Luginsland Limited (the ‘Company’) is committed to complying with all aspects of data protection legislation, including in its handling of personal information relating to clients and employees, amongst others.
This Data Protection Policy (hereinafter referred to as the ‘Policy’) aims to ensure that any personal data relating to data subjects which is processed by the Company is protected in accordance with applicable data protection legislation, including but not limited to Regulation (EU) 2016/679, otherwise known as the General Data Protection Regulation (‘GDPR’).
This Policy applies to all employees, staff and engaged third parties (hereinafter referred to as ‘Authorised Persons’, as defined below) of the Company. Partners and any other third parties working with or for the Company who have, or may have, access to personal data are expected to have read, understood and to comply with the provisions of this Policy, or with any version thereof contained within the separate contracts and agreements regulating their relationship with the Company.
If you are unsure whether this Policy applies to you, or have any questions on its contents, please contact the Company’s Data Protection Correspondent at [email protected]
The GDPR is a European Union-wide law which came into effect on 25th May 2018. It applies to processing carried out by organisations established within the EU, and to organisations established outside the EU where they offer goods and services to individuals within the EU. The Data Protection Act, Chapter 586 of the Laws of Malta (hereinafter referred to as the ‘Act’), is the legislation that implements and further specifies the provisions set out by the GDPR.
Data Controllers have a higher degree of responsibility and more obligations than Data Processors. It must nevertheless be noted that Data Processors must provide sufficient guarantees that their processing meets the requirements of the GDPR and protects the rights of the Data Subject, and that Data Processors remain fully responsible for their own actions and for the security of the Personal Data they handle. Where a Data Controller engages a Data Processor, it shall ensure that the relationship between the parties is regulated by a contract, namely a Data Processing Agreement (hereinafter referred to as a ‘DPA’), or by another legal act under EU or local law, that is binding on the Data Processor with regard to the Data Controller and the Personal Data the Data Processor processes on the Data Controller’s behalf.
The Company shall ensure that, regardless of whether it constitutes the Data Controller or the Data Processor of a specific processing operation, the relationship with any other Data Controllers/Data Processors is regulated by a relevant DPA or similar document.
In order to remain compliant at all times, the Company shall ensure that the following principles are adhered to:
To this effect, the Company shall only process Personal Data for the purpose of the undertaking of the Villa Luginsland Project, as further detailed below:
| Category of Personal Data | How the Personal Data is used | Why the Personal Data is used |
|---|---|---|
| Name & Contact Details of Data Subjects | To send the Data Subject service messages by text and e-mail, and to share relevant information, instructions, quotes and updates on the Villa Luginsland Project. | The Company needs to do this to perform its contract with the Data Subjects, and to respond to any queries or questions in relation to the Villa Luginsland Project. |
| Payment Information of Data Subjects | To effect payments or give refunds as required. | The Company needs to do this to perform its contract with the Data Subjects involved in the Villa Luginsland Project. |
| Visual & Audio-Visual Content | To create a project portfolio and any relevant marketing material. | The Company does this to make its services and other items of interest more readily available to third parties. |
Where the Personal Data has not been collected from the Data Subject, the Company shall also provide further clarification on the source of the Personal Data in question, on a case-by-case basis.
In addition to the above, it must be noted that the Data Controller shall be responsible for, and be able to demonstrate, compliance with the aforementioned principles. Specifically, the Company shall maintain the necessary documentation of all processing operations, implement appropriate security measures, perform Data Protection Impact Assessments (DPIAs), and comply with any requirements for prior consultation with, or approval from, supervisory authorities. In order to fulfil its obligations under the ‘Storage Limitation’ Principle (Principle No. 5), the Company shall process personal data for no longer than is necessary, in accordance with applicable law.
The Company shall ensure that any processing of Personal Data rests on a valid lawful basis, being the one most appropriate to the purpose of the processing operation and to the relationship with the Data Subject. Especially where it is acting as a Data Controller, the Company shall determine the lawful basis before processing is initiated. At least one of the following six lawful grounds must apply whenever the Company processes personal data:
LG1: The data subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
LG2: The processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
LG3: The processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
LG4: The processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
LG5: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
LG6: The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.
In the majority of its processing operations, the Company processes Personal Data on the basis of LG2 and/or LG3, and on rarer occasions on the basis of LG1 or LG6; in the latter cases the Company shall specifically inform the Data Subject accordingly. Where the Company processes Special Categories of Personal Data, it shall identify a lawful basis for general processing and one additional condition for processing this type of data, in accordance with applicable law.
Data subjects have the following rights regarding data processing, and the data that is recorded about them:
The Data Protection Correspondent will be responsible for handling any such requests that are received by the Company, and this in accordance with applicable law.
The sharing of Personal Data with Third Parties shall be construed as the disclosure of Personal Data by transmission, dissemination or otherwise making it available, and shall include instances where the Company gives Personal Data to a Third Party, by whatever means; as well as when a Third Party is given access to Personal Data on or via its IT systems. Sharing of Personal Data with Third Parties shall not include the Sharing of Personal Data with employees, or with processors. The Company shares Personal Data with the following categories of companies as an essential part of undertaking the Villa Luginsland Project, as set out in this statement:
Prior to sharing Personal Data with Third Parties, the Company shall consider the proposed sharing in light of its overall compliance with applicable data protection obligations. Where the situation so requires, in particular where the sharing is likely to present a high risk to the Data Subjects, the Company shall carry out a Data Protection Impact Assessment (DPIA).
If the situation does not require a DPIA, or the DPIA concludes that the Sharing will not result in adverse effects on the rights and freedoms of data subjects, the Company shall enter into a Data Sharing Agreement with the Third Party in question. The Data Sharing Agreement shall set out the following:
Personal Data shall not be transferred to a Third Country unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data. The transfer of Personal Data to Third Countries is prohibited unless one or more of the safeguards or exceptions listed below apply. In this regard, the Company must undertake an assessment of adequacy, taking into account the following factors:
The Company may adopt approved Binding Corporate Rules for the transfer of data outside the EU. This requires submission to the relevant Supervisory Authority for approval of the rules that the Company is seeking to rely upon.
The Company may also adopt the standard contractual clauses (model clauses) approved by the European Commission for the transfer of data outside of the EU.
In the absence of an adequacy decision by the European Commission and of appropriate safeguards such as Binding Corporate Rules or standard contractual clauses, a transfer of Personal Data to a Third Country or an international organisation shall take place only on the basis of one of the derogations set out in applicable law.
In the event that a Personal Data Breach is suffered, Authorised Persons shall ensure that the Data Protection Correspondent is immediately informed, so that the Company can satisfy its obligation to notify the Supervisory Authority of the breach without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Protection Correspondent of the Company shall communicate the Personal Data Breach to the Data Subjects without undue delay.
A Personal Data Breach Procedure shall be set up and maintained by the Data Protection Correspondent to satisfy the Company’s obligation to document any personal data breaches, including the facts relating to the Personal Data Breach, its effects and the remedial action taken.
The Company has appointed a Data Protection Correspondent (‘DPC’) to ensure its continued compliance with the GDPR and its internal policies and notices.
The DPC reports directly to the highest level of management. In the performance of their tasks, the DPC shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.
In order to ensure that the DPC is easily accessible as a point of contact for all Authorised Persons, Data Subjects, Third Parties and the Supervisory Authority, the Company has set up a specific email address, [email protected], and has published these contact details to interested parties accordingly.
The Company shall involve the DPC, in a timely manner, in all issues relating to the protection of Personal Data. The Company shall support the DPC in performing their tasks by providing resources necessary to carry out those tasks and access to Personal Data and processing operations. The DPC will act as a contact point for the Supervisory Authority and cooperate with the latter, including in cases where prior consultations are required.
The Company shall ensure that it has implemented appropriate technical and organisational measures to protect the security of the Personal Data it processes. It shall further ensure that all departments establish appropriate security protocols for storing Personal Data, which shall be accessed only where strictly necessary and only by those with the authority to do so.
The Company shall ensure that any transfers of Personal Data made to Third Parties, are made subject to appropriate security measures, and this especially in relation to the transfers considered in Section IX of this Policy.
In order to assist in the implementation of these principles, the following measures, amongst others, must be applied:
The Company will conduct regular audits of the personal data it stores and the uses to which that data is put, with the aim of monitoring compliance with the data protection principles described above, and will consider exercising sanctions in the event of a breach.
The Board is responsible for this Policy and for the approval of any significant changes to it. The Data Protection Correspondent is responsible for ensuring that this Policy is regularly reviewed and complied with.