Data Protection Policy
The Information and Data Protection Commissioner is committed to protect the privacy of individuals who visit the website and who make use of the online facilities.
This privacy policy provides you with information in terms of Article 13 of the General Data Protection Regulation and can be easily accessible via a link at the bottom of each web page.
1. Data Controller
The data controller of this website is the Information and Data Protection Commissioner whose office is situated at Floor 2, Airways House, High Street, Sliema, SLM 1549, MALTA.
2. Data Protection Officer
Our Data Protection Officer may be contacted on idpc.info@idpc.org.mt or via our postal address.
3. Information Collected and Purpose
3.1 Download Information
When you visit our website the following information will be automatically processed and solely for the use by this Office:
- the requested web page or download;
- whether the request was successful or not;
- the date and time when you accessed the site;
- the Internet address of the web site or the domain name of the computer from which you accessed the site;
- the operating system of the machine running your web browser and the type and version of your web browser.
3.2 Cookies
Cookies are small pieces of data that the site transfers to the user’s computer hard drive when the user visits the website. This website makes limited use of cookies and consequently, for any further information, you are being guided to visit our Cookies Policy.
3.3 Personal data provided by the data subject
When using this website’s online facilities, data subjects may be required to provide their contact details for contact purposes.
All information provided in the complaints and queries sections will be solely used by the Commissioner and his staff as may be necessary to provide you with the required advice, remedy or service and for other administrative reasons for the purposes of enabling the Commissioner to exercise his regulatory tasks.
The legal basis we rely on to process your personal data is Article 6(1)(e) GDPR that allows us to process personal data when this is necessary to perform our public tasks as a regulator.
If the information you provide us in relation to your complaint contains special category of data, such as health, religious or ethnic information, the legal basis we rely on to process such information is Article 9(2)(g) GDPR, which also relates to our public task and the safeguarding of your fundamental rights.
No third parties have access to your personal information unless specifically provided by law. However, if you have made a complaint about an organisation, we would generally be required to disclose your identity to the controller to allow for further enquiry and investigation. Should there be information you do not wish to be passed on, please let us know accordingly. Naturally, during such process, we may also receive further information about you.
If you do not want information that identifies you to be shared with the organisation you complain about, we will try to respect your choice. However, it is not always possible to handle a complaint on an anonymous basis.
If you are acting on behalf of someone making a complaint, we will ask for information to satisfy us of your identity and, if relevant, ask for information to show you have authority to act on another data subject’s behalf.
We may publish statistics relating to the number and nature of complaints received but not in a form that would identify any individual.
For information about how long we hold personal data, click here to access our retention schedule.
3.4 Recipients of the personal data
We will not share your information with any third parties for the purposes of direct marketing.
We have in place a service contract with a data processor who provides dedicated technical services when specifically required for the purpose of assisting the Commissioner when conducting complex on-the-spot announced inspections. A contract is in place to ensure, inter alia, that any personal information, that may be forwarded to the processor, is solely processed upon our instructions, held securely throughout the process and returned to the Commissioner when the investigation is concluded.
In the case of investigating cross border complaints, for the purpose of the one-stop-shop mechanism as established under Chapter VII of the GDPR, your information will be shared with other European data protection supervisory authorities, primarily by means of the Internal Market Information (IMI) system. The IMI system provides a standardised format for the exchange of information with our counterparts, and is regulated by Regulation (EU) No 1024/2012 of the European Parliament and of the Council of 25 October 2012 (‘the IMI Regulation’) repealing Commission Decision 2008/49/EC).
3.5 Your rights as data subjects
Subject to regulation 4(f) of Subsidiary Legislation 586.09, as an individual you may exercise your rights to the personal data processed by this Office, including:
Your right of access
You have the right to ask us for copies of your personal data that is being processed. There are some restrictions which means you may not always receive all the information we process.
Your right to rectification
You have the right to ask us to modify your personal data in case you belief that your personal data is not correct, up to date or accurate.
Your right to erasure
You have the right to ask us to delete your personal data in certain circumstances. This is not an absolute right, and depends on our retention schedule and retention periods in line with other applicable laws.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to processing unless such processing is required to execute our function and it forms part of our public tasks, or is in our legitimate interests.
Your right to data portability
You have the right to ask us to provide you with an electronic copy of the personal data that you have provided. You may also request us to forward such data to another controller. This right only applies if we are processing information based on your consent and processed by automated means.
Your right to withdraw your consent
You have the right to withdraw your consent at any time if such processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), without affecting the lawfulness of such processing taking place before its withdrawal.
No fees are applicable when exercising your rights. You will be provided with a response within one month.
Please contact our DPO on idpc.info@idpc.org.mt if you wish to make a request and exercise your rights.
4. Links to Other Websites
To give you a better service our site can connect you with a number of links to other local and international organisations and agencies. When connecting to such other websites you will no longer be subject to this policy but to the privacy policy of the new site.
5. Website Security Measures
This site uses Secure Sockets Layer (SSL) to ensure secure transmission of your personal data. You should be able to see the padlock symbol in the status bar on the top left-hand corner of the browser window. The url address also starts with https:// depicting a secure webpage. SSL applies encryption between two points such as your PC and the connecting server. Any data transmitted during the session will be encrypted or scrambled and then decrypted or unscrambled at the receiving end. This will ascertain that data cannot be read during transmission.
6. Changes to this Privacy Policy
If there are any changes to this privacy policy, we will replace this page with an updated version. It is therefore in your own interest to check this policy any time you access our web site so as to be aware of any changes which may occur from time to time.
7. Feedback
Any comments or suggestions that you may have and which may contribute to a better quality of service in relation to this website will be welcome and greatly appreciated.