The Office of the Ombudsman is an independent and impartial institution that promotes the right to good public administration and investigates citizens’ grievance allegations arising from maladministration.
Regular updates can be found on our website www.ombudsman.org.mt
Last updated: 13th March 2020
For the avoidance of all doubt, “We”, “Us”, “Our” and “Ourselves” includes the Parliamentary Ombudsman as well as all other entities forming part of the Office of the Ombudsman (for example, the Commissioner for Education, the Commissioner for Environment and Planning and the Commissioner for Health) and any references to such terminology below shall be construed accordingly depending on context.
Our full details, including contact details, can be read below.
PLEASE DO NOT HOLD BACK FROM CONTACTING US FOR ANY CLARIFICATION YOU MAY NEED. For example, if you need clarification on a specific legal basis the Office of the Ombudsman relies on to process Your Personal Data for a specific processing operation, We would be happy to provide You with any such information You may need.
- APPLICABLE LAWS
- WHAT IS MEANT BY PERSONAL DATA?
- PERSONAL DATA WE COLLECT ABOUT YOU
- ADDITIONAL INFORMATION AND EXEMPTIONS FROM DISCLOSURE OF PROCESSING
- SOCIAL MEDIA
- HOW AND WHY WE COLLECT PERSONAL DATA
- PERSONAL DATA RELATING TO THIRD PARTIES
- WHAT WE USE YOUR PERSONAL DATA FOR (PURPOSE OF PROCESSING)
- SPECIAL NOTE ON CONSENT
- ACCURACY OF PERSONAL DATA
- NEWSLETTERS & SIMILAR COMMUNICATIONS
- TRANSFERS TO THIRD COUNTRIES
- INTERNET COMMUNICATIONS
- AUTHORISED DISCLOSURES
- SHARING OF PERSONAL DATA WITH OTHER CATEGORIES OF RECIPIENTS
- SECURITY MEASURES
- RETENTION PERIODS
- PROCESSING FOR RESEARCH & STATISTICAL REASONS & ARCHIVING IN THE NATIONAL INTEREST
- LINKS TO THIRD PARTY SOURCES
- AUTOMATED DECISION-MAKING
- YOUR RIGHTS UNDER THE DATA PROTECTION LAWS
- OFFICE OF THE OMBUDSMAN DETAILS
As an entity established in Malta, EU, the main privacy laws that are applicable to Us in so far as You are concerned, are as follows:
- The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ‘DPA’;
- The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’.
All the above, as may be amended from time to time, referred to together as the “Data Protection Laws”
We are an independent and impartial institution that promotes the right to good public administration and investigates citizens’ grievance allegations arising from maladministration. In doing so, We derive Our authority from the Maltese Ombudsman Act (Chapter 385 of the Laws of Malta) and Article 64A of the Constitution of Malta.
WHAT IS MEANT BY PERSONAL DATA?
“PERSONAL DATA” means any information that identifies you as an individual or that relates to an identifiable individual.
Whenever it is not possible or feasible for Us to make use of anonymous and/or anonymised data (in a manner that does not identify any Users or visitors of the Site, Complainants, entities being investigated by Us and/or other relevant data subjects), We are nevertheless committed to protecting Your privacy and the security of Your Personal Data at all times.
We collect Personal Data in various ways both digitally via the Site, either when You choose to provide Us with certain data (for example as part of a complaint and/or complaints You choose to file via Our Site) or in some cases, automatically or from third parties (for example, as part of information We collect from third parties as part of Our investigations) as well as non-digitally, for example when You fill in a physical form to file a complaint and/or request any other service We may provide and again, when We collect information from third parties as part of Our investigations.
PERSONAL DATA WE COLLECT ABOUT YOU
There are various categories of Personal Data that We collect about You, namely:
- ID Card Number/Passport Number
- Mailing address,
- Telephone or mobile number
- Email address
- a username
- date of birth
- country of residence
SPECIAL CATEGORIES OF PERSONAL DATA:
- Any ‘sensitive’ personal data that We might collect and otherwise process as part of a complaint and/or investigation namely: any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
In addition to the above, as part of Our investigations We may also collect ancillary information about You and/or third parties that may constitute personal data. For example, we may collect and/or otherwise process data relating to Your organization and/or Your employment details as well as the details of certain contractual arrangements to which You are a party. We may also may require details such as financial information, tax details, academic and professional qualifications, information on legal disputes (both criminal and civil) and any such data that We might collect or otherwise process as part of a complaint and/or investigation.
ADDITIONAL INFORMATION AND EXEMPTIONS FROM DISCLOSURE OF PROCESSING:
In some cases, (for example, if You are a Complainant, via the Site, or otherwise) We may request additional Personal Data as a means of securely identifying You or for another similar lawful purpose (which will be explained in the table below and/or in a condensed policy/notice that may have directed You here). The additional information We may request from You to be able to provide You with Our services includes:
- More secure identification methods
- Details of Your next of kin.
Many of the categories of Personal Data above are collected directly from You (for example, Your Contact Details). However, WE MAY ALSO COLLECT PERSONAL DATA FROM OTHER SOURCES, including data companies, publicly accessible databases, social media platforms and other third parties including, in particular, entities who disclose information to Us during the course of an investigation. We may also receive Personal Data about you from third parties when We need to confirm Your Contact Details. Should this be the case and unless we are precluded by law, We will take all measures as required by law to further inform You about the source of such Personal Data as well as the categories of Personal Data We collect and process.
For a detailed description of the reasons why We process the categories of Personal Data above (and any other specific Personal Data We process) as well as the corresponding legal ground(s) for doing so, please see the ‘What We Use Your Personal Data For (Purpose of Processing)’ below.
For information/Personal Data that We may collect automatically via the Site, please see the Cookies section below.
If You choose to connect one or more of Your social media accounts with Our Site (if this option is available now or at any time in the future) to enable the sharing of Personal Data via social media platforms, certain categories of Personal Data relating to You from Your social media account(s) will be shared with Us.
HOW AND WHY WE COLLECT PERSONAL DATA
As a general rule, We do not collect any Personal Data, that is, information that identifies You as an individual other than that which You choose to provide to Ussuch as the data (including Contact Details and Registration Data) You provide when registering with Our Site, when submitting a complaint or query via Our Site and/or via the physical forms available for download from the Site as well as from Our offices as well as when providing Us with information as part of Our investigations (see Personal Data We Collect About You above) including when You communicate with Us directly via email, post or otherwise.
Unless otherwise specified and subject to various controls, as a general rule, We only collect Personal Data (from You or elsewhere) that We:
- Need to be able to investigate Your complaint(s) or a complaint made against You and/or Your organisation;
- Are legally required to collect/use and to keep for a predetermined period of time in the discharge of Our mandate in accordance with the Ombudsman Act (Chapter 385 of the Laws of Malta) and the discharge of Our responsibilities towards corporate governance and financial administration regulations;
- Believe to be necessary in the public interest and/or when exercising Our official authority.
For a detailed description of the reasons why We process specific categories of personal data as well as the corresponding legal ground(s) for doing so, please seethe ‘What We Use Your Personal Data For (Purpose of Processing)’ below.
Please note that due to the nature of the role and function of the Office of the Ombudsman there may be instances where You and/or third parties may be compelled to provide Us with necessary information as part of Our investigation(s).
PERSONAL DATA RELATING TO THIRD PARTIES
In certain instances, You may be compelled to disclose certain Personal Data as part of Our investigations. Whenever possible, this fact will also be communicated to You before You make such disclosure.
WHAT WE USE YOUR PERSONAL DATA FOR (PURPOSE OF PROCESSING)
The following is a description (in a clear and plain manner) of what We use Your Personal Data for and the corresponding legal ground(s) we rely on for doing so.
For more detail on what is meant by terms such as ‘Contact Details’, ‘Registration Data’, ‘Special Categories of Personal Data’ and other categories of Personal Data used in the tables below, please see the section above relating to Personal Data We Collect About You.
Please note that WHERE (AND IF) WE RELY ON YOUR CONSENT, THIS CAN BE WITHDRAWN AT WILL (See Special Note on Consent below).
USERS OR VISITORS OF THE SITE/ COMPLAINANTS/ ENTITIES INVESTIGATED BY US (INCLUDING THIRD PARTIES):
|PURPOSE OF THE PROCESSING||CATEGORIES OF PERSONAL DATA||LEGAL BASIS FOR PROCESSING|
|Evaluating the complaints relating to You and/or complaints You send Us (via Our Site or otherwise) for Us to investigate and subsequently carrying out the said investigations (where necessary) including the drafting of case notes and reports. NB: ‘You’ includes authorised representatives of complainants (such as an associate, family member or legal representative) as well as third parties who We may investigate.||Contact Details Registration Data (where applicable) Log in data (where applicable) Ancillary data discovered/collected/processed during the course of Our investigations||Legal Obligation (in the fulfilment of Our role and function) Public Interest/Official Authority|
|Replying to general queries You may have about Our Site and/or Our practices/role & function and/or any of Our services||Contact Details Registration Data (where applicable) Log in Data||Public Interest/Official Authority Legal Obligation (in the fulfilment of Our role & function)|
|Handling specific enquiries submitted by You to and/or administered by Our Public Relations Officer (including any meetings You may hold with the same).||Contact Details Ancillary data discovered/collected/processed during the course of the said enquires||Public Interest/Official Authority Legal Obligation (in the fulfilment of Our role & function)|
|Set up and maintain a record on Our systems & or in databases administered by entities having a legal right to request from Us any report/information about You and/or third parties||Registration Data Contact Details Any information relating to the investigation in question as may be contained in reports We prepare or otherwise||Legal Obligations (to ensure we have an accurate record/report(s) relating to the personal data and facts in question) Public Interest/Official Authority|
|Providing the House of Representatives with unredacted annual reports relating to investigations carried out by Us||Any information relating to the investigation in question as may be contained in the said reports (which may include personal data and even special categories of personal data)||Legal Obligations Public Interest/Official Authority Substantial Public Interest (Re Special Categories of Personal Data)|
|Processing of certain specific data as necessarily part of Our investigations||Special Categories of Personal Data||Substantial Public Interest Special Laws authorising/obliging Us to investigate matters involving the said data For example, Maltese Subsidiary Legislation 385.01 (Commissioners Regulations) specifically empowering the Commissioner for Health to investigate health related matters)|
|To establish and investigate any suspicious behaviour in order to protect Our Site from any risk and fraud and to be in line with the law||Registration Data Contact Details Identification and verification Data Log in Data||Public interest (detection and prevention of fraud) Compliance with the legal obligations|
|Subscribing to a newsletter or mailing list||Registration Data Contact Details||Your consent|
|To monitor our premises via CCTV for security purposes||CCTV footage (deleted after 7 days)||Legitimate Interests|
WHEN PUBLISHING REPORTS RELATING TO AN INVESTIGATION/INVESTIGATIONS FOLLOWING A COMPLAINT YOU AND/OR A THIRD PARTY FILED WITH US AND/OR A COMPLAINT RELATING TO YOU AND/OR THIRD PARTIES, WE WILL ENDEAVOUR TO ANONYMISE SUCH REPORT(S) UNLESS THE DISCLOSURE OF PERSONAL DATA RELATING TO YOU AND/OR A THIRD PARTY IS, IN OUR EXCLUSIVE DISCRETION, IN THE PUBLIC INTEREST. IF ANY SUCH DISCLOSURE INVOLVES SPECIAL CATEGORIES OF DATA (AS DEFINED ABOVE AND UNDER THE GDPR) WE SHALL, A PRIORI, ENDEAVOUR TO VERIFY THAT SUCH PUBLIC INTEREST IS ‘SUBSTANTIAL’.
Should We need to process Your data for a new purpose in the future, which is entirely unrelated to the above, We will inform You of such processing in advance and You may exercise Your applicable rights (as explained below) in relation to such processing.
Finally, do note that without certain Personal Data relating to You, We may not be in the position to provide some or all of the services You expect from Us or carry out Our legal obligations or even guarantee the full functionality of Our Site.
SPECIAL NOTE ON CONSENT
For the avoidance of all doubt, We would like to point out that in those limited cases (if any) where We cannot or choose not to rely on another legal ground (for example, the public interest ground), We will process Your Personal Data on the basis of Your consent. In some cases, We will require Your explicit consent, for example, when, on the basis of Your explicit consent We will process special categories of data concerning You and where We have no other legal ground to rely upon (see table above for the grounds We currently rely upon when processing such data).
In those cases where We process on the basis of Your consent (which We will never presume but which We shall have obtained in a clear and manifest manner from You), YOU HAVE THE RIGHT TO WITHDRAW YOUR CONSENT AT ANY TIME and this, in the same manner as You shall have provided it to Us.
Should You exercise Your right to withdraw Your consent at any time (by writing to Us at the physical or email address below), We will determine whether at that stage an alternative legal basis exists for processing Your Personal Data (for example, on the basis of a legal obligation to which We are subject) where We would be legally authorised (or even obliged) to process Your Personal Data without needing Your consent and if so, notify You accordingly.
When We ask for such Personal Data, You may always decline, however should You decline to provide Us with necessary data that We require to exercise Our legal obligations as the Maltese Ombudsman, We may in certain cases be authorised to compel You to provide Us with the requested information (which may include personal data relating to You and/or third parties).
Just to clarify, consent is not the only ground that permits Us to process Your Personal Data. In the last preceding section above We pointed out the various grounds that We rely on when processing Your Personal Data for specific purposes.
ACCURACY OF PERSONAL DATA
All reasonable efforts are made to keep any Personal Data We may hold about You up-to-date and as accurate as possible. You can check the information that We hold about You at any time by contacting Us in the manner explained below. If You find any inaccuracies, We will correct them and where required, delete them as necessary. Please see below for a detailed list of Your legal rights in terms of any applicable data protection law.
NEWSLETTERS & SIMILAR COMMUNICATIONS
We only send mail, messages and other communications relating to newsletters and similar matters where We are authorised to do so at law. In most cases We rely on Your consent to do so (especially where We use electronic communications). If, at any time, You no longer wish to receive such optional communications from Us please let Us know by contacting Us at the details below or update Your preferences on any of Our Site(s) or Apps (where applicable).
In the case of optional newsletters sent via electronic communications (where We are legally authorised to do so) You will be given an easy way of opting out (or unsubscribing) from any such communications.
Please note that even if You withdraw any consent You may have given Us or if You object to receiving such material from Us (in those cases where We do not need Your consent), from time to time We may still need to send You certain important communications relating to Our role and function from which You cannot opt-out (for example, follow-ups relating to any complaints You may have submitted to Us or even, by way of example, important changes to Our internal procedures).
TRANSFERS TO THIRD COUNTRIES
As a general rule, the data We process about You (collected via the Site, any of our Apps or otherwise) will be stored and processed within the European Union (EU)/European Economic Area (EEA) or any other non-EEA country deemed by the European Commission to offer an adequate level of protection (the so-called ‘white-listed’ countries listed here: https://ec.europa.eu/info/law/law-topic/data-protection_en).
In some cases, it may be necessary for Us to transfer Your Personal Data to a non-EEA country not considered by the European Commission to offer an adequate level of protection (for example to one or more of Our data processors located there).
In such cases, apart from all appropriate safeguards that We implement, in any case, to protect Your Personal Data, We have put in place additional adequate measures. For example, We have ensured that the recipient is bound by the EU Standard Contractual Clauses (the EU Model Clauses) designed to protect Your Personal Data as though it were an intra-EEA transfer. You are entitled to obtain a copy of these measures by contacting Us as explained below.
You will be aware that data sent via the Internet may be transmitted across international borders even where sender and receiver of information are located in the same country. We cannot be held responsible for anything done or omitted to be done by You or any third party in connection with any Personal Data prior to Our receiving it including but not limited to any transfers of Personal Data from You to Us via a country having a lower level of data protection than that in place in the European Union, and this, by any technological means whatsoever (for example, WhatsApp, Skype, Dropbox etc.).
Moreover, We shall accept no responsibility or liability whatsoever for the security of Your data while in transit through the internet unless Our responsibility results explicitly from a law having effect in Malta.
- For the purpose of preventing, detecting or suppressing fraud (for example, if You provide false or deceptive information about Yourself or attempt to pose as someone else, We may disclose any information We may have about You in Our possession to the Malta Police so as to assist any type of criminal investigation into Your actions);
- in the event of the Office of the Ombudsmanbeing involved in a restructure, transfer or absorption into another entity;
- to protect and defend Our rights (including the right to property), safety, or those of Our affiliates, of Users of Our Site or even Your own;
- to protect against abuse, misuse or unauthorised use of Our Site;
- for any purpose that may be necessary for the performance of any agreement You may have entered into with Us (including the request for provision of services by third parties) or in order to take steps at Your request prior to entering into a contract;
- to comply with any legal obligations such as may arise by way of response to any Court subpoena or order or similar official request, including from the Maltese House of Representatives, for Personal Data but only in those cases where We are obliged by law to cooperate with and/or disclose of information to such other entities (for example, Our functions under the Whistle-blower Act); or
- as may otherwise be specifically allowed or required by or under any applicable law (for example, where another constitutional and/or public and/or state authority has a direct mandate to investigate any complaint sent to Us and/or powers in the area which the said complaint refers to).
For the avoidance of all doubt, all the above shall be without prejudice to Our legal obligations to keep all investigations We carry out strictly confidential. Any disclosures as stated above will only be carried out (on the basis of necessity for compliance with Our legal obligations or in the public interest or in the exercise of Our official authority) if permitted in terms of Our confidentiality obligations.
SHARING OF PERSONAL DATA WITH OTHER CATEGORIES OF RECIPIENTS
Any such authorised disclosures will be done in accordance with the Data Protection laws (for example all Our data processors (such as the entity that administers Our Site) are contractually bound by the requirements in the said Data Protection Laws, including a strict obligation to keep any information they receive strictly confidential and to ensure that their employees/personnel are also bound by similar obligations). The said service providers (Our processors) are also bound by a number of other obligations (in particular, Article 28 of the GDPR).
YOUR PERSONAL DATA WILL NEVER BE SHARED WITH THIRD PARTIES FOR MARKETING PURPOSES
|CATEGORY OF RECIPIENT||PURPOSE OF PROCESSING|
|Cloud Service Providers||Hosting of data under state-of-the-art security protocols and our exclusive control|
|IT Service Providers||Maintenance and support of our IT systems/Website(s) – with restricted access and under our strict controls|
|Auditors||Compliance with our auditing obligations – with access granted only to essential personal data|
|Legal Advisors||Compliance with our legal obligations or when necessary for the establishment, exercise or defence of legal claims.|
|Constitutional and/or Public and/or State Authorities including but not limited to: – The Malta Police The House of Representatives The Commission for the Rights of Persons with Disability The National Audit Office The Commission Against Corruption The Commissioner for Public Standards||Compliance with legal obligations, in the public interest and/or our exercise of official authority (for example, where collaboration with and/or disclosure of information to such entities is necessary as part of Our role and functions and/or where investigation(s) by such other entities may be more appropriate) only after verifications are made into necessity, lawfulness and extent of disclosure. In the case of annual reports (regarding investigations We carry out) provided to the House of Representatives, the necessity to disclose certain personal data to the said entity on the basis of public interest and/or substantial public interest (the latter in the case of special categories of personal data) as part of the said report(s) shall be done on a case-by-case basis. Once the [unredacted] report(s) reach the House of Representatives, it shall be the House of Representatives (acting as data controller) that will determine what will be made publicly available (electronically or otherwise) and not the Office of the Ombudsman.|
The personal information which We may hold (and/or transfer to any affiliates/partners/subcontractors as the case may be) will be held securely in accordance with Our internal security policy and the law.
We use reasonable efforts to safeguard the confidentiality of any and/or all Personal Data that We may process relating to You and regularly review and enhance Our technical, physical and managerial procedures so as to ensure that Your Personal Data is protected from:
-improper use or disclosure
-unlawful destruction or accidental loss.
To this end We have implemented security policies, rules and technical and organisational measures to protect the Personal Data that We may have under Our control. All our members, staff and data processors (including specific subcontractors, including website service providers established within the European Union), who may have access to and are associated with the processing of Personal Data, are further obliged (under contract) to respect the confidentiality of Our Users’ or clients’ Personal Data as well as other obligations as imposed by the Data Protection Laws.
Despite all the above, We cannot guarantee that a data transmission or a storage system can ever be 100% secure. For more information about Our security measures please contact Us in the manner described below.
As stated above, the said service providers (Our data processors) are also bound by a number of other obligations in line with the Data Protection Laws (particularly, Article 28 of the GDPR).
We will retain Your Personal Data only for as long as is necessary (taking into consideration the purpose for which they were originally obtained). The criteria We use to determine what is ‘necessary’ depends on the particular Personal Data in question and the specific relationship We have with You (including its duration).
Our normal practice is to determine whether there is/are any specific EU and/or Maltese law(s) permitting or even obliging Us to keep certain Personal Data for a certain period of time (in which case We will keep the Personal Data for the maximum period indicated by any such law).
We would also have to determine whether there are any laws and/or contractual provisions that may be invoked against Us by You and/or third parties and if so, what the prescriptive periods for such actions are (for example, any rights You may have to challenge any decision We may issue). After this period, We shall delete most or all unnecessary records but for historical and statistical purposes We may retain the Complainant’s details (though in some cases these may even be anonymised where possible), the nature of the complaint, the name of the organisation/entity complained against and any final decision taken by Us. In any case, We will keep any relevant Personal Data that We may need to defend Ourselves against any claim(s), challenge(s) or other such action(s) by You and/or third parties for such time as is necessary.
Once a file or files in connection with any investigation is closed, the personal data in any such file(s) will be retained for a period of five (5) years from when the case in question is closed. For the avoidance of all doubt, any annual reports that We are duty bound to compile and present to the Maltese Parliament as well as any final decisions/opinions We would have taken in connection with such case will be retained indefinitely. This is without prejudice to what is stated below in connection with archiving in the national interest.
In some instances, depending on the nature of the investigation in question as well as the entity investigating the case, the retention periods may be longer. In case of any doubt, please do not hesitate to contact Us to enquire further into this point.
Also for the avoidance of all doubt, We will not delete any relevant personal data relating to a complaint You may have initiated and/or a complaint relating to You and/or any third party for as long as any investigation and related proceedings remain active.
WHERE YOUR PERSONAL DATA ARE NO LONGER REQUIRED BY US, WE WILL EITHER SECURELY DELETE OR ANONYMISE THE PERSONAL DATA IN QUESTION. THIS IS WITHOUT PREJUDICE TO ANY OBLIGATION(S) WE MAY HAVE TO RETAIN CERTAIN INFORMATION IN OUR RECORDS AND/OR TO SHARE CERTAIN PERSONAL DATA (FOR EXAMPLE ANY RELEVANT PERSONAL DATA IN REPORTS WE COMPILE) WITH OFFICIAL AUTHORITIES AND/OR RELATED ENTITIES (SEE SHARING OF PERSONAL DATA WITH OTHER CATEGORIES OF RECIPIENTS SECTION ABOVE FOR MORE INFORMATION).
PROCESSING FOR RESEARCH & STATISTICAL REASONS & ARCHIVING IN THE NATIONAL INTEREST
Research and Statistics
Research and statistics using User/visitor and/or Complainant information is only generally carried out so that We may understand Our Users’ and/or Complainants’ needs, to develop and improve Our services/activities (especially via the Site) and/or for philanthropic goals representative of the Office of the Ombudsman’s purpose. In any case, We will always ensure to obtain any consent We may legally require from You beforehand.
Archiving in the National interest
As agreed with the National Archives of Malta, on an annual basis, five per cent (5%) of all complaints that are followed up by an investigation and in respect of which an investigative report is drawn up by Us, are selected by Us for archiving in the national/public interest. The said reports selected by Us in the national/public interest are sealed by Us in such a manner that the reports will not accessible by anyone for a period of one hundred (100) years after which the said reports would be transferred to the National Archives of Malta.
As You will appreciate, since the reports will be sealed for such period, We will not be able to discuss the content of any such complaints/investigations as included in any such reports (and this to ensure full confidentiality of such reports until the lapse of the said one hundred (100) years from the date of sealing.
Since the archiving in question is done/will be done in the public interest, the said processing of personal data by Us is subject to a legal derogation found in Article 6(2) of the Maltese Data Protection Act (Chapter 586 of the Laws of Malta) which states that in connection with such processing of personal data, You shall not be entitled to exercise:
- Your Right of Access (Article 15, GDPR),
- Your Right to Rectification (Article 16, GPDR),
- Your Right to Restriction of Processing (Article 18, GDPR),
- Your Right to Data Portability (Article 20, GDPR) as well as
- Your right to Object to such processing (Article 21, GDPR).
Moreover, we shall have no notification obligations arising under Article 19, GDPR in so far as rectification and erasure of personal data or restriction of processing are concerned.
In addition, Your right to Erasure (Right to be forgotten) shall also not apply, and this on the basis of Article 17(3), GDPR.
The derogations above are necessary for the fulfilment of the archiving purposes (in the national/public interest) stated above because the exercise of any of the rights above would likely render impossible or seriously impair the achievement of the said archiving purposes (in the public interest).
As in all other cases, We will also ensure to implement all appropriate safeguards as may be necessary.
LINKS TO THIRD PARTY SOURCES
Links that We provide to third-party websites are clearly marked and We are not in any way whatsoever responsible for (nor can We be deemed to endorse in any way) the content of such websites (including any applicable privacy policies or data processing operations of any kind). We suggest that You should read the privacy policies of any such third-party websites.
The Site and Our services are not generally intended to be used by any persons under the age of eighteen (18) and therefore, We will never intentionally collect any Personal Data from such persons unless:
- Under a specific legal exemption (if any); or
- The matter relates to a complaint and/or query involving a minor.
In the case of B) above, the complaint and/or query (usually addressed to the Commissioner for Education) may be made with Us by the minor him/herself with the written consent of the parent/guardian. We shall consider that any Personal Data of persons under the age of eighteen (18) received by Us, shall be sent with the proper authority and that the sender can demonstrate such authority at any time, upon Our request. For example, if the chosen method of communication with Us does not permit the parent/guardian to provide Us with his/her signature manifesting his/her consent and/or other suitable method of identification, We may ask for additional information, including the said signature of the parent/guardian acting on behalf of the minor.
In all cases, if You are under the age of consent, please consult and get Your parent’s or legal guardian’s permission to use the Site and to use Our services.
If You feel that Your particular circumstances require direct contact with Us, and if You are thirteen (13) years of age or older, please contact us by calling the following number +356 2248 3221 and We will then make a case-by-case determination as to whether Your consent alone would suffice. In doing so, We may need to consult the Office of the Information and Data Protection Commissioner.
We do not rely on any decisions taken solely by automated means (in other words, without significant human intervention) – including any profiling. Should this position change in the future (and only as We may be legally permitted to do), You will be notified accordingly.
YOUR RIGHTS UNDER THE DATA PROTECTION LAWS
Before addressing any request You make with Us, We may first need to verify Your identity. In all cases We will try to act on Your requests as soon as reasonably possible.
As explained in the Retention Periods section above, We may need to keep certain Personal Data for compliance with Our legal retention obligations but also to complete transactions that You requested prior to the change or deletion that You requested.
The rights below are subject to certain legal derogations as explained above (see PROCESSING FOR RESEARCH & STATISTICAL REASONS & ARCHIVING IN THE NATIONAL INTEREST for more information)
Your various rights at law include:
Your Right of Access
You may, at any time request Us to confirm whether or not We are processing Personal Data that concerns You and, if We are, You shall have the right to access those Personal Data and to the following information:
- What Personal Data We have,
- Why We process them,
- Who We disclose them to,
- How long We intend on keeping them for (where possible),
- Whether We transfer them abroad and the safeguards We take to protect them,
- What Your rights are,
- How You can make a complaint,
- Where We got Your Personal Data from and
- Whether We have carried out any automated decision-making (including profiling) as well as related information.
Upon request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.
Please note that this right may not be used to circumvent Our legal obligation to keep investigations We carry out strictly confidential (to ensure that the rights and freedoms of other are not adversely affected). It would need to be determined, on a case-by-case basis which information as explained above You are entitled to receive and what You are not.
Your Right to Rectification
You have the right to ask Us to rectify inaccurate Personal Data and to complete incomplete Personal Data concerning You. We may seek to verify the accuracy of the data before rectifying it.
Your Right to Erasure (The Right to be Forgotten)
You have the right to ask Us to delete Your Personal Data and We shall comply without undue delay but only where:
- The Personal Data are no longer necessary for the purposes for which they were collected; or
- You have withdrawn Your consent (in those instances where We process on the basis of Your consent) and We have no other legal ground to process Your Personal Data; or
- You shall have successfully exercised Your right to object (as explained below); or
- Your Personal Data shall have been processed unlawfully; or
- There exists a legal obligation to which We are subject; or
- Special circumstances exist in connection with certain children’s rights.
In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your Personal Data is necessary:
- for compliance with a legal obligation to which We are subject (including but not limited to Our data retention obligations as well as obligations imposed on Us taking into account Our role and function);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as your exercise of this right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
- for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling Us to refuse erasure requests although the three instances above are the most likely grounds that may be invoked by Us to deny such requests.
Your Right to Data Restriction
You have the right to ask Us to restrict (that is, store but not further process) Your Personal Data but only where:
- The accuracy of Your Personal Data is contested (see the right to data rectification above), for a period enabling Us to verify the accuracy of the Personal Data; or
- The processing is unlawful and You oppose the erasure of Your Personal Data; or
- We no longer need the Personal Data for the purposes for which they were collected but You need the Personal Data for the establishment, exercise or defence of legal claims; or
- You exercised Your right to object and verification of Our legitimate grounds to override Your objection is pending.
Following Your request for restriction, except for storing Your Personal Data, We may only process Your Personal Data:
- Where We have Your consent; or
- For the establishment, exercise or defence of legal claims; or
- For the protection of the rights of another natural or legal person; or
- For reasons of important public interest.
Your Right to Data Portability
You have the right to ask Us to provide Your Personal Data (that You shall have provided to Us) to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it ‘ported’ directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
Your Right to Withdraw Consent (when We rely on consent)
See Our Special Note on Consent for detailed information on this right (which You may exercise at any time).
Your Right to Object to Certain Processing
In those cases where We only process Your Personal Data when this is:
1.) necessary for the performance of a task carried out in the public interest OR when We exercise Our official Authority or
2.) when processing is necessary for the purposes of the legitimate interests pursued by Us or by a third party,
You shall have the right to object to processing of Your Personal Data by Us. Where an objection is entered, the processing of data shall cease, unless We as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections You may have raised.
For the avoidance of all doubt, when We
- process Your Personal Data when this is necessary for the performance of a contract,
- when necessary for compliance with a legal obligation to which We are subject or
- when processing is necessary to protect Your vital interests or those of another natural person,
this general right to object shall NOT subsist.
Your Right to lodge a Complaint
You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner (OIDPC).
We kindly ask that You please attempt to resolve any issues You may have with Us first (even though, as stated above, You have a right to contact the competent authority at any time).
WHAT WE MAY REQUIRE FROM YOU
As one of the security measures We implement, before being in the position to help You exercise Your rights as described above We may need to verify Your identity to ensure that We do not disclose to or share any Personal Data with any unauthorised individuals.
TIME LIMIT FOR A RESPONSE
OFFICE OF THE OMBUDSMAN DETAILS
If You have any questions/comments about privacy or should You wish to exercise any of Your individual rights, please contact Us at: firstname.lastname@example.org or by writing to 11, St Paul Street, Valletta, VLT 1210, Malta (at the address above) by phoning Us using telephone number (+356) 2248 3200 (during normal office hours) or by contacting Our Data Protection Officer.
The Office of the Ombudsman’s Data Protection Officer is Mr Gordon Fitz who can be contacted directly at (+356) 2248 3221.
Last Updated on 13th March 2020