A&Co Group of Companies are registered under the laws of Malta having their registered address at Canter Business Centre, Patri Felicjan Bilocca Street, Marsa, Malta (“We”/ “Us”/ “Our” or the “Company”).
We are committed to respecting the privacy and personal data collected about individuals. If you wish to contact Us about Our privacy practices please feel free to do so by post on the abovementioned address or by email at firstname.lastname@example.org. You may also wish to contact us by telephone on +356 2123 7555.
Our Data Protection Officer is Brian Schembri who may be contacted by email at email@example.com or by telephone on +356 2123 7555.
Please read this Privacy Notice carefully to understand our practices with respect to your personal data. The purpose of this policy is to set out Our practices with respect to personal data in line with the relevant legislation and to describe the steps that the Company is taking to ensure that it complies with the law.
References to “data controller”, “data subject”, “personal data”, “process”, “processed”, “processing” and “Data Protection Officer” in this Privacy Notice have the meanings set out in, and will be interpreted in accordance with applicable laws, including but not limited to the Data Protection Regulation (EU) 2016/679 and the Data Protection Act, Chapter 586 of the Laws of Malta and subsidiary legislation thereto, as may be amended from time to time.
What Amounts to Personal Data?
The term “personal data” refers to all personally identifiable information about you, such as your name, surname and address, and includes all information which may arise that can be identified with you personally.
What Personal Data Do We Process?
In its everyday business operations the Company makes use of a variety of data about identifiable individuals, including data about:
- Current, past and prospective employees
- Users of its websites
- Other stakeholders
In collecting and using this data, the organisation is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to A&Co systems.
The following policies and procedures should be read in conjunction with this document:
- Data Protection Impact Assessment Process
- Personal Data Mapping Procedure
- Legitimate Interest Assessment Procedure
- Information Security Incident Response Procedure
- GDPR Roles and Responsibilities
- Records Retention and Protection Policy
We can provide you with a hard copy if you contact us on firstname.lastname@example.org.
How do we collect and process Personal Data?
We regularly collect and process personal data as part of the provision of our goods and/or services as follows:
- As part of Our client engagement procedures;
- When you or your company requests Our goods/services;
- When you or your company provide goods/services to Us or refer clients to Us;
- When you post a query, complaint or observation through Our website;
- When you contact Us voluntarily in other circumstances such as when seeking employment or traineeship with Us or seeking to attend Our events;
- to manage our relationship with you or your company, including for billing and debt collection purposes;
- to provide you with statements and to provide you with products and services;
- for internal assessments and analysis (including credit behaviour scoring, market surveys, research market and product analysis);
- for the detection and prevention of fraud and other criminal activity which we are legally bound to report;
- for the development and improvement of our systems, products and services;
- Personal Data that We may process as a result of legal obligations imposed on Us;
- your bank account details and other financial information;
- any Personal Data lawfully generated by Us in the course of executing your instructions;
- any Personal Data which you may voluntarily provide to Us;
- in the recording of telephone conversations or electronic communications which result or may result in transactions where recording will take place;
- for safety and security purposes, including (amongst others) safety of our premises, property and employees (such as calls to our customer care for quality assurance purposes), and the establishment, exercise or defence of legal claims;
- for direct marketing, promotions, communications about our new products or services, events;
- for purposes of a legitimate interest pursued by Us or by a third party, provided such interest is not overridden by your interests, fundamental rights and freedoms; and,
- the purposes you would have requested when providing your Personal Data to Us.
Generally, you would have provided your personal data to Us. However, in some instances, We may collect personal data about you from third party sources, such as online searches or from public registers.
Third parties such as Our clients and business partners may also have provided your personal data to Us.
Special categories of Personal Data may be processed in the provision of the goods and services to the client. Special categories of Personal Data collected about you may be health data and data related to your conviction and offences.
Irrespective of the manner in which We have collected your Personal Data, We will only process such data for the purposes of providing you with the goods or services or purposes which are inherently related thereto, including the fulfilment of any legal or regulatory obligation imposed on Us.
What Personal Data do we process?
The personal data that we typically collect and process about our data subjects are:
- The personal data that We collect for the fulfilment of our obligations in rendering the goods and, or services to you;
- Your identity details such as your name, surname, employer, title, position, and status;
- Your contact information such as your email address, physical address and telephone numbers;
- Your bank account details and other financial information;
- Any information you provide to Us when posting a query, complaint or observation through Our website attardco.com;
- Information you provide to Us for the purposes of attending meetings or events;
- Personal data provided to us by, on behalf of or in relation to our clients, business partners, service providers and employees;
- Any personal data lawfully generated by Us in the course of executing Our client’s instructions;
- CCTV footage, when you visit Our offices; and,
- Any personal data which you may voluntarily provide to Us.
- Site functionality cookies – these cookies allow you to navigate the site and use our features, such as “save flight”.
- Site analytics cookies – these cookies allow us to measure and analyse how our customers use the site, to improve both its functionality and your online experience.
- Customer preference cookies – when you are browsing, these cookies will remember your preferences (like your language or location), so we can make your online experience as seamless as possible and more personal to you.
- Targeting or advertising cookies – these cookies are used to deliver ads that are relevant to you. They also limit the number of times that you see an ad and help us measure the effectiveness of our marketing campaigns.
Please note that the cookies used by us do not personally identify you but they simply identify your computer or other device.
Most browsers are initially set to accept cookies. However, if you prefer, you can set your browser to block all, or certain, cookies. You can also set your browser to prompt you each time a cookie is offered. If you wish to block cookies, here’s a guide on how to do so for the most common browsers, such as Microsoft Internet Explorer, Google Chrome, or Mozilla Firefox.
If you read or download information from our site, we automatically collect and store the following information:
- The requested web page or download
- Whether the request was successful or not;
- The date and time when you accessed the site;
- The Internet address of the web site or the domain name of the computer from which you accessed the site;
- The operating system of the machine running your web browser and the type and version of your web browser.
We use the information that we gather in order to evaluate the website’s usage, content, usability and composition. This statistical analysis allows us to better understand our users’ needs and to generally make your internet experience more enjoyable and to provide a value-added service to you as a visitor. In order to do so, we make use of third-party services such as Google Analytics.
Be assured that Google will not use this information to identify individual users or to match it with further data on an individual user.
If you do not wish your user behaviour to be analysed, you can opt out of both services respectively via the following links – Google Analytics Opt-Out.
When you subscribe to one of our newsletters, you provide us with personal information such as your name and email address. We use the personal information submitted in the form only to send you the newsletter you subscribed to.
You will need to provide us with your consent as a legal basis for us to process your personal data to receive the newsletter. Personal data is deleted upon withdrawal of such consent by you, or, at the point where the purpose for holding that data is no longer valid.
Links to other Websites
Contact or feedback
When you fill the “Contact Us” form on our website, you provide us with personal information such as your name, email address and your message to us. We have a legitimate interest to process any personal data submitted in the form as this information is necessary to process and address your complaint/feedback in the way you expect us to and to respond to your message.
Legal Bases of Processing Personal Data
The legal bases of processing your Personal Data are the following:
- Entering into and performing the obligations in our agreement for the provision of goods and, or services to you – in particular to provide you with the goods and, or services that you have requested and to manage Our relationship with you. Providing such Personal Data is necessary for our performance of our obligations under such agreement. If you do not allow us to process your personal data, we would be unable to provide you with the goods and, or services requested;
- Our legitimate interests – in particular:
- Our legitimate interests in the context of the sale of a product or a service, where we may use Your electronic contact details for direct marketing of Our own similar products or services and where we have provided you with an opportunity to object to such use of electronic contact details when they are collected and on the occasion of each message to you;
- Our legitimate interest to process your Personal Data for safety and security, such as the recording of telephone conversations or electronic communications which result or may result in transactions where recording will take place, and CCTV footage at our premises;
- On the basis of Our legitimate interests or compliance with legal obligations, as applicable, We may also process your Personal Data for the purposes of establishing, exercising or defending legal proceedings or claims against Us.
When we process your Personal Data on the basis of Our legitimate interests, we ensure that the legitimate interests pursued by Us are not overridden by your interests, rights and freedoms; and,
- Your explicit consent, or parental consent where the data subject is a child – in which case, Our processing shall be limited to the purposes specifically indicated when your consent was requested. We typically require your consent for direct marketing and with respect to communications related to our events, news and updates, and promotions of new goods and services, where we do not have a legitimate interest to send you such communications.
We will ensure that we have additional grounds for processing your Personal Data if processing of Special Categories of Personal Data is envisaged. We might also process your Personal Data on the basis of your explicit consent, in which case we will process your data for the purposes for which your explicit consent was requested.
Third Party Recipients of Personal Data
We may share your personal data with third party recipients who are:
- selected individuals within Our company, on a need-to-know basis;
- any service providers that may have access to your personal data in rendering Us with their support services, including IT and accounting service providers;
- third parties to whom disclosure may be required as a result of the relationship with Our clients;
- any business partners to whom you may have requested that We transfer your personal data; and
- third parties to whom disclosure may be required as a result of legal obligations imposed on Us.
Automated Decision-Making and Profiling
Your personal data will not be used for any decision solely taken on the basis of automated decision-making processes, including profiling, without human intervention.
In the interest of transparency, note that We use systems which could profile you. Such systems are used by Us exclusively to help Us in the due diligence process. As stated, no automated-decision will result from Our use of such systems.
We retain your personal data exclusively for the period which is lawfully permissible to retain your personal data. Thereafter, your personal data shall be immediately and irrevocably destroyed.
As a result of legal obligations imposed on Us, we typically retain your personal data relating to financial information for up to ten (10) years, unless we have a statutory obligation imposed on Us to retain your data for a further period, have a business need, or require your personal data to exercise or defend legal claims.
If we have a contractual relationship with you, we typically retain your personal data for up to five (5) years from the end of Our contractual relationship on the basis of Our legitimate interests to protect ourselves from civil cases which you might institute against Us in relation to Our contractual relationship.
Invoices, credit notes and similar transactional documents or information will be kept by Us for up to ten (10) years from completion of the relevant transaction on the basis of legal obligations imposed on Us to retain such information.
We may have a legitimate interest to hold your data for longer periods such as when your data is required for exercising or defending legal claims. For more information on our retention periods, you can request a copy of our Retention Policy by contacting us on email@example.com.
Any personal data which We may hold on the basis of your consent shall be retained exclusively until when you withdraw your consent. As noted above, retention of data on the basis of your consent is only envisaged where there are special categories of personal data collected, or for Our direct marketing activities.
The data subject also has rights under the GDPR. These consist of:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
You may exercise these rights as follows:
- Right of access – you have the right to ascertain the personal data We hold about you and to receive a copy of such personal data;
- Right to complain – you have the right to lodge a complaint regarding the processing of your personal data with the supervisory authority for data protection matters. In Malta this is the Information and Data Protection Commissioner (contact details provided below);
- Right to Erasure – in certain circumstances you may request that We delete the personal data that we hold about you;
- Right to Object – you have a right to object and request that We cease the processing of your personal data where We rely on Our, or a third party’s legitimate interest for processing your personal data;
- Right to Portability – you may request that We provide you with certain personal data which you have provided to Us in a structured, commonly used and machine-readable format. Where technically feasible, you may also request that we transmit such personal data to a third party controller indicated by you;
- Right to Rectification – you have the right to update or correct any inaccurate personal data which We hold about you;
- Right to Restriction – you have the right to request that We stop using your personal data in certain circumstances, including if you believe that We are unlawfully processing your personal data or the personal data that We hold about you is inaccurate;
- Right to withdraw your consent – where Our processing is based on your consent, you have the right to withdraw your consent. Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent; and
- Right to be informed of the source – where the personal data We hold about you was not provided to Us directly by you, you may also have the right to be informed of the source from which your personal data originates.
The timescales to exercise your rights are shown in Table 1.
Data Subject Request
- The right to be informed – When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)
- The right of access
- The right to rectification
- The right to erasure – Without undue delay
- The right to restrict processing – Without undue delay
- The right to data portability
- The right to object – On receipt of objection
- Rights in relation to automated decision making and profiling
Table 1 – Timescales for data subject requests
For direct marketing, you have a right to opt-out and to object to receiving any further such communications from Us at any time. Note that if We contact you about Our legal updates, newsletters and events on the basis of your consent, you have a right to withdraw your consent and no longer be contacted for such purposes at any time.
Please note that in terms of the applicable laws, your rights in relation to your personal data are not absolute.
You may exercise the rights indicated in this section by contacting Us or Our Data Protection Officer at the details indicated above.
Keeping your data secure
We shall keep your personal data secure and shall commit to take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, including against accidental loss, destruction, storage or access. Your personal data may be stored in paper files or electronically on our technology systems or on technology systems of our IT service providers.
International Transfers of Personal Data
Transfers of personal data outside the European Union will be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data applicable in the receiving country and this may change over time. Where required, we shall implement additional security measures, such as the EU Model Clauses, to ensure that the data transferred to non-EEA countries is secure.
Intra-group international data transfers will be subject to legally binding agreements referred to as Binding Corporate Rules (BCR) which provide enforceable rights for data subjects.
If you have any complaints regarding Our processing of your personal data, please note that you may contact Us or Our Data Protection Officer at the details indicated above. You also have a right to lodge a complaint with the Office of the Information and Data Protection Commissioner in Malta (www.idpc.gov.mt).
Where You Provide Us with Personal Data Related to Third Party Data Subjects
If you are a trader, a company, an intermediary or other corporate entity, and you supply to Us Personal Data of third party Data Subjects such as your employees, affiliates, service providers, customers or any other individuals connected to your business, you shall be solely responsible to ensure that:
- You immediately bring this Privacy Notice to the attention of such Data Subjects and direct them to it;
- The collection, transfer, provision and any Processing of such Personal Data by You fully complies with any applicable laws;
- As Data Controller You remain fully liable towards such Data Subjects and shall adhere to the applicable laws;
- You collect any information notices, approval, consents or other requirements that may be required from such Data Subject before providing Us with their Personal Data;
- You remain responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible;
- You hereby fully indemnify Us and shall render Us completely harmless against all costs, damages or liability of whatsoever nature resulting from any claims or litigation (instituted or threatened) against Us as a result of your provision of said Personal Data to Us.
We may update this Privacy Notice in Our sole discretion, including as a result of a change in applicable law or processing activities. Any such changes will be communicated to you prior to the commencement of the relevant processing activity.