Malta Digital Innovation Authority (‘MDIA’) is established by virtue of the Malta Digital Innovation Authority Act, Chapter 591 to seek the development of the innovative technology sector in Malta through proper recognition and regulation of relevant innovative technology arrangements and related services.
The purpose of this Policy is to explain how MDIA collects, processes and store Personal Data of Data Subjects in order for the MDIA to fulfil the requirements of the Data Protection Act, Chapter 586 of the Laws of Malta and of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council). This Policy also explains how MDIA uses Personal Data, who this information might be shared with and the ways in which the MDIA protects this Personal Data. Moreover, this Policy clarifies the rights that Data Subjects have and the decisions that they can make about their Personal Data held by the MDIA.
It is important that Data Subjects read this Policy together with any other related document so that Data Subjects are fully aware of how and why the Personal Data of the Data Subject is being used and what rights they have. This Policy supplements other documentation and is not intended to override them.
Personal Data means any information about an individual (‘Data Subject’) from which that individual can be identified, directly or indirectly. However, it does not include data where the identity has been removed (i.e. anonymous data). Personal Data can be in analogue form (such as, hard documents) or in digital form (such as, information systems, databases and emails).
The MDIA may collect, use, store and transfer different kinds of Personal Data which may include, but is not limited to:
The MDIA makes use of different methods to collect Personal Data. However, this is mainly done by means of the following:
The below table provides a description of the ways MDIA plans to use the Personal Data of Data Subjects, and which of the legal basis it relies on to do so. Where appropriate, the legitimate interests of MDIA have also been identified.
Legitimate Interest refers to the interest of MDIA in conducting and managing its operations to enable it to give Data Subject the best service and the best and most secure experience. MDIA makes sure to consider and balance any potential impact on Data Subjects (both positive and negative) and their rights, before it processes their Personal Data for its legitimate interests. MDIA does not use Personal Data of Data Subjects for activities where its interests are overridden by the impact on Data Subjects, unless MDIA would have the consent of that Data Subject or is otherwise required or permitted to by law.
MDIA may process Personal Data for more than one lawful ground depending on the specific purpose for which it is using the Personal Data.
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| To allow Data Subjects to contact MDIA | (a) Identity (b) Contact | Necessary for MDIA’s legitimate interests such as, to allow it to contact the Data Subject once the Data Subject would have filled an online form or application. |
| To administer and protect the business of MDIA and its website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Technical | (a) Necessary for legitimate interests of MDIA, such as, for providing our services, provision of administration and IT services, and network security; (b) Necessary to comply with a legal obligation. |
| To deliver relevant website content and advertisements to Data Subjects and measure or understand the effectiveness of the advertising we serve to Data Subjects | (a) Usage (b) Technical | Necessary for legitimate interests of MDIA, such as, to study how customers use its website, to develop them, to grow MDIA’s business and to inform its marketing strategy. |
| To use data analytics to improve MDIA’s website, products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage | Necessary for legitimate interests of MDIA such as, to define types of applicants for its schemes, to keep its website updated and relevant, to develop its business and to inform its marketing strategy. |
| To allow Data Subjects to apply under schemes and other initiatives offered by the MDIA | (a) Identity (b) Contact (c) Employment (d) Financial (e) Sensitive | Necessary for legitimate interests of MDIA, such as, to determine eligibility of applicants who apply under the schemes of MDIA. Necessary to comply with a legal obligation. |
| To allow Data Subjects to benefit from any funding given by MDIA | (a) Identity (b) Contact (c) Financial | Necessary for the legitimate interests of MDIA such as, to be able to transfer funds that a Data Subject may be eligible to as an applicant under the MDIA’s schemes). |
| To allow employees to benefit from any internal schemes and other initiatives offered by the MDIA | (a) Identity (b) Contact (c) Financial (d) Sensitive | Necessary for the legitimate interests of MDIA such as, to be able to transfer funds that a Data Subject may be eligible to as an applicant under the Authority’s schemes. |
| To retain information on the employee file, which may also include information relating to insurance claims for employees of the MDIA | (a) Identity (b) Contact (c) Financial (d) Sensitive | Necessary for our legitimate interests such as, to be able to keep all up-to-date information on our employees, including financial information which relates to salaries, as well as to enable the Authority to process information on insurance claims with the insurance company). |
| To fulfil reporting duties to inter-governmental authorities | (a) Identity (b) Contact (c) Employment Data (d) Sensitive | Necessary for our legitimate interests such as, to be able to allow MDIA to comply with its duties at law with other governmental authorities. |
| Publications in the Government Gazette, annual report, and the publishing of beneficiaries of the schemes of MDIA | (a) Identity (b) Contact (c) Financial | Necessary for the legitimate interests of MDIA such as, to be able to allow MDIA to comply with its duties at law. |
| Procurement | (a) Identity (b) Contact (c) Financial | Necessary for the legitimate interests of MDIA such as, to be able to allow us to comply with our duties at law. |
| Tender | (a) Identity (b) Contact (c) Employment Data (d) Financial Data – including information on the company /supplier and information on employment, where relevant | Necessary for the legitimate interests of MDIA such as, to be able to allow MDIA to comply with MDIA’s duties at law. |
| Organisation of events and to allow you to participate in a prize draw, competition or complete a survey. | (a) Identity (b) Contact | Necessary for legitimate interests of MDIA such as, to develop and market our services. |
MDIA may have to process Personal Data for other legitimate interests as there would be a legal requirement or obligation to do so or if it is acting in the public interest and the interests and fundamental rights of the Data Subject do not override those interests.
MDIA will only use Personal Data for the purposes for which it collected it, unless it reasonably considers that it needs to use it for another reason and that reason is compatible with the original purpose or the above purposes.
MDIA may process Personal Data of Data Subjects without their knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
When determining the purposes and means of the processing of Personal Data, MDIA acts as the ‘Data Controller’ for the purposes of the law. Indeed, a ‘data controller’ is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed.
MDIA may share Personal Data of Data Subjects with third parties for the purposes set out in this Policy. These third parties may include, service providers based in Malta and/or overseas, even outside the European Union such as, other governmental entities, contractors, auditors, Microsoft and Shireburn Software Limited which companies provide web-based services, programmes, applications and/or software.
MDIA requires all third parties to respect the security of the Personal Data of Data Subjects and to treat it in accordance with EU data protection regulations. MDIA does not allow such third-party service providers to use Personal Data of Data Subjects for their own purposes and only permit them to process Personal Data of Data Subjects for specified purposes and in accordance with its instructions.
The MDIA website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about the Data Subject. MDIA does not control these third-party websites and are not responsible for their privacy statements. When a Data Subject leaves MDIA’s website, MDIA encourages such Data Subject to read the privacy policy of every website that would be visited.
MDIA will not share Personal Data with any third parties for the purposes of direct marketing.
MDIA have put in place appropriate security measures to prevent Personal Data of Data Subjects from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, MDIA limits access to the Personal Data of Data Subjects to specific individuals. Third parties mentioned in the previous clause will only process Personal Data of Data Subjects on the instructions of MDIA and they are subject to a duty of confidentiality. Moreover, hard copies of Personal Data which are kept by MDIA are locked in a filing cabinet whilst Personal Data stored electronically will be subject to access controls, and passwords and encryption software will be used where necessary. For further information, kindly request for the IT Security Policy of MDIA.
In the case of Personal Data breaches, MDIA shall upon its knowledge of this breach, inform immediately its Data Protection Officer whose details are further mentioned below, and who will then take the necessary actions, where this would be required by law.
MDIA will only retain the Personal Data of Data Subjects for as long as reasonably necessary to fulfil the purposes for which that data would have been collected for in accordance with this Policy. The time periods of retention are set out in the Data Retention Policy of MDIA which can be found via https://www.mdia.gov.mt/data-retention-policy/. In some circumstances MDIA will anonymise the Personal Data of Data Subjects (so that it can no longer be associated with the Data Subject) for research or statistical purposes, in which case MDIA may use this information indefinitely without further notice to the Data Subject.
Subject Access Requests (SARs), can be made by Data Subjects where an organisation holds Personal Data about them. This can be done at any time, and the requests are made in order for the Data Subject to find out what Personal Data is being held, and what is being done with it.
SARS must be made by the Data Subject itself in writing and addressed to the Data Protection Officer, whose details are mentioned below, and who will deal with the request.
MDIA will usually respond to such requests within one (1) month, but it may need to extend such period for a period of up to a further two (2) months if it is a complex request or there are multiple requests. In that situation, the Data Subject will be informed accordingly.
It shall be at the discretion of MDIA whether to charge a fee in order to respond to the SAR and to enable the Data Subject to access its Personal Data.
Before providing Personal Data, MDIA may ask for proof of identity and sufficient information about your interactions with it. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. MDIA may also contact the Data Subject to ask the same for further information in relation to its request.
MDIA may reserve its right to withhold the Data Subject’s right to access its Personal Data where any statutory exemptions apply.
If the information that MDIA holds about a Data Subject is incorrect, incomplete or needs to be updated, the Data Subject has the right to request in writing MDIA to correct any inaccuracies which will in turn rectify the inaccuracies and inform the Data Subject of the rectification within one (1) one month from the written request of the Data Subject to MDIA. The latter will also ensure that third parties are also informed accordingly.
MDIA has appointed a Data Protection Officer who can help Data Subjects with any questions that they may have about this Policy or any other related document, including any requests to exercise their legal rights. The contact details of the Data Protection Officer are the following:
MDIA ensures to keep its Data Privacy Policy under regular review. This version was last updated on the 29th of November 2022. It is important that the Data Subject keeps MDIA informed of any changes in his or her Personal Data.
MDIA undertakes to respect the legal rights of Data Subjects and apart from those legal rights already mentioned above, MDIA reminds Data Subjects of some of their other legal rights, such as the following:
The MDIA makes every effort to maintain the accuracy of the information that is published on its website but accepts no responsibility and expressly excludes liability for any direct, indirect or consequential loss or damage which may arise from the usage of, and/or reliance on, such information.
