy may lead to disciplinary action, and where an employee has breached the Policy intentionally, recklessly, or for personal benefit, he/she may also be liable to prosecution or to regulatory action.
8.2 Reporting a data breach
When an employee or a contractor has reason to believe that this Policy has not been followed, or that there is a data breach, loss, or inaccessibility, this must be reported immediately to the Responsible Officer. The Responsible Officer will keep records (Appendix III) of all personal data breaches, even those not reported to the Data Protection Commissioner.
If a breach is not reported to the Data Protection Commissioner, the Responsible Officer will document the reasons and ensure no data subjects’ rights or freedoms are affected. The Data Protection Commissioner will be notified as soon as practicable, and within 72 hours, of all reportable data breaches.
In certain high-risk situations, where for example bank account details are lost or an email containing sensitive information is sent to the wrong recipient, data subjects will be informed so that they can take steps to protect themselves and/or exercise their rights.
8.3 Data Protection Impact Assessment (‘DPIA’)
When the risk is high, the Company may conduct a DPIA in cases when it is considered appropriate to do so. When unable to mitigate the identified risks such that a high risk remains, the Responsible Officer shall consult with the Data Protection Commissioner prior to processing.