Image Alt

Privacy Policy

Useful Information

Privacy Policy

1. Introduction.

This Privacy Policy (“Privacy Policy”) relates to the website hereinafter referred to as the “Site” and the services (which may include the sale of goods) provided by the St John’s Co-Cathedral Foundation (the ‘Foundation’) as the owner of the Site, (“We“, “Us“, “Our“, “Ourselves”), and any related software applications (‘Apps’), where Personal Data are processed by the same (via the Site, any of Our Apps or otherwise) relating to You.

In this Privacy Policy, “You” and “Your” and “User” refer to an identified or identifiable natural person being the User of the Site, and/or recipient (or prospective recipient) of any of Our services and/or identifiable natural person (including, where applicable, a visitor to any sites or venue operated or managed by the Foundation). Our full details, including contact details, can be read below.

Although this Privacy Policy provides general and basic information on how and why We generally process Personal Data (via the Site, any of Our Apps, or otherwise) as well as general information about Your various rights, it does not amount to legal advice, and if you are in doubt as to what your privacy rights are and how to exercise them you remain welcome to contact us, and if we are unable to provide a satisfactory reply, you are also welcome to seek your own legal advice.

Applicable Laws

As a Foundation established in Malta, EU, the main privacy laws that are applicable to Us insofar as You are concerned, are as follows:

•  The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ‘DPA’;

•  The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’.

These are collectively referred to as the “Data Protection Laws”, as updated from time to time.

What Personal Data do we collect about You?

“Personal Data” is information that identifies an individual, including but not limited to:

• Name;
• Email address;
• Postal address;
• Contact number;
• Date of birth;
• Identification number.

Reasons for Processing Personal Data

Unless otherwise specified and subject to various controls, as a general rule, We only collect Personal Data (from You or elsewhere) that We:

• Need to be able to provide You with the services/information You request from Us

• Are legally required to collect/use and to keep for a predetermined period of time

• Believe to be necessary for the performance of a task carried out in the public interest, or by law.

• Believe to be necessary for Our legitimate interests (only in cases which do not already fall under any of the criteria listed above.

Joint Controllers

In certain instances, and especially where you effect a purchase on our Site, We act as joint controllers and are jointly responsible for processing Your personal data, together with other entities, such as the payment gateway that handles your payment, and with whom We have entered into a joint controllership agreement. We work together with such entities with the same purpose and goal, namely, to provide You with the services You request of Us. These third parties should be Your primary point of contact if You have any queries relating to the processing of Your personal data with respect to the services provided to You by such third parties, though You may still exercise any of Your rights, as explained below, with Us as well, where applicable.

Accuracy of Data

All reasonable efforts are made to keep any Personal Data We may hold about You up-to-date and as accurate as possible. You can check the information that We hold about You at any time by contacting Us in the manner explained below. If You find any inaccuracies, We will correct them and where required, delete them as necessary. When effecting such a request We will ask you to provide some sort of identity document, to verify that we are communicating with the right person, and with the person entitled by law to request any changes to any Personal Data.

Direct Marketing

We only send mail, messages and other communications relating to marketing where We are authorised to do so at law. In most cases We rely on Your consent to do so (especially where We use electronic communications). If, at any time, You no longer wish to receive direct marketing communications from Us please let Us know by contacting Us at the details below or update Your preferences on any of Our Site(s) or Apps (where applicable).

In the case of direct marketing sent by electronic communications (where We are legally authorised to do so) You will be given an easy way of opting out (or unsubscribing) from any such communications – usually in the communication itself.

Please note that even if You withdraw any consent You may have given Us or if You object to receiving such direct marketing material from Us (in those cases where We do not need Your consent), from time to time We may still need to send You certain important communications from which You cannot opt-out. These may include communications concerning any purchase you have made or any incident in which your personal data may have been compromised.

Sharing of Personal Data with some categories of recipients

Relevant data will also be disclosed or shared as appropriate (and in all cases in line with the Data Protection Laws) to/with staff/employees and/or officials of the Foundation and/or sub-contracts of the Foundation established within the European Union if pertinent to any of the purposes listed in this Privacy Policy (including to/with Our services providers who facilitate the functionality of the Site and/or any service You may require). Personal information will only be shared by Us to provide the services You request from Us or for any other lawful reason (including authorised disclosures not requiring Your consent).

Any such authorised disclosures will be effected in accordance with the Data Protection laws (for example all Our processors are contractually bound by the requirements in the said Data Protection Laws, including a strict obligation to keep any information they receive confidential and to ensure that their employees/personnel are also bound by similar obligations). The said service providers (Our processors) are also bound by a number of other obligations (in particular, Article 28 of the GDPR).

Your Personal Data will never be shared with third parties for their marketing purposes or for reasons that go beyond those stated in this Privacy Policy.

The third parties who We may disclose to and/or share Your Personal Data with are, at the date of this Privacy Policy, the following:

[wpdatatable id=”1″]

Security Measures

The personal information which We may process will be held securely in accordance with Our internal security policy and the law.

We use all reasonable efforts to safeguard the confidentiality of any and/or all Personal Data that We may process relating to You and regularly review and enhance Our technical, physical and managerial procedures so as to ensure that Your Personal Data is protected from:

• unauthorised access

• improper use or disclosure

• unauthorised modification

• unlawful destruction or accidental loss.

To this end We have implemented security policies, rules and technical and organisational measures to protect the Personal Data that We may have under Our control. All our members, staff and data processors (including but not limited to cloud service providers (Amazon Web Services, Google Analytics) established within the European Union), who may have access to and are associated with the processing of Personal Data, are further obliged (under contract) to respect the confidentiality of Our Users’ or recipients’ Personal Data as well as other obligations as imposed by the Data Protection Laws.

Despite all the above, We cannot guarantee that a data transmission or a storage system can ever be 100% secure. For more information about Our security measures please contact Us in the manner described below.

Authorised third parties, and external/third party service providers acting as Our data processors, with permitted access to Your information (as explained in this Privacy Policy) are specifically required to apply appropriate technical and organisational security measures that may be necessary to safeguard the Personal Data being processed from unauthorised or accidental disclosure, loss or destruction and from any unlawful forms of processing.

As stated above, the said service providers (Our data processors) are also bound by a number of other obligations in line with the Data Protection Laws (particularly, Article 28 of the GDPR).


The Site and Our online services (entering into contracts with the Foundation) are not intended to be used by any persons under the age of eighteen (18) and therefore We will never intentionally collect any Personal Data from such persons unless under a specific legal exemption (if any). If You are under the age of consent, please consult and get Your parent’s or legal guardian’s permission to use the Site and to use Our services.

Your Data Subject Rights

This section details the various rights to which you are entitled in terms of the Data Protection Laws. Before addressing any request You make with Us, We may first need to verify Your identity. In all cases We will try to act on Your requests as soon as reasonably possible.

Your various rights at law include:

Your right of access

You may, at any time request Us to confirm whether or not We are processing Personal Data that concerns You and, if We are, You shall have the right to access that Personal Data and to the following information:

• What Personal Data We have,

• Why We process them,

• Who We disclose them to,

• How long We intend on keeping them for (where possible),

• Whether We transfer them abroad and the safeguards We take to protect them,

• What Your rights are,

• How You can make a complaint,

• Where We got Your Personal Data from and

• Whether We have carried out any automated decision-making (including profiling) as well as related information.

Upon request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.


Your right to rectification

You have the right to ask Us to rectify inaccurate Personal Data and to complete incomplete Personal Data concerning You. We may seek to verify the accuracy of the data before rectifying it.


Your right to deletion

You have the right to ask Us to delete Your Personal Data and We shall comply without undue delay but only where:

• The Personal Data are no longer necessary for the purposes for which they were collected; or

• You have withdrawn Your consent (in those rare instances where We process on the basis of Your consent) and We have no other legal ground to process Your Personal Data; or

• You shall have successfully exercised Your right to object (as explained below); or

• Your Personal Data shall have been processed unlawfully; or

• There exists a legal obligation to which We are subject; or

• Special circumstances exist in connection with certain children’s rights.


In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your Personal Data is necessary:

• for compliance with a legal obligation to which We are subject (including but not limited to Our duty to retain an accurate database of company records and Our data retention obligations);

• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as your exercise of this right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing; or

• for the establishment, exercise or defence of legal claims.

• There are other legal grounds entitling Us to refuse erasure requests although the three instances above are the most likely grounds that may be invoked by Us to deny such requests.


Your right to withdraw your consent

In those instances where We may have relied on Your consent to process Your personal data (which, in any case, we would have obtained in the manner required by the GDPR), You may withdraw any such consent at any time in a manner that is as easy as when You first provided the said consent to Us.


Your right to file a complaint

You have the right to lodge complaints with the appropriate Data Protection Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner (IDPC), the website for which is found at

We would appreciate the opportunity to resolve any issues You may have with Us first even though your right to file a complaint remains unaffected.


Time limit in which your request is processed, and costs

We try to reply to all legitimate requests as soon as possible and at latest within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if You send Us multiple requests), it may take Us longer than a month. In such cases, we will notify You accordingly and keep You updated. There are no costs for you when you file a request in good faith. Where, however, the nature of the request requires Us to enter into significant expenses, or where repeated requests are made within the same time period, or where the request is made in bad faith, We reserve the right to charge you the costs for processing your request.

The Foundation’s Contact Details

The Foundation is registered in Malta and its registered address is: The St John’s Co-Cathedral Foundation, St John Square, Valletta VLT 1156, Malta. The Foundation is the data controller responsible for processing Your Personal Data that takes place via the Site or in the manner explained above.

If You have any questions / comments about privacy or should You wish to exercise any of Your individual rights, please contact Us at or by writing to the Data Protection Officer at the address above or by phoning Us using telephone number +356 21220536 between 9am and 4pm on weekdays.

Monday to Saturday:
09.00 hrs to 16.45 hrs
(last entry at 16.15 hrs)
Closed on Sundays and Public Holidays
Adults €15
Seniors €12
Students €12
Children Free under 12 years of age (when accompanied by an adult)
Monday to Friday:
08.30 hrs
08.30 hrs / 17.45 hrs
Sundays and Feast Days:
7:45 hrs / 9:15 hrs / 11:30 hrs / 17:45 hrs