Data Retention Policy
1. Introduction
Malta Digital Innovation Authority (‘MDIA’) is established by virtue of the Malta Digital Innovation Authority Act, Chapter 591 to seek the development of the innovative technology sector in Malta through proper recognition and regulation of relevant innovative technology arrangements and related services.
The purpose of this Data Retention Policy is to explain the legal requirement for MDIA to retain Personal Data, usually for a specified amount of time, and to dispose of such data. This Policy also provides guidance on appropriate data handling and disposal.
It is of vital importance that this Data Retention Policy is read in conjunction with the Data Privacy Policy of MDIA which is available at https://www.mdia.gov.mt/privacy-policy/
2. Retention Period
Following a data landscaping exercise by MDIA to understand precisely what Personal Data it retains, MDIA listed such Personal Data in its Data Protection Policy, available at the above-mentioned link.
MDIA shall not retain any Personal Data for any longer than is necessary in light of the purpose/s for which that data is collected, held and processed, subject to statutory periods of limitation.
When establishing the below retention periods, MDIA took into consideration the objectives and requirements of its business, the type of Personal Data in question, the purpose and legal basis for which the Personal Data is collected, held and processed, as well as the category of Data Subjects.
| CATEGORY OF DATA | RETENTION PERIOD | MANUAL / ELECTRONIC |
| --- | --- | --- |
| Personal Information | | |
| MDIA Employees Personal Files | 10 years | Both |
| Application forms for calls for positions | 10 years | Both |
| CVs | 10 years | Both |
| Attendance Sheets | 10 years | Both |
| Vacation Leave Application Forms | 10 years | Both |
| Yearly Leave Balances | 10 years | Both |
| Sick Leave Certificates / Records | 10 years | Both |
| Medical History | 10 years | Both |
| Disciplinary Records | 10 years | Both |
| Disciplinary Charges | 10 years | Both |
| Financial Information | | |
| Tax and National Insurance Records | 10 years | Both |
| Accounting Records | 10 years | Both |
| Annual Financial Statements | 10 years | Both |
| Details of Applicants’ Financial Data, including bank account details and VAT numbers | 3 years | Both |
| Funding Programmes / Applications | | |
| Documentation relating to applications | 3 years from termination of programme | Both |
| Other | | |
| Minutes of Meetings | 10 years | Both |
| CCTV | Routine footage is deleted after 15 days. If MDIA is requested to retain specific footage due to ongoing legal proceedings, footage will be retained for a period of one (1) year or for any such period as requested by the MDIA requesting the footage. | Electronic |
Notwithstanding the above defined retention periods, certain Personal Data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within MDIA to do so, whether in response to a request by a Data Subject as mentioned in the Data Protection Policy of MDIA, or otherwise.
On the other hand, in special circumstances, such as where the Personal Data is relevant to current or contemplated litigation, Government or regulatory investigation or audit, that Personal Data must be retained until the Data Protection Officer determines that it is no longer required.
MDIA also ensures that it conducts periodical reviews of the Personal Data retained.
If Personal Data is not listed in the above table, it is likely that it should be classified as disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record.
Examples include duplicates of originals that have not been annotated, preliminary drafts of letters, reports, worksheets and informal notes that do not represent significant steps or decisions in the preparation of an official record, materials obtained for reference purposes, spam and junk mail.
Nonetheless, if a Data Subject considers that there is an omission in the above table, or would like to request further clarifications, please contact the Data Protection Officer whose details are indicated below as well as in the MDIA's Data Protection Policy.
3. Storage and Back-up
The organisation will ensure that all Personal Data of Data Subjects is securely retained and stored.
Hard or manual Personal Data is stored in locked cabinets and, overnight, in locked premises as well. Personal Data stored electronically will be subject to access controls and passwords. Where necessary, encryption software shall be used. All Personal Data, whether in hard documents or in electronic form, is backed up and maintained off site.
For further details in relation to information technology security, kindly request the MDIA's IT Security Policy.
4. Disposal of Personal Data
Personal Data held in hard documentation shall be destroyed by shredding, where possible. Electronic Personal Data, on the other hand, shall be deleted entirely from the computer and from any other software, application or program used by MDIA, where necessary with the co-ordination of experts in the sector of information technology.
5. Breach Reporting
In the case of a Personal Data breach, MDIA shall, upon becoming aware of the breach, immediately inform its Data Protection Officer, whose details are given below and who will then take the necessary actions where this is required by law. Nonetheless, should a Data Subject feel that anyone could have breached this Data Retention Policy as well as the Data Protection Policy, this should be reported to MDIA’s Data Protection Officer, whose details can be found below.
6. Data Protection Officer
MDIA has appointed a Data Protection Officer who can help Data Subjects with any questions that they may have about this Privacy Policy or any other related document, including any requests to exercise their legal rights. The contact details of the Data Protection Officer are the following:
- Address: MDIA, Twenty20, Business Centre, Triq l-Intornjatur, Zone 3, Central Business District, Birkirkara, CBD 3050, Malta.
- Email address: [email protected]
7. Conclusion
MDIA strives to conduct frequent audits and allocate appropriate resources to ensure that Personal Data of Data Subjects is being protected at all times in accordance with the legal requirements and in line with this Data Retention Policy. This version was last updated on 29th November 2022.
8. Disclaimer
The MDIA makes every effort to maintain the accuracy of the information that is published on its website but accepts no responsibility and expressly excludes liability for any direct, indirect or consequential loss or damage which may arise from the usage of, and/or reliance on, such information.