Damask requires the collection and use of certain personal data on various individuals. These include customers, suppliers, business contacts, employees and other natural persons and/or entities with whom Damask has a relationship with or whom we may need to contact.
Should you require further information regarding our privacy practices, kindly do not hesitate to contact us via e-mail at email@example.com.
“Controller” or “Data Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data subject” refers to any living person (natural person) whose personal data is being collected, held or processed.
“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
“Processor” or “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Processing” means any operation/s which is/are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
NB: Information in relation to legal persons (e.g. company, other legal entities) does not constitute personal data in terms of both the Act and the GDPR. Nonetheless, the aforesaid information will still be handled in a confidential manner, in accordance with Our standard internal practices and professional secrecy obligations.
Collection of Personal Data
On a general note, we collect personal data pertaining to our employees, suppliers and customers on a regular basis to be able to conduct business activities. We typically collect personal data:
- At the initial stages of the business relationship;
- Throughout the course of the business relationship, whenever a legitimate need arises;
- When so is required to satisfy any statutory obligations to which we are subject;
- For the performance of a contract to which the data subject is party;
- When one accesses and uses our website www.damaskinvestment.eu;
- When a person voluntarily approaches us in other circumstances, for example when seeking employment or any information on our services and business.
When processing your personal data for the purposes indicated in this Policy, we are generally qualified as data controllers.
Personal Data which is Collected
The following is an indicative (but non-exhaustive) list of the personal data that we collect and process:
- The personal data (including information provided verbally, due diligence documents if applicable etc.) collected for the establishment of the business relationship;
- Details of identity including name, surname, employer, title, position and marital status;
- Contact data such as e-mail address, residential address, skype contact, telephone and mobile numbers;
- In case of corporate clients; we may collect identity and contact data in relation to directors and/or legal and judicial representatives;
- Technical data encompassing internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices which you (irrespective of whether you are a client or otherwise) use to access and browse the our website;
- Information regarding how one who accesses our website makes use of it;
- Any other personal information which may be provided to us by the data subject voluntarily.
Lawfulness of Processing
Personal data will be processed based on the following legal grounds:
- Performance of contracts to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- To carry out one or more of our legal obligations;
- When the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
- When we have a legitimate interest to process the data, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Kindly note that special categories of data, which include information about the data subject’s racial or ethnic original, political views, religious or political beliefs, trade union membership, genetic, biometric or health data, sexual orientation and data related to your conviction and offences; are not typically processed. However, we may come across some of the above mentioned information when collecting data of our employees when we are required by applicable laws and obligations to collect and store such information (e.g. for processing of payroll)
Purposes for Processing Personal Data
We may process your personal data for the following purpose/s:
- Establishing and maintaining the business relationship, including use for the purposes of processing payments, accounting, auditing, billing and collection and other support services;
- To provide services, as engaged and/or instructed or authorised by you or your organisation;
- To ensure compliance with our legal obligations;
- To log, deal and track any complaints received;
- To ensure business policies are adhered to, e.g. policies covering security and internet use and to prevent unauthorized access and modifications to systems;
- To update and enhance client records;
- For marketing our services;
- To identify representatives of our clients, suppliers and/or service providers;
- For recruitment and employment purposes and compliance with statutory requirements such as payroll, social security contributions and income tax deductions;
- Securing access to our office.
Irrespective of how we have collected the data subject’s personal data, we undertake that we will only process such data only for the purpose for which we have collected it or for other purposes which are inherently related thereto, including also any fulfilment of any legal or regulatory obligation imposed on us. When processing personal data for purposes other than the purpose for which personal data was collected, and still strictly connected to the purpose for which such data was collected, we shall inform you accordingly.
Sharing the Personal Data
In the course of conducting business, it might be necessary for us to share the data subject’s personal data with the following third-party recipients:
- Other entities within the Damask group;
- Selected professionals and employees within the entity, on a need to know basis;
- Other entities or institutions that are involved in the process of facilitating our services / billing (e.g. banks, IT and accounting service providers);
- Third parties to whom disclosure may be essential in light of the relationship with the data subject;
- Any business partners to whom the data subject may have requested that his/her personal data will be transferred;
- Third parties to whom disclosure may be required to comply with legal requirements. Personal data will not be transferred to third-parties located outside the EU or European Economic Area (EEA) unless specifically instructed to do so by the data subject. However, there are instances whereby it would be necessary to transfer personal data to countries which are not subject to the same level of data protection legislation, such as:
- When the services providers are located outside the EU/EEA;
- If the data subject is situated outside the EU/EEA;
- If there is a dispute in foreign jurisdictions.
Personal data will only be retained exclusively for the period which is necessary to fulfil the purposes for which we collected it (the provision of the services and the ongoing business relationship with you) and thereafter, for the purpose of satisfying further legal and regulatory requirements or obligations to which we are subject. This period may also be extended further to be able to assert, exercise or defend possible future legal claims against or otherwise involving the data subject.
In the context of a contractual relationship between us and the data subject, the latter’s personal data will be retained for a period of five (5) years from the termination date of the contractual relationship on the basis of legitimate interests to protect ourselves against any civil disputes in relation to the aforementioned contractual relationship. With reference to invoices, credit notes and other similar documentation or information, including all personal information collected for compliance with our legal obligations in terms of applicable laws and regulations with respect to accounting, audit, tax and VAT, these will be normally retained for a period of ten (10) years from the date of the relevant submissions based upon legal obligations to which we are subject.
Moreover, the above-mentioned time periods may be extended for longer periods when we have a legitimate interest related to exercising or defending legal claims or in case of inspections by relevant authorities.
Personal data which was provided based upon the data subject’s consent, shall only be exclusively retained up until the data subject withdraws his/her consent.
Data Subject’s Legal Rights
Data subjects have various rights vis-a-vis their personal data:
- The right to access personal data: The data subject may send us a request to access all the personal data we hold in his/her respect. To avail yourself of this right, kindly contact us at firstname.lastname@example.org. We will do our best to attend to the data subject’s request within one (1) month. In case of more complex requests, the timeframe will be extended by a further one (1) month. Should the data subject disagree with our judgement, s/he can complain to the Information and Data Protection Commissioner (IDPC) on https://idpc.org.mt/en/Pages/contact/complaints.aspx.
- The right to rectification: The data subject can also request that any inaccurate or incomplete personal data which we hold in his/her regard be corrected. Kindly contact us at email@example.com
- The right to erasure: there are certain instances where data subject may also elect to request deletion of his personal data. On a general note, we will comply with the data subject’s request in this regard. However, we may have the necessity not to comply if retention of the data is required for us to be compliant with a legal obligation and/or such data would be required by us to exercise or defense of any legal claims.
- The right to stop direct marketing messages
- The right to object: the data subject may object regarding his/her personal data being processed including when such processing is based on legitimate interest.
- The right to data portability: the data subject has the right to put forward a request asking us to provide him/her with certain personal data which s/he had provided us with in a structured, commonly used and machine-readable format. When technically feasible, the data subject may also request that his/her personal data be transferred to a third party controller of his/her choice.
- The right to withdraw consent: the data subject can also retract his/her previously given consent to any other consent-based processing at any time.
- The Right to Lodge a Complaint: Please be informed that you have the right to lodge a complaint against any personal data breach by communicating such breach to the Information and Data Protection Commissioner (“IDPC”) by filling in the complaint form available at https://idpc.org.mt/en/Pages/contact/complaints.aspx.
Security of Personal Data
Keeping the data subject’s personal data secure is of utmost importance to us. We undertake to put in our best efforts to keep any disclosed personal information secure by implementing the appropriate technical and organisational measures with the aim of protecting the data subject’s personal data against unauthorized or unlawful processing, encompassing also accidental losses, destruction, storage or access. We would appreciate if you could please understand that no system is perfect or can fully guarantee that the above-mentioned events will not occur.
Accuracy of information
It is important that personal information we hold about you is accurate and when necessary kept up to date. Kindly keep us informed if your personal information changes during our business or employment relationship.