Data Protection Policy
1. Introduction
The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586), including the regulations made thereunder, regulate the processing of personal data whether held electronically or in manual form if it forms part of a filing system. The Malta Digital Innovation Authority (hereinafter the ‘MDIA’) is set to fully comply with the applicable provisions of the data protection legislation.
In this Policy, any reference to ‘You’ or ‘Your’ shall refer to the Data Subject.
2. Legal Basis and Purposes of Processing
The MDIA shall process your personal data only where it is lawful under the provisions of the applicable law. In general, and most commonly, the MDIA shall be processing your personal data for the following purposes:
- Where you have consented to the use of your personal data (Article 6 (1) (a) of the GDPR)
- Where the processing is necessary to enter into or perform a contract or agreement the MDIA has entered into with you (Article 6 (1) (b) of the GDPR)
- Where it is necessary to comply with a legal obligation (Article 6 (1) (c) of the GDPR)
- Where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the MDIA (Article 6 (1) (e) of the GDPR)
- Where it is necessary for the purposes of the legitimate interests pursued by the MDIA or by a third party (Article 6 (1) (f) of the GDPR)
Legitimate Interest refers to the MDIA’s interest in conducting and managing its operations in a way that allows it to provide Data Subjects with the highest quality service and the most secure experience possible. The MDIA makes sure to consider and balance any potential impact on Data Subjects and their rights before it processes their Personal Data for its legitimate interests. The MDIA does not use Personal Data of Data Subjects for activities where its interests are overridden by the impact on Data Subjects, unless the MDIA has the consent of that Data Subject or is otherwise required or permitted to do so by law. The MDIA shall not process any Personal Data on the basis of legitimate interest for the performance of its official functions.
MDIA may process Personal Data for more than one lawful ground depending on the specific purpose for which it is using the Personal Data.
An outline of personal data processing operations within the scope of GDPR is found in the following table:
Processing Operation
- Contact between the MDIA and the Data Subject
- Receipt and Processing of Applications and Forms, including associated documentation
- Management and administration of Schemes
- Administration of recognitions
- Processing of data for regulatory supervision, notification, surveillance and enforcement purposes
- Provision of other services
- Organisation of Events
- PR and Marketing
- Procurement
- Inter-governmental, EU and International reporting
- Legally mandated disclosures
- Operation of CCTV systems
- Recruitment within the Authority
Personal data shall be processed by the MDIA for the following purposes:
Purposes of Processing
- To enable the MDIA to contact Data subjects as necessary in the performance of its functions.
- To receive and process personal data provided by Data Subjects and to effectively manage and determine any applications submitted for any scheme, recognition or service provided by the MDIA.
- To enable the MDIA to effectively administer and manage its Schemes.
- To enable the MDIA to manage recognition programs, issue recognitions and renewals and associated processes.
- To perform regulatory supervision, notification, surveillance and enforcement purposes.
- To enable the provision of any other services which the MDIA may, from time to time, offer.
- To enable the Authority to organise and manage pertinent events.
- To market the MDIA and its initiatives (all personal data processed for direct marketing within the scope of the ePrivacy Directive (Directive 2002/58/EC) shall be processed on the basis of consent).
- To enable the MDIA to procure goods and services, issue tenders and enter into agreements with suppliers, contractors or service providers in accordance with the applicable procurement laws and procedures.
- To comply with legally binding publication and applicable reporting or disclosure obligations.
- For safety and security purposes.
- To receive, process and determine applications for open positions within the Authority.
3. Recipients of Personal Data
The MDIA may share Personal Data of Data Subjects with its employees, which may include staff redeployed through RSSL, and with third parties for the purposes set out in this Policy. These third parties may include service providers based in Malta and/or overseas, including outside the European Union, such as, but not limited to, other governmental entities, contractors, suppliers, auditors and assessors that provide services, processes and products.
The MDIA requires all third parties to respect the security of the Personal Data of Data Subjects and to treat it in accordance with EU data protection regulations.
The MDIA website and other websites managed by the MDIA may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about the Data Subject. The MDIA does not control these third-party websites and is not responsible for their privacy statements. When a Data Subject leaves the MDIA’s website, the MDIA encourages such Data Subject to read the privacy policy and data protection policy of every website that is visited.
The MDIA will not share Personal Data with any third parties for the purposes of direct marketing.
4. Your rights
Your rights as data subjects in connection with the processing of your personal data are:
- The right to receive a copy of your personal data undergoing processing, including information in relation to the processing activities.
- The right to request us to rectify personal data you think is inaccurate. You also have the right to ask us to complete personal data you think is incomplete.
- The right to request the erasure of your personal data in certain circumstances.
- The right to request the restriction of the processing of your personal data in certain circumstances.
- The right to portability of your personal data in relation to information that you have given us.
- The right to object to the processing of your personal data where we process your information because the processing forms part of our public tasks or is in our legitimate interests.
- The right not to be subject to a decision based solely on automated processing, including profiling.
- The right to withdraw your consent at any time, where applicable.
Requests to exercise your rights are free of charge and should preferably be made in writing and sent to the Data Protection Officer of the MDIA. Your identification details such as ID number, name and surname must be submitted with the request for the purpose of verifying your identity. In case the controller has reasonable doubts concerning your identity, you may be requested to provide additional information necessary to confirm it. Reasonable fees, as determined by the MDIA, may apply for the provision of further copies of the data requested.
The MDIA aims to comply as quickly as possible with the request and is obliged to respond without undue delay and at the latest within one (1) month from receipt of request. In some cases, the MDIA may extend such period for a period of up to a further two (2) months if it is a complex request or there are multiple requests. In that situation, the Data Subject will be informed accordingly.
The right exercised by the data subject may be limited or restricted, where necessary, pursuant to the applicable law.
5. Retention Policy
The MDIA shall not retain any personal data for any longer than is necessary in light of the purposes for which the data is collected, held, and processed. The retention periods have been determined based on legal requirements and operational needs. In some circumstances MDIA will anonymise the Personal Data of Data Subjects (so that it can no longer be associated with the Data Subject) for research or statistical purposes, in which case the MDIA may use this information indefinitely without further notice to the Data Subject.
6. Disposal of Personal Data
Notwithstanding the above defined retention periods, certain Personal Data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the MDIA to do so, whether in response to a request by a Data Subject as mentioned in the Data Protection Policy of the MDIA, or otherwise.
On the other hand, in special circumstances, such as cases where the Personal Data is relevant to current or contemplated litigation, a government or regulatory investigation, or an audit, that Personal Data must be retained until the Data Protection Officer determines that it is no longer required.
The MDIA also ensures that it conducts periodical reviews of the Personal Data retained.
If Personal Data is not listed in the above table, it is likely that it should be classified as disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record.
Examples include duplicates of originals that have not been annotated, preliminary drafts of letters, reports, worksheets and informal notes that do not represent significant steps or decisions in the preparation of an official record, materials obtained for reference purposes, spam and junk mail.
Nonetheless, if a Data Subject considers that there is an omission in the above table, or would like to request further clarifications, please contact the Data Protection Officer whose details are indicated below as well as in the Data Protection Policy of the MDIA.
Data that needs to be deleted after the established timeframes will be destroyed in a secure manner to ensure that such information is no longer processed within the MDIA.
7. Storage and Back-up
The organisation will ensure that all Personal Data of Data Subjects is securely retained and stored.
With respect to hard-copy or manual Personal Data, these are stored in locked cabinets and, overnight, in locked premises as well. Personal Data stored electronically is subject to access controls and passwords. Where necessary, encryption software shall be used. All Personal Data, whether in hard-copy or electronic form, is backed up and maintained off site.
For further details in relation to information technology security, kindly request the IT Security Policy of the MDIA.
8. Breach Reporting
In the event of a personal data breach, the MDIA’s Data Protection Officer (DPO) must be informed immediately. The DPO will assess the situation and take any necessary actions, including notifying affected parties and regulators as required by law.
9. The Data Protection Officer
The MDIA has appointed a Data Protection Officer who can help Data Subjects with any questions that they may have about this Data Protection Policy or any other related document, including any requests to exercise their legal rights. The contact details of the Data Protection Officer are the following:
MDIA, Twenty20, Business Centre,
Triq l-Intornjatur, Zone 3, Central Business District,
Birkirkara, CBD 3050, Malta.
Telephone: +356 21828800
Email: dpo@mdia.gov.mt
10. The Data Controller
The MDIA may be contacted at:
MDIA, Twenty20 Business Centre
Triq l-Intornjatur, Zone 3
Central Business District
Birkirkara, CBD 3050
Malta
Telephone: +356 21828800
Email: info@mdia.gov.mt / dpo.mdia@gov.mt
Website: https://www.mdia.gov.mt/
11. The Information and Data Protection Commissioner
You have the right to lodge a complaint with the supervisory authority, which can be reached at the following contact details:
Information and Data Protection Commissioner
Floor 2, Airways House,
Triq Il-Kbira,
Tas-Sliema SLM 1549
Telephone: +356 2328 7100
Email: idpc.info@idpc.org.mt