In accordance with the duties set forth by the EU General Data Protection Regulation 2016/679 (GDPR), please be advised that IT Legals Ltd, with registered office at 23, Level 1, Triq Giuseppe Calleja, MSD2270, Swatar, Msida (Malta), Reg. N. C67394, VAT N. MT22077612, E-mail info@itlegals.com, as Data Controller, will process your personal data as may have been, or may hereafter be submitted/disclosed to us (whether by you or by another party) over the course of your dealings with our company.

The processing of data voluntarily submitted by you, or otherwise collected, shall be conducted in a manner that complies with all applicable privacy laws; such processing shall further be performed in an ethical, lawful, and transparent manner, according to the principles of relevance, completeness, and tailoring to purpose.

Therefore, and pursuant to Article 13 of the EU General Data Protection Regulation (EU 2016/679, the “GDPR”), we would like to inform you of the following:
  1. Your data shall be processed for the following purposes:
    • As part of the ordinary course of our institutional affairs and/or in pursuit of our corporate purpose;
    • For needs relating to the execution of a contract or engagement, performance thereunder, or amendments thereto, or any duty we are bound to under the same;
    • Operational, organisational, management, tax, financial, insurance, or bookkeeping issues relating to any established contractual or pre-contractual relationship;
    • To discharge any statutory or regulatory duty (national or EU);
    • To record, manage, and retain access logs for any company website, intranet, database, or visitor/access logs at company locations;
    • To monitor access and company security;
    • Needs relating to monitoring how products are distributed or services rendered, vendor relationships, and for contract-risk analysis/management;
    • Traditional marketing, online marketing, web marketing, and web advertising (with your express consent).
  2. Processing shall be completed in the following manner:
    • Processing shall be performed in a non-automated or semi-automated manner, and may include the following operations: collection, recording, organisation, retention, review, use, development, modification, selection, excerpting, comparison, mining, disclosure, dissemination, erasure, destruction, blocking, or limitation.
    • Processing shall be conducted using hard-copy or electronic instruments sufficient to ensure the security and privacy of such data in accordance with Art. 32 of the EU General Data Protection Regulation (EU 2016/679, the “GDPR”) with respect to adequate safeguards.
    • In carrying out processing operations, those technical, IT, organisational, logistical, and security-protocol procedures needed to comply with the minimum statutory requirements shall be implemented. The aforementioned methodologies, applicable to processing, ensure that data shall only be accessed by those parties named in point 4 hereof.
  3. Submission of data for processing is:
    • Mandatory (not requiring your consent) for the pursuit of purposes relating to statutory, or regulatory (national or EU) compliance.
    • Necessary (not requiring your consent) for all personal data essential to the correct institution, management, and performance of the sales and/or contractual agreement.
    • Optional and requires your express consent for any personal data collected for purposes relating to marketing, and those not directly and/or indirectly relating to contractual, pre-contractual, statutory, regulatory duties, or for the safeguarding of vital interests, to carry out a public function, to exercise a public power, or to pursue a legitimate interest.
    • Any refusal, however legitimate, to provide the data described supra, whether in whole or in part, might compromise the proper functioning of your relationship with our business and moreover, for those personal data defined as mandatory and essential in sections appearing supra, it may make it impossible for our business to properly perform company operations and to distribute the products and/or render the services requested.
  4. The entities/individuals or categories of entities/individuals who might have access to the data, or to whom the data might be disclosed, are as follows:
    • Data Processors: Consultants, or consultancy firms, freelance professionals, independent contractors, technical and engineering firms, agents and sales agents, banking institutions, and insurance companies, credit-collection companies, auditors and auditing firms, qualified accounting firms, HR specialist firms, law firms, transport/logistics companies, contractors.
    • Data Supervisors: Management, finance and accounting, administrative office, HR, marketing, sales, technical office, and IT office.
    • System administrators
    • Personal data may also be disseminated, but only in aggregate, pseudonymised form, for statistical purposes. Personal data may further be disclosed to government agencies, the police force, or other public- and private-sector entities, but only for purposes of statutory or regulatory compliance (national and EU). The data in question shall not be disclosed to any parties other than those identified herein; data that might reveal the data subject’s health status shall never be disseminated.
  5. Processed data may be processed and transferred, for those purposes set forth in point 1, supra, and according to the methods set forth in point 2, supra, to the parties noted in point 4 hereof who are located in countries that are members of the European Union and/or outside the EU, but only pursuant to an Adequacy Decision by the European Commission, Adequate Privacy Safeguards, or an authorisation issued by the Data Protection Authority.
  6. Data shall be collected and recorded solely for those purposes appearing in point 1, supra, for no longer than ten (10) years from the date of their collection for accounting/bookkeeping purposes, and no longer than twenty-four (24) months for marketing purposes.
  7. Regardless, you may always request information regarding the location where your personal data is being processed, and an updated list with the identifiers for all Data Processors and the System Administrators authorised to process your data.
    You may, at any time, freely revoke your consent as granted, free of charge; such revocation shall not prejudice any processing completed prior to such revocation. You may further exercise your data-subject rights as against the Data Controller as set forth in EU General Data Protection Regulation EU/2016/679 (the “GDPR”): Access, Correction, Erasure, Limitation, Objection, Data Portability, Complaints with the Data Protection Authority.

Msida, 01 September 2018