DATA PROTECTION POLICY
Company Name: CME Co. Limited
Company Number: C 96091
Company Address: 264, Saint Thomas Street, Fgura, Malta
[Hereinafter referred to as the ‘Company’ and/or ‘We’ and/or ‘Our’]
Last updated: 31st July 2021
1. Introduction
In view of the business and the industry in which we operate, being importation and distribution of apertures, the Company, as data controller, collects, holds, and processes personal data about the following individuals: (a) Employees, (b) Clients/Customers, (c) Suppliers/Service Providers, and (d) other individuals whether related directly or indirectly to the Company.
(Together hereinafter referred to as ‘Data Subject/s’)
This Data Protection Policy sets out how the Company seeks to protect relevant personal data, how personal data is processed and moreover how we ensure that our employees and/or service providers appointed by ourselves understand the rules governing personal data to which they have access in the course of their work or in the course of their engagement.
This Data Protection Policy is prepared in line with the Data Protection Act (Chapter 586 of the Laws of Malta), the General Data Protection Regulation (Regulation EU 2016/679 of the European Parliament and of the Council dated 27th April 2016) (the “GDPR Regulation”) and any other applicable regulation under Malta law.
2. Definitions
The following definitions shall apply without prejudice to the definitions given by the GDPR Regulation, by the Data Protection Act (Chapter 586 of the Laws of Malta) and any other applicable rules and regulations. Moreover, these definitions shall apply where relevant and in the context of the Company and its business operations.
(a) Business purpose: the purposes for which personal data may be collected and processed:
- Administrative reasons;
- Warranty information;
- Payroll;
- for payment of service providers;
- to provide our services; and
- other business development purposes.
The Business purposes of the Company shall include the following:
- The importation, storage, filling and distribution of PVC, Aluminum and Wood apertures and importation, storage and installation of apertures for both domestic and industrial users;
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests;
- Managing warranty;
- Ensuring business policies are adhered to (such as policies covering email and internet use);
- Operational and Administrative reasons;
- Managing payroll for our employees;
- Managing complaints;
- Monitoring staff conduct, disciplinary matters (in the context of the Employer‐Employee relationship); and
- Development of our business.
(b) Personal data: any information relating to identifiable individuals, such as clients, customers, service providers, suppliers, current and former employees, job applicants, agencies, and other staff and marketing contacts.
Personal data may include:
- name and surname of individuals;
- identification number (both local and international);
- contact details (which could include residential address, mobile phone, telephone and/or email address);
- educational background;
- financial and payment details;
- details of certificates and diplomas;
- details of licences applicable to the Company’s business;
- marital status;
- nationality; and
- Curricula Vitae.
(c) Sensitive personal data: any personal data which is, in its nature, particularly sensitive in relation to fundamental rights and freedoms, consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Any processing of sensitive personal data by the Company is strictly controlled in accordance with this policy and the applicable law.
3. Scope
This Data Protection Policy applies to our customers, suppliers and collaborators, and our employees.
This policy supplements other relevant policies. We may supplement or amend this Data Protection Policy by additional policies and/or guidelines from time to time. Any new or modified policies will be circulated or updated online before being adopted.
4. Who is responsible for this policy?
Our Data Protection Officer has overall responsibility for the day‐to‐day implementation of this policy.
In line with this clause, the Company reserves the right to request third‐party legal assistance when it comes to specific requests for processing or for any other requests by clients, customers, employees and any other data subject.
The policy of the Company is to process personal data fairly and lawfully in accordance with the rights available to all individuals, which rights are made available by the GDPR but which shall be without prejudice to any other rights available to any other individual pursuant to any other relevant law and/or regulation.
Generally speaking, we shall not process personal data unless the individual whose details we are processing has given consent, or in furtherance of the provision of a service.
5. The processing
The processing of all data by the Company must be:
- Directly or indirectly connected to our Business purpose and to our operational procedures;
- Directly or indirectly connected to your needs and requests in the context of you being a client/customer, service provider, supplier or employee;
- Necessary and specific to deliver our services;
- In line with the right of any individual to privacy and confidentiality;
- In line with the Data Protection Act of Malta, the GDPR or any other relevant regulation issued by relevant authorities from time to time.
We may disclose personal data legally to third parties for accounting and/or payroll purposes.
6. Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant, and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unrelated purpose unless the individual concerned has agreed to this or it is necessary for the original purpose to be fulfilled.
Individuals may ask that we correct inaccurate personal data relating to them. The Company encourages any client, customer, employee and/or service provider to approach us, should any information that we hold be inaccurate, by emailing hr@cmefinishes.com.
7. Your Personal Data
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated from time to time, as required. For example, if your personal circumstances change, please inform the DPO on hr@cmefinishes.com or any other officer of the Company so that they can update your records.
8. Data Security
The Company endeavours to keep personal data secure against loss, misuse or destruction. Where we engage third‐party organisations to process personal data on our behalf, the DPO or other senior management will establish what, if any, additional specific data security arrangements need to be implemented in the contracts or arrangements with those third‐party organisations. It is to be noted, however, that responsibility for data storage and data protection remains with the Company even where such activities are delegated to third‐party organisations.
9. Storing data securely
In cases when data is printed and stored away in hard copies, the Company shall keep such in a secure place where only authorised personnel (as recorded by the Board of Directors from time to time) can access it.
When no longer needed, and also in line with the principle of the ‘right to be forgotten’, printed hard copy data shall be shredded by the Company.
Any data which is stored electronically on any server, computer or cloud system shall be protected by strong passwords that are changed regularly by our IT Department/IT Administrator. We encourage all employees to periodically create and amend their passwords and to store them away securely.
Any cloud system or storage media shall be approved by the Board of Directors or the DPO. The servers that contain personal data of clients, customers, employees and service providers shall be kept in a secure location within the premises of the Company or elsewhere as agreed by the Board of Directors from time to time. These servers are backed up via external hard disks in line with the IT Policy of the Company. The servers that contain sensitive data shall have approved and protected security software and a strong firewall. The DPO shall be responsible for reviewing such security systems from time to time.
Data stored on CDs or memory sticks must be locked away securely when they are not being used.
The Company does not allow any employee or service provider engaged by the Company to store any personal data directly on mobile devices such as laptops, tablets or smartphones.
10. Data Retention
The Company endeavours to retain personal data on any data subject for no longer than is necessary. The Company will maintain retention policies and procedures to ensure personal data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires that data to be kept for a minimum time. Our retention policy is to keep personal data for the minimum time required and/or the prescription period at law, or for a period of ten (10) years, whichever is longer.
The employee, at the termination of his/her engagement with the Company, may request that the personal data is removed and/or destroyed. Likewise, subject to our retention policies, any client, customer or third‐party provider may request the Company to delete and/or remove all data pertaining to itself.
11. Transferring data internationally
The Company and its employees may not transfer personal data anywhere within the EU or outside of the EU without first consulting the Data Protection Officer or a member of the Senior Management.
12. Subject access requests
All employees of the Company shall have a right to request from the Company information on the data being held about them. Likewise, clients, customers and/or service providers are entitled to ask the Company what information is being held about them or about a company in which they have a beneficial interest.
Please contact the DPO if you would like to correct or request information that we hold about you. There may also be restrictions under applicable law on the information you are entitled to receive.
13. Processing data in accordance with the individual’s rights
Direct marketing shall only be carried out in terms of applicable law. Explicit consent from the clients, customers, providers or suppliers shall be given prior to any marketing or solicitation.
Unless a business relationship already exists and the client or customer has already consented to information and marketing material, all employees are precluded from sending direct marketing material to someone electronically (e.g. via email). Please contact the DPO for advice on direct marketing before starting any new direct marketing activity.
14. Training
The Company endeavours to provide training in relation to data protection to all its employees. Employees will regularly review all the systems and processes under their control to ensure they comply with this Data Protection Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of personal data.
The Company reserves the right to appoint third party professionals to provide such training.
15. Privacy notice – transparency of data protection
Being transparent and providing accessible information to individuals about how we will use their personal data is important for the Company and shall be done with utmost care and diligence.
16. Conditions for processing
The Company shall ensure that any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data shall be aware of the conditions for processing. Examples of such conditions, most commonly used, are:
- with consent which shall not be presumed and can be withdrawn at any time;
- for the performance of a contract or to take steps to enter into a contract in particular when our services are requested, or one is an employee, a collaborator or a supplier;
- in furtherance of any legal obligation or regulation; and/or
- for legitimate interest, primarily to protect us from legal action or claims from third parties, including data subjects and/or to protect our legal rights and/or those of our employees, collaborators and/or suppliers.
17. Justification for personal data
Any personal data that shall be processed by the Company shall follow all the data protection principles envisaged by the GDPR and, where applicable, in line with any other principles as emanating from relevant authorities.
The Company shall document any additional justification for the processing of sensitive data and shall ensure that any biometric and genetic data is considered sensitive and processed only after specific consent is gathered by the Company.
18. Consent
The personal data that we collect shall be subject to an active consent by the data subject providing such information and data. This consent can be revoked by the data subject at any time by contacting the DPO on hr@cmefinishes.com.
19. Criminal record checks
The Company may be obliged to conduct due diligence on any data subject, particularly in the fields of Anti‐Money Laundering and Terrorist Financing, which are ‘Criminal’ in nature. Any criminal record checks or other relevant checks on the data subject are justified by relevant law, and therefore the Company shall have a right to request information from reputable authorities on any data subject in consideration of the Anti‐Money Laundering regulation or other criminal laws.
20. Data portability
Upon request, a client, customer, service provider, employee or any other data subject shall have the right to receive a copy of their data in a structured format. These requests should be processed within one (1) week, provided there is no undue burden and provided it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system.
21. The Right to be forgotten
A client, customer, service provider, employee or any other data subject may request that any information held by the Company relating to them is deleted or removed, and any third parties who process or use that data must also comply with such requests. An erasure request may only be refused by the Company if an exemption under applicable law applies.
22. Data audit and register
The Company may conduct regular in‐house data audits to manage and mitigate risks, which shall include information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant. Such audits shall be recorded and stored away.
23. Breaches
All employees shall have an obligation to report actual or potential data protection compliance failures. Amongst other things, this will allow the Company to:
- Investigate the failure and take remedial steps if necessary;
- Maintain a register of compliance failures; and
- Notify the relevant authority of any compliance failures that are material either in their own right or as part of a pattern of failures, in terms of applicable law.
24. Monitoring
All employees shall be obliged to observe this policy. The DPO has overall responsibility for this policy, and he/she shall monitor it regularly to make sure it is being adhered to.
25. Consequences of non‐compliance
Compliance with this policy is of utmost importance for the Company, and the Company understands that failure to comply with it puts the Company at risk of breaching Data Protection regulations, which carries serious consequences.
Any failure by any employee to comply with this data protection policy may lead to disciplinary action and, in exceptional cases, may lead to dismissal.
26. Cookies
Cookies are text files placed on your computer when you use a website.
We use analytics cookies to collect information about how visitors use our site, such as the pages visitors go to most often and where they have come to the site from. This information is collected anonymously and is only used to improve how our websites work. On the other hand, marketing and advertising cookies are used to deliver adverts more relevant to the user and his/her interests. Such cookies remember that the user has visited our website and are also used to limit the number of times you see an advertisement, which helps measure the effectiveness of the advertising campaign. It is important to note that this information is not shared.
You herein consent to cookies in accordance with applicable law.
27. Marketing
You herein explicitly agree to receive marketing information:
• from us about our products and services by choosing to opt‐in on the relevant registration form of the relevant website or service or through other means of engagement.
• from us about third party products and services by choosing to opt‐in on the relevant registration form of the relevant website, service or other forms of engagement.
28. Contact us
Our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. You may contact our Data Protection Officer at the details indicated below:
DPO
Address: 264, Saint Thomas Street, Fgura
Telephone: 21807000
Email: hr@cmefinishes.com
29. Changes to the Data Protection Policy
We will keep our policy under regular review and will place any updates on our web page.