Privacy Policy
1. Introduction
This Privacy Policy applies to the following entities within our Group of Companies:
EMCS International Services Limited, a company incorporated and registered under the law of Malta bearing company registration number C25114 and having its registered office at Centris Business Gateway II, Level 4, Triq is-Salib tal-Imriehel, Zone 3, Central Business District, Birkirkara CBD 3020, Malta (which is authorised by the Malta Financial Services Authority (“MFSA”) to act as a Trustee or Co-Trustee in terms of Articles 43(3)), hereinafter referred to as (“EMCSI”);
EMCS Ltd, a company incorporated and registered under the law of Malta bearing company registration number C68521 and having its registered address at Centris Business Gateway II, Level 4, Triq is-Salib tal-Imriehel, Zone 3, Central Business District, Birkirkara CBD 3020, Malta (which is authorised by the Malta Financial Services Authority (“MFSA”) to act as a Class C Company Service Provider in terms of the Company Service Providers Act), hereinafter referred to as (“EMCS”);
EMCS Advisory Ltd, a company incorporated and registered under the law of Malta bearing company registration number C29798 and having its registered address at Centris Business Gateway II, Level 4, Triq is-Salib tal-Imriehel, Zone 3, Central Business District, Birkirkara CBD 3020, Malta (which is approved by the Malta Stock Exchange to act as a Corporate Advisor to companies listed on the Prospects Multilateral Trading Facility and providing ancillary advisory services), hereinafter referred to as (“EMCSA”);
Malta International Training Centre Ltd, a company incorporated and registered under the law of Malta bearing company registration number C5663 and having its registered address at Centris Business Gateway II, Level 4, Triq is-Salib tal-Imriehel, Zone 3, Central Business District, Birkirkara CBD 3020, Malta (hereinafter referred to as “MITC”) and/or
Bloom Research Limited, a company incorporated and registered under the laws of Malta bearing company registration number C42622 and having its registered address at Centris Business Gateway II, Level 4, Triq is-Salib tal-Imriehel, Zone 3, Central Business District, Birkirkara CBD 3020, Malta (hereinafter referred to as “Bloom”)
hereinafter together referred to as (“EMCS Group”) or (the “Firm”) and separately “each EMCS entity” and/or “We”.
This Personal Data Protection Policy (hereinafter “Privacy Policy”) outlines how we collect, use, disclose, and safeguard your personal data when you, the data subject, interact with EMCS Group through our website: www.emcs.com.mt, via electronic mail, by phone, and through any related social media applications. This Privacy Policy applies to all personal data we collect from individuals/entities who engage with our Group. The term “personal data” applies to all the personal data from which you, in your capacity as our data subject, are either identified or identifiable. The term “you” refers exclusively to those natural persons whose personal data We are processing for the purposes and in the manner described in this Privacy Policy.
2. About EMCS Group
EMCSI, EMCS, EMCSA, MITC and/or Bloom, separately, shall be the data controller (hereinafter “Data Controller”) for all personal data processed by each respective EMCS Entity. As Data Controller, each EMCS Entity is responsible for determining the type of data collected by each Entity separately, the purposes for which this data is utilized and the measures implemented to safeguard it.
In its role as Data Controller, each EMCS Entity works steadfastly not only to ensure compliance with data protection legislation but also to ensure that all processing activities align with our commitment to lawfulness, good governance, transparency and accountability.
Centris Business Gateway II
Level 4, Triq is-Salib tal-Imriehel
Zone 3, Central Business District
Birkirkara CBD 3020 Malta
If you have any questions regarding how we process personal data or if you wish to exercise your data subject rights, please do not hesitate to reach us by sending an email to: data-protection@emcs.com.mt. We are dedicated to addressing your inquiries and ensuring that your rights concerning your personal information are respected and upheld.
3. Processing of Personal Data
3.1 Purpose of Data Processing
We process your personal data for one or more of the following lawful purposes:
- To provide you with information requested if you have given your consent for that purpose;
- For the performance and fulfilment of any contracts which we may have entered into with you or to prepare for the performance and/or the conclusion of a contract as requested by you;
- If processing is necessary for compliance with a legal obligation to which We are subject;
- For the purposes of legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child (i.e. a person under the age of 18 years);
- To protect the vital interests of its employees (in case of the processing of sensitive personal data such as allergy information and so on).
The table in Annex I offers detailed information about the personal data we collect for each purpose, the legal basis for its collection, and the retention period for each type of data.
3.2 How do we collect and process your personal data?
Your personal data are collected by us whenever you fill in any form, visit our offices, send us an email, request any quotation or otherwise contact us in writing, whenever your images are captured on our closed circuit television system (when and if installed), whenever you sign an agreement with us and/or whenever you provide a service to us and/or whenever you visit our website. In this case, we collect your personal data directly from you.
We also receive your personal data if your personal data is sent to us by a third party such as a recruitment agency or any other party which is not you. In this case, we collect your personal data from such third party.
We process your personal data using the following methods: collection, storage, access, printing, storing in paper format, storing on servers locally and within the European Union and destruction. We also store your Personal Data insofar as necessary within all our legal obligations, as shall be explained in this Privacy Policy.
3.3 Types of Personal Data processed
We process the following personal data:
If you are an employee. All the personal data necessary for us to be able to put the employment agreement in force. Essentially these include your name, address, telephone number, mobile number, email address, date of birth, social security number, your image (if a CCTV is deployed), any health conditions impinging on your employment, IBAN number, bank details, next of kin information and your marital status, if relevant to your tax and fiscal treatment.
If you are a visitor to our offices. Your name, your signature and your image on our CCTV system (if installed).
If you are a contracting party with us. If you are providing a service to us, if you are a panellist, if you are acquiring a service from us and/or if you are in contact with us in any contracting capacity, We process all the personal data relating to you necessary for us to fulfil our legal obligations to you including your name, your contact details, your payment information and any and all other information as may be necessary for the fulfilment of any agreement between us.
Any other data subjects (including visitors to the website). Name, address, financial information if necessary and, in the case of visitors to the website, any of the following:
- Log information about your use of this site including the type of browser you use, access times, pages viewed, your internet protocol (IP) address and the page you visited before navigating to our site, the Uniform Resource Locators (“URLs”) you access as well as your clickstream to, through and from our site;
- Information about the device and browser you are using whether it is a personal computer or a mobile device, including the hardware model, operating system and version, unique device identifiers and mobile network information (if applicable) and login information including browser type and version, time zone setting, browser plug-in types and versions, potentially geolocation;
- Information collected by Cookies and other tracking technologies. We use cookies and web beacons. Cookies are very small data files which are stored on the device memory (including a hard drive) that help us improve the way we serve you and how you experience our site. We also see which areas of our site or our services are most popular and we count visits to our website. Web beacons are also used – these are electronic images which may be used in our emails or services and help deliver cookies and also count visits and understand usage and any campaign effectiveness. Please see our cookie policy. You may choose to accept cookies or personalise your cookie experience by clicking here;
- Visit information. Data regarding your visit, including the Uniform Resource Locators (“URLs”) you access, as well as your clickstream to, through and from our site;
- the Personal Data you provide to us when you are filling out the form and emailing us through our website.
The above lists are as exhaustive as practically possible. However, technological updates may involve more or less personal data processed in which case, this Privacy Policy shall be updated by us as soon as practicable.
For more information on the lawful purpose/s (hereinafter “lawful purpose”) and data retention policy for personal data kindly see Annex I.
3.4 Principles relating to the processing by the Controller of Personal Data
We hereby declare and undertake that we process personal data in terms of and in full observance of the following principles:
- lawfully, fairly and in a transparent manner in relation to you;
- we collect personal data only for specified, explicit and legitimate purposes and do not further process it in a manner that is incompatible with the lawful purposes. Hence, the Controller processes the data only for the lawful purposes described in this Privacy Policy;
- the personal data collected shall be adequate, relevant and limited to what is necessary in relation to the lawful purpose (‘data minimisation’); To this end, you shall only be required to provide all the personal data which are strictly necessary for the lawful purpose;
- We shall ensure that all personal data shall be accurate and, where necessary, kept up to date and every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the lawful purpose for which they are processed, are erased or rectified without delay (‘accuracy’);
- We shall keep the personal data in a form which permits identification of your personal data for no longer than is necessary for the lawful purpose;
- All personal data processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard your rights and freedoms (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
These principles essentially mean that:
- We shall not use the personal data in any manner without a lawful purpose;
- We shall not sell or use the personal data for any commercial purposes unless in line with the lawful purpose for which the personal data was originally provided to us;
- We shall not retain personal data for longer than necessary;
- We shall not destroy personal data unless we’re authorised to do so in accordance with the law;
- We shall not ignore any requests by you for restriction of processing or objection to the processing of your Personal Data;
- We shall accede to all requests made by you in exercise of your rights within and to the extent as permitted by Law.
- No EMCS Entity shall transfer personal data to another EMCS Entity without a lawful purpose or without observing the principles listed herein.
4. Storage of Personal Data
EMCS Group is a Malta domiciled organisation whose offices are in Malta. Our websites and web applications are hosted in the EU and are accessed only by our EU-based staff.
Our customer relationship management, marketing, market research, timekeeping and accounting systems for all our businesses are either EU-based or hosted by companies that participate in the EU-U.S. Data Privacy Framework.
We use a wide range of Cloud Service Providers (CSPs) to process and host our data. Unless we specifically state otherwise, we are, in respect of all these CSPs, the data controller and the CSPs that we use utilise EU-located processing facilities.
Our banking arrangements are based in the EU.
We regularly send documents to clients worldwide, therefore, we collaborate with logistics companies located outside the EU that operate in various countries. We maintain appropriate legal and security relationships with these partners.
We may share personal data with parties situated in the United States of America but only if such party is within the EU-US Data Privacy Framework. We shall not, in any case, transfer any personal data outside of the EEA without the appropriate safeguards, without a lawful purpose, or otherwise than in full compliance with the GDPR. In such cases, we shall update the present Privacy Policy.
We implement a data retention policy for all types of data, both paper-based and digital. The specific aspects related to personal data are detailed in the table provided in Annex I.
5. Data Security
We have implemented proportionately appropriate security controls to protect personal data, including conducting risk assessments to evaluate potential threats to the rights and freedoms of data subjects. However, we cannot control what occurs between your device and the boundary of our information infrastructure. It is important for you to be aware of the various information security risks which are beyond our control and which are beyond all the security measures which we may reasonably implement and that inherently exist in all communication systems and to take appropriate measures to safeguard your own information. We accept no liability for breaches that occur outside our control.
6. Your Rights As a Data Subject
As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please email data-protection@emcs.com.mt or use the information provided in the "Contact Us" section below. Your rights are as follows:
6.1 Your right to be informed
As a data controller we are obliged to provide clear and transparent information about our data processing activities. This information is detailed in this Privacy Policy and any related communications we may send you.
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if applicable, the authority of any third-party requester, we will provide access to your personal data along with the following information:
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients to whom the personal data has been disclosed;
- The retention period or envisioned retention period for that personal data;
- When personal data has been collected from a third party, the source of the personal data.
If there are exceptional circumstances that prevent us from providing this information, we will explain them. We reserve the right to refuse requests that are frivolous or vexatious. If fulfilling requests is likely to require additional time or incur unreasonable expenses (which you may be responsible for), we will inform you in advance.
6.2 The right to rectification
If you believe that we hold inaccurate or incomplete personal information about you, you have the right to request correction or completion of this data. You may also exercise this right in conjunction with the right to restrict processing to ensure that incorrect or incomplete information is not processed until it is corrected.
6.3 The right to erasure
If you believe that we hold inaccurate or incomplete personal information about you, you have the right to request correction or completion of this data. You may also exercise this right in conjunction with the right to restrict processing to ensure that incorrect or incomplete information is not processed until it is corrected.
6.4 The right to restrict processing
You may ask us to stop processing your personal data. While we will retain the data, we will not process it further. This right serves as an alternative to the right to erasure. You may exercise this right under the following conditions:
- The accuracy of the personal data is contested;
- Processing of the personal data is unlawful;
- We no longer need the personal data for processing, but it is required for part of a legal process;
- You have exercised your right to object, and processing is restricted pending a decision on its status.
6.5 The right to data portability
You may request that your set of personal data be transferred to another controller or processor in a commonly used and machine-readable format. This right applies only if the original processing was based on consent or contractual obligation and if it is conducted by automated means.
6.6 The right to object
You have the right to object to our processing of your personal data when:
- Processing is based on legitimate interests;
- Processing is for direct marketing purposes;
- Processing is for scientific or historical research;
- Processing involves automated decision-making and profiling.
7. Exercise of Data Subject Rights
In order to exercise any of the rights listed in Clause 6A, you shall send an email to: data-protection@emcs.com.mt and request the right and/or rights which you would want to exercise. We shall endeavour to accede to the request as soon as it is technically possible.
Likewise, any comments, questions or suggestions about this Privacy Policy or our handling of your personal data should be emailed to data-protection@emcs.com.mt.
Alternatively, you can contact us using the following postal address or telephone numbers:
Centris Business Gateway II
Level 4, Triq is-Salib tal-Imriehel
Zone 3, Central Business District
Birkirkara CBD 3020
Malta
Telephone: +356 2777 2777
Our phone operators are available between 09:00 and 17:30 CET, Monday to Friday, and will take a message and ensure the appropriate person responds as soon as possible.
8. Breaches and Complaints
Should you wish to discuss a complaint, please feel free to contact us using the details provided above. All complaints will be treated in a confidential manner.
Should you suspect a personal data breach likely to result in a risk to your rights and freedoms, you are invited to lodge a report with the Data Protection Officer at: data-protection@emcs.com.mt.
We shall investigate such report and take all the necessary measures in terms of the General Data Protection Regulation and the Data Protection Act, 2018 to ensure that your rights and freedoms and your personal data are fully protected, including but not limited to, all the measures in the General Data Protection Regulation. Should the circumstances so warrant in terms of the General Data Protection Regulation, we shall report the breach to the Information and Data Protection Commissioner in terms of the General Data Protection Regulation. Simply put, if a breach is confirmed and there is a risk for you, we shall inform the Information and Data Protection Commissioner within 72 hours of becoming aware of the breach. Immediate actions are to be taken to contain the breach and minimize further damage. Following this, measures are recommended and implemented to minimize the risk of the data breach recurring.
In any case, you shall also have the right to inform and report the said breach to the Information and Data Protection Commissioner at the following website: https://idpc.org.mt/report-a-breach/
The full details of the Information and Data Protection Commissioner (Malta) may be obtained from the following website: https://idpc.org.mt/contact/
Other contact details of the Information and Data Protection Commissioner are as follows:
Address: Floor 2, Airways House, Triq Il-Kbira, Tas-Sliema SLM 1549
Telephone number: +356 2328 7100
Email address: idpc.info@idpc.org.mt
Furthermore, should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority within the European Union. For Malta, this is the Office of the Information and Data Protection Commissioner, who is also our lead supervisory authority. Its contact information can be found at https://idpc.org.mt/en/Pages/contact/Contact-Information.aspx.