Compliance 360 Limited of Vision Exchange Building Level 2, Territorials Street, Zone 1, Central Business District, Birkirkara CBD 1070, Malta (“Compliance 360”; “we”; “us”; “our”) respects your privacy and values its importance, and is wholly committed to protecting your personal data. The purpose of this Statement is to set out the basis on which we will process your personal data when you engage us to provide you with the “Services” as defined in the Letter of Engagement.
This Statement informs you about the items of personal data that we may collect about you, how we will use it, and about our obligations and your rights. We process your data in accordance with the Data Protection Act (Chapter 586 of the Laws of Malta) (the “Act”), as may be amended or replaced from time to time, and the General Data Protection Regulation (Regulation (EU) 2016/679) (the “Regulation” or the “GDPR”).
By engaging us, you enter into a contractual relationship with Compliance 360, which is subject to and governed by our Letter of Engagement. The Letter of Engagement stipulates that we will process your personal data in accordance with the practices set out in this Statement.
1. Data Controller
Compliance 360 is the data controller of any personal data which it collects or receives and which it processes in connection with the Services. If you have any questions about this Statement, including any requests to exercise your legal rights, please contact us using the contact details set out below.
Our full details are as follows.
Full name of legal entity: Compliance 360 Limited
Email address: firstname.lastname@example.org
Postal address: Vision Exchange Building Level 2, Territorials Street, Zone 1, Central Business District, Birkirkara CBD 1070, Malta.
You have the right to lodge a complaint at any time with a competent supervisory authority on data protection matters, in particular the supervisory authority in the place of your habitual residence or your place of work. In the case of Malta, this is the Office of the Information and Data Protection Commissioner (the “IDPC”) (https://idpc.org.mt/en/Pages/Home.aspx).
Below are key definitions of certain data protection terms which appear in this Statement.
“Consent Form” refers to separate documents which we might from time to time provide to you, in which we ask for your explicit consent to any processing that is not for the purposes set out in this Statement.
“Data subjects” means natural persons about whom we collect and process personal data.
“Data controller” or “controller” means any entity or individual who determines the purposes for which, and the manner in which, any personal data is processed.
“Data processor” or “processor” means any entity or individual that processes data on our behalf and on our instructions (we being the data controller).
“Personal data” means data relating to a natural person who can be identified from the data (information) we hold or possess. The term “personal information”, where and when used in this Statement, shall be taken to have the same meaning as personal data.
“Processing” means any activity that involves use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
“Sensitive personal data”, “sensitive data” or “special categories of personal data” includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. This type of sensitive data can only be processed under strict conditions.
3. Duty to inform of changes
Your Personal Data should be accurate and up to date at all times. Failing this, our ability to provide you with the Services will be negatively affected. It is your obligation to keep us informed if your Personal Data changes at any time during our appointment.
4. Personal Data
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data from which the identity has been removed (that is, anonymous data).
In the course of its appointment, Compliance 360 will need to collect, use, and sometimes, disclose various items of personal data about you for various purposes associated with the scope of the Services that we provide, as requested and directed by you or by your organization, including identity data, contact data, compliance data (AML and KYC), assistance data, financial data, transaction data, technical data, profile data, usage data and marketing and communications data.
We will also collect, use and process any other personal information that you voluntarily choose to provide or disclose to us where relevant and necessary in order to provide the Services.
Where we need to collect personal data by law, or pursuant to our terms of business and engagement, and you fail to provide that data when requested, we may not be able to assist you or provide you with your requested Services. In certain cases, particularly where it relates to Compliance Data, we may even need to exercise our prerogative to terminate the Services and your engagement with us, or otherwise decline to enter into a professional relationship with you (as applicable). We will notify you if this is the case at the time.
We may occasionally need to collect and process certain special categories of personal data, including potentially information relating to your criminal convictions and offences. Where this data concerns you, by engaging us you provide us with your unambiguous consent to process the data in order to provide you with the requested Services. We may also process third party special categories of data where authorised by, and in accordance with, our obligations at law.
5. Collection of Personal Data
We use different methods to collect data from and about you, including through direct interactions. You may give us your identity, contact, compliance, financial, assistance and marketing and communications data by completing our Letter of Engagement, by corresponding with us by post, phone, email or otherwise, or during face-to-face meetings.
6. Use of your Personal Data
We will only use your personal data when allowed by law, as well as when you formally engage us to provide you with the Services, where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests, and where we need to comply with our legal and professional obligations to third parties. We do not generally rely on consent as a legal basis for processing your personal data.
We may process your personal data pursuant to more than one lawful ground or basis, depending on the specific purpose for which we are using your data. Please contact us at email@example.com if you need details or wish to enquire about the specific lawful basis we are relying on to process your personal data. The purpose for which we use your Personal Data is set out below –
Where the purpose is to determine whether we will provide you with the Services, we may request you to provide identity, contact, compliance, assistance and financial data. The lawful basis for the processing is, in such cases, performance of a contract with you or taking steps at your request prior to entering into such a contract, and/or necessity for our legitimate interests.
Where the purpose is to establish your identity, fulfil our other internal compliance policies and requirements, comply with our obligations under the PMLA, PMLFTR and other laws or regulations that may be applicable to us in terms of client due diligence and AML requirements, and fulfil external mandatory reporting obligations that we may have to the FIAU, the MFSA, the Police and any other (including overseas) public, regulatory, law enforcement or tax authorities, we may request you to provide us with identity, contact, compliance and assistance data (provided that we are exempted from professional secrecy obligations in case of disclosure and reporting). The lawful basis for processing such data is necessity to comply with a legal obligation and/or necessity for our legitimate interests.
Where the purpose is to provide you or your organisation with the requested Services and/or to improve the provision of the Services to you or your organisation, we might request you to provide us with identity, contact and compliance data. The lawful basis for processing such data will be performance of a contract with you and/or necessity to comply with professional obligations and ethical duties.
Where the purpose is billing and invoicing and/or debt recovery and/or internal record keeping, we may request you to provide identity, contact, assistance, financial and transaction data. The lawful basis for processing such data will be performance of a contract with you, necessity to comply with a legal obligation, and necessity for our legitimate interests to recover debts due to us and to keep track of the Services provided to the client and their status or outcome.
Where the purpose is to manage our professional relationship with you, we may request you to provide us with identity, contact, assistance, usage, profile and marketing and communications data. The lawful basis will be the performance of a contract with you and/or the necessity for our legitimate interests.
Where the purpose is to detect, prevent and/or report fraud or any other criminal activity that comes to our knowledge and attention, and to assist and cooperate in any criminal or regulatory investigations against you, as may be required of us, we may request you to provide identity, contact, compliance, assistance, financial and transaction data. The lawful basis will be necessity to comply with a legal obligation.
Where the purpose is to administer and protect our firm, business and any website, we may request your identity, contact, technical and usage data. The lawful basis for processing such data will be the necessity for our legitimate interests in running and administering our firm and business, systems administration, network security, fraud prevention and maintaining the confidentiality of communications, and/or the necessity to comply with a legal obligation.
Where the purpose is to carry out market research campaigns, to market our Services to you by email or other means if you have subscribed to one of our mailing lists (where you are not a client), and to deliver any relevant website content and advertisements to you, we may request you to provide us with identity, contact, technical, usage, profile and marketing and communications data. The lawful basis for such processing will be the necessity for our legitimate interests to develop our Services and grow our business, to keep our Services and any website updated and to inform our marketing strategy, and/or your consent, in the absence of a client relationship.
Where the purpose is to permit Compliance 360 to pursue available remedies or limit any damages that Compliance 360 may sustain, we may use identity, contact, assistance, financial, transaction and marketing and communications data. The lawful basis for processing such data will be performance of a contract with you.
“Legitimate Interest” means our interest to conduct and manage our business affairs appropriately and responsibly, to protect the reputation of our business and firm, and to provide our clients with the best possible service. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law.
“Performance of Contract” means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. This includes our Letter of Engagement or other terms of business.
“Comply with a legal or regulatory obligation” means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
8. Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we consider that we need to use it for another reason so long as such reason is compatible with the original purpose, or we are obliged to process your data by applicable laws or court / enforceable orders.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without the need to obtain your consent, in compliance with the above rules, where this is required or permitted by law.
9. Disclosures of your personal data
We may have to grant access to, disclose or share your personal data with the following for the purposes set out in Clause 7 above:
Other firms involved in the provision of the Services to you;
Suppliers and external agencies that we engage to process information on our and/or your behalf, including to provide you with the information and/or materials that you have requested;
Service providers, including those that provide IT support and system administration services for Compliance 360;
Professional advisers such as consultants, bankers, professional indemnity insurers, brokers and auditors;
The Commissioner for Revenue, regulators and other authorities, including the Courts of Malta, the Financial Intelligence Analysis Unit, the Police Authorities and the Malta Financial Services Authority; and
Our successors in title or any third parties from whom we acquire business or with whom we merge. If such a change happens, the new owners may use your personal data in the same way as set out in this Statement.
We take measures to ensure that all third parties respect the security of your personal data and treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our documented instructions.
10. International transfers
We do not generally transfer your personal data to entities outside the European Economic Area (“EEA”) except as may be necessary to: (i) provide you with the requested Services, (ii) fulfil our contractual obligations to you or exercise our contractual obligations against you, (iii) comply with our legal or regulatory obligations or (iv) assert, file or exercise a legal claim.
Where we do need to transfer your personal data outside the EEA (whether for these stated purposes or any other purpose listed in Clause 7 above), we will ensure a similar degree of protection is afforded to that personal data by ensuring that at least one of the following safeguards applies or is otherwise implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
In the absence of an adequacy decision, we will use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Where we use providers based in the U.S., we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact us at firstname.lastname@example.org if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Note however that when you instruct us to transfer or share your personal data, including with other law firms (based in or outside the EEA), we will perform any processing activity required to fulfil such instructions as your mandatories and not as an autonomous controller. As your mandatories, we will not be required to enter into a contractual mechanism, joint controller agreement or otherwise, with the recipient to whom you have instructed us to share or transfer your personal data.
11. Data Security
There are appropriate security measures in place meant to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed with a view to safeguarding its integrity and confidentiality. We also regularly review and, where practicable, improve upon these security measures.
In addition, we limit access to your personal data to those employees, agents, contractors and other professional third parties who strictly need to know this information. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. All our employees and agents have received appropriate training on data protection.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
12. Data Retention
Please note that Compliance 360 considers its professional relationship with clients to be an ongoing and continuous engagement, until such time that it is terminated in accordance with our Letter of Engagement.
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it and, thereafter, for the purpose of satisfying any legal, accounting, tax, anti-money laundering and regulatory reporting requirements or obligations to which we may be subject and / or to the extent that we may also need to retain your personal data to be able to assert, exercise or defend possible future legal claims against or otherwise involving you.
Our retention of your personal data shall not exceed the period of six (6) years from the termination of your engagement with us. This retention period enables us to make use of your personal data for potential AML reporting obligations to the FIAU and/or for the assertion, filing or defence of possible legal claims by or against you.
We may need to retain your personal data for a period of up to eleven (11) years in order to comply with applicable accounting and tax laws. There may also be instances where the need to retain personal data for longer periods is dictated by the nature of the services provided.
In some circumstances you can ask us to delete your data. See Request erasure below for further information.
13. Data Minimisation
To the extent possible, we may anonymise the data which we hold about you when it is no longer necessary to identify you from the data which we hold about you. In some circumstances, we may even pseudonymise your personal data.
14. Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please contact us for further information about these rights, namely –
Request access to your personal data.
Request correction (rectification) of your personal data.
Request erasure of your personal data.
Object to processing of your personal data.
Request restriction of processing your personal data.
Request transfer of your personal data.
Right to withdraw consent.
If you wish to exercise any of the rights set out above, please contact us at email@example.com.
No fee will be charged to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may simply refuse to comply with your request in such circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). We aim to respond to all legitimate requests within a period of one month from the date of receiving your request.
You have the right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. You have the right to be informed when we collect and process personal data about you from publicly accessible or third party sources. You may request correction or rectification of the personal data that we hold about you. You may also request erasure of your personal data. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request. You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground because you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal information that override your rights and freedoms. You may request restriction of processing of your personal data and the transfer of your personal data to you or to a third party. You may withdraw your consent at any time where we are relying on consent to process your personal data (which will generally not be the case).
None of these data subject rights are absolute. Account shall be taken of our own legal obligations and legitimate interests. If a decision is taken to override your data subject request, you will be informed of this.
15. Changes to the Privacy Statement
We reserve the right to make changes to this Statement from time to time, which will be duly notified to you.
This Privacy Statement was last updated on 6th July 2021.