Before addressing any request You make with Us, We may first need to verify Your identity. In all cases We will try to act on Your requests as soon as reasonably possible.
As explained in the Retention Periods section above, We may need to keep certain Personal Data for compliance with Our legal retention obligations but also to complete transactions that You requested prior to the change or deletion that You requested.
In certain circumstances, the following rights may be available to You and You can exercise these rights by making a request to us. Where these rights are not available to You and we cannot fulfil Your request, we will inform You of this and provide our reasons for such refusal.
Your Right of Access
You may, at any time request Us to confirm whether or not We are processing Personal Data that concerns You and, if We are, You shall have the right to access that Personal Data and to the following information:
- What Personal Data We have,
- Why We process them,
- Who We disclose them to,
- How long We intend on keeping them for (where possible),
- Whether We transfer them abroad and the safeguards We take to protect them,
- What Your rights are,
- How You can make a complaint,
- Where We got Your Personal Data from and
- Whether We have carried out any automated decision-making (including profiling) as well as related information.
Upon request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.
Your Right to Rectification
You have the right to ask Us to rectify inaccurate Personal Data and to complete incomplete Personal Data concerning You. We may seek to verify the accuracy of the data before rectifying it.
Your Right to Erasure (The Right to be Forgotten)
You have the right to ask Us to delete Your Personal Data and We shall comply without undue delay but only where:
- The Personal Data are no longer necessary for the purposes for which they were collected; or
- You have withdrawn Your consent (in those instances where We process on the basis of Your consent) and We have no other legal ground to process Your Personal Data; or
- You shall have successfully exercised Your right to object (as explained below); or
- Your Personal Data shall have been processed unlawfully; or
- There exists a legal obligation to which We are subject; or
- Special circumstances exist in connection with certain children’s rights.
In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your Personal Data is necessary:
- for compliance with a legal obligation to which We are subject (including but not limited to Our data retention obligations); or
- for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling Us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by Us to deny such requests.
Your Right to Data Restriction
You have the right to ask Us to restrict (that is, store but not further process) Your Personal Data but only where:
- The accuracy of Your Personal Data is contested (see the right to data rectification above), for a period enabling Us to verify the accuracy of the Personal Data; or
- The processing is unlawful and You oppose the erasure of Your Personal Data; or
- We no longer need the Personal Data for the purposes for which they were collected but You need the Personal Data for the establishment, exercise or defence of legal claims; or
- You exercised Your right to object and verification of Our legitimate grounds to override Your objection is pending.
Following Your request for restriction, except for storing Your Personal Data, We may only process Your Personal Data:
- Where We have Your consent; or
- For the establishment, exercise or defence of legal claims; or
- For the protection of the rights of another natural or legal person; or
- For reasons of important public interest.
Your Right to Data Portability
You have the right to ask Us to provide Your Personal Data (that You shall have provided to Us) to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:
- The processing is based on Your consent or on the performance of a contract with You; and
- The processing is carried out by automated means.
Your Right to Withdraw Consent (when We rely on consent)
See Our Special Note on Consent for detailed information on this right (which You may exercise at any time).
Your Right to Object to Certain Processing
In those cases where We only process Your Personal Data when this is 1.) necessary for the performance of a task carried out in the public interest or 2.) when processing is necessary for the purposes of the legitimate interests pursued by Us or by a third party, You shall have the right to object to processing of Your Personal Data by Us. Where an objection is entered, the processing of data shall cease, unless We as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections You may have raised.
When your data is processed for direct marketing purposes, You have the right to object at any time to the processing of Your Personal Data, which includes profiling to the extent that it is related to such direct marketing.
For the avoidance of all doubt, when We process Your Personal Data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which We are subject or when processing is necessary to protect Your vital interests or those of another natural person, this general right to object shall not subsist.
Your Right to lodge a Complaint
You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner (OIDPC).
We kindly ask that You please attempt to resolve any issues You may have with Us first (even though, as stated above, You have a right to contact the competent authority at any time).
WHAT WE MAY REQIURE FROM YOU
As one of the security measures We implement, before being in the position to help You exercise Your rights as described above We may need to verify Your identity to ensure that We do not disclose to or share any Personal Data with any unauthorised individuals.
TIME LIMIT FOR A RESPONSE
We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if You send Us multiple requests), it may take Us longer than a month. In such cases, we will notify You accordingly and keep You updated.