Privacy notice on the processing of Inspectorate Malta Ltd prospects personal data 

PRIVACY NOTICE ON THE PROCESSING OF INSPECTORATE MALTA LTD PROSPECTS PERSONAL DATA pursuant to Article 13 of EU Regulation 2016/679 

This policy (the "Policy") is provided pursuant to art. 13 of Regulation (EU) 679/2016 ("GDPR") in relation to the processing of potential clients’ personal data of Inspectorate Malta Ltd. (the “Potential clients”). 

  1. DATA CONTROLLER
    The Data Controller is Inspectorate Malta Ltd, with registered office in Spencer Hill, Marsa (MRS), 1959, Malta, VAT no. MT19326831 (hereafter “Bureau Veritas” or the “Controller”), part of the Bureau Veritas Group.
  2. DATA CONTROLLED
    The Data Controller processes your personal data – collected through the completion of certain forms, on-line forms or through telephone contacts and company contact details or through contacts made on social platforms (such as LinkedIn) – such as identification data (name, surname, company name, VAT number) and contact data (such as e-mail address and telephone number) and any further information provided spontaneously by the data subject (the "Data").

  3. PURPOSE AND LEGAL BASIS OF THE PROCESSING
    The Data Controller processes your Data according to the following purposes and legal bases:

    3.1 Execution of pre-contractual measures adopted at the request of the interested party
    Data will be processed to create a contact and evaluate the opportunity to establish a contractual relationship with the company, including by sending invitations to participate in meetings with the Data Controller and/or sending quotes at the request of the data subject.

    The provision of Data for the aforementioned purpose is necessary as it is instrumental to the potential establishment of a contractual relationship with the Data Controller. In the event of a total or partial refusal to provide the Data for these purposes, the Data Controller will not be able to assess the establishment of the contractual relationship.

    3.2 Compliance with legal obligations
    The Data may also be processed to allow the Data Controller to fulfil the obligations established by law, by a regulation, by EU legislation or by an order by Authorities.

    The provision of Data for this purpose is necessary to follow up on the legal obligations to which the Data Controller is subject.

    3.3 Legitimate interest (legal protection)
    The Data will be processed to exercise the rights of the Data Controller, such as the right of defence in court. This legitimate interest is to be considered prevailing because it corresponds to a constitutionally guaranteed right and, as such, is socially recognized as prevailing over the interests of the individual concerned. 

    Data provision for this purpose is necessary to allow the Data Controller to defend itself in legal and out-of-court proceedings.

    3.4 Legitimate interest (informative and promotional notifications)
    The Data will be processed in order to allow the Data Controller to contact Potential Clients to send individual notifications of an informative and promotional nature, on the basis of the contact already established with them, and concerning products and/or services of the same type with respect to those requested by the Potential Client, unless objected. The legal basis of this processing lies in the legitimate interest of the Data Controller to maintain and strengthen the human and professional relationships established with Potential Clients and in order to establish a contractual relationship with them. Legitimate interest that does not affect the rights and freedoms of Potential Clients as it finds its respective balance in the interest and reasonable expectation of Potential Clients to receive information on the products requested and on the activity of the Controller in order to evaluate the establishment of the contractual relationship with the latter.

    3.5 Consent (Marketing activities)
    The Data may be processed by the Data Controller to send Potential Customers via the channels authorised by them – such as, for example, mail, telephone or electronic notifications, such as e-mails – marketing notifications, of an advertising, informative and promotional nature regarding the products and services offered by Bureau Veritas. The legal basis of said processing is the consent given. Consent can always be freely revoked by using the appropriate "unsubscribe" link at the bottom of all notifications sent by e-mail, or by contacting Bureau Veritas at the addresses in paragraph 7 below. The provision of data is optional. Any refusal will result in the impossibility, even partial, of pursuing this purpose.  

    3.6 Consent (Transfer of data to Bureau Veritas Group companies to allow them to send their own advertising, informative and promotional material notifications)
    Potential Clients’ Data may be transferred to Bureau Veritas Group companies and used to send advertising, information and promotional material by the Bureau Veritas Group companies. The legal basis of said processing is the consent of the Potential Client. Consent may always be revoked freely by contacting the Data Controller at the addresses provided in paragraph 7 below. The provision of data is optional. Any refusal will result in the impossibility, even partial, of pursuing this purpose.

  4. DATA RECIPIENTS
    The Data will be processed by the Data Controller’s employees where necessary to carry out the activities referred to in paragraph 3 above.
    Personal Data may also be transferred to third parties where necessary for the establishment, management, execution and/or termination of the contractual relationship with the Data Controller. In this case, the third-party recipients of Personal Data – autonomous data controllers or duly appointed as data processors – belong to the following categories:
    (i) external subjects operating as autonomous controllers such as, for example, Authorities and supervisory and control bodies and in general to subjects, including private individuals, entitled to request the data (such as accounting consultants, legal consultants), Public Authorities that make an express request for administrative or institutional purposes, in accordance with the provisions of current national and European legislation;
    (ii) subjects outside the company who provide services to the company and who are useful for its activities (for example: IT service providers for the management of databases, including contacts and e-mails, digital service providers and IT consultants who provide technical assistance to the company, offices that provide payroll services, training institutions, banking and financial intermediaries); these subjects have received a specific assignment as data processors and their names are available upon request to the Data Controller, using the contact details indicated in Paragraph 7 below.
  5. DATA RETENTION PERIOD
    The Data processed for:

    (i) the execution of pre-contractual measures will be kept for 24 months from date of collection. The Data may be kept for a longer period, if a contract is signed with the Data Controller: in this case, the Data will be processed as described in the information that will be provided at the time of establishment of the relationship; 
    (ii) the fulfilment of legal obligations to which the Data Controller is subject are kept for the duration provided for by law (10 years for administrative-accounting obligations);
    (iii) the legitimate interest of the Data Controller, and specifically in the case of judicial litigation, will be kept for the entire duration of the same, until the expiration of the terms of practicability of appeals and for the purpose of sending commercial notifications until the request for opt-out by the interested party or for a period of 12 months from the last active contact with the interested party;
    (iv) marketing activities will be retained for a period of time not exceeding 24 months from the issue of consent by the Potential Client to carry out such processing, after which a request will be sent to confirm the will to continue receiving such processing: in case of refusal, the Data provided will be deleted; in case of consent, it will be retained and processed for a further period of 24 months. Potential Clients may, in any case, withdraw their consent as specified in paragraph 3 of this Policy.
    (v) the transfer of data to subsidiaries/parent companies and/or affiliates of the Bureau Veritas Group, will be kept for a period of time necessary to technically allow the correct transfer of data to third parties and subsequently as regulated in the information that will be issued by each owner.  
  6. TRANSFER OF DATA TO THIRD COUNTRIES 
    The Data Controller will not make transfers outside the European Union.
    Should this occur, the Data Controller will adopt adequate guarantees in accordance with the applicable legal and regulatory legislation on the protection of personal data, in order to ensure that its Data is adequately protected: in particular, such transfers will take place, on a case-by-case basis, after verification of the Standard Contractual Clauses approved by the European Commission pursuant to article 46, paragraph 2, letters c) and d) of the GDPR or of the binding rules for the company referred to in article 47 of the GDPR or, in the absence thereof, by virtue of one of the derogating measures referred to in article 49 of the GDPR.
  7. RIGHTS OF THE DATA SUBJECT 
    Potential Clients, as data subjects (i.e., subjects to whom the Data refers), are holders of rights conferred by the GDPR. In particular, pursuant to Articles 15-22 of the GDPR, data subjects have the right to request and obtain, at any time, access to their personal data, information on the processing carried out, the correction and/or updating of personal data, the deletion and limitation of the processing. Additionally, they also have the right to object to the processing and to request data portability (i.e. receive personal data in a structured, commonly used, machine-readable format). Finally, data subjects always have the right to revoke their consent at any time (this, in any case, will not affect the lawfulness of the processing carried out on the basis of the consent given before the revocation) and to lodge a complaint with a supervisory authority (in Italy: the Guarantor for the Protection of Personal Data).

    The above-mentioned rights may be exercised at any time by simply sending a request to the Data Controller:
    •    by post, Spencer Hill, Marsa (MRS), 1959, Malta; 
    •    through the portal for the exercise of rights, available at the link https://personaldataprotection.bureauveritas.com/#/HomePage .

Read the Maltese version