LUGINSLAND LIMITED – Data Protection Policy
I. Introduction and Purpose
Luginsland Limited (the ‘Company’) is committed to complying with all aspects of data protection legislation, including in its handling of personal information relating to clients and employees, amongst others.
This Data Protection Policy (hereinafter referred to as the ‘Policy’) aims to ensure that any personal data relating to data subjects which is processed by the Company is protected in accordance with applicable data protection legislation, including but not limited to Regulation [EU] 2016/679, otherwise known as the General Data Protection Regulation (‘GDPR’).
This Policy applies to all employees, staff and engaged third parties (hereinafter referred to as ‘Authorised Persons’, as defined below) of the Company. Partners and any other third parties working with or for the Company who have, or may have, access to personal data will be expected to have read, understood and to comply with the provisions of this Policy, or any versions thereof as contained within separate contracts and agreements regulating the relationship between them and the Company.
If you are unsure whether this Policy applies to you, or have any questions on its contents, please contact the Company’s Data Protection Correspondent on firstname.lastname@example.org.
II. Definitions
- Authorised Person/s shall mean any persons who, under the direct authority of the Data Controller or Data Processor, are authorised to process Personal Data;
- Consent shall mean any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data in question;
- Data Controller shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data and therefore exercises control on the same Personal Data;
- Data Processor shall mean the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller;
- Data Subject shall mean any living individual in relation to whom Personal Data is the subject of the processing activity;
- Personal Data shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Personal Data Breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
- ‘Processing’, ‘Process’, ‘Processed’ and any variation thereof shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Profiling shall mean any form of automated processing of Personal Data intended to evaluate certain personal aspects relating to a natural person, or to analyse, or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour;
- Recipient shall mean a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a Third Party or not;
- Special Categories of Personal Data shall mean Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
- Supervisory Authority shall mean an independent public authority which is established by a European Union Member State, which for the state of Malta shall mean the Information and Data Protection Commissioner (‘IDPC’);
- Third Country shall mean a country other than the Member States of the European Union and any other countries (such as EEA countries) that have adopted a national law implementing Regulation [EU] 2016/679;
- Third Party shall mean a natural or legal person, public authority, agency or body other than the Data Subject, Data Controller, Data Processor and Authorised Persons.
III. Relevant data protection legislation
The GDPR is a European Union-wide law which came into effect on 25th May 2018 and which applies to any processing carried out by organisations within the EU, and by organisations outside the EU where these offer goods and services to individuals within the EU. The Data Protection Act, Chapter 586 of the Laws of Malta (hereinafter referred to as the ‘Act’), is the legislation that implements and further specifies the provisions set out by the GDPR.
IV. Relationship between the Data Controller and Data Processor
Data Controllers have a higher degree of responsibility and more obligations than Data Processors; however, it must be noted that Data Processors must provide sufficient guarantees to ensure that the processing meets the requirements set out by the GDPR and ensures the protection of the rights of the Data Subject. They remain fully responsible for their actions and for the security of the Personal Data. Where a Data Controller engages a Data Processor, it shall ensure that the relationship between the parties is regulated by a contract, that is, a Data Processing Agreement (hereinafter referred to as a ‘DPA’), or by virtue of any other legal act under EU law or local law, that is binding on the Data Processor with regard to the Data Controller and the Personal Data the Data Processor processes on the Data Controller’s behalf.
The Company shall ensure that, regardless of whether it constitutes the Data Controller or the Data Processor of a specific processing operation, the relationship with any other Data Controllers/Data Processors is regulated by a relevant DPA or similar document.
V. The Data Protection Principles
In order to stay compliant at all times, the Company shall ensure that the following principles are adhered to:
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals.
- Personal data shall be collected for specified, explicit and legitimate purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
- Personal data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
To this effect, the Company shall only process Personal Data for the purpose of the undertaking of the Villa Luginsland Project, as further detailed below:
| Category of Personal Data | How the Personal Data is used | Why the Personal Data is used |
|---|---|---|
| Name & Contact Details of Data Subjects | To send the Data Subject service messages by text or e-mail, and to share relevant information, instructions, quotes and updates on the Villa Luginsland Project. | The Company needs to do this to perform its contract with the Data Subjects, and to respond to any queries or questions in relation to the Villa Luginsland Project. |
| Payment Information of Data Subjects | To effect payments or give refunds as required. | The Company needs to do this to perform its contract with the Data Subjects involved in the Villa Luginsland Project. |
| Visual & Audio-Visual Content | To create a project portfolio and any relevant marketing material. | The Company does this to make it easier to make its services and other items of interest available to third parties. |
Where the Personal Data has not been collected from the Data Subject, the Company shall also provide further clarification on the source of the Personal Data in question, on a case-by-case basis.
In addition to the above, it must be noted that the Data Controller shall be responsible for, and be able to demonstrate compliance with, the aforementioned principles. Specifically, the Company shall maintain the necessary documentation of all processing operations, implement appropriate security measures, perform DPIAs (Data Protection Impact Assessments), and comply with requirements for prior notification to, or approval from, supervisory authorities. In order to fulfil its obligations arising under the ‘Storage Limitation’ principle (Principle No. 5 above), the Company shall process Personal Data for no longer than is necessary, in accordance with applicable law.
VI. Lawful basis for processing
The Company shall ensure that any processing of Personal Data has a valid lawful basis, being the one most appropriate to the purpose of the processing operation and the relationship with the Data Subject. Especially where it is acting as a Data Controller, the Company shall determine the lawful basis before processing is initiated. At least one of the following six lawful grounds must apply whenever the Company processes Personal Data:
LG1: The data subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
LG2: The processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
LG3: The processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
LG4: The processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
LG5: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
LG6: The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.
In the majority of its processing operations, the Company processes Personal Data on the basis of LG2 and/or LG3, and on rarer occasions on the basis of LG1 and LG6; in the latter case, the Company shall specifically inform the Data Subject accordingly. Where the Company processes Special Categories of Personal Data, it shall identify a lawful basis for general processing and one additional condition for processing this type of data, in accordance with applicable law.
VII. Data Subject Rights
Data subjects have the following rights regarding data processing, and the data that is recorded about them:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
- The right to lodge a complaint with a Supervisory Authority.
The Data Protection Correspondent will be responsible for handling any such requests that are received by the Company, and this in accordance with applicable law.
VIII. Transfers to Third Parties
The sharing of Personal Data with Third Parties shall be construed as the disclosure of Personal Data by transmission, dissemination or otherwise making it available, and shall include instances where the Company gives Personal Data to a Third Party, by whatever means; as well as when a Third Party is given access to Personal Data on or via its IT systems. Sharing of Personal Data with Third Parties shall not include the Sharing of Personal Data with employees, or with processors. The Company shares Personal Data with the following categories of companies as an essential part of undertaking the Villa Luginsland Project, as set out in this statement:
- Other companies that are involved in the process of undertaking the Villa Luginsland Project, such as payment service providers, credit-related service providers, distributors, and intermediaries, as may be required to deliver the products/services.
- Professional service providers, such as marketing agencies, advertising partners, law firms and website hosts, who provide services to the Company to enable it to operate its business.
- Credit reference agencies, law enforcement and fraud prevention agencies, so the Company can help tackle fraud.
Prior to sharing Personal Data with Third Parties, the Company shall consider the proposed sharing in light of its overall compliance with applicable data protection obligations and, where the situation so requires (for instance, where it may present a high risk to the Data Subjects, amongst other factors), the Company shall carry out a Data Protection Impact Assessment (DPIA).
If the situation does not require a DPIA, or the result of the DPIA is that the sharing will not result in adverse effects on the rights and freedoms of data subjects, the Company shall enter into a Data Sharing Agreement with the Third Party in question. The Data Sharing Agreement shall set out the following:
- The objectives of the Sharing;
- The specific Personal Data to be shared in order to achieve said objective;
- The separate rights and obligations of the Parties.
IX. Transfers to Third Countries
Personal Data shall not be transferred to a Third Country unless that country or territory ensures an adequate level of protection for the ‘rights and freedoms’ of Data Subjects in relation to the processing of Personal Data. The transfer of Personal Data to Third Countries is prohibited unless one or more of the specified safeguards or exceptions, as listed below, apply. In this regard, the Company must undertake an assessment of adequacy, taking into account the following factors:
- the nature of the information being transferred;
- the country or territory of the origin, and final destination, of the information;
- how the information will be used and for how long; and
- the laws and practices of the country of the transferee, including relevant codes of practice and international obligations.
The Company may adopt approved Binding Corporate Rules for the transfer of data outside the EU. This requires submission to the relevant Supervisory Authority for approval of the rules that the Company is seeking to rely upon.
The Company may also adopt approved model contract clauses for the transfer of data outside of the EU.
In the absence of an adequacy decision taken by the EU Commission, or of appropriate safeguards such as Binding Corporate Rules, a transfer of Personal Data to a Third Country or an international organisation shall take place only on the basis of one of the derogations set out in applicable law.
X. Data Breach
In the event that a Personal Data Breach is suffered, Authorised Persons shall ensure that the Data Protection Correspondent is immediately informed, in order to satisfy the Company’s obligation of notifying the Supervisory Authority of the breach without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Protection Correspondent of the Company shall communicate the Personal Data Breach to the Data Subject without undue delay.
A Personal Data Breach Procedure shall be set up and maintained by the Data Protection Correspondent and this to satisfy the Company’s obligation of documenting any personal data breaches, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken.
XI. Data Protection Correspondent
The Company has appointed a Data Protection Correspondent (‘DPC’) to ensure its continued compliance with the GDPR and its internal policies and notices.
The DPC reports directly to the highest level of management and, in the performance of their tasks, shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
In order to ensure that the DPC is easily accessible as a point of contact for all Authorised Persons, Data Subjects, Third Parties and the Supervisory Authority, the Company has set up a specific email address, email@example.com, and has published the relevant contact details to interested parties accordingly.
The Company shall involve the DPC, in a timely manner, in all issues relating to the protection of Personal Data. The Company shall support the DPC in performing their tasks by providing resources necessary to carry out those tasks and access to Personal Data and processing operations. The DPC will act as a contact point for the Supervisory Authority and cooperate with the latter, including in cases where prior consultations are required.
XII. Security of Processing
The Company shall ensure that it has implemented appropriate technical and organisational measures to protect the security of the Personal Data it processes. It shall further ensure that all departments establish appropriate security protocols for storing Personal Data, which shall only be accessed where strictly necessary and only by those with the authority to do so.
The Company shall ensure that any transfers of Personal Data made to Third Parties, are made subject to appropriate security measures, and this especially in relation to the transfers considered in Section IX of this Policy.
In order to assist in the implementation of these principles, the following measures, amongst others, must be applied:
- Data protection queries should be directed to the Data Protection Correspondent;
- Where relevant, Authorised Persons must undergo training in relation to data protection issues.
The Company will conduct regular audits of the Personal Data being stored and of the uses to which such information is being put, with the aim of monitoring compliance with the data protection principles described above, and will consider exercising sanctions in the event of a breach.
XIV. Roles and responsibilities
The Board is responsible for this Policy and for the approval of any significant changes to it. The Data Protection Correspondent is responsible for ensuring that this Policy is regularly reviewed and complied with.