Privacy and Policy
Here at Finesse as your trusted provider, we are committed to processing your personal information and respecting your privacy in ways that comply with our legal and regulatory obligations, and to being clear about what we do with your personal information.
This Policy lets you know what data we may collect about you, how we use it and gives you information about your rights and how you can get in touch with us.
DATA PROTECTION POLICY
Company Number: C83900
[Hereinafter referred to as the ‘Company’ and/or ‘We’ and/or ‘Our’]
Date: 23rd October 2019
In view of the business and the industry in which we operate, the Company holds personal data about the following individuals:
- Suppliers/Service Providers, and
- other individuals whether related directly or indirectly.
The following definitions shall apply without prejudice to the definitions given by the GDP Regulation, by the Data Protection Act (Chapter 440 of the Laws of Malta) and any other applicable rules and regulations. Moreover, these definitions shall apply where relevant and in the context of the Company and its business operations.
The purposes for which personal data may be used by us: Administrative, payroll, to pay service provides and other business development purposes. Business purposes include the following:
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- Ensuring business policies are adhered to (such as policies covering email and internet use);
- Operational and Administrative reasons,
- Managing complaints,
- Monitoring staff conduct, disciplinary matters (in the context of the Employer- Employee relationship),
- Marketing our business,
- Improving our services.
Information relating to identifiable individuals, such as clients, customers, service providers, suppliers, current and former employees, job applicant, agencies, and other staff, and marketing contacts. Personal data we gather may include: name and surname of individuals, identification number (both local and international), contact details (which could include mobile phone, telephone and/or email address), educational background, financial and pay details, details of certificates and diplomas, details of licenses applicable to the Company’s business, education and skills, marital status, nationality, job title, and Curriculum Vitae. Sensitive personal data Personal data about an individual’s criminal offences, or related proceedings or any use of sensitive personal data is strictly controlled in accordance with this policy.
This policy applies to all employees of the Company irrespective to seniority. We encourage all employees to be familiar with this Data Protection Policy and comply with its terms. This policy supplements our other policies relating to internet and email use We may supplement or amend this Data Protection Policy by additional policies and/or internal guidelines from time to time. Any new or modified policy will be circulated to the employees before being adopted.
It is our Data Protection Officer that have overall responsibility for the day-to-day implementation of this policy. However, in all cases, Senior Management may be consulted by any employee if a query and/or request for data information arises. In line with this clause, the Company reserves the right to request third-party legal assistance when it comes to specific requests for processing or for any other requests by clients, customers, employees and any other Data Subject. The policy of the Company is to process personal data fairly and lawfully in accordance with the rights available to all individuals, which rights are made available by the GDPR but which shall be without prejudice to any other rights available to any other individual pursuant to any other relevant law and/or regulation. We shall not process personal data unless the individual whose details we are processing has consented to this happening, whether directly or indirectly.
- Reviewing all data protection procedures and policies on a regular basis;
- Keeping the board of directors updated about data protection responsibilities, risks and issues;
- Addressing queries on data protection from employees, board members and other stakeholders within the Company;
- Addressing queries on data protection from clients/customers, suppliers, service providers and relevant entities or authorities;
- Reviewing contracts, agreements or other arrangements in the context of data collection and data processing;
- Reviewing IT processes and website contents in the context of GDPR;
- Ensure all systems, services, software and equipment meet acceptable security standards;
- Reviewing policies, terms and conditions of third-party service providers engaged by the Company for data storing and data processing;
- Approving data protection statements forming part of emails and other marketing material both in hard and soft copy;
- Arranging data protection training and advice for all employees and those included in this policy;
- Directly or indirectly connected to our Business and to our operational procedures;
- Directly or indirectly connected to your needs and requests in the context of you being a client/customer or service provider;
- Necessary and specific to deliver our services;
- In line with the right of any individual’s privacy and confidentiality;
- In line with the Data Protection Act of Malta, the GDPR or any other relevant regulation issued by relevant authorities from time to time.
- Sets out the purposes for which we hold personal data on customers and the relationship with the Company;
- Highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers;
- Provides that customers have a right of access to the personal data that the Company holds about them;
- Contains an ‘exit clause’ in case the client/customer requests to retrieve the consent being given.
In most cases where we process sensitive personal data the Company shall endeavor to obtain the explicit consent of the client, customer or data subject unless exceptional circumstances apply, or unless we are required to process such by any relevant law and/or regulation. Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed. This specific consent letter shall also apply to employees of the Company when the Company is requested to provide such sensitive personal data
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unrelated purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this. Individuals may ask that we correct inaccurate personal data relating to them. The Company encourages any client, customer, employee and/or service provider to approach us should any information that we hold is inaccurate by emailing the DPO on email@example.com
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated from time to time, as required. For example, if your personal circumstances change, please inform the DPO firstname.lastname@example.org any other officer of the Company so that they can update your records.
The Company endeavors to keep personal data secure against loss, misuse or destruction thereof. In the context of where we engage third party organizations to process personal data on our behalf, the DPO or any other senior management will establish what, if any, additional specific data security arrangements need to be implemented in the contracts or arrangements with those third-party organizations. It is to be noted however that the responsibility for the data storage and data protection shall remain of the Company even in the context of such being delegated to other third-party organisations.
In cases when data is printed and stored away in hard copies, the Company shall keep such in a secure place where only authorised personnel (as recorded by the Board of Directors from time to time) can access it. When no longer needed, and in line with the principle of the ‘right to be forgotten’, printed hard copy data shall be shredded by the Company. Any data which is stored electronically on any server, computer or using cloud systems shall be protected by strong passwords that are changed regularly by our IT Department/IT Administrator. We encourage all employees to periodically create, amend and store away their passwords. Any cloud system or storage media shall be approved by the Board of Directors or the DPO. The servers that contain personal data of clients, customers, employees and service providers shall be kept in a secure location within the premises of the Company or elsewhere as agreed to by the Board of Directors from time to time. These servers are being backed up via external hard disks and in line with the IT Policy of the Company. The servers that contain sensitive data shall have approved and protected security software and strong firewall. The DPO shall be responsible to review such security systems from time to time. Data stored on CDs or memory sticks must be locked away securely when they are not being used. The Company does not allow any employee or service provider engaged by the Company to store any personal data directly to mobile devices such as laptops, tablets or smartphones.
The Company endeavors to retain personal data on any data subject for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into consideration the reasons why the personal data was obtained, but shall in all cases be determined in a manner consistent with our data retention guidelines. The employee, at the termination of his/her engagement with the Company, may request that the personal data is removed and/or destroyed. Likewise, any client, customer or third-party provider may request the Company to delete and/or remove all data pertaining to itself.
The forum encapsulated by the GDPR is the European Union Member States and therefore all employees of the Company may not transfer personal data anywhere within the EU without first consulting the Data Protection Officer or a member of the Senior Management. The Company has taken the position that even though the GDPR applies to European Union member States, all employees of the Company may not transfer personal data internationally outside the EU without first consulting the Data Protection Officer or a member of the Senior Management.
All employees of the Company shall have a right to request from the Company information on the data being held about them. Likewise, clients, customers and/or service providers are entitled to request the Company what information is being held about them or about their company which they have a beneficial interest in. However, no employee of the Company shall provide information on another employee or on one client or customer or service provider unless this is accepted by the DPO or, in exceptional cases, by one of the members of Senior Management in writing. If an employee receives a subject access request, the employee should refer that request immediately to the DPO. Please contact the DPO if you would like to correct or request information that we hold about you. There might also be restrictions on the information to which you are entitled to receive under applicable law.
Employees, client, customers and/or service providers might request the Company not to use their personal data for direct marketing purposes. All employees, clients, customers and/or service providers are encouraged to contact the DPO about such request. Unless a business relationship already exists and the client or customer has already consented to information and marketing material, all employees are precluded from sending direct marketing material to someone electronically (e.g. via email). Please contact the DPO for advice on direct marketing before starting any new direct marketing activity.
The Company endeavors to provide training about this Data Protection Policy to all employees. Moreover, ongoing training may be provided every two (2) years or whenever there is a substantial change in the relevant laws or our policies and procedures. Training to be provided will cover, amongst other things:
- The law relating to data protection under Maltese Law;
- The GDPR and any changes thereafter;
- Our data protection and related policies and procedures.
Where not specified previously within this policy, the following provisions will be effective as at the 25th May 2018 onwards
Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation. The following are the questions the Company asks itself when collecting data and what we do with such: What information is being collected? Who is collecting it? How is it collected? Why is it being collected? How will it be used? Who will it be shared with? Identity and contact details of any data controllers Details of transfers to third country and safeguards Retention period.
The Company shall ensure that any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data shall be aware of the conditions for processing.
Any personal data that shall be processed by the Company will be in compliance with all the data protection principles and envisaged by the GDPR and, where applicable, in line with any other principles as emanating from relevant authorities. The Company shall document any additional justification for the processing of sensitive data and shall ensure that any biometric and genetic data is considered sensitive and processed only after specific consent is gathered by the Company.
The personal data that we collect shall be subject to an active consent by the data subject providing such information and data. This consent can be revoked by the data subject at any time by contacting the DPO on email@example.com
The Company may be obliged to conduct due diligence on any data subject, particularly in the fields of Anti-Money Laundering and Terrorist Financing which are ‘Criminal’ in nature. Any criminal record checks are justified by relevant law and therefore the Company shall have a right to request information from reputable authorities on any data subject in view of the Anti-Money Laundering regulation of other criminal laws.
Upon request, a client, customers, service provider, an employee, or any data subject shall have the right to receive a copy of their data in a structured format. These requests should be processed within two (2) weeks, provided there is no undue burden and provided it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system.
A client, customers, service provider, employee or any data subject may request that any information held by the Company relating to them is deleted or removed, and any third parties who process or use that data must also comply with such requests. An erasure request may only be refused by the Company if an exemption based on applicable laws, apply.
‘Privacy by design’ is an approach to projects that promote privacy and data protection compliance from the initial stages or any relationship. The DPO shall be responsible for conducting Privacy Impact Assessments, where necessary, and shall ensure that all IT projects of the Company commence with a privacy plan. By default, when relevant and when it does not have a negative impact on the data subject, privacy settings will be set to the optimum level of privacy and confidentiality.
The Company may provide in-house regular data audits to manage and mitigate risks which shall include information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant. Such audits shall be recorded and stored away.
All employees shall have an obligation to report actual or potential data protection compliance failures. Amongst other things, this will allow the Company to:
- Investigate the failure and take remedial steps if necessary;
- Maintain a register of compliance failures;
- Notify the relevant authority of any compliance failures that are material either in their own right or as part of a pattern of failures.
All employees shall be obliged to observe this policy. The DPO has overall responsibility for this policy and he/she shall monitor it regularly to make sure it is being adhered to.
The Company takes compliance with this data protection policy very seriously. Failure to comply in a strict manner shall put you and the organisation at risk. Any failure by any employee to comply with this data protection policy may lead to disciplinary action and, in exceptional cases, may lead in dismissal. We encourage all employees that should they have any questions or concerns about the contents of this data protection policy, they should contact the DPO or any other member of Senior Management. We will only do this when you would have given consent to receive such information. You agree to receive marketing information:
- from us about our products and services by choosing to opt-in on the relevant registration form of the relevant website or service or through other means of engagement
- from us about third party products and services by choosing to opt-in on the relevant registration form of the relevant website, service or other forms of engagement.
Cookies are text files placed on your computer when you use a website. We use analytics cookies to collect information about how visitors use our site, such as the pages visitors go to most often and where they have come to the site from. This information is collected anonymously and is only used to improve how our websites work. On the other hand, marketing and advertising cookies are used to deliver adverts more relevant to the user and his/her interests. Such cookies remember that the user has visited our website and are also used to limit the number of times you see an advertisement as this would help measure the effectiveness of the advertising campaign. It is important to note that this information is not shared.
Our websites may include links to other sites. We will make every effort to provide links to high quality, reputable sites but are not responsible for their privacy practices, site content, or the services they offer.
Our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. You may contact our Data Protection Office at the details indicated below:
Finesse, Valley Mansions,
Triqil-Wied ta’ l-Imsida,