The Energy and Water Agency forms part of the Ministry for Energy and Water Management and therefore data collated from and by the Agency may be shared with the Ministry. Furthermore, if the Agency merges with another agency or governmental entity, your information may be transferred to the new (merged) entity.
This policy is made compliant with the General Data Protection Regulation EU 2016/679 (“GDPR”, “Regulation”), and the Data Protection Act (Chapter 586 of the Laws of Malta).
1.3 This policy is based on the following data protection principles:
- The processing of personal data shall take place in a lawful, fair and transparent way;
- The collecting of personal data shall only be performed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- The collecting of personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed;
- The personal data shall be accurate and where necessary, kept up to date;
- Every reasonable step shall be taken to ensure that personal data that are inaccurate having regard to the purposes for which they are processed, are erased or rectified without delay;
- Personal data shall be kept in a form which permits identification of the data subject for no longer than it is necessary for the purpose for which the personal data are processed;
- All personal data shall be kept confidential and stored in a manner that ensures appropriate security;
- Personal data shall not be shared with third parties except when necessary for them to provide services upon agreement;
- Data subjects shall have the right to request access to and rectification or erasure of personal data, or restriction of processing, or to object to processing as well as the right of data portability.
- WHAT INFORMATION WE COLLECT?
2.1 Any information we collect by which you can be personally identified shall be considered Personal Data. As such, your name, email address, home address, telephone number and date of birth are all considered Personal Data. When you browse our website, we also automatically receive your computer’s internet protocol (IP) address to provide us with information that helps us learn about your browser and operating system.
2.2 We collect different types of information from or through the following Services:
- By using online forms;
- When you email us your details;
- Through surveys which we, or companies engaged by us for such purpose, undertake;
- With your explicit consent when signing up for our Newsletter.
- LEGAL BASIS
All information provided to the Agency will be solely used as may be necessary to provide you with the required service. The Agency processes your personal data on the basis of the following legal bases:
- Official authority vested in the Controller – we process your personal data on the basis of Article 6(1)(e) of the GDPR i.e. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- Entering into and performing a contract – we process your personal data on the basis of Article 6(1)(b) of the GDPR, in particular to provide you with the services you have requested from us and as necessary for the performance of a contract;
- Compliance with legal obligations – we process your personal data on the basis of Article 6(1)(c) of the GDPR, in particular obligations imposed on us to adequately carry out our functions related to the design, implementation and dissemination of water, conventional energy and alternative energy policy;
- Our legitimate interests – we process your personal data on the basis of Article 6(1)(f) of the GDPR, in particular legitimate interests which may arise directly or indirectly in relation to the services provided e.g. we may process your personal data for the purposes of establishing, exercising or defending legal proceedings. The Agency shall always ensure that your own interests, rights and freedoms are safeguarded.
- Consent – we process your personal data on the basis of Article 6(1)(a) of the GDPR, in particular when the data subject has given consent to the processing of his or her personal data for one or more specific purposes, for example, to share our Newsletter with our subscribers. Should the data subject change his/her mind after opting in, s/he may withdraw his/her consent at any time by clicking here and filling in the form. By doing so, all information we hold about you in relation to the Newsletter subscription shall be deleted.
- WHAT DO WE DO WITH YOUR INFORMATION?
4.1 Your Personal Data is processed by us to provide you with the requested Services and for the following Purposes:
- Set-up, administer and manage your records;
- Provide and personalise the Services;
- Receive and respond to your communications and requests;
- Ensure that we can fulfil our statutory obligations regarding your records, including by verifying the accuracy of any information you give us;
- Carry out market research campaigns;
- Prepare statistics relating to the use of the Services by you and other customers;
- Support any other purpose necessary for the performance of our contractual obligations or specifically stated at the time at which you provided your Personal Data.
5.1. Except as described in this Policy, we will not intentionally disclose the Personal Data that we collect or store on the Service to third parties without your consent. We may disclose information to third parties if you explicitly consent to us doing so, as well as in the following circumstances:
- Any company which assists us in providing the Services or which otherwise has a need to know such information;
- Any third party which assists us in providing the Services;
- Any third party which can assist us in verifying the accuracy of your Personal Data, including financial institutions and credit reference agencies (a record of the search may be retained by such third party);
- Any third party which assists us in monitoring use of the Services;
- Any contractors or other advisers auditing any of our business processes or who have the need to access such information for the purpose of advising us;
- Any law enforcement body which may have any reasonable requirement to access your Personal Data;
- The responsible Ministry of which the Agency forms part and to which it reports;
- In the event of the Agency merging with another agency or governmental entity, your information may be transferred to the new (merged) entity; and
- Any statutory body or authorised entity which has any reasonable requirement to access your Personal Data.
5.2. If at any time you wish us to stop processing your Personal Data for the above purposes, then you must contact us, and we will take the appropriate steps to stop doing so. Please note that this may mean that you may not be able to use all our Services.
- DATA SUBJECT RIGHTS
6.1 As a data subject you have certain rights in relation to your personal data including:
- Right of Access – you have the right to ask us for copies of your personal data that is being processed. There are some restrictions, which means you may not always receive all the information we process;
- Right to Erasure – you have the right to ask us to delete your personal data in certain circumstances. This is not an absolute right and shall depend on our established retention periods;
- Right to Object – you have a right to object and request that we cease the processing of your personal data where we rely on our, or a third party’s legitimate interests for processing your personal data or a task carried out in the public interest;
- Right to Portability – you may request that we provide you with certain personal data which you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may also request that we transmit such personal data to a third-party controller indicated by you;
- Right to Rectification – you have the right to update or correct any inaccurate personal data which we hold about you;
- Right to Restriction – you have the right to request that we stop using your personal data in certain circumstances, including if you believe that we are unlawfully processing your personal data or that the personal data we hold about you is inaccurate;
- Right to withdraw your consent – where our processing is based on your consent, you have the right to withdraw your consent. Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent;
- Right to be informed of the source – where the personal data we hold about you was not provided to us directly by you, you may also have the right to be informed of the source from which your personal data originates; and
- Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, you shall also have the right to an effective judicial remedy where you consider that your rights under the Regulation have been violated as a result of the processing of your personal data in contravention of the Regulation.
6.2 Your rights in relation to your personal data are not absolute. If you intend to exercise one or more of your rights, please send your request to firstname.lastname@example.org
6.3 No fees are applicable when exercising your rights. Moreover, you will be provided with a response without undue delay, and in any event within one month, which starts running as soon as your identity is verified.
Following your request to exercise your rights, the Agency may need to request specific information from you to help verify your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
- THIRD-PARTY WEBSITES
7.1 The Service may contain features or links to websites and services provided by third parties.
7.2 The Agency will not send you unsolicited information regarding any third party’s products or services.
7.4 When you click on links on our website, they may redirect you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
- We take appropriate security measures to protect against the loss, misuse and unauthorised access, alteration, disclosure, or destruction of your information. The Agency has taken steps to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services processing Personal Data, and will restore the availability and access to information in a timely manner in the event of a physical or technical incident.
- The Website is protected by industry-standard SSL (Secure Sockets Layer) encryption. This technology encrypts all personal data transferred between you and us.
- However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. If you believe your Personal Data has been compromised, please contact the Agency’s Data Protection Officer at email@example.com.
- If we learn of a security systems breach, we will inform you of the occurrence of the breach in accordance with Applicable Law.
- DATA RETENTION
9.1 This Section sets out our data retention policies and procedure, designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
9.2 Personal Data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
9.3 We only retain the Personal Data collected from a User for as long as we need it to fulfil the purposes for which we have initially collected it, unless otherwise required by law. We will retain and use information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, after which point your data will be erased.
9.4 In some cases, it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:
- The purpose(s) for which your information was collected in the first place;
- Whether there are any statutory obligations, obliging us to continue to process your information;
- Whether we have a legal basis in place to continue to process your information, including but not limited to consent;
- The value attached to your information;
- Whether there are any industry practices stipulating how long information should be retained;
- The risk, cost and liability attached to such retention; and
- Any other relevant circumstances.
- INTERNATIONAL TRANSFERS
- CONTACT INFORMATION
The Agency has a Data Protection Officer who is responsible for matters relating to privacy and data protection. The Agency’s DPO can be reached at the following address:
Data Protection Officer
Energy & Water Agency
Luqa, LQA 9043
Version 2019.01 | Last Update: 13th August 2019