As a Foundation established in Malta, EU, the main privacy laws that are applicable to Us insofar as You are concerned, are as follows:
• The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ‘DPA’;
• The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’.
These are collectively referred to as the “Data Protection Laws”, as updated from time to time.
What Personal Data do we collect about You?
“Personal Data” is information that identifies an individual, including but not limited to:
• Email address;
• Postal address;
• Contact number;
• Date of birth;
• Identification number.
Reasons for Processing Personal Data
Unless otherwise specified and subject to various controls, as a general rule, We only collect Personal Data (from You or elsewhere) that We:
• Need to be able to provide You with the services/information You request from Us
• Are legally required to collect/use and to keep for a predetermined period of time
• Believe to be necessary for the performance of a task carried out in the public interest, or by law.
• Believe to be necessary for Our legitimate interests (only in cases which do not already fall under any of the criteria listed above).
In certain instances, and especially where you effect a purchase on our Site, We act as joint controllers and are jointly responsible for processing Your personal data, together with other entities, such as the payment gateway that handles your payment, and with whom We have entered into a joint controllership agreement. We work together with such entities with the same purpose and goal, namely, to provide You with the services You request of Us. These third parties should be Your primary point of contact if You have any queries relating to the processing of Your personal data with respect to the services provided to You by such third parties, though You may still exercise any of Your rights, as explained below, with Us as well, where applicable.
Accuracy of Data
All reasonable efforts are made to keep any Personal Data We may hold about You up-to-date and as accurate as possible. You can check the information that We hold about You at any time by contacting Us in the manner explained below. If You find any inaccuracies, We will correct them and where required, delete them as necessary. When effecting such a request We will ask you to provide some sort of identity document, to verify that we are communicating with the right person, and with the person entitled by law to request any changes to any Personal Data.
We only send mail, messages and other communications relating to marketing where We are authorised to do so at law. In most cases We rely on Your consent to do so (especially where We use electronic communications). If, at any time, You no longer wish to receive direct marketing communications from Us please let Us know by contacting Us at the details below or update Your preferences on any of Our Site(s) or Apps (where applicable).
In the case of direct marketing sent by electronic communications (where We are legally authorised to do so) You will be given an easy way of opting out (or unsubscribing) from any such communications – usually in the communication itself.
Please note that even if You withdraw any consent You may have given Us or if You object to receiving such direct marketing material from Us (in those cases where We do not need Your consent), from time to time We may still need to send You certain important communications from which You cannot opt-out. These may include communications concerning any purchase you have made or any incident in which your personal data may have been compromised.
Sharing of Personal Data with some categories of recipients
Any such authorised disclosures will be effected in accordance with the Data Protection laws (for example all Our processors are contractually bound by the requirements in the said Data Protection Laws, including a strict obligation to keep any information they receive confidential and to ensure that their employees/personnel are also bound by similar obligations). The said service providers (Our processors) are also bound by a number of other obligations (in particular, Article 28 of the GDPR).
| CATEGORY OF RECIPIENT | PURPOSE OF PROCESSING |
|---|---|
| Cloud Service Providers | Hosting of data under state-of-the-art security protocols and Our exclusive control |
| IT Service Providers | Maintenance and support of Our IT systems/Website(s), with restricted access and under Our strict controls |
| Auditors | Compliance with Our auditing obligations, with access granted only to essential Personal Data |
| Legal Advisors | Compliance with Our legal obligations or when necessary for the establishment, exercise or defence of legal claims |
| Government/State departments or entities | Compliance with legal obligations, in the public interest and/or Our exercise of official authority. This may include information passed on to the Police in the course of investigating crime, or information passed on to any Court following any order to do so |
The personal information which We may process will be held securely in accordance with Our internal security policy and the law.
We use all reasonable efforts to safeguard the confidentiality of any and/or all Personal Data that We may process relating to You and regularly review and enhance Our technical, physical and managerial procedures so as to ensure that Your Personal Data is protected from:
• unauthorised access
• improper use or disclosure
• unauthorised modification
• unlawful destruction or accidental loss.
To this end We have implemented security policies, rules and technical and organisational measures to protect the Personal Data that We may have under Our control. All our members, staff and data processors (including but not limited to cloud service providers (Amazon Web Services, Google Analytics) established within the European Union), who may have access to and are associated with the processing of Personal Data, are further obliged (under contract) to respect the confidentiality of Our Users’ or recipients’ Personal Data as well as other obligations as imposed by the Data Protection Laws.
Despite all the above, We cannot guarantee that a data transmission or a storage system can ever be 100% secure. For more information about Our security measures please contact Us in the manner described below.
As stated above, the said service providers (Our data processors) are also bound by a number of other obligations in line with the Data Protection Laws (particularly, Article 28 of the GDPR).
The Site and Our online services (entering into contracts with the Foundation) are not intended to be used by any persons under the age of eighteen (18) and therefore We will never intentionally collect any Personal Data from such persons unless under a specific legal exemption (if any). If You are under the age of consent, please consult and get Your parent’s or legal guardian’s permission to use the Site and to use Our services.
Your Data Subject Rights
This section details the various rights to which you are entitled in terms of the Data Protection Laws. Before addressing any request You make with Us, We may first need to verify Your identity. In all cases We will try to act on Your requests as soon as reasonably possible.
Your various rights at law include:
Your right of access
You may, at any time request Us to confirm whether or not We are processing Personal Data that concerns You and, if We are, You shall have the right to access that Personal Data and to the following information:
• What Personal Data We have,
• Why We process them,
• Who We disclose them to,
• How long We intend on keeping them for (where possible),
• Whether We transfer them abroad and the safeguards We take to protect them,
• What Your rights are,
• How You can make a complaint,
• Where We got Your Personal Data from and
• Whether We have carried out any automated decision-making (including profiling) as well as related information.
Upon request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.
Your right to rectification
You have the right to ask Us to rectify inaccurate Personal Data and to complete incomplete Personal Data concerning You. We may seek to verify the accuracy of the data before rectifying it.
Your right to deletion
You have the right to ask Us to delete Your Personal Data and We shall comply without undue delay but only where:
• The Personal Data are no longer necessary for the purposes for which they were collected; or
• You have withdrawn Your consent (in those rare instances where We process on the basis of Your consent) and We have no other legal ground to process Your Personal Data; or
• You shall have successfully exercised Your right to object (as explained below); or
• Your Personal Data shall have been processed unlawfully; or
• There exists a legal obligation to which We are subject; or
• Special circumstances exist in connection with certain children’s rights.
In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your Personal Data is necessary:
• for compliance with a legal obligation to which We are subject (including but not limited to Our duty to retain an accurate database of company records and Our data retention obligations);
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as your exercise of this right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
• for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling Us to refuse erasure requests, although the three instances above are the most likely grounds that may be invoked by Us to deny such requests.
Your right to withdraw your consent
In those instances where We may have relied on Your consent to process Your personal data (which, in any case, we would have obtained in the manner required by the GDPR), You may withdraw any such consent at any time in a manner that is as easy as when You first provided the said consent to Us.
Your right to file a complaint
You have the right to lodge complaints with the appropriate Data Protection Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner (IDPC), the website for which is found at http://www.idpc.org.mt/
We would appreciate the opportunity to resolve any issues You may have with Us first even though your right to file a complaint remains unaffected.
Time limit in which your request is processed, and costs
We try to reply to all legitimate requests as soon as possible and at latest within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if You send Us multiple requests), it may take Us longer than a month. In such cases, we will notify You accordingly and keep You updated. There are no costs for you when you file a request in good faith. Where, however, the nature of the request requires Us to enter into significant expenses, or where repeated requests are made within the same time period, or where the request is made in bad faith, We reserve the right to charge you the costs for processing your request.
The Foundation’s Contact Details
The Foundation is registered in Malta and its registered address is: The St John’s Co-Cathedral Foundation, St John Square, Valletta VLT 1156, Malta. The Foundation is the data controller responsible for processing Your Personal Data that takes place via the Site or in the manner explained above.
If You have any questions / comments about privacy or should You wish to exercise any of Your individual rights, please contact Us at [email protected] or by writing to the Data Protection Officer at the address above or by phoning Us using telephone number +356 21220536 between 9am and 4pm on weekdays.