Last Updated on 1st April, 2021 Version 1.1
PLEASE DO NOT HOLD BACK FROM CONTACTING US FOR ANY CLARIFICATION YOU MAY NEED.
- APPLICABLE LAWS
- WHAT ARE PERSONAL DATA?
- PERSONAL DATA HERITAGE MALTA COLLECTS ABOUT YOU
- HOW AND WHY WE COLLECT PERSONAL DATA
- JOINT CONTROLLERS
- PERSONAL DATA RELATING TO THIRD PARTIES
- WHAT WE USE YOUR PERSONAL DATA FOR (PURPOSE OF PROCESSING)
- SPECIAL NOTE ON CONSENT
- ACCURACY OF PERSONAL DATA
- DIRECT MARKETING
- TRANSFERS TO THIRD COUNTRIES
- INTERNET COMMUNICATIONS
- AUTHORISED DISCLOSURES
- SHARING OF PERSONAL DATA WITH OTHER CATEGORIES OF RECIPIENTS
- SECURITY MEASURES
- RETENTION PERIODS
- PROCESSING FOR RESEARCH AND STATISTICAL REASONS
- LINKS TO THIRD PARTY SOURCES
- FILMING & PHOTOGRAPHY
- AUTOMATED DECISION-MAKING
- YOUR RIGHTS UNDER THE DATA PROTECTION LAWS
- HERITAGE MALTA DETAILS
APPLICABLE LAWS
As a Government agency established in Malta, EU, the main privacy laws that are applicable to Us in so far as You are concerned, are as follows:
- The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ‘DPA’;
- The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’.
All the above, as may be amended from time to time, are referred to together as the “Data Protection Laws”.
WHAT ARE PERSONAL DATA?
“PERSONAL DATA” means any information that identifies You as an individual or that relates to an identifiable individual.
Whenever it is not possible or feasible for Us to make use of anonymous and/or anonymised data (in a manner that does not identify any Users of the Site or recipients of Our services), We are nevertheless committed to protecting Your privacy and the security of Your Personal Data at all times.
HOW AND WHY WE COLLECT PERSONAL DATA
We collect Personal Data in various ways both digitally via the Site (either when You choose to provide Us with certain data or in some cases, automatically or from third parties) as well as non-digitally (for example when You fill in a physical form to benefit from one or more of Our services such as signing up for membership with Us).
As a general rule, We do not collect any Personal Data, that is, information that identifies You as an individual other than that which You choose to provide to Us or to the entities with whom we jointly process Your Personal Data such as the data (including Contact Details and Registration Data) You provide when contacting us via Our Site (where registration is not required) or registering with the said Site (where this is available), when otherwise contacting Us with enquiries relating to Our services (and/or any products We may offer at any time), when subscribing to any service offered by Us (and/or Our affiliates) or via Our Site, such as any newsletters as may be issued by Us from time to time (see Personal Data We Collect About You above).
Unless otherwise specified and subject to various controls, as a general rule, We only collect Personal Data (from You or elsewhere) that We:
- Need to be able to provide You with the services/information You request from Us
- Are legally required to collect/use and to keep for a predetermined period of time
- Believe to be necessary for the performance of a task carried out in the public interest
- Believe to be necessary for the performance of a task carried out in the exercise of official authority vested in Us (as a Government agency)
- Believe to be necessary for Our legitimate business interests (only in cases which are outside the scope of Our tasks as a public authority)
For a detailed description of the reasons why We process specific categories of personal data as well as the corresponding legal ground(s) for doing so, please see the ‘What We Use Your Personal Data For (Purpose of Processing)’ below.
We believe in full transparency. If You wish to obtain any clarification on Our role in any processing activities that may relate to You (or anyone You are legally responsible for) please do not hesitate to contact Us.
WHAT WE USE YOUR PERSONAL DATA FOR (PURPOSE OF PROCESSING)
The following is a description (in a clear and plain manner) of what We use Your Personal Data for and the corresponding legal ground(s) We rely on for doing so.
For more detail on what is meant by terms such as ‘Contact Details’, ‘Registration Data’ ‘Membership Data’ and other categories of Personal Data used in the tables below, please see the section above relating to Personal Data We Collect About You.
Please note that in the rare instances (if any) WHERE WE RELY ON YOUR CONSENT, THIS CAN ALWAYS BE WITHDRAWN AT WILL.
|PURPOSE OF THE PROCESSING||CATEGORIES OF PERSONAL DATA||LEGAL BASIS FOR PROCESSING|
|Evaluating Your application(s)/requests You send Us to use/receive/subscribe to any of Our services (such as access to Our national heritage sites or the sale/delivery of goods)||Registration Data; Identification and Verification Details|| |
|Set up a record on Our systems||Registration Data|| |
|To manage Our relationship with You||Registration Data; Identification and Verification Details||Compliance with the legal obligations|
|To establish and investigate any suspicious behaviour in order to protect Our systems from any risk and fraud||Registration Data; Identification and Verification Details||Compliance with the legal obligations; Legitimate interest (detection and prevention of fraud)|
|To be able to provide You with marketing material that You may have requested from Us or that We may be authorised at law to provide to You||Marketing Data||Your Consent (where we need this); Our legitimate interests (where we don’t need Your consent)|
|Subscribing to a newsletter or mailing list||Contact Details||Your consent|
|Your being able to participate in an online survey or poll||Contact Details||Your consent|
|To specifically evaluate Your membership card application and determine whether or not you are eligible to benefit from the same||Membership data||Your consent; Substantial Public Interest (where applicable)|
|To verify Your identity before allowing You to enter certain sites of national heritage/importance (where required and depending on the site/venue)||Contact Details; Identification and Verification Details||Public Interest / in the exercise of Our tasks as an official authority (where no specific obligations arise at law)|
|To monitor Our premises via CCTV for security purposes, when not exercising any of Our official tasks||CCTV footage (deleted after 7 days)||Legitimate Interests|
|To monitor and protect national/cultural heritage sites via CCTV for security purposes||CCTV footage (deleted after 7 days)||Public interest / in the exercise of Our tasks as an official authority|
SPECIAL NOTE ON CONSENT
For the avoidance of all doubt, We would like to point out that in those limited cases where We cannot or choose not to rely on another legal ground (for example, Our legitimate interests), We will process Your Personal Data on the basis of Your consent, for example, when You sign up to benefit from HERITAGE MALTA membership.
In those cases where We process on the basis of Your consent (which We will never presume but which We shall have obtained in a clear and manifest manner from You), for example in those cases where You have signed up for HERITAGE MALTA’s membership scheme (for which We are responsible), YOU HAVE THE RIGHT TO WITHDRAW YOUR CONSENT AT ANY TIME and this, in the same manner as You shall have provided it to Us.
Should You exercise Your right to withdraw Your consent at any time (by writing to Us at the physical or email address below), We will determine whether at that stage an alternative legal basis exists for processing Your Personal Data (for example, on the basis of a legal obligation to which We are subject) where We would be legally authorised (or even obliged) to process Your Personal Data without needing Your consent and if so, notify You accordingly.
When We ask for such Personal Data, You may always decline, however should You decline to provide Us with necessary data that We require to provide requested services, We may not necessarily be able to provide You with such services (especially if consent is the only legal ground that is available to Us).
Just to clarify, consent is not the only ground that permits Us to process Your Personal Data. In the last preceding section above We pointed out the various grounds that We rely on when processing Your Personal Data for specific purposes.
ACCURACY OF PERSONAL DATA
All reasonable efforts are made to keep any Personal Data We may hold about You up-to-date and as accurate as possible. You can check the information that We hold about You at any time by contacting Us in the manner explained below. If You find any inaccuracies, We will correct them and where required, delete them as necessary. Please see below for a detailed list of Your legal rights in terms of any applicable data protection law.
DIRECT MARKETING
We only send mail, messages and other communications relating to marketing where We are authorised to do so at law. In most cases We rely on Your consent to do so (especially where We use electronic communications). If, at any time, You no longer wish to receive direct marketing communications from Us please let Us know by contacting Us at the details below or update Your preferences on any of Our Site(s) or Apps (where applicable).
In the case of direct marketing sent by electronic communications (where We are legally authorised to do so) You will be given an easy way of opting out (or unsubscribing) from any such communications.
Please note that even if You withdraw any consent You may have given Us or if You object to receiving such direct marketing material from Us (in those cases where We do not need Your consent), from time to time We may still need to send You certain important communications from which You cannot opt-out.
TRANSFERS TO THIRD COUNTRIES
As a general rule, the data We process about You (collected via the Site, any of our Apps or otherwise) will be stored and processed within the European Union (EU)/European Economic Area (EEA) or any other non-EEA country deemed by the European Commission to offer an adequate level of protection (the so-called ‘white-listed’ countries listed here: https://ec.europa.eu/info/law/law-topic/data-protection_en).
INTERNET COMMUNICATIONS
You will be aware that data sent via the Internet may be transmitted across international borders even where sender and receiver of information are located in the same country. We cannot be held responsible for anything done or omitted to be done by You or any third party in connection with any Personal Data prior to Our receiving it including but not limited to any transfers of Personal Data from You to Us via a country having a lower level of data protection than that in place in the European Union, and this, by any technological means whatsoever (for example, WhatsApp, Skype, Dropbox etc.).
Moreover, We shall accept no responsibility or liability whatsoever for the security of Your data while in transit through the Internet unless Our responsibility results explicitly from a law having effect in Malta.
AUTHORISED DISCLOSURES
We may disclose Your Personal Data in the following cases:
- for the purpose of preventing, detecting or suppressing fraud (for example, if You provide false or deceptive information about Yourself or attempt to pose as someone else, We may disclose any information We may have about You in Our possession so as to assist any type of investigation into Your actions);
- in the event of HERITAGE MALTA being involved in a restructure, transfer or absorption into another Government department (or similar event analogously applicable to Government agencies);
- to protect and defend Our rights (including the right to property), safety, or those of Our affiliates, of Users of Our Site, of Our members or even Your own;
- to protect against abuse, misuse or unauthorised use of Our Site;
- for any purpose that may be necessary for the performance of any agreement You may have entered into with Us (including the request for provision of services by third parties) or in order to take steps at Your request prior to entering into a contract;
- to comply with any legal obligations such as may arise by way of response to any Court subpoena or order or similar official request for Personal Data; or
- as may otherwise be specifically allowed or required by or under any applicable law, for example, under anti-money laundering legislation.
Any such authorised disclosures will be done in accordance with the Data Protection Laws (for example, all Our processors are contractually bound by the requirements in the said Data Protection Laws, including a strict obligation to keep any information they receive confidential and to ensure that their employees/personnel are also bound by similar obligations). The said service providers (Our processors) are also bound by a number of other obligations (in particular, Article 28 of the GDPR).
SHARING OF PERSONAL DATA WITH OTHER CATEGORIES OF RECIPIENTS
In certain cases, the recipients with whom We share Your personal data will not be acting on Our behalf (as Our data processors) but will be acting in their own capacity as entities/data controllers separate and independent from Us (e.g. other Government agencies). We are not responsible for whatever these entities may do with Your personal data and encourage You to read through their respective privacy policies to find out more about how they handle Your personal data.
YOUR PERSONAL DATA WILL NEVER BE SHARED WITH THIRD PARTIES FOR THEIR MARKETING PURPOSES.
|CATEGORY OF RECIPIENT||PURPOSE OF PROCESSING|
|Our partners such as Heritage Malta Services Limited (C 31260)||To be able to provide you with the services You request and/or expect of Us|
|Cloud Service Providers||Hosting of data under state-of-the-art security protocols and our exclusive control|
|IT Service Providers – including The Malta Information & Technology Agency (MITA)||Maintenance and support of our IT systems/Website(s) – with restricted access and under Our strict controls|
|Auditors||Compliance with our auditing obligations – with access granted only to essential personal data|
|Legal Advisors||Compliance with our legal obligations or when necessary for the establishment, exercise or defence of legal claims.|
|Other Government agencies, departments or entities||Compliance with legal obligations, in the public interest and/or our exercise of official authority.|
SECURITY MEASURES
The personal information which We may hold (and/or transfer to any affiliates/partners/subcontractors as the case may be) will be held securely in accordance with Our internal security policy and the law.
We use reasonable efforts to safeguard the confidentiality of any and/or all Personal Data that We may process relating to You and regularly review and enhance Our technical, physical and managerial procedures so as to ensure that Your Personal Data is protected from:
- unauthorised access
- improper use or disclosure
- unauthorised modification
- unlawful destruction or accidental loss.
To this end We have implemented security policies, rules and technical and organisational measures to protect the Personal Data that We may have under Our control. All Our members, staff and data processors (including specific subcontractors such as BMIT, and cloud service providers such as Amazon Web Services and Google Analytics, established within the European Union) who may have access to and are associated with the processing of Personal Data are further obliged (under contract) to respect the confidentiality of Our Users’ or recipients’ Personal Data as well as the other obligations imposed by the Data Protection Laws.
Despite all the above, We cannot guarantee that a data transmission or a storage system can ever be 100% secure. For more information about Our security measures please contact Us in the manner described below.
As stated above, the said service providers (Our data processors) are also bound by a number of other obligations in line with the Data Protection Laws (particularly, Article 28 of the GDPR).
RETENTION PERIODS
We will retain Your Personal Data only for as long as is necessary (taking into consideration the purpose for which they were originally obtained). The criteria We use to determine what is ‘necessary’ depends on the particular Personal Data in question and the specific relationship We have with You (including its duration).
Our normal practice is to determine whether there is/are any specific EU and/or Maltese law(s) permitting or even obliging Us to keep certain Personal Data for a certain period of time (in which case We will keep the Personal Data for the maximum period indicated by any such law). For example, any data that can be deemed to be ‘accounting records’ must be kept for ten (10) years.
We would also have to determine whether there are any laws and/or contractual provisions that may be invoked against Us by You and/or third parties and if so, what the prescriptive periods for such actions are (this is usually five (5) years in those cases where Our contractual relationship with You terminates or two (2) years in those cases where no such contractual relationship exists). In this case, We will keep any relevant Personal Data that We may need to defend Ourselves against any claim(s), challenge(s) or other such action(s) by You and/or third parties for such time as is necessary.
Where Your Personal Data are no longer required by Us (in line with all applicable laws), We will either securely delete or anonymise the Personal Data in question.
Please note that certain laws oblige Us to disclose some Personal Data to other Government entities (for example, the National Statistics Office) or to other entities, in which case such entities (as separate controllers) would then determine their own retention policies (which in such cases may be much longer than those described above).
PROCESSING FOR RESEARCH AND STATISTICAL REASONS
Research and statistics using User or recipient information is only carried out so that We may understand Our Users’ and/or recipients’ needs, to develop and improve Our services/activities and/or for tasks carried out in the public interest or under the exercise of official authority representative of HERITAGE MALTA’s purpose. In any case, where applicable, We will always ensure to obtain any consent We may legally require from You beforehand. As in all other cases, We will also ensure to implement all appropriate safeguards as may be necessary.
LINKS TO THIRD PARTY SOURCES
Links that We provide to third-party sources (such as websites) are clearly marked and We are not in any way whatsoever responsible for (nor can We be deemed to endorse in any way) the content of such sources (including any applicable privacy policies or data processing operations of any kind). We suggest that You should read the privacy policies of any such third-party sources (including the websites and respective policies or data processing operations of any kind).
FILMING & PHOTOGRAPHY
We operate various sites and venues that due to their nature and the events hosted there, will sometimes require filming or photographing of crowds and the sites/venues themselves (for Our promotional or similar purposes). We have taken every measure to include signs at the sites/venues themselves explaining this, thereby giving You every opportunity not to (possibly) be filmed by Us by entering the said sites/venues.
Please note that when events are organised by third parties, it is those third parties that would usually have control over filming and photography and Our involvement would be limited (or none at all).
Should You need any clarification on a case-by-case basis, please do not hesitate to contact Us at any time.
The Site and Our online services (entering into contracts with HERITAGE MALTA) are not intended to be used by any persons under the age of eighteen (18) and therefore We will never intentionally collect any Personal Data from such persons unless under a specific legal exemption (if any). If You are under the age of consent, please consult and get Your parent’s or legal guardian’s permission to use the Site and to use Our services.
We shall consider that any Personal Data of persons under the age of eighteen (18) received by Us, shall be sent with the proper authority and that the sender can demonstrate such authority at any time, upon Our request.
AUTOMATED DECISION-MAKING
We do not rely on any decisions taken solely by automated means (in other words, without significant human intervention) – including any profiling. Should this position change in the future (and only as We may be legally permitted to do), You will be notified accordingly.
YOUR RIGHTS UNDER THE DATA PROTECTION LAWS
Before addressing any request You make with Us, We may first need to verify Your identity. In all cases We will try to act on Your requests as soon as reasonably possible.
As explained in the Retention Periods section above, We may need to keep certain Personal Data for compliance with Our legal retention obligations but also to complete transactions that You requested prior to the change or deletion that You requested.
Your various rights at law include:
YOUR RIGHT OF ACCESS
You may, at any time request Us to confirm whether or not We are processing Personal Data that concerns You and, if We are, You shall have the right to access that Personal Data and to the following information:
- What Personal Data We have,
- Why We process them,
- Who We disclose them to,
- How long We intend on keeping them for (where possible),
- Whether We transfer them abroad and the safeguards We take to protect them,
- What Your rights are,
- How You can make a complaint,
- Where We got Your Personal Data from and
- Whether We have carried out any automated decision-making (including profiling) as well as related information.
Upon request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.
YOUR RIGHT TO RECTIFICATION
You have the right to ask Us to rectify inaccurate Personal Data and to complete incomplete Personal Data concerning You. We may seek to verify the accuracy of the data before rectifying it.
YOUR RIGHT TO ERASURE (THE RIGHT TO BE FORGOTTEN)
You have the right to ask Us to delete Your Personal Data and We shall comply without undue delay but only where:
- The Personal Data are no longer necessary for the purposes for which they were collected; or
- You have withdrawn Your consent (in those rare instances where We process on the basis of Your consent) and We have no other legal ground to process Your Personal Data; or
- You shall have successfully exercised Your right to object (as explained below); or
- Your Personal Data shall have been processed unlawfully; or
- There exists a legal obligation to which We are subject; or
- Special circumstances exist in connection with certain children’s rights.
In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your Personal Data is necessary:
- for compliance with a legal obligation to which We are subject (including but not limited to Our duty to retain an accurate database of company records and Our data retention obligations);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as your exercise of this right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
- for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling Us to refuse erasure requests although the three instances above are the most likely grounds that may be invoked by Us to deny such requests.
YOUR RIGHT TO DATA RESTRICTION
You have the right to ask Us to restrict (that is, store but not further process) Your Personal Data but only where:
- The accuracy of Your Personal Data is contested (see the right to data rectification above), for a period enabling Us to verify the accuracy of the Personal Data; or
- The processing is unlawful and You oppose the erasure of Your Personal Data; or
- We no longer need the Personal Data for the purposes for which they were collected but You need the Personal Data for the establishment, exercise or defence of legal claims; or
- You exercised Your right to object and verification of Our legitimate grounds to override Your objection is pending.
Following Your request for restriction, except for storing Your Personal Data, We may only process Your Personal Data:
- Where We have Your consent (if any exists); or
- For the establishment, exercise or defence of legal claims; or
- For the protection of the rights of another natural or legal person; or
- For reasons of important public interest.
YOUR RIGHT TO DATA PORTABILITY
You have the right to ask Us to provide Your Personal Data (that You shall have provided to Us) to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it ‘ported’ directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
- The processing is based on Your consent or on the performance of a contract with You; and
- The processing is carried out by automated means
YOUR RIGHT TO WITHDRAW CONSENT (WHEN WE RELY ON CONSENT)
In the rare instances where We may have relied on Your consent to process Your personal data (which, in any case, we would have obtained in the manner required by the GDPR), You may withdraw any such consent at any time in a manner that is as easy as when You first provided the said consent to Us.
YOUR RIGHT TO OBJECT TO A CERTAIN PROCESSING
In those cases where We process Your Personal Data when this is 1.) necessary for the performance of a task carried out in the public interest or in the exercise of Our official authority (as indicated above) OR 2.) necessary for the purposes of the legitimate interests pursued by Us or by a third party, You shall have the right to object to the processing of Your Personal Data by Us. Where an objection is entered, the processing of data shall cease, unless We as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections You may have raised.
For the avoidance of all doubt, when We process Your Personal Data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which We are subject or when processing is necessary to protect Your vital interests or those of another natural person, this general right to object shall not subsist.
You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner (OIDPC).
We kindly ask that You please attempt to resolve any issues You may have with Us first (even though, as stated above, You have a right to contact the competent authority at any time).
WHAT WE MAY REQUIRE FROM YOU
As one of the security measures We implement, before being in the position to help You exercise Your rights as described above We may need to verify Your identity to ensure that We do not disclose to or share any Personal Data with any unauthorised individuals.
TIME LIMIT FOR A RESPONSE
We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if You send Us multiple requests), it may take Us longer than a month. In such cases, we will notify You accordingly and keep You updated.
HERITAGE MALTA DETAILS
If You have any questions/comments about privacy or should You wish to exercise any of Your individual rights, please contact Us at email@example.com or by writing to the Data Protection Officer (at the address above) or by phoning Us using telephone number (+356) 2295 4200 (during normal office hours) or by contacting Our Data Protection Officer.
HERITAGE MALTA’s Data Protection Officer can be contacted directly at firstname.lastname@example.org