Privacy Policy

1. Introduction

Malta Digital Innovation Authority (‘MDIA’) is established by virtue of the Malta Digital Innovation Authority Act, Chapter 591, to seek the development of the innovative technology sector in Malta through proper recognition and regulation of relevant innovative technology arrangements and related services.

The purpose of this Policy is to explain how MDIA collects, processes and stores Personal Data of Data Subjects in order for the MDIA to fulfil the requirements of the Data Protection Act, Chapter 586 of the Laws of Malta and of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council). This Policy also explains how MDIA uses Personal Data, who this information might be shared with and the ways in which the MDIA protects this Personal Data. Moreover, this Policy clarifies the rights that Data Subjects have and the decisions that they can make about their Personal Data held by the MDIA.

It is important that Data Subjects read this Policy together with any other related document so that Data Subjects are fully aware of how and why the Personal Data of the Data Subject is being used and what rights they have. This Policy supplements other documentation and is not intended to override them.

2. Personal Data

Personal Data means any information about an individual (‘Data Subject’) from which that individual can be identified, directly or indirectly. However, it does not include data where the identity has been removed (i.e. anonymous data). Personal Data can be in analogue form (such as, hard documents) or in digital form (such as, information systems, databases and emails).

The MDIA may collect, use, store and transfer different kinds of Personal Data which may include, but is not limited to:

  • Identity Data which includes first names and last name/s, identity card or passport number details.
  • Contact Data which includes email address, residential address and telephone number. This shall also include emergency contact information, where relevant.
  • Employment Data which includes details on work positions, CVs, employment history, details on directorships/affiliations and other related data, including information on board members of the Authority.
  • Financial Data which includes salary or wages amounts, tax and social security information, bank account details, bank references, receipts submitted, VAT numbers, annual financial statements, accounts etc. With respect to procurement, Financial Data may include details of contracts and of suppliers, including quotes.
  • Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices that the Data Subject uses to access a website.
  • Usage Data includes information about how the Data Subject makes use of MDIA’s website, and the date and time the website is accessed by the Data Subject.
  • Sensitive Data has a special status under the law, as it is particularly personal in nature. It concerns a person’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics used for identification purposes, health, sex life or sexual orientation. It may also relate to one’s criminal convictions, such as police conduct certificates. There are a number of strict rules about the processing of this kind of data, and the kinds of situations in which it is legitimate to process it, and usually the data subject’s explicit consent to do so or a clear legal basis are required. The MDIA will never disclose such data to any third party unless legally obliged to do so, and then only to appropriate authorities as required by law.

3. Method by which Personal Data is collected

The MDIA makes use of different methods to collect Personal Data. However, this is mainly done by means of the following:

  • Direct interactions: Personal Data may be given to the MDIA in person, by post, via email or via website or by filling in application forms or even when filling in the ‘Contact us’ form of MDIA, if any.
  • Indirect interactions: Personal Data may be collected via CCTV of the MDIA and other security systems when the Data Subject attends the offices of the Authority.
  • Automated technologies or interaction: As the Data Subject interacts with the website of MDIA, MDIA will automatically collect Technical Data about the equipment, browsing actions and patterns of Data Subjects. MDIA collects this personal data by using cookies and other similar technologies. Please see our Cookie Policy for further details via https: ___________________________________ .

4. Legal Basis, Purpose and Why MDIA collects Personal Data and How it is Used

The below table provides a description of the ways MDIA plans to use the Personal Data of Data Subjects, and which of the legal basis it relies on to do so. Where appropriate, the legitimate interests of MDIA have also been identified.

Legitimate Interest refers to the interest of MDIA in conducting and managing its operations to enable it to give Data Subject the best service and the best and most secure experience. MDIA makes sure to consider and balance any potential impact on Data Subjects (both positive and negative) and their rights, before it processes their Personal Data for its legitimate interests. MDIA does not use Personal Data of Data Subjects for activities where its interests are overridden by the impact on Data Subjects, unless MDIA would have the consent of that Data Subject or is otherwise required or permitted to by law.

MDIA may process Personal Data for more than one lawful ground depending on the specific purpose for which it is using the Personal Data.

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To allow Data Subjects to contact MDIA | (a) Identity; (b) Contact | Necessary for MDIA’s legitimate interests such as, to allow it to contact the Data Subject once the Data Subject would have filled an online form or application. |
| To administer and protect the business of MDIA and its website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Technical | (a) Necessary for legitimate interests of MDIA, such as, for providing our services, provision of administration and IT services, and network security; (b) Necessary to comply with a legal obligation. |
| To deliver relevant website content and advertisements to Data Subjects and measure or understand the effectiveness of the advertising we serve to Data Subjects | (a) Usage; (b) Technical | Necessary for legitimate interests of MDIA, such as, to study how customers use its website, to develop them, to grow MDIA’s business and to inform its marketing strategy. |
| To use data analytics to improve MDIA’s website, products/services, marketing, customer relationships and experiences | (a) Technical; (b) Usage | Necessary for legitimate interests of MDIA such as, to define types of applicants for its schemes, to keep its website updated and relevant, to develop its business and to inform its marketing strategy. |
| To allow Data Subjects to apply under schemes and other initiatives offered by the MDIA | (a) Identity; (b) Contact; (c) Employment; (d) Financial; (e) Sensitive | Necessary for legitimate interests of MDIA, such as, to determine eligibility of applicants who apply under the schemes of MDIA. Necessary to comply with a legal obligation. |
| To allow Data Subjects to benefit from any funding given by MDIA | (a) Identity; (b) Contact; (c) Financial | Necessary for the legitimate interests of MDIA such as, to be able to transfer funds that a Data Subject may be eligible to as an applicant under the MDIA’s schemes. |
| To allow employees to benefit from any internal schemes and other initiatives offered by the MDIA | (a) Identity; (b) Contact; (c) Financial; (d) Sensitive | Necessary for the legitimate interests of MDIA such as, to be able to transfer funds that a Data Subject may be eligible to as an applicant under the Authority’s schemes. |
| To retain information on the employee file, which may also include information relating to insurance claims for employees of the MDIA | (a) Identity; (b) Contact; (c) Financial; (d) Sensitive | Necessary for our legitimate interests such as, to be able to keep all up-to-date information on our employees, including financial information which relates to salaries, as well as to enable the Authority to process information on insurance claims with the insurance company. |
| To fulfil reporting duties to inter-governmental authorities | (a) Identity; (b) Contact; (c) Employment Data; (d) Sensitive | Necessary for our legitimate interests such as, to be able to allow MDIA to comply with its duties at law with other governmental authorities. |
| Publications in the Government Gazette, annual report, and the publishing of beneficiaries of the schemes of MDIA | (a) Identity; (b) Contact; (c) Financial | Necessary for the legitimate interests of MDIA such as, to be able to allow MDIA to comply with its duties at law. |
| Procurement | (a) Identity; (b) Contact; (c) Financial | Necessary for the legitimate interests of MDIA such as, to be able to allow us to comply with our duties at law. |
| Tender | (a) Identity; (b) Contact; (c) Employment Data; (d) Financial Data – including information on the company/supplier and information on employment, where relevant | Necessary for the legitimate interests of MDIA such as, to be able to allow MDIA to comply with MDIA’s duties at law. |
| Organisation of events and to allow you to participate in a prize draw, competition or complete a survey. | (a) Identity; (b) Contact | Necessary for legitimate interests of MDIA such as, to develop and market our services. |

MDIA may have to process Personal Data for other legitimate interests as there would be a legal requirement or obligation to do so or if it is acting in the public interest and the interests and fundamental rights of the Data Subject do not override those interests.

MDIA will only use Personal Data for the purposes for which it collected it, unless it reasonably considers that it needs to use it for another reason and that reason is compatible with the original purpose or the above purposes.

MDIA may process Personal Data of Data Subjects without their knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5. Data Controller

When determining the purposes and means of the processing of Personal Data, MDIA acts as the ‘Data Controller’ for the purposes of the law. Indeed, a ‘data controller’ is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed.

6. Sharing and Disclosure of Personal Data

MDIA may share Personal Data of Data Subjects with third parties for the purposes set out in this Policy. These third parties may include service providers based in Malta and/or overseas, even outside the European Union, such as other governmental entities, contractors, auditors, Microsoft and Shireburn Software Limited, which companies provide web-based services, programmes, applications and/or software.

MDIA requires all third parties to respect the security of the Personal Data of Data Subjects and to treat it in accordance with EU data protection regulations. MDIA does not allow such third-party service providers to use Personal Data of Data Subjects for their own purposes and only permits them to process Personal Data of Data Subjects for specified purposes and in accordance with its instructions.

The MDIA website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about the Data Subject. MDIA does not control these third-party websites and is not responsible for their privacy statements. When a Data Subject leaves MDIA’s website, MDIA encourages such Data Subject to read the privacy policy of every website that would be visited.

MDIA will not share Personal Data with any third parties for the purposes of direct marketing.

7. Security of Personal Data

MDIA has put in place appropriate security measures to prevent Personal Data of Data Subjects from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, MDIA limits access to the Personal Data of Data Subjects to specific individuals. Third parties mentioned in the previous clause will only process Personal Data of Data Subjects on the instructions of MDIA and they are subject to a duty of confidentiality. Moreover, hard copies of Personal Data which are kept by MDIA are locked in a filing cabinet whilst Personal Data stored electronically will be subject to access controls, and passwords and encryption software will be used where necessary. For further information, kindly request the IT Security Policy of MDIA.

8. Personal Data Breach

In the case of Personal Data breaches, MDIA shall upon its knowledge of this breach, inform immediately its Data Protection Officer whose details are further mentioned below, and who will then take the necessary actions, where this would be required by law.

9. Data Retention

MDIA will only retain the Personal Data of Data Subjects for as long as reasonably necessary to fulfil the purposes for which that data would have been collected in accordance with this Policy. The time periods of retention are set out in the Data Retention Policy of MDIA which can be found via https://www.mdia.gov.mt/data-retention-policy/. In some circumstances MDIA will anonymise the Personal Data of Data Subjects (so that it can no longer be associated with the Data Subject) for research or statistical purposes, in which case MDIA may use this information indefinitely without further notice to the Data Subject.

10. Data Subjects Access Requests

Subject Access Requests (SARs) can be made by Data Subjects where an organisation holds Personal Data about them. This can be done at any time, and the requests are made in order for the Data Subject to find out what Personal Data is being held, and what is being done with it.

SARs must be made by the Data Subject itself in writing and addressed to the Data Protection Officer, whose details are mentioned below, and who will deal with the request.

MDIA will usually respond to such requests within one (1) month, but it may need to extend such period for a period of up to a further two (2) months if it is a complex request or there are multiple requests. In that situation, the Data Subject will be informed accordingly.

It shall be at the discretion of MDIA whether to charge a fee in order to respond to the SAR and to enable the Data Subject to access its Personal Data.

Before providing Personal Data, MDIA may ask for proof of identity and sufficient information about your interactions with it. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. MDIA may also contact the Data Subject to ask for further information in relation to the request.

MDIA may reserve its right to withhold the Data Subject’s right to access its Personal Data where any statutory exemptions apply.

11. Rectification of Personal Data

If the information that MDIA holds about a Data Subject is incorrect, incomplete or needs to be updated, the Data Subject has the right to request MDIA in writing to correct any inaccuracies. MDIA will in turn rectify the inaccuracies and inform the Data Subject of the rectification within one (1) month from the written request of the Data Subject to MDIA. MDIA will also ensure that third parties are informed accordingly.

12. Data Protection Officer

MDIA has appointed a Data Protection Officer who can help Data Subjects with any questions that they may have about this Policy or any other related document, including any requests to exercise their legal rights. The contact details of the Data Protection Officer are the following:

  • Address: MDIA, Twenty20, Business Centre, Triq l-Intornjatur, Zone 3, Central Business District, Birkirkara, CBD 3050, Malta.
  • Email address: dpo@mdia.gov.mt

13. Conclusion

MDIA keeps its Data Privacy Policy under regular review. This version was last updated on the 29th of November 2022. It is important that the Data Subject keeps MDIA informed of any changes in his or her Personal Data.

MDIA undertakes to respect the legal rights of Data Subjects and apart from those legal rights already mentioned above, MDIA reminds Data Subjects of some of their other legal rights, such as the following:

  • The right to object to MDIA processing Personal Data, if MDIA is not entitled to use it anymore,
  • The right to have Personal Data deleted if MDIA is keeping it too long, have its processing restricted in certain circumstances and/or to obtain copies of information MDIA holds about the Data Subject in electronic form,
  • The right to withdraw consent at any time where MDIA is relying on consent to process Personal Data which, however, will not affect the lawfulness of any processing carried out before the Data Subject would have withdrawn its consent. If consent is withdrawn, MDIA may not be able to provide certain services to the Data Subject. MDIA will advise the Data Subject if this is the case, and
  • The right to make a complaint at any time to the Information and Data Protection Commissioner (IDPC), the Maltese regulator for data protection issues (www.idpc.org.mt). MDIA would, however, appreciate the chance to deal with any concerns before the Data Subject approaches the IDPC, so please contact MDIA in the first instance.

14. Disclaimer

The MDIA makes every effort to maintain the accuracy of the information that is published on its website but accepts no responsibility and expressly excludes liability for any direct, indirect or consequential loss or damage which may arise from the usage of, and/or reliance on, such information.