1.2 “Controllers” – this shall mean the natural or legal person or body (i.e. Fides) which/who shall determine the purpose and means of processing data;
1.3 “Processors” – this shall mean the natural or legal person or body which/who shall process the personal data on behalf of the controller;
1.4 “Personal Data” – this shall be defined as any information relating to an identifiable natural person which may be directly or indirectly identified. This shall apply to both automated personal data as well as manual filing systems;
1.5 “Sensitive Personal Data” – means special categories of personal data which include but are not limited to genetic and biometric data used to identify a specific individual;
1.6 “Data Subject” – means an identifiable natural person to whom the information gathered or the data collected belongs – our clients, in this case you;
1.7 “Engagement Pack” – means our Engagement Letter and our Proposal Form as signed by the client upon the engagement of Fides’s services;
1.8 “PMLFTR” – means the Prevention of Money Laundering and the Funding of Terrorism Regulations;
1.9 “PMLA” – means the Prevention of Money Laundering Act (Chapter 373 of the laws of Malta);
1.10 “FIAU” – means the Financial Intelligence Analysis Unit of Malta;
2.1 The scope and purpose of this policy is that of providing the Data Subject with the basis on which the personal data will be processed when Fides shall be engaged for its legal and advisory services. Upon the engagement of Fides’s services the Data Subject shall receive our Engagement Pack documents, which establish the contractual relationship between Fides and the client and which shall specifically, clearly, directly and unequivocally refer to this policy. It is for this reason that we strongly suggest that you read and understand this policy so that you are fully informed of how Fides shall gather, handle and use your personal data and also be informed of the rights that you have at law in this regard.
2.2 Fides falls both within the Material Scope as well as the Territorial scope of the provisions inherent in the GDPR. The scope is that of providing a set of rules common to all EU Member States relating to the protection of natural persons in relation to the processing of personal data and rules relating to the free movement of personal data.
3. Lawful basis for Processing Data and how it is Used
3.1 Fides at all times processes clients’ data in an appropriate and lawful manner and at all times in compliance with the rights and obligations of the Data Protection Act (chapter 440 of the Laws of Malta), the General Data Protection Regulation (Regulation EU 2016/679) (hereinafter referred to as “GDPR”) albeit while complying with the obligations imposed upon Fides by virtue of the PMLFTR, PMLA and FIAU to gather adequate data and personal documents belonging to the client when the latter engages Fides for their services. In the exercise of its functions as engaged by the Data Subject, Fides may also require such data processing to fulfil external mandatory reporting obligations as may be set by regulatory authorities, MFSA, ITU, Identity Malta, Transport Malta, FIAU and other similar entities. It is to be understood that the necessary Data Subject consent shall be sought prior to any such data processing.
3.2 In short, Fides shall at all times ensure that Personal Data is processed lawfully and collected in a fair and transparent manner for specific and legitimate purposes and interest, such as but not limited to internal record keeping, billing purposes and debt recovery, accounts and audit, and all other ancillary acts deemed necessary for the proper administration of Fides.
3.3 While Fides shall do its utmost to ensure that the data requested is adequate, relevant and accurate/up to date, it is also imperative that the client keeps Fides informed of any changes to the data provided as also mentioned in the Disclaimers in this policy. It is our internal policy to discard/destroy any inaccurate data given that this is in any case deemed inadequate for the services Fides is engaged for.
4. Security Measures and Internal Policies
4.1 Fides has security procedures in place, both internally as well as from an IT perspective whereby we ensure that your data is processed in a manner that ensures appropriate security, including but not limited to protection against unauthorised personnel or third parties (confidentiality), and also protection against accidental loss or destruction. Any data held in soft copy is duly encrypted and only limited authorised personnel have access to such server files as deemed strictly necessary. All data is backed up on cloud in a segregated folder so as to ensure retrievable measures against any possible damage or loss of data. All hard copies of any Data are held under lock and key and Fides has also adopted a “Clear Desk Policy” whereby outside office hours no hard documents containing client data are left on employees’ desks.
Furthermore, CCTV is also in place in all filing rooms wherein such data is available so as to have an added safeguard in the event of any unlikely breach of security. Another added security feature is that access to our offices is by virtue of two separate access codes which are only known to Fides employees and which are changed periodically, particularly, in the event of any change of staff. The aforementioned security measures are in place for your peace of mind – as the clients’ peace of mind is our peace of mind. It is the duty of the Data Protection Officer to ensure that all of the above measures are adhered to on a daily basis by the Fides staff.
5. Methods of Data Processing and Requesting
5.1 The main method of obtaining data by Fides is through direct and email interactions held between Fides and the Data Subject or any such intermediary duly appointed by the Data Subject. Fides has internal policies in place to ensure that the correct and necessary volume of required data is requested from the client in order to satisfy our legal and regulatory obligations in relation to the services we are engaged for.
5.2 As part of our Engagement Pack the Data Subject will be expected to complete our “Fides Proposal Form” and sign this form accordingly. It is by virtue of the information transmitted through this form that Fides shall become fully aware of the services required as part of the new contractual obligation coming into place with the Data Subject. The Fides Proposal Form contains detailed information as to data that would be required by Fides in accordance with the services sought by the client.
5.3 Once data is obtained Fides may have to grant access to or share the Data Agent’s personal data with any one of the following as the case may be and as may be strictly necessary in accordance with our contractual obligations in accordance with the engagement of our services:
- Professional advisers and consultants;
- Bankers and financial institutions;
- Government Regulators including the Income Tax Department, Identity Malta Agency, Transport Malta, MFSA, the Courts of Malta, and Police authorities;
- Service Providers such as our IT services providers.
6.1 In all our business operations which involve processing your personal data, we shall ensure that we have your free and explicit consent and where necessary, you shall be asked to indicate the exact forms of data processing that you are consenting to.
6.2 You are free to refuse consent at all times and you will not be again requested to give your consent, having formerly refused, in order to avoid undue pressure.
6.3 When requesting your consent, we shall clearly indicate that the consent shall be relied on by our organization and if any third party controllers will be involved, such persons shall be clearly identified. If the need to involve a third party arises at a later date then consent shall be sought once again albeit implied by our contractual relationship.
6.4 You shall have the right to withdraw any type of consent at any time and we will facilitate and simplify such withdrawal. Data subjects will by no means be penalised for any withdrawal.
6.5 All forms of consent shall be recorded in the exact wording given by the data subjects at the time when the consent was given.
6.6 Your consent shall be reviewed at regular intervals to ensure that the consent which was given at a particular time is still relevant and did not exceed the purpose/s for which it was granted.
6.7 Management tools required in order to facilitate records of consent and regular reviews are implemented by Fides.
6.8 When personal data of minors (below the age of sixteen years) is required, the consent of their parents or legal guardians will be explicitly requested.
7. Rights of Data Subjects
7.1 The Right to be informed
Fides shall at all times inform the Data Subject of the personal data required and such information shall be concise, transparent and written in plain and intelligible language.
7.2 The Right of Access
Data Subjects shall have the right (upon specific request made to Fides/Data Protection Officer) to access their personal data and supplementary information. This may be made by sending an email to the Data Protection Officer clearly containing your request to exercise your Right of Access. A “Right of Access of Data Form” will be requested from you as we have a system whereby we register your Request. Applicable charges may apply in the event of the request for additional services such as the request of hard copies or certified copies of the data held. A copy via email of the information is free of charge. Excessive and repetitive requests could incur charges for the Data Subject. While we strive to meet your requests in the shortest time possible, response times of a maximum of one (1) calendar month may apply between the moment the request is obtained and the moment Fides provides the assistance sought.
7.3 The Right to Rectification
Data Subjects shall have the right to have personal data rectified and usually this right is exercised when the personal data is inaccurate and/or incomplete. Should the personal data being rectified have already been notified to third parties (after appropriate consent has been sought), then Fides shall do all in its power to ensure that the third party is likewise notified of the rectification. While we strive to meet your requests in the shortest time possible, response times of a maximum of one (1) calendar month may apply between the moment the request is obtained and the moment Fides provides the assistance sought.
7.4 The Right to Erasure
This is commonly referred to as “the right to be forgotten”. The underlying principle is that the Data Subject shall have the important right to be forgotten and to have their personal data erased and destroyed insofar as no legal/regulatory obligations to the contrary exist and where there is no other compelling reason for the need to retain such personal data by Fides. Fides may also not be in a position to meet such request in the event that such data is required by a Court of Law in the exercise of a legal claim. Should Fides have unlawfully processed the personal data in question, then the Data Subject may immediately exercise his/her right to erasure. Should the personal data being erased have already been notified to third parties (after appropriate consent has been sought), then Fides shall do all in its power to ensure that the third party is likewise notified of the erasure. While we strive to meet your requests in the shortest time possible, response times of a maximum of one (1) calendar month may apply between the moment the request is obtained and the moment Fides provides the assistance sought.
7.5 The Right to Restrict Processing
The Data Subject will have the right to ask Fides to block the processing of the personal data. In such events, Fides shall have the right to retain such data but shall not have the right to further process it. Genuine grounds for requesting this right include the scenario when the data subject contests the accuracy of the personal data and where the Data Subject objects to the processing as the client feels that he has a legitimate interest to do so. The right to restrict processing clearly applies in the event that such processing of data is deemed unlawful and also in the event where Fides no longer needs to retain the personal data. Should the personal data being restricted have already been notified to third parties (after appropriate consent has been sought), then Fides shall do all in its power to ensure that the third party is likewise notified of the restriction to process further. While we strive to meet your requests in the shortest time possible, response times of a maximum of one (1) calendar month may apply between the moment the request is obtained and the moment Fides provides the assistance sought.
7.6 The Right to Data Portability
The Data Subject will have the right to request the transfer of the data held by Fides to themselves or to a third party clearly identified by the Data Subject. Such right may be exercised by contacting the Data Protection Officer with clear instructions to proceed with the Data Portability. A “Transfer of Data Form” will be requested from the client to be completed for our appropriate record keeping. Fides shall bind itself to provide the requested data in a structured and machine readable form. Such information shall be provided free of charge. While we strive to meet your requests in the shortest time possible, response times of a maximum of one (1) calendar month may apply between the moment the request is obtained and the moment Fides provides the assistance sought.
7.7 The right to Object and Withdraw Consent at any Time
The Data Subject shall have the right to object and also withdraw consent in those circumstances wherein the Data Subject’s consent is necessary in order for Fides to process the client’s data. Any processing actions undertaken by Fides prior to the withdrawal of consent shall remain legitimate. Should the personal data being withdrawn have already been notified to third parties (after appropriate consent has been sought), then Fides shall do all in its power to ensure that the third party is likewise notified of the withdrawal of consent in relation to the data in question. While we strive to meet your requests in the shortest time possible, response times of a maximum of one (1) calendar month may apply between the moment the request is obtained and the moment Fides provides the assistance sought.
7.8 All of the above rights may be actioned at all times by contacting the Data Protection Officer at the contact details provided herein. Fides reserves the right to ask the individual seeking to exercise the above rights certain identification questions to ascertain the identity of the individual requesting to exercise such right. Apart from exceptional circumstances wherein the act being done goes beyond the mere exercise of the Data Subject’s Rights, no fees shall be charged for the service of assisting in the exercise of the Data Subject’s rights as mentioned above. Exceptional circumstances mentioned in this paragraph are to be understood as repetitive/excessive requests and requests which go beyond the mere exercise of the Client’s rights as found in the GDPR and this policy. While Fides shall at all times ensure that you have a right to exercise your rights in accordance with the GDPR, each individual request shall be assessed by Fides and should your request be rejected then you shall be duly notified in writing of the legitimate reasons for not complying with your request.
8. Data Retention
8.1 Fides shall retain such personal data for such periods as expressly provided by the laws of Malta in relation to personal data gathered in the exercise of our functions as Corporate Service Providers so as to respect all our legal and regulatory requirements.
8.2 General practice dictates that Fides shall not retain your personal data for a period longer than six (6) years which period shall commence from the day on which the contractual relationship with the Data Subject is terminated and our engagement is dissolved. Such right is retained by Fides as the latter might need to satisfy reporting obligations vis-à-vis FIAU and AML.
8.3 In some circumstances data may need to be retained by Fides for up to eleven (11) years primarily due to accounting and tax obligations.
9. Data Breaches
In the undesirable and unlikely event of a personal data breach (meaning the breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data) Fides has put in place an internal policy whereby a detailed written report (“Fides Data Breach Report”) is filed with the Data Protection Officer within twenty-four (24) hours of the breach taking place. A notifiable breach shall be accordingly reported to the relevant supervisory authority within seventy-two (72) hours commencing from when Fides has become aware of the breach. Fides shall cooperate with the supervisory authority as best as possible in order to remedy the undesirable situation/breach. Should Fides deem that the risk constitutes a high risk to the rights and freedoms of the Data Subject, then the latter shall also be notified of the breach concurrently with the notification being made to the supervisory authority.
10.1 While you are entitled not to comply with requests for Personal Data that Fides may from time to time request in accordance with this policy and for the fulfilment of its services mandate, it is to be understood that in the event of non-compliance from your part, Fides may not be in a position to effectively complete the services it was engaged for and Fides shall not be held responsible for the non-completion of its services as per our client contractual relationship.
10.2 It is the Client’s duty to at all times keep Fides informed of any changes to the Personal Data which Fides already holds on the Data Subject/Client. Failure to comply with this obligation on the part of the Client may result in the situation where Fides shall not be in a position to effectively complete the services it was engaged for and Fides shall not be held responsible for the non-completion of its services as per our client contractual relationship. Such obligation shall no longer subsist with the termination of our contractual relationship/engagement.
11. Amendment to the Policy
12. Main Point of Contact for all Data Processing and Privacy Matters
12.1 Fides has appointed a Data Protection Officer who serves as our data protection contact point in relation to the exercise of any of your rights in accordance with the GDPR and in relation to any queries you may hold in relation to this policy. The Data Protection Officer is entrusted to ensure that any necessary reporting is being done and to ensure that the employees are efficiently conducting their Data Processing functions ensuring full compliance with GDPR. The Data Protection Officer directly reports to the highest management level within Fides and also serves as the main point of contact for the supervisory authority.
12.2 While we strive to be as clear and transparent as possible we understand that you may still require clarifications and appreciate your questions. Any complaints to the related matter of this policy may also be directly addressed to the Data Protection Officer. All complaints are properly documented and treated with the necessary serious approach as the matter deserves. Our Data Protection Officer may be reached at the following contact details:
“Data Protection Officer” – Fides Corporate Services Limited
Address: 5/1, Merchants Street, Valletta VLT1171, Malta