Data Protection Policy

Data Protection Policy

The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 440) regulate the processing of personal data whether held electronically or in manual form. The Malta Council for Science and Technology (MCST) is set to fully comply with the Data Protection Principles as set out in such data protection legislation.

Purposes for collecting data
The MCST collects and processes information to carry out its obligations in accordance with present legislation.  All data is collected and processed in accordance with Data Protection Legislation and the Electronic Communications Networks and Services (General) Regulations, S.L. 399.28.

Recipients of data
Personal Information is only accessed by those MCST employees who are assigned to carry out the functions of the Authority in line with its duties prescribed at law. Personal Data will be disclosed to third parties when necessary but only as authorised by law.

Your rights
You are entitled to know, free of charge, what type of information the MCST holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the MCST is doing to comply with data protection legislation.

The GDPR establishes a formal procedure for dealing with data subject access requests.  All data subjects have the right to access any personal information kept about them by the MCST, either on a computer or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the Data Controller of the MCST, whose contact details are provided below.  Your identification details such as ID number, name and surname must be submitted with the request for access.  In case we encounter identification difficulties, you may be required to present an identification document.

The MCST aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of a request, unless there is a good reason for the delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request.  Should there be any data breaches, the data subject will be informed accordingly.

All data subjects have the right to request that their information is amended, erased or not used in the event the data results to be incorrect. In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.

The Data Controller’s Contact Details:

The Chairman of the MCST as the Data Controller of the Authority may be contacted at the:

Esplora, Interactive Science Centre
Triq il-Marina
Kalkara KKR 1320
Telephone:  (+356) 2360 2300 / 1        Email: info@esplora.org.mt

 The Information and Data Protection Commissioner’s Contact Details:

The Information and Data Protection Commissioner may be contacted at:
Level 2, Airways House,
High Street,
Sliema SLM 1549
Telephone:  23287100                    Email: idpc.info@gov.mt

Policy regulating the Retention of External Documentation

1. Scope

The General Data Protection Regulation (GDPR) (EU) 2016/679 and the Data Protection Act (DPA), Cap. 586 of the Laws of Malta put forward the principle that personal data and sensitive personal data should not be retained for periods that are longer than necessary. In this context, the Malta Council for Science and Technology (‘MCST’) has drawn up a retention policy for all external documentation that it collects and processes, with the purpose of ensuring compliance and to ensure that no resources are utilised in the processing and archiving of data which is no longer of relevance.

This policy is aimed at regulating the retention, maintenance and disposal of external documentation in accordance with the principles of data protection legislation, and other legal provisions in Maltese Law.

2. Objectives

This policy aims to achieve the following objectives:

1. Regulate the retention of and disposal of the various types of documentation whether held in manual or automated filing systems within the MCST, while adhering to the data protection principle that personal data should not be retained for a longer period than necessary.
2. Dispose of unnecessary documentation that is no longer relevant and is taking up useful storage space.
3. Promote the digitisation of documentation as may be reasonably possible in order to minimize the use of storage space required to store documentation, as well as to promote a sustainable use of paper and printing consumables.

3. Administration

Documentation is held and recorded by the MCST. This policy is therefore applicable to all such documentation. It will be the responsibility of the Chief of the relevant Unit and the Authority’s Data Controller to ensure that all provisions of this policy are adhered to.

4. Documentation held within the MCST and their Retention Period

As part of its operating requirements the MCST, requests, keeps and maintains a wide range of documentation including personal information. The retention of different categories of documents is governed by different requirements and different legislation and regulations and may be categorised as follows:

EU funded projects:

• Documentation in relation to EU funded projects: 10 years

Financial Documentation:

• Tax and National Insurance Records: 10 years
• Procurement Records: 10 years
• Accounting Records: 10 years
• Inventory Records: 10 years
• Yearly Financial Statements: 10 years

General Authorisations and Licences to provide commercial service (Electronic Communications and Posts):

• Active authorisations and licences (all): unlimited for as long as the authorisation or licence exists
• Cancellation of authorisation and licence (all): 25 years

Litigation:

• Documentation in relation to all forms of litigation including arbitration: 7 years from the final judgement (includes Court of Appeal were applicable)

Recruitment:

• Documentation in relation to the recruitment process i.e. published calls for posts, application forms/letters, CV of the chosen applicant, related correspondence, attendance at interviews, publication of results etc.: 1 year from publication of the call for the post.
• Documentation related to CVs of persons who applied for a post but were not chosen. The MCST shall request such applicants if they would like to grant their consent to the Authority to keep their CVs in case of any future similar posts: 1 year from the end of the recruitment process.
• Jobsplus report: 5 years from the end of the recruitment process.
• Application Forms for the filling of positions co-financed from EU Funds: 8 years from the end of the recruitment process.

Other:

• CCTV monitoring: 45 days
• Visitors Log: 3 months
• Affidavits: 10 years

5. Security of Documentation

1. Documentation is maintained in an accessible but secure location with adequate access provided to MCST officials who have the clearance level to access the relevant documentation. In the case of documents with sensitive personal data with higher clearance levels, access control protocols are fully adhered to, to ensure that only those that have the required security clearance have access to such documentation.
2. In the case of personal information, the GDPR also stipulates that only those required to process personal information should have access to personal records.
3. Personnel who are found to be in breach of these security protocols, and thus in breach of the GDPR, will be subject to disciplinary action.

6. Manual vs Electronic Records

In terms of retention periods, it needs to be pointed out that the same retention period will apply for both electronic and manual information.

7. Conclusion

This data retention policy aims to achieve a good working balance between the retention of useful and meaningful information in line with the provisions of the relevant legislation and the disposal of information which is no longer required and is being archived unnecessarily. Data that needs to be destroyed after the noted timeframes will be disposed of in an efficient manner to ensure that such information will no longer be available within the MCST. Data Protection Controllers and Data Protection Officers are aware of the noted retention periods and will instruct all relevant personnel to follow the indicated procedures accordingly.

It is to be noted that anonymised or statistical data do not fall within the parameters of this data retention policy, since they do not constitute identifying personal data.

Privacy Policy

We take data protection very seriously and endeavour to ensure that all personal data is protected through processes that are by-design targeted to keep personal data private, safe and secure. The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR). By means of this data protection declaration, we are informing visitors to this website of the nature, scope and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection policy declaration, of the rights to which they are entitled.

Data controller 

As the data controller, we take all the technical and organisational measures necessary, to ensure that all personal data is processed in the most correct, complete and accurate manner. The Controller for the purposes of the General Data Protection Regulation (GDPR), and other provisions related to data protection is:
Esplora, Interactive Science Centre
Villa Bighi,
Kalkara KKR1320
Malta
+356 2360 2300
info@esplora.org.mt

Collection of Information

We may collect, store and use the following kinds of personal data:
1. We may collect information about your computer and your visits to this website such as your IP address, geographical location, browser type, referral source, length of visit and number of page views. We may use this information in the administration of this website, to improve the website’s usability, and for marketing purposes.
2. Information that you provide to us for the purpose of registering with us and/or subscribing to our website services and/or email notifications.

Use of Cookies

This website uses cookies. A cookie is a text file sent by a web server to a web browser, and stored by the browser. The text file is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.

We may send a cookie which may be stored on by your browser on your computer’s hard drive. We may use the information we obtain from the cookie in the administration of this website, to improve the website’s usability and for marketing purposes. We may also use that information to recognise your computer when you visit our website, and to personalise our website for you in some ways.

Most browsers allow you to refuse to accept cookies. (For example, in Internet Explorer you can refuse all cookie by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector.) This may, however, have a negative impact upon the usability of many websites, including this one.

Use of Personal Data

Personal data submitted on this website will be used for the purposes specified in this privacy policy or in other relevant parts of the website. In addition to the uses identified elsewhere in this privacy policy, we may use your personal information to:
1. Improve your browsing experience by personalising the website;
2. Send information to you which we think may be of interest to you by post or by email or similar technology;
3. Send you marketing communications material relating to our business (or the businesses of carefully-selected third parties) which we feel may be of interest to you by post or, where you have specifically agreed to this, by email or similar technology (you can inform us at any time if you no longer require marketing communications to be sent by emailing us.
4. Provide other companies with statistical information about our users, but this information will not be used to identify any individual user.

Newsletter Subscriptions

Visitors to our premises and website as well as contacts coming through email or other methods of communication may have the opportunity to opt-in to subscribe to our newsletter. When a user subscribers, a confirmation e-mail will be sent to the e-mail address to have a double opt-in procedure to confirm that the owner of the e-mail address as the data subject is desiring to receive the newsletter. During the registration process, our system stores the IP address of the data subject’s computer used at the time of registration, as well as the date and time of the registration. The collection of this data is necessary in order to understand the (possible) misuse of the e-mail address of a data subject at a later date, and is done for our own legal protection as the data controller.

We will NEVER provide your personal information to any third parties for the purpose of direct marketing without your express prior consent.

Personal data is retained for the period when the data subject is considered to be our client or until such time that the data subject chooses to opt-out of the mailing list. Every email post we send out to our subscribers includes options to opt-out very easily or update the user profile with any new information.

Your Rights

As the data subject, The General Data Protection Regulation provides you with the following rights:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

Other Disclosures

In addition to the disclosures reasonably necessary for the purposes identified elsewhere in this privacy policy, we may disclose information about you to the extent that we are required to do so by law in connection with any legal proceedings or prospective legal proceedings, except as provided in this privacy policy, we will not provide your information to third parties.

International Data Transfer

Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this privacy policy.

Security of Personal Data

We will take reasonable precautions to prevent the loss, misuse or alteration of your personal information. Of course, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.

Policy Amendments 

We may update this privacy policy from time-to-time by posting a new version on our website. You may want check this page occasionally to ensure you are happy with any changes.

Third Party Websites

This website may contains links to other websites. We are not responsible for the privacy policies (or content) of third party websites.
Enquiries on personal data processing may be address to us on info@esplora.org.mt

Contact Information:
Esplora
Interactive Science Centre
Villa Bighi,
Kalkara KKR1320
Malta
+356 2360 2300
info@esplora.org.mt

Version 2018.02 | Last Update: 25th October 2018