Privacy Policy

Privacy Policy

This Privacy Policy applies to the following personal data controllers (“Compliance Partners” or “we”):

Compliance Partners LTD., registration number: C50867

If you have any questions about this privacy statement or how and why we process personal data, please contact us via email: info@compliancepartners.eu.

Please note that before we respond to your request, we may ask you to provide additional data to identify you.

General

We are strongly committed to protecting personal data. This Privacy Policy describes why and how we collect and use personal data and provides information about your rights as a data subject.

We process the personal data for the purposes described in this Privacy Policy or for the purposes indicated at the time the personal data was obtained.

Personal data is any information relating to an identified or identifiable natural person. Compliance Partners process personal data for various purposes, and the method of obtaining personal data, the legal basis for processing, use, as well as its further transfer and retention period may differ depending on the relevant purpose.

When processing your Personal Data, we comply with the provisions of the General Data Protection Regulation No. 2016/679 (ES) (hereinafter referred to as the GDPR) and the requirements of the legal acts of the Republic of Malta, as well as the instructions of the controlling authorities.

It is our policy to be transparent about why and how we process personal data. We take the security of the personal data that we process very seriously. We follow internationally recognized safety standards.

We have the right to change this Privacy Policy. We will notify you of any changes on the Website by posting an updated Privacy Policy. Additions or changes to the Privacy Policy will be effective from the date of updating specified in the Privacy Policy, unless a different effective date is specified.

Applicability

This Privacy Policy applies when you visit our website, available at www.compliancepartners.eu/io (hereinafter referred to as the “Website”), our social network accounts on Facebook and LinkedIn (hereinafter referred to as the “Social Network Accounts”), review the information we provide, enter into an advisory services agreement with us, and we provide you with our services, register and seek to use our services, supply or provide us with your goods or services, register and participate in events organised by us, subscribe to our newsletter, contact us by phone, e-mail communication channels, asking other questions, applying for a job we offer, etc.

The Website may contain links to external websites, such as the websites of our business partners or websites promoting us and our Services. By following such links to any of these websites, please note that these websites have their own separate privacy policies and that this Privacy Policy does not apply to them. Please review their privacy policies before submitting your Personal Data to these websites or using their offers.

Compliance Partners

The controller of your Personal Data is Compliance Partners Ltd., registration number C50867, based in Portomaso Complex, Block 14-91, STJ4019, St. Julians, Malta  (hereinafter referred to as Compliance Partners or we).

We operate the Website and Social Network Accounts, and we act as your controller of your Personal Data by offering and providing the Services, performing our day-to-day operations or complying with legal requirements.

Data Safety

Your Personal Data shall be handled responsibly, securely and is protected from loss, unauthorised use and alteration. We have put in place physical and technical measures to protect the information we collect from accidental or unlawful deletion, damage, alteration, loss, disclosure, as well as from any other unlawful processing. Security measures for the Personal Data shall be determined taking into account the risks arising from the processing of the Personal Data. Our employees have signed a written undertaking not to disclose or distribute your Personal Data to third parties, unauthorised persons.

What data we are processing

We are processing your Personal Data obtained in the following ways:

  • When you provide us with Personal Data, for example, you enter into an agreement with us, receive our Services, participate in events organised by us, contact us by e-mail or phone, subscribe to our newsletter, etc.;
  • When we collect your Personal Data during your use of the Website, Social Network Accounts, such as your IP address, history of visits to the Website, choices, URL links opened, etc. automatically.
  • When we receive the Personal Data from other persons, such as when we receive information about payments made, etc. from public registers, state or local government institutions or bodies, our partners, for example, other third parties, such as payment institutions.
  • When your Personal Data is provided to us by your relatives or acquaintances with your consent, as well as when your data is provided by companies (your employers), for example, specifying your contact information referring to you as an authorised person, etc.
  • We process your Personal Data in order to offer and provide you with the Services, to fulfil our contractual obligations, as well as to pursue our or third parties’ legitimate interest in carrying out instructions or obligations prescribed by the legal acts.

By providing Personal Data to us, you are responsible for the accuracy, completeness and relevance of such Personal Data. When providing us with their personal data, a person must provide complete, complete and correct information about themselves. If we are provided with inaccurate, false or misleading Personal Data, we have the right to delete such data or restrict access to the Website, the Services and so on.

When providing the Personal Data about other persons (e.g. your relatives, employees, other authorised persons), you shall be responsible for the accuracy, completeness and relevance of such Personal Data, as well as for such person’s consent to the disclosure of his or her Personal Data to us. When you provide such data, we may ask you to confirm that you have the right to provide it. If necessary (for example, such a person inquires us about the receipt of his or her Personal Data), we will identify you as the provider of such data.

Purposes and conditions of processing

We process your Personal Data for the following purposes and under the following conditions:

Purpose of processingPersonal Data being processedTerms of processingLegal Basis
Provision of advisory services, consultations before concluding a contract for the provision of company servicesName, surname, date of birth, personal identification number, individual activity certificate number, VAT payer code, signature, address / workplace address, telephone number, e-mail address, data of other communication channels (Skype, Facebook Messenger account data, etc.), place of work, position held, data related to the object of performance of the concluded legal services contract – contracts, procedural documents, company performance documents, financial documents, correspondence of any kind, decisions of state / local self-government institutions, courts, other similar institutions, any communication, extracts from registers, other documents and information), including data on persons other than the client (client’s representatives) (contractors, litigants, partners, information on the client’s activities, personal life, data on minors (when they are customers or when the provision of services requires such information), etc., data on the health of persons, religious beliefs, sexual orientation, data on the criminal record of persons, if directly related to the provision of legal services, name, surname of parents, guardians, caregivers, relation of these persons with the client, correspondence (e-mail correspondence, mail correspondence), the content of the power of attorney to represent the person, as well as other Personal Data presented or required for the provision of legal servicesFor the entire period of provision of legal services and 10 (ten) years after the end of the provision of services (last contact), unless a longer mandatory minimum retention period would apply in accordance with the Data Protection Legislation, and the National Archives Act, Cap 477, and other legal provisions in Maltese Law. If the Personal Data is processed on the basis of consent – for the period of validity of the consent, and if the consent to process Personal Data is revoked earlier, then the Personal Data shall be retained until the expiry of the consent  Processing of the data is necessary for the conclusion and performance of the contract (Article 6 (1) (b) of the GDPR) The processing is necessary for fulfilment of a legal obligation imposed on the controller (Article 6 (1) (c) of the GDPR)   Legitimate interests of the controller or a third party (Article 6 (1) (f) of the GDPR)   The data subject has explicitly consented to the processing of his or her special categories of personal data for one or more of the specified purposes (Article 9 (2) (a) of the GDPR)   Processing of special categories of personal data which are manifestly made public by the data subject (Article 9 (2) (e) of the GDPR)   Processing of special categories of personal data is necessary for the establishment, exercise or defence of legal claims (Article 9 (2) (f) of the GDPR)
Administration of queries received through electronic information delivery channels, by telephone and e-mailName, surname, user account name, other account information, phone number, email address, address, address / address of the work place, name of the company being represented, position, topic of the query, content of the queryData related to the queries is retained for the entire communication period and 1 (one) year after the end of the communication If the Personal Data is processed on the basis of consent – for the period of validity of the consent, and if the consent to process Personal Data is revoked earlier, then the Personal Data shall be retained until the expiry of the consent  Consent of the data subject to such processing of the data (Article 6 (1) (a) of the GDPR) Legitimate interests of the controller or a third party (Article 6 (1) (f) of the GDPR)    
Organisation and conducting of events, including invitations for persons to the events and informing them about the eventsName, surname, telephone number, e-mail address, organisation represented, image data (image captured by capturing moments of the event)Data is retained for the entire period of organisation and execution of the event and 1 (one) year after the date of the event If the Personal Data is processed on the basis of consent – for the period of validity of the consent, and if the consent to process Personal Data is revoked earlier, then the Personal Data shall be retained until the expiry of the consent  Consent of the data subject to such processing of the data (Article 6 (1) (a) of the GDPR) Processing of the data is necessary for the conclusion and performance of the contract (Article 6 (1) (b) of the GDPR) Legitimate interests of the controller or a third party (Article 6 (1) (f) of the GDPR)  
Execution of direct marketing, presentation and publicity of our activities and analysis of the quality of our activitiesName, surname, telephone number, e-mail address, position, organisation representedData is retained for 5 (five) years from the date of receipt, unless the person withdraws his or her consent. The personal data shall then be retained until the expiry of the validity of the consentConsent of the data subject to such processing of the data (Article 6 (1) (a) of the GDPR) Legitimate interests of the controller or a third party (Article 6 (1) (f) of the GDPR)    
Evaluation, selection and data processing of data of candidates for the offered job in order to offer a job in the future  Name, surname, telephone number, e-mail address, address / address of the place of work, education and activity data, content of the CV, other information required for the selection / evaluation of the candidate or the information provided by the candidate itselfData is retained for the entire period of the selection and for 3 (three) months after the end of the selection (if the consent of the data subject has been obtained), unless the person revokes his or her consent earlierConsent of the data subject to such processing of the data (Article 6 (1) (a) of the GDPR) Legitimate interests of the controller or of a third party (Article 6 (1) (f) of the GDPR)  
Provision of the Company primary advisory servicesName, surname, position, place of work, address of the place of work, telephone number, e-mail address, content of the power of attorney to represent the person, communication details, information about the ordered servicesFor the entire period of provision of services/validity of the agreement/maintenance of relations and 10 (ten) years after the end of the agreement/relations, unless a longer mandatory minimum retention period would apply in accordance with the Data Protection Legislation, and the National Archives Act, Cap 477, and other legal provisions in Maltese Law.Processing of the data is necessary for the conclusion and performance of the contract (Article 6 (1) (b) of the GDPR) Legitimate interests of the controller or a third party (Article 6 (1) (f) of the GDPR)  

You have the right to refuse or withdraw your consent to the processing of your data at any time when the data is processed on the basis of your consent.

In some cases, we may send you messages related to the provision of the Services or call you, for example, we may inform you about the performance of the Services, etc. Such messages are necessary for the proper provision of the Services and shall not be considered promotional messages.

We publish information about ourselves and our activities in Social Network Accounts. In addition to this Privacy Policy, the users of Social Network Accounts are also subject to the privacy policies and policies of the managers of social networks that contain Social Network Accounts. When you contact us on Social Network Accounts, we may see certain information about your account, depending on the social network privacy settings you choose. If you post information by communicating with us on Social Network Accounts, depending on the privacy settings you choose, the information you post may be made public (for example, displayed on our specific Social Network Account).

You have the right to change and update your information provided to us. In some cases, we need to have accurate, up-to-date information about you, so we may ask you to periodically confirm that the information we have about you is correct.

Personal data principles of use

  • We collect and process only such Personal Data which is necessary to achieve the purposes of the Personal Data processing we have specified.
  •  When processing your Personal Data, we:
  • Comply with the requirements of effective and applicable legislation, including the GDPR;
  • Process your Personal Data in a lawful, fair and transparent manner;
  • Collect your Personal Data for specified, clearly defined and legitimate purposes and do not process it in a way incompatible with those purposes, except to the extent permitted by law;
  • Take all reasonable steps to ensure that Personal Data that is inaccurate or incomplete, in accordance with the purposes for which it is processed, would be rectified, supplemented, suspended or deleted without delay;
  • Keep it in such a form that your identity can be established for no longer than it is necessary for the purposes for which the Personal Data is processed;
  • Do not provide the Personal Data to third parties or disclose it, in other ways than as set forth in the Privacy Policy or applicable law;
  • Ensure that your Personal Data is processed securely.

Personal Data transfers

We will only transfer your Personal Data as described in this Privacy Policy.

We may transfer your Personal Data to:

  • Our partners or consultants, such as auditors, other attorneys, tax consultants, etc., as well as Personal Data processors invoked by us, such as ancillary service providers, IT companies, advertising and marketing service companies, archive service providers, accounting services companies, companies providing insurance services or collecting payments, etc. We require the data processors to retain, process and handle the Personal Data as responsibly as we do and only in accordance with our instructions. You can find a list of our partners here:
  • Advertising, marketing;
  • Accounting and financial services;
  •  IT solutions;
  • Telecommunication services;
  • State or local self-government institutions and establishments, law enforcement and pre-trial investigation institutions, courts and other dispute resolution institutions, other persons performing functions assigned by law, in accordance with the procedure provided for by legal acts of the Republic of Malta.
  • Our partners in other countries (if required for the provision of the Services) who provide advisory services;
  • Other third parties (such as payment institutions, etc.);
  •  If necessary, to companies that would cooperate with us or cooperate in another form, as well as to companies established by us.

Outside EEA transfers

We normally process Personal Data in the EEA, but in some cases your Personal Data may be transferred outside the EEA. Your Personal Data will only be transferred outside the EEA under the following conditions:

  • The data is transferred only to our trusted partners, with whom we have signed standard contractual clauses approved by the European Commission, which ensure the security of your Personal Data;
  • A special permit has been obtained from the Office of Information and Data Protection Commissioner of the Republic of Malta to carry out such a transfer;
  • The European Commission has taken a decision on the suitability of the country in which our partner is established, i.e. an adequate level of security is ensured; or
  • You have given consent to the transfer of your Personal Data outside the EEA.

Your duties

When you receive personal data from us during the provision of the Services or cooperation with us, you agree to:

  • comply with the GDPR and other laws governing the processing of the Personal Data and cooperate with us in order to enable us to fulfil our obligations under the said legal acts;
  •  no later than within 4 hours from the incident having occurred, notify us about the personal data security breach related to the Personal Data transferred to you, by specifying at least the circumstances of the breach and the measures taken to mitigate the consequences of the breach.

When you provide us with Personal Data in the course of cooperation, you agree to:

  • inform all natural persons whose Personal Data you transfer (employees, agents, members of the management bodies, other persons), to the extent provided by the GDPR and before the transfer of the Personal Data, that their Personal Data may be transferred to us and may be processed by us for the conclusion and/or performance of the contract between you and Compliance Partners, and, upon our request, provide evidence to that effect without delay;
  • notify us of the obligation to update, delete or restrict the processing of the Personal Data transferred;
  • not to transfer to us the Personal Data of any persons who have not been notified of the processing of their data by us.

Your rights

As a data subject, you have the following rights with regard to your Personal Data:

Your rightImplementation and certain restrictions (depending on the situation and additional conditions imposed by the GDPR)
Be aware (informed) about the processing of your Personal Data (right to be aware);
(Article 13, Article 14 of the GDPR)
You have the right to receive information about the processing of your Personal Data in a concise, simple and comprehensible language.
Access to your Personal Data and be aware of how they are processed (right of access)
(Article 15 of the GDPR)
This right means that you can ask us to provide you with:
·       Confirmation that we are processing your Personal Data;
·       A list of your Personal Data being processed;
·       A list of the purposes and legal basis of the processing of your Personal Data;
·       A confirmation whether we are sending Personal Data to third countries and, if so, what safety measures have been taken;
·       The source of your Personal Data;
·       The information on whether profiling is applied; ·       The indication of the data retention period. We will provide the above information provided that this does not infringe on the rights and freedoms of others.
Right to request rectification or, depending on the purposes of the processing of personal data, supplementation of you incomplete Personal Data (right of rectification)
(Article 16 of the GDPR)
Applicable if the information we hold about your Personal Data is incomplete or inaccurate.
Require the erasure of your Personal Data or the suspension of the actions of processing of your Personal Data (except for retention) (the right to erasure and the right “to be forgotten”);
(Article 17 of the GDPR)
Applicable if:
·       The information we have is no longer needed to achieve the stated purposes;
·       We process the data with your consent and you withdraw your consent;
·       We process the data on the basis of legitimate interests and it is established, upon your request, that your private interests prevail; ·       The information has been obtained unlawfully.
Require us to restrict the processing of Personal Data for one of the legitimate reasons (right to restriction)
(Article 18 of the GDPR)
This right can be exercised for the period when will be analysing the situation, i.e.:
·       If you dispute the accuracy of the information;
·       If you object to the processing of Personal Data when it is done on the basis of a legitimate interest;
·       We are using the information unlawfully, but you object to its deletion; We no longer need the information, but you are asking to retain it for the purpose of litigation.
Right to data portability
(Article 20 of the GDPR)
This right can be exercised if you have provided your data and we process it in an automated manner based on your consent or a contract concluded with you.

Direct Marketing and communication

If you do not want your Personal Data to be processed for direct marketing purposes, including profiling, you can opt out of such processing without giving reasons for your refusal (opposition) by writing an e-mail to info@compliancepartners.eu or in any other way specified in the message provided to you (for example, by clicking on the relevant link in the newsletter).

We may waive your rights listed above, except for refusing to process your Personal Data for direct marketing purposes or in other cases where the Personal Data is processed with your consent, where the provisions of the GDPR allow us to disregard your request or where in the cases provided for in the laws it is required to ensure the prevention, investigation and detection of crimes, violations of official or professional ethics, as well as the protection of the rights and freedoms of the data subject, us and others.

You may always submit any request or instruction related to the processing of the Personal Data to us in writing by e-mail info@compliancepartners.eu. When making such a request, we may, in order to better understand the content of your request, ask you to complete the necessary forms, as well as provide an identity document or other information (e.g., to confirm your identity with an electronic signature) that will help us verify your identity. Upon request by e-mail, depending on its content, we may ask you to come to us or make a written request.

Upon receipt of your request or instruction regarding the processing of the Personal Data, we will, no later than within 1 month from the date of the request, provide a response and carry out the actions specified in the request or inform you on the reason behind our refusal to perform them. If necessary, the specified period may be extended by a further two (2) months, depending on the complexity and number of applications. In this case, we will notify you of such an extension within 1 month of the date of receipt of the request.

We undertake to make every effort to respond to your requests in a timely manner and free of charge, except to the extent that it requires a disproportionate effort. We may charge a reasonable fee if your requests are manifestly unfounded, repetitive, or excessive.

If the Personal Data is deleted at your request, we will retain only copies of information that is necessary to protect the legitimate interests of us and other persons, to comply with the obligations imposed by governmental authorities, to resolve disputes, to identify disruptions, or to comply with any agreements you have concluded with us.

Please, note that withdrawal of the consent to receive any marketing communication from us, shall not automatically oblige us to delete your Personal Data or provide you with information about the Personal Data processed by us, therefore you must make such a request separately in order for us to take these steps as well.

Complaints

We hope that you won’t ever need to, but if you do want to complain about our processing of personal data, please contact us via email info@compliancepartners.eu. We will look into and respond to any complaints we receive.

You also have the right to lodge a complaint with Information and Data Protection Commissioner, File a complaint – IDPC.

Changes to this privacy statement

We recognise that transparency is an ongoing responsibility so we will keep this privacy statement under regular review.

 This privacy statement was last updated on 15th February 2023.