Privacy and Personal Data Protection Notice

Document Ref. GDPR-DOC-04-2
Version: 1
Dated: 25 May 2018
Document Author:
Document Owner:

Privacy and Personal Data Protection Policy

Revision History

Distribution

Approval

Version Date Revision Author Summary of Changes
1.0 25/5/2018 Brian Schembri Initial version
Name Position Signature Date

Version 1 Page 1 of 14 25 May 2018

Privacy and Personal Data Protection Policy

1 Introduction

Attard & Co Ltd. is a company registered under the laws of Malta having its registered address at [-] (“We”/ “Us”/ “Our” or the “Company”)

We are committed to respecting the privacy and personal data collected about individuals. If you wish to contact Us about Our privacy practices please feel free to do so by post on the abovementioned address or by email at dataprotection@attardco.com. You may also wish to contact us by telephone on 21237555.

Our Data Protection Officer is Brian Schembri who may be contacted by email at bschembri@attardco.com or by telephone on +356 21 32 2118.

Please read this Privacy Notice carefully to understand our practices with respect to your personal data. The purpose of this policy is to set out Our practices with respect to personal data in line with the relevant legislation and to describe the steps that the Company is taking to ensure that it complies with the law.

References to “data controller”, “data subject”, “personal data”, “process”, “processed”, “processing” and “Data Protection Officer” in this Privacy Notice have the meanings set out in, and will be interpreted in accordance with applicable laws, including but not limited to the Data Protection Regulation (EU) 2016/679 and the Data Protection Act, Chapter 586 of the Laws of Malta and subsidiary legislation thereto, as may be amended from time to time.

2 What Amounts to Personal Data?

The term “personal data” refers to all personally identifiable information about you, such as your name, surname and address, and includes all information which may arise that can be identified with you personally.

3 What Personal Data Do We Process?

In its everyday business operations the Company makes use of a variety of data about identifiable individuals, including data about:

  • ●  Current, past and prospective employees
  • ●  Customers
  • ●  Users of its websites
  • ●  Subscribers
  • ●  Other stakeholders In collecting and using this data, the organisation is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it. This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Attard & Co Group systems. The following policies and procedures should be read in conjunction with this document:

Version 1 Page 3 of 14 25 May 2018

Privacy and Personal Data Protection Policy

  • ●  Data Protection Impact Assessment Process
  • ●  Personal Data Mapping Procedure
  • ●  Legitimate Interest Assessment Procedure
  • ●  Information Security Incident Response Procedure
  • ●  GDPR Roles and Responsibilities
  • ●  Records Retention and Protection Policy
    We can provide you with a hard copy if you contact us on dataprotection@attardco.com.

Version 1 Page 4 of 14 25 May 2018

Privacy and Personal Data Protection Policy

4 Attard & Co Group Scope

The scope of this privacy and personal data protection policy applies to all the Attard & Co group subsidiary companies as shown below;

Version 1 Page 5 of 14 25 May 2018

Privacy and Personal Data Protection Policy

5 How do we collect and process Personal Data?

As importers and distribution of food products and related services, We regularly collect and process personal data as part of the provision of our goods and/or services as follows:

  • As part of Our client engagement procedures;
  • When you or your company requests Our goods/services;
  • When you or your company provide goods/services to Us or refer clients to Us;
  • When you post a query, complaint or observation through Our website;
  • When you contact Us voluntarily in other circumstances such as when seeking employment or traineeship with Us or seeking to attend Our events;
  • to manage our relationship with you or your company, including for billing and debt collection purposes;
  • to provide you with statements and to provide you with products and services;
  • for internal assessments and analysis (including credit behaviour scoring, market surveys, research market and product analysis);
  • for the detection and prevention of fraud and other criminal activity which we are legally bound to report;
  • for the development and improvement of our systems, products and services
  • Personal Data that We may process as a result of legal obligations imposed on Us;
  • your bank account details and other financial information;
  • any Personal Data lawfully generated by Us in the course of executing your instructions;
  • any Personal Data which you may voluntarily provide to Us;
  • in the recording of telephone conversations or electronic communications which result or may result in transactions which recording will take;
  • for safety and security purpose, including (amongst others) safety of our premises, property and employees (such as calls to our customer care for quality assurance purposes), and the establishment, exercise or defence of legal claims;
  • for direct marketing, promotions, communications about our new products or services, events;
  • for purposes of a legitimate interest pursued by Us or by a third party, provided such interest is not overridden by your interests, fundamental rights and freedoms; and,
  • the purposes you would have requested when providing your Personal Data to Us. Generally, you would have provided your personal data to Us. However, in some instances, We may collect personal data about you from third party sources, such as online searches or from public registers. Third parties such as Our clients and business partners may also have provided your personal data to Us. Special categories of Personal Data may be processed in the provision of the goods and services to the client. Special categories of Personal Data collected about you may be health data and data related to your conviction and offences. Irrespective of the manner that We have collected your Personal Data, We will only process such data for the purposes of rendering you with the goods or services or purposes which are inherently related thereto, including the fulfilment of any legal or regulatory obligation imposed on Us.

Version 1 Page 6 of 14 25 May 2018

Privacy and Personal Data Protection Policy

6 What Personal Data do we process?

The personal data that we typically collect and process about our data subjects are:

7

  • The personal data that We collect for the fulfilment of our obligations in rendering the goods and, or services to you;
  • Your identity details such as your name, surname, employer, title, position, and status;
  • Your contact information such as your email address, physical address and telephone numbers;
  • Your bank account details and other financial information;
  • Any information you provide to Us when posting a query, complaint or observation through Our website www.camilleripreziosi.com;
  • Information you provide to Us for the purposes of attending meetings or events;
  • Personal data provided to us by, on behalf of or in relation to our clients, business partners, service providers and employees
  • Any personal data lawfully generated by Us in the course of executing Our client’s instructions
  • CCTV footage, when you visit Our offices; and,
  • Any personal data which you may voluntarily provide to Us. Cookies

We use cookies when you visit our group websites. Cookies are pieces of information that a website transfers to your computer’s hard disk or to your browser’s memory. There are four main types of cookies that we use. Here’s how and why we use them:

(1) Site functionality cookies – these cookies allow you to navigate the site and use our features, such as “save flight”.
(2) Site analytics cookies – these cookies allow us to measure and analyse how our customers use the site, to improve both its functionality and your online experience.

(3) Customer preference cookies – when you are browsing, these cookies will remember your preferences (like your language or location), so we can make your online experience as seamless as possible and more personal to you.
(4) Targeting or advertising cookies – these cookies are used to deliver ads that are relevant to you. They also limit the number of times that you see an ad and help us measure the effectiveness of our marketing campaigns.

Please note that the cookies used by us do not personally identify you but they simply identify your computer or other device.

Most browsers are initially set to accept cookies. However, if you prefer, you can set your browser to block all, or certain, cookies. You can also set your browser to prompt you each time a cookie is offered. If you wish to block cookies, here’s a guide on how to do so for the most common browsers, such as Microsoft Internet Explorer, Google Chrome, or Mozilla Firefox.

Version 1 Page 7 of 14 25 May 2018

Privacy and Personal Data Protection Policy

8 Data analytics

If you read or download information from our site, we automatically collect and store the following information:

• The requested web page or download;
• Whether the request was successful or not;
• The date and time when you accessed the site;
• The Internet address of the web site or the domain name of the computer from which you accessed the site;
• The operating system of the machine running your web browser and the type and version of your web browser.

We use the information that we gather in order to evaluate the website’s usage, content, usability and composition. This statistical analysis allows us to better understand our users’ needs and to generally make your internet experience more enjoyable and to provide a value-added service to you as a visitor. In order to do so, we make use of third-party services such as Google Analytics.

Google Analytics is a web analytics service that analyses how you use our website based on cookies (see cookie policy above). Google will use this information for the purpose of evaluating your use of our website. Further information about Google’s privacy policy may be obtained from this link.

Be assured that Google will not use this information to identify individual users or to match it with further data on an individual user.

If you do not wish that your user behaviour is analysed, you can opt-out of both services respectively via the following links – Google Analytics Opt-Out.

9 Newsletter subscription

When you subscribe to one of our newsletters, you provide us with personal information such as your name and email address. We use the personal information submitted in the form only to send you the newsletter you subscribed to.
We use a third-party service provider called Mailchimp to send newsletters to users who subscribe to receive them and Mailchimp provides us with support statistics to help us improve our services to you. For more information on how Mailchimp manages your data please visit their Privacy Policy. Mailchimp is a data processor for us and only processes personal information in line with our instructions.

You will need to provide us with your consent as a legal basis for us to process your personal data to receive the newsletter. Personal data is deleted upon withdrawal of such consent by you, or, at the point where the purpose for holding that data is no longer valid.

10 Links to other Websites

Our site has a number of links to other local and international organisations and agencies. In some cases, for the benefit of the visitor, it may be required that we link to websites of other organisations after permission is obtained from them respectively. It is important for you to note that upon entering a linked website, you are no longer on our site and you become subject to the privacy policy of the other site.

Version 1 Page 8 of 14 25 May 2018

Privacy and Personal Data Protection Policy

11 Contact or feedback

When you fill the “Contact Us” form on our website, you provide us with personal information such as your name, email address, country and your message to us. We have a legitimate interest to process any personal data submitted in the form as this information is necessary to process and address your complaint/feedback in the way you expect us to and to respond to your message.

12 Legal Bases of Processing Personal Data

The legal bases of processing your Personal Data are the following:

  1. Entering into and performing the obligations in our agreement for the provision of goods and, or services to you – in particular to provide you with the goods and, or services that you have requested and to manage Our relationship with you. Providing such Personal Data is necessary for our performance of our obligations under such agreement. If you do not allow us to process your personal data, we would be unable to provide you with the goods and, or services requested;
  2. Our legitimate interests – in particular:
    1. Our legitimate interests in the context of the sale of a product or a service, where we may use Your electronic contact details for direct marketing of Our own similar products or services and where we have provided you with an opportunity to object to such use of electronic contact details when they are collected and on the occasion of each message to you;
    2. Our legitimate interest to process your Personal Data for safety and security, such as the recording of telephone conversations or electronic communications which result or may result in transactions where recording will take place, and CCTV footage at our premises;
    3. On the basis of Our legitimate interests or compliance with legal obligations, as applicable, We may also process your Personal Data for the purposes of establishing, exercising or defending legal proceedings or claims against Us.
    When we process your Personal Data on the basis of Our legitimate interests, we ensure that the legitimate interests pursued by Us are not overridden by your interests, rights and freedoms; and,
  3. Your explicit consent, or parental consent where the data subject is a child – in which case, Our processing shall be limited to the purposes specifically indicated when your consent was requested. We typically require your consent for direct marketing and with respect to communications related to our events, news and updates, and promotions of new goods and services, where we do not have a legitimate interest to send you such communications;

We will ensure that we have additional grounds for processing your Personal Data if processing of Special Categories of Personal Data is envisaged. We might also process your Personal Data on the basis of your explicit consent, in which case we will process your data for the purposes for which your explicit consent was requested.

13 Third Party Recipients of Personal Data

We may share your personal data with third party recipients who are:

Version 1 Page 9 of 14 25 May 2018

14

  • selected individuals within Our company, on a need-to-know basis;
  • any service providers that may have access to your personal data in rendering Us with their support services, including IT and accounting service providers;
  • third parties to whom disclosure may be required as a result of the relationship with Our clients;
  • any business partners to whom you may have requested that We transfer your personal data; and
  • third parties to whom disclosure may be required as a result of legal obligations imposed on Us. Automated Decision-Making and Profiling

Privacy and Personal Data Protection Policy

Your personal data will not be used for any decision solely taken on the basis of automated decision-making processes, including profiling, without human intervention.

In the interest of transparency, note that We use systems which could profile you. Such systems are used by Us exclusively to help Us in the due diligence process. As stated, no automated-decision will result from Our use of such systems.

15 Data Retention

We retain your personal data exclusively for the period which is lawfully permissible to retain your personal data. Thereafter, your personal data shall be immediately and irrevocably destroyed.

As a result of legal obligations imposed on Us, we typically retain your personal data relating to financial information for up to ten (10) years unless we have a statutory obligation imposed on Us to retain your data for a further period or a business need or require your personal data to exercise or defend legal claims.

If we have a contractual relationship with you, we typically retain your personal data for up to five (5) years from the end of Our contractual relationship on the basis of Our legitimate interests to protect ourselves from civil cases which you might institute against Us in relation to Our contractual relationship.

Invoices, credit notes and similar transactional documents or information will be kept by Us for up to ten (10) from completion of the relevant transaction on the basis of legal obligations imposed on Us to retain such information.

We may have a legitimate interest to hold your data for longer periods such as when your data is required for exercising or defending legal claims. For more information on our retention periods, you can request a copy of our Retention Policy by contacting us on dataprotection@attardco.com.

Any personal data which We may hold on the basis of your consent shall be retained exclusively until when you withdraw your consent. As noted above, retention of data on the basis of your consent is only envisaged where there are special categories of personal data collected, or for Our direct marketing activities.

16 Your Rights

The data subject also has rights under the GDPR. These consist of:

  1. The right to be informed
  2. The right of access

Version 1 Page 10 of 14 25 May 2018

Privacy and Personal Data Protection Policy

  1. The right to rectification
  2. The right to erasure
  3. The right to restrict processing
  4. The right to data portability
  5. The right to object
  6. Rights in relation to automated decision making and profiling.

You may exercise these rights as follows:

  • Right of access – you have the right to ascertain the personal data We hold about you and to receive a copy of such personal data;
  • Right to complain – you have the right to lodge a complaint regarding the processing of your personal data with the supervisory authority for data protection matters. In Malta this is the Information and Data Protection Commissioner (contact details provided below);
  • Right to Erasure – in certain circumstances you may request that We delete the personal data that we hold about you;
  • Right to Object – you have a right to object and request that We cease the processing of your personal data where We rely on Our, or a third party’s legitimate interest for processing your personal data;
  • Right to Portability – you may request that We provide you with certain personal data which you have provided to Us in a structured, commonly used and machine- readable format. Where technically feasible, you may also request that we transmit such personal data to a third party controller indicated by you;
  • Right to Rectification – you have the right to update or correct any inaccurate personal data which We hold about you;
  • Right to Restriction – you have the right to request that We stop using your personal data in certain circumstances, including if you believe that We are unlawfully processing your personal data or the personal data that We hold about you is inaccurate;
  • Right to withdraw your consent – where Our processing is based on your consent, you have the right to withdraw your consent. Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent; and
  • Right to be informed of the source – where the personal data We hold about you was not provided to Us directly by you, you may also have the right to be informed of the source from which your personal data originates. These timescales to exercise your rights are shown in Table 1.
Data Subject Request Timescale
The right to be informed When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)
The right of access One month
The right to rectification One month
The right to erasure Without undue delay
The right to restrict processing Without undue delay
The right to data portability One month
The right to object On receipt of objection
Rights in relation to automated decision making and profiling. Not specified

Version 1 Page 11 of 14 25 May 2018

Privacy and Personal Data Protection Policy

Table 1 – Timescales for data subject requests

For direct marketing, you have a right to opt-out and to object to receiving any further such communications from Us at any time. Note that if We contact you about Our legal updates, newsletters and events on the basis of your consent, you have a right to withdraw your consent and no longer be contacted for such purposes at any time.

Please note that in terms of the applicable laws, your rights in relation to your personal data are not absolute.

You may exercise the rights indicated in this section by contacting Us or Our Data Protection Officer at the details indicated above.

17 Keeping your data secure

We shall keep your personal data secure and shall commit to take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, including against accidental loss, destruction, storage or access. Your personal data may be stored in paper files or electronically on our technology systems or on technology systems of our IT service providers.

18 International Transfers of Personal Data

Transfers of personal data outside the European Union will be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data applicable in the receiving country and this may change over time. Where required, we shall implement additional security measures, such as the EU Model Clauses, to ensure that the data transferred to non EEA countries is secure.

Intra-group international data transfers will be subject to legally binding agreements referred to as Binding Corporate Rules (BCR) which provide enforceable rights for data subjects.

19 Complaints

If you have any complaints regarding Our processing of your personal data, please note that you may contact Us or Our Data Protection Officer at the details indicated above. You also have a right to lodge a complaint with the Office of the Information and data Protection Commissioner in Malta (www.idpc.gov.mt).

20 Where You Provide Us with Personal Data Related to Third Party Data Subjects

If you are a trader, a company, an intermediary or other corporate entity, and you supply to Us Personal Data of third party Data Subjects such as your employees, affiliates, service providers, customers or any other individuals connected to your business, you shall be solely responsible to ensure that:

you immediately bring this Privacy Notice to the attention of such Data Subjects and direct them to it;
the collection, transfer, provision and any Processing of such Personal Data by You fully complies any applicable laws;

as Data Controller You remain fully liable towards such Data Subjects and shall adhere to the applicable laws;

Version 1 Page 12 of 14 25 May 2018

Privacy and Personal Data Protection Policy

you collect any information notices, approval, consents or other requirements that may be required from such Data Subject before providing Us with their Personal Data;
you remain responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible.

You hereby fully indemnify Us and shall render Us completely harmless against all costs, damages or liability of whatsoever nature resulting from any claims or litigation (instituted or threatened) against Us as a result of your provision of said Personal Data to Us.

21 Updates

We may update this Privacy Notice in Our sole discretion including as result of a change in applicable law or processing activities. Any such changes will be communicated to you prior to the commencement of the relevant processing activity.

Version 1 Page 13 of 14 25 May 2018