Privacy Policy
INTRODUCTION
This Master Privacy Policy (“Privacy Policy”) relates to the portalmbr.mt and/or any website/sub-website and/or associated domains (and/or sub-domains) of mbr.mt hereinafter referred to as the “Site”) the services provided by Malta Business Registry the owner of the Site, (“We”, “Us”, “Our”, “Ourselves”, and/or “MBR”) and any related software applications (‘Apps’), where Personal Data are processed by the same (via the Site, any of Our Apps or otherwise) relating to You. Please note that Our website may be hosted and operated using a third-party website platform/provider (currently Wix.com Ltd. and its affiliated companies (“Wix”)). In addition, when We host events or similar activities for which an online payment is required (and only while event registration is open), We will use a third-party payment service provider (currently Stripe – including Stripe Payments Europe, Limited and/or Stripe, LLC (“Stripe”)) to process online payments. In such cases, certain Personal Data will be processed by Wix and/or Stripe (as further explained in this Privacy Policy) in order for Us to operate the Site, administer event registrations and process payments securely. In this Master Privacy Policy, “You”, “Your” and “User” refer to an identified or identifiable natural person being the User of the Site, and/or recipient (or prospective recipient) of any of Our services and/or identifiable natural person whose information (in his/her personal capacity and not when acting as representative of a legal entity) is stored on Our database(s) and which may or may not be publicly available. Our full details, including contact details, can be read below. Please see the sections “WHAT ARE PERSONAL DATA” and “WHAT ABOUT INFORMATION RELATING TO COMMERCIAL PARTNERSHIPS (INCLUDING COMPANIES) AND OTHER LEGAL ENTITIES?” below.
You may be reading this Privacy Policy as a User or visitor of the Site or You may have been directed here by one (or more) of Our condensed privacy policies or Our other notices (digital or otherwise) found in one of Our forms or other similar documents.
Although this Privacy Policy provides detailed, layered information on how and why We generally process Personal Data (via the Site, any of Our Apps, or otherwise) as well as detailed information about Your various rights, the specific and tailor-made content of such condensed policies or other notices will, in most cases, provide You with more focused and detailed information on specific processing operations (for example, the specific legal basis for processing certain categories of Personal Data and the specific purpose for doing so depending on the matter at hand).
Although at MBR, Our goal is to always be as clear and transparent as possible, We appreciate that legal documents can sometimes be difficult to read. However, We strongly encourage You to read this Privacy Policy (which is layered for Your convenience) with care. Please do not hold back from contacting Us for any clarification You may need. For example, if You need clarification on a specific legal basis, We are relying on to process Your Personal Data for a specific processing operation, We would be happy to provide You with any such information You may need.
CONTENTS OF THIS MASTER PRIVACY POLICY
APPLICABLE LAWS
The MBR is the controller of personal data in terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “the GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta – “the DPA”).
The MBR ensures that personal data are processed in accordance with the GDPR, the DPA and any other relevant European Union (“EU”) and national law. The MBR ensures, inter alia, the confidentiality and security of such personal data.
All the above, as may be amended from time to time, referred to together as the “Data Protection Laws”
WHAT ARE PERSONAL DATA?
The term “PERSONAL DATA” means any information that identifies You as an individual or that relates to an identifiable individual. Information relating to legal persons (such as companies) does not amount to Personal Data. For more information on this important distinction, please read the section “WHAT ABOUT INFORMATION RELATING TO COMMERCIAL PARTNERSHIPS (INCLUDING COMPANIES) AND OTHER LEGAL ENTITIES?” below.
Whenever it is not possible or feasible for Us to make use of anonymous and/or anonymised data (in a manner that does not identify any Users of the Site or recipients of Our services), We are nevertheless committed to protecting Your privacy and the security of Your Personal Data at all times.
We collect Personal Data in various ways both digitally via the Site (either when You choose to provide Us with certain data or in some cases, automatically or from third parties) as well as non-digitally (for example when a statutory form is submitted to Us or You fill in a physical form to benefit from one or more of Our services).
WHAT ABOUT INFORMATION RELATING TO COMMERCIAL PARTNERSHIPS (INCLUDING COMPANIES) AND OTHER LEGAL ENTITIES ?
Information relating to legal persons (having a Juridical Personality) as opposed to natural persons does not amount to personal data. Limited liability companies and other legal entities have a distinct legal personality that is separate from that of their owners or even their directors or administrators. This means that information relating to such legal entities (as opposed to the details of the owners, shareholders or even directors or administrators) will not, in most cases, constitute personal data and falls outside the scope of the GDPR.
Having said the above, in all those cases where natural persons (such as company directors, shareholders, partners, administrators, founders, controllers, supervisory council members, protectors and even sole traders inter alia ) are individually identifiable, and where information relates to such individuals in their personal capacity as opposed to them acting as representatives of a legal person, MBR will treat such information as personal data and will afford to such individuals (who would be deemed as data subjects) all the data protection rights listed below, as may be applicable.
PERSONAL DATA MBR COLLECTS ABOUT YOU
There are various categories of Personal Data that We collect about You, namely:
CONTACT DETAILS (WITHOUT NEED FOR REGISTRATION ON THE SITE):
Name
Email
Comments containing any personal data You choose to send us.
REGISTRATION DATA:
Title
First Name
Surname
Date of birth
Residential Address
E-mail address
Telephone
Mobile (optional)
Fax Number (optional)
Nationality
ID/Passport Number
Username
Password
INCORPORATION/DECLARATION DATA:
Identification details (ID) which shall include but are not limited to the nationality and country of residence. In line with Article 2(5) of the Companies Act, Chapter 386 (“the Companies Act’’), article 29(1)(e) and article 49(2)(f) of the Second Schedule to the Civil Code (CAP 16) (the “Schedule”)“For the purposes of the above-mentioned legislation, where a document required to be delivered to the Registrar for registration is required to state the name and residence or address of a person, it shall be deemed to require further the official identification, by number or otherwise of such person, as may be applicable. Moreover, Article 401(1)(d) paragraph (i) of the Companies Act and the second proviso to Regulation 7 (1)(c) paragraph (i) of the Companies Act (Register of Beneficial Owners) Regulations ( S.L. 386.19) regulation 4(1)(a) of Civil Code (Second Schedule) (Register of Beneficial Owners – Associations) (S.L. 16.17) and regulation 4(1)(a) of Civil Code (Second Schedule) (Register of Beneficial Owners – Foundations) (S.L. 16.18) further allows for the Registrar to obtain identification details and any other information supported by documents including, certified true copies of ID cards, passports, residence cards and other identification documents in order to verify the identification details being disclosed to the Registry.
Nationality
Country of Residence
Registered Office (only considered personal data if this is the home address of the individual sending Us this information).
Contact details of shareholders, directors, company secretaries, and other members of the applicant including as applicable:
Name
Residential address
Email address
Nationality
Business Occupation
Contact details of persons liaising and submitting documents on behalf of applicant (for example, a legal representative) including:
Name
Email address
Police conduct and/or certificate of good standing processed in line with Article 10 of the GDPR and the DPA, as authorised by Maltese company law and anti-money-laundering legislation).) (only in specific circumstances)
Bank references (only in specific circumstances)
Evidence that the commercial partnership (including companies) and other legal entities can use the address as the registered office (only in specific circumstances)
TRACKING DATA:
IP address Location Data
Location Data
FINANCIAL INFORMATION:
Bank account details (for example, where required for refunds or for other payment-related administration, where applicable) Billing details (for example, billing address, invoice details, receipt details, and similar payment administration data) Payment transaction details (for example, amount, date/time, payment status, and transaction reference/identifier)
For the avoidance of doubt, where online payments are processed through Our payment service provider (currently Stripe), Your full card number and card security code (CVC/CVV) are processed directly by Stripe (and/or relevant financial institutions/payment method providers) and are not stored by MBR.
EVENT / TRAINING INFORMATION (WHERE APPLICABLE):
Event registration details
Attendance information
Communications relating to an event
CPE/CPD ACCREDITATION DATA (where applicable): the minimum attendee information required to verify attendance and to issue/record CPE/CPD accreditation
Please note that the online payment functionality will only be made available when an event is approaching and registrations are open; once the event ends (or registration closes), the online payment functionality will be switched off.
ADDITIONAL INFORMATION:
In some cases, (for example, if You are a recipient [or prospective recipient] of Our services, via the Site, any App or otherwise – even if the service in question is merely information You request from Us), We may request additional Personal Data as a means of securely identifying You or for another similar lawful purpose (which will be explained in the table below and/or in a condensed policy/notice that may have directed You here). The additional information We may request from You to be able to provide You with Our services includes:
More secure identification methods
Credentials/references
Details of Your next of kin
Certain special categories of data (sensitive Personal Data) such as health conditions/status/details or trade union membership (only where necessary and with the necessary safeguards in place) in terms of Article 9 (2) of the GDPR
Your police conduct and/or certificate of good standing which We may require for the incorporation of legal entities in certain cases, and which We process, primarily for verification purposes in line with Article 10 of the GDPR and the DPA, as authorised by Maltese company law and anti-money-laundering legislation..
Many of the categories of Personal Data above are collected directly from You (for example, Your Contact Details and Your Registration Data). However, WE MAY ALSO COLLECT PERSONAL DATA FROM OTHER SOURCES, including authorised members (e.g. directors, administrators or company secretaries) of the company or other legal entities You may be associated with, third party data companies, publicly accessible databases, social media platforms, other Government agencies and Government bodies (both local as well as foreign bodies within the EU) and other third parties.
We may also receive Personal Data about You from third parties when We need to confirm Your Contact Details or even certain Financial Information. Should this be the case, We will take all measures as required by law to further inform You about the source of such Personal Data as well as the categories of Personal Data We collect and process (unless We are satisfied that You already have that information). There are certain instances at law where We are specifically forbidden from disclosing to You such activity (for example, when carrying out due diligence for anti-money laundering purposes).
For a detailed description of the reasons why We process the categories of Personal Data above (and any other specific Personal Data We process) as well as the corresponding legal ground(s) for doing so please see the ‘What We Use Your Personal Data For (Purpose of Processing)’ below.
For information/Personal Data that We may collect automatically via the Site, please see the Cookies section below.
HOW AND WHY WE COLLECT PERSONAL DATA
As a general rule, We do not collect any Personal Data, that is, information that identifies You as an individual other than that which You choose to provide to Us such as the data (including Contact Details and Registration Data) You provide when contacting Us via Our Site (where registration is not required) or registering with the said Site (where this is available), when registering a company or other entity with MBR (if this applies to You as an identifiable natural person), when filing documents with Us on behalf of any legal entity (if this applies to You as an identifiable natural person) when otherwise contacting Us with enquiries relating to Our services, when subscribing to any service offered by Us or via Our Site, such as any newsletters as may be issued by Us from time to time (see Personal Data We Collect About You above).
Unless otherwise specified and subject to various controls, as a general rule, we only collect Personal Data (from You or elsewhere) that we:
need to be able to provide You with the services/information You request from Us.
are legally required to collect/use and to keep for a predetermined period of time.
believe to be necessary for the performance of a task carried out in the public interest and
believe it to be necessary for the performance of a task carried out in the exercise of official authority vested in Us (as a Government agency).
For a detailed description of the reasons why We process specific categories of Personal Data as well as the corresponding legal ground(s) for doing so, please see the ‘What We Use Your Personal Data For (Purpose of Processing)’ below.
PERSONAL DATA RELATING TO THIRD PARTIES
By providing Us with or allowing Us to access Personal Data relating to individuals other than Yourself (such as when You list other involved persons pertaining to company registration or registration of other legal entities with MBR), You are letting Us know that You have the authority to send Us those Personal Data or the authority to permit Us to access those data in the manner described in this Privacy Policy.
WHAT WE USE YOUR PERSONAL DATA FOR (PURPOSE OF PROCESSING)
The following is a description (in a clear and plain manner) of what We use Your Personal Data for and the corresponding legal ground(s) We rely on for doing so.
For more detail on what is meant by terms such as ‘Contact Details’, ‘Registration Data’ and other categories of Personal Data used in the tables below, please see the section above relating to Personal Data We Collect About You.
Please note that in the rare instances (if any) where We rely on your consent, this can always be withdrawn at will.
GENERAL PROCESSING OPERATIONS
PROSPECTIVE RECIPIENTS / USERS OF THE SITE / NEW RECIPIENTS OF OUR SERVICES:
PURPOSE OF THE PROCESSING | CATEGORIES OF PERSONAL DATA | LEGAL BASIS FOR PROCESSING |
Evaluating application(s)/requests You send Us to use/receive any of Our services) |
|
|
Set up a record on our systems |
|
|
To manage our relationship with You |
|
|
To carry out mandatory verification in compliance with applicable laws (anti- money laundering and combatting the financing of terrorism legislation) |
|
|
To establish and investigate any suspicious behaviour in order to protect Our systems from any risk and fraud |
|
|
To keep an accurate and up to date legal entities database (open to the public) |
|
|
To monitor our premises via CCTV for security purposes, when not exercising any of Our official tasks |
|
|
To ask visitors to enter their name and surname when entering Our premises |
|
|
To administer event/training registrations and attendance (including related communications), where applicable |
|
|
To verify attendance and to issue/record CPE/CPD accreditation (where applicable), including sharing the minimum necessary attendee information with the relevant professional accreditation body |
|
|
ONGOING RECIPIENTS OF OUR SERVICES:
PURPOSE OF THE PROCESSING | CATEGORIES OF PERSONAL DATA | LEGAL BASIS FOR PROCESSING |
To be able to continue providing You with (some or all of) Our services |
|
|
Maintain records on our systems |
|
|
Continue to manage Our relationship with you |
|
|
To pass on certain information to public authorities (including the Malta Financial Services Authority and National Statistics Office) & compile internal statistics and reports |
|
|
To process and manage payments transactions (where applicable) |
|
|
To help you with your specific concerns/requests, including any requests/applications relating to any entity |
|
|
To administer event/training registrations and attendance (including related communications), where applicable |
|
|
To verify attendance and to issue/record CPE/CPD accreditation (where applicable), including sharing the minimum necessary attendee information with the relevant professional accreditation body |
|
|
OTHER SPECIFIC PROCESSING OPERATIONS:
Register of Companies and Register of Legal Persons:
PURPOSE OF THE PROCESSING |
|
|
Evaluating any request to register any commercial partnership (including companies) and other legal entities and to be able to keep an accurate database of such (including their members) in line with Our obligations at law (Cap 386 and Subsidiary Legislation 386.18 and CAP 16 and S.L. 16.17 & S.L. 16.18) |
|
|
Register of Beneficial Owners:
PURPOSE OF THE PROCESSING | CATEGORIES OF PERSONAL DATA | LEGAL BASIS FOR PROCESSING |
To be able to keep an accurate database of beneficial owners of legal entities in line with Our obligations at law (S.L 386.19, S.L 16.17 and S.L 16.18) |
|
|
Disclosures Re Commercial Partnerships (including Companies) and other Legal Entities. To disclose relevant details of the beneficial owners of commercial partnerships (including companies) and other legal entities to persons requesting the same (where permitted or required and subject to applicable restrictions).
| For persons listed in S.L. 386.19 (7) (1) and regulation 10 of S.L. 16.17 & S.L. 16.18 to the following categories. (a) competent authorities in terms of the above mentioned regulation including but not limited to the Malta FIAU, national tax authorities, etc. that request information about the beneficial owners of commercial partnerships (including companies) and other legal entities: Personal Data shall be disclosed by Us without any restriction and without alerting the legal entity/ies concerned. (b) subject persons/obliged entities: For this category, Personal Data may be disclosed by Us provided that the request We receive must relate to purposes of carrying out due diligence for the prevention, detection and combating of money laundering or the associated predicate offences or the financing of terrorism. (c) general public: Provided they have a Legitimate Interest as explained in the below Legitimate Interest section. | Compliance with Legal Obligations (S.L. 386.19 (7)) and regulation 10(9) of S.L. 16.17 & S.L. 16.18 – Provided that the registrar may refuse access to subject persons/obliged entities and the general public (as stipulated as outlined in terms of the above mentioned regulations), in full or in part, where in exceptional circumstances to be justified by means of documentary evidence and to be determined on a case by case basis, access to such beneficial ownership information would expose the beneficial owner to the risk of fraud, kidnapping, blackmail, violence or intimidation, or where the beneficial owner is a minor or otherwise incapable. |
Should We need to process Your data for a new purpose in the future, which is entirely unrelated to the above, We will inform You of such processing in advance and You may exercise Your applicable rights (as explained below) in relation to such processing.
Finally, do note that without certain Personal Data relating to You, We may not be in the position to provide some or all of the services You expect from Us , as well as commercial partnerships (including companies)and other legal entities registration/incorporation and requests for information from Us) or even to guarantee the full functionality of Our Site.
Legitimate Interest:
Commercial Partnerships (including companies)
The MBR shall grant access to the Register of Beneficial Owners (“RBO”) upon the demonstration of legitimate interest in the prevention and combating of money laundering, its predicate offences, or the financing of terrorism in terms of regulation 7 (1) (c) of the Companies Act ( Register of Beneficial Owners) Regulations ( S.L.386.19). Such requests for access based on Legitimate Interest would have to be made to the MBR via email on accesstobo@mbr.mt, along with the filing of a Request Form and a Declaration. These would have to be further accompanied by supporting documentation (including, but not limited to, identification documents). Such identification documents shall not be made publicly available and are required for the purpose of making an assessment on the veracity of the individual filing the request for access to beneficial ownership information. MBR shall not retain identification documentation once the necessary data is collected but it shall retain your data in accordance with the retention period for Personal Data mentioned below. The terms of this Privacy Policy shall mutatis mutandis apply to You unless it is otherwise deemed inconsistent. In gaining such access, the persons claiming Legitimate Interest and, therefore, gaining access to the RBO, would be confirming also that they are assuming the role of a data controller under the applicable laws and regulations relating to data protection as in force in Malta.
Foundations and Associations
In respect of S.L 16.17 and S.L 16.18, a similar process is undertaken where persons or organisations forming part of the general public, provided that they have a legitimate interest, are granted BO information as requested on satisfactory compliance with the above mentioned respective subsidiary legislations. The requests are sent via email on foundations.associations@mbr.mt, along with the filing of the supporting documentation, including but not limited to identification documents. Such identification documents shall not be made publicly available and are required for the purpose of making an assessment on the veracity of the individual filing the request for access to beneficial ownership information. MBR shall retain your data in accordance with the retention period for Personal Data mentioned below. The terms of this Privacy Policy shall mutatis mutandis apply to You unless it is otherwise deemed inconsistent. All persons entitled to access and receive information in terms of S.L. 16.17 and S.L. 16.18 are duty bound to comply with the applicable laws and regulations relating to data protection as in force in Malta.
DATA WHICH WE MAKE PUBLICLY AVAILABLE:
MBR is required by Article 401 (1) (d) of the Companies Act () and article 31C of the Second Schedule to the Civil Code, as well as by the Companies Act (System of Interconnection of Registers) Regulations (S.L 386.18 ) and regulation 14 of S.L. 16.17 & S.L. 16.18 to make certain information, which You may provide to Us inter alia for the purposes of commercial partnerships (including companies) and other legal entities incorporation, including any Personal Data, where applicable, (such as those pertaining to the name and address of the directors and other relevant persons of the legal entity) relating thereto, publicly available. Thus, whenever MBR makes such information public it relies on its legal obligation to do so as a legal basis for processing Personal Data.
The Personal Data that We make public in relation to all commercial partnerships (including companies) and other legal entities registered with Us includes the following:
A list of shareholders, directors, company secretaries and other persons vested with administration including such details as:
Name
Residential address
Nationality
Business occupation
In the case of foundations and associations, information on beneficial owners is not made publicly searchable or openly available to the general public. Access to information held in the Register of Beneficial Owners is granted only to the categories of persons and under the conditions set out in the applicable regulations. Any access granted to subject persons/ onbliged entities or to members of the public is provided on a case-by-case basis following a written request and submission of the required documentation, and is limited to the specific foundation/association and the relevant beneficial owner(s). Only competent authorities as stated in regulation 10 of S.L. 16.17 & 16.18 have access without restriction to the information on the beneficial owners of the organisations.
When a commercial partnership (including companies) and other legal entities is struck off the register, such data shall no longer be available to the public. Please note that although such Personal Data will no longer be available to the public, MBR will still retain such information, and this according to Our retention policy.
For more background information, please read the sections WHAT ARE PERSONAL DATA and WHAT ABOUT INFORMATION RELATING TO COMMERCIAL PARTNERSHIPS (INCLUDING COMPANIES) AND LEGAL ENTITIES? Above.
Please see the table above regarding the Register of Beneficial Owners for more information regarding the rules for how We may disclose information regarding ultimate beneficial owners of companies, foundations and associations and how, in certain instances, We are obliged to do so.
ACCURACY OF PERSONAL DATA
All reasonable efforts are made to keep any Personal Data We may hold about You up-to- date and as accurate as possible. You can check the information that We hold about You at any time by contacting Us in the manner explained below. If You find any inaccuracies, We will correct them and where required and in accordance with the law (provided that the law permits such deletion), delete them as necessary. Please see below for a detailed list of Your legal rights in terms of any applicable data protection law.
TRANSFERS TO THIRD COUNTRIES
As a general rule, the data We process about You (collected via the Site, any of our Apps or otherwise) will be stored and processed within the European Union (EU)/European Economic Area (EEA) or any other non-EEA country deemed by the European Commission to offer an adequate level of protection (the so-called ‘white-listed’ countries listed here: https://ec.europa.eu/info/law/law-topic/data-protection_en.
In some cases, it may be necessary for Us to transfer Your Personal Data to a non-EEA country not considered by the European Commission to offer an adequate level of protection (for example to one or more of Our data processors located there).
In such cases, apart from all appropriate safeguards that We implement, in any case, to protect Your Personal Data, We have put in place additional adequate measures. For example, We have ensured that the recipient is bound by the EU Standard Contractual Clauses (the EU Model Clauses) designed to protect Your Personal Data as though it were an intra-EEA transfer. You are entitled to obtain a copy of these measures by contacting Us as explained below.
INTERNET COMMUNICATIONS
You will be aware that data sent via the Internet may be transmitted across international borders even where sender and receiver of information are located in the same country. We cannot be held responsible for anything done or omitted to be done by You or any third party in connection with any Personal Data prior to Our receiving it including but not limited to any transfers of Personal Data from You to Us via a country having a lower level of data protection than that in place in the European Union, and this, by any technological means whatsoever (for example, WhatsApp, Dropbox, etc.)
Moreover, We shall accept no responsibility or liability whatsoever for the security of Your data while in transit through the Internet unless Our responsibility results explicitly from a law having effect in Malta.
AUTHORISED DISCLOSURE
Without prejudice to anything contained in this Privacy Policy and in the interest of full transparency, We reserve the right to disclose (and otherwise process) any relevant Personal Data relating to You which We may be processing (including in certain cases relevant IP addresses) to authorised third parties in or outside the EU/EEA if such disclosures are allowed under the Data Protection Laws (whether or not You have provided Your consent) including but not limited to:
For the purpose of preventing, detecting or suppressing fraud (for example, if You provide false or deceptive information about Yourself or attempt to pose as someone else, We may disclose any information We may have about You in Our possession so as to assist any type of investigation into Your actions);
In the event of MBR being involved in a restructure, transfer or absorption into another Government department (or similar event analogously applicable to Government agencies);
To protect and defend Our rights (including the right to property), safety, or those of Our affiliates, of Users of Our Site, of Our members or even Your own;
To protect against abuse, misuse or unauthorised use of Our Site;
For any purpose that may be necessary for the performance of any agreement You may have entered into with Us (including the request for provision of services by third parties) or in order to take steps at Your request prior to entering into a contract;
To comply with any legal obligations such as may arise by way of response to any Court subpoena or order or similar official request for Personal Data; or
As may otherwise be specifically allowed or required by or under any applicable law, for example, under anti-money laundering legislation or as part of MBR’s obligation to make certain information available to the public through the system of interconnection of EU Business registers at: https://e-justice.europa.eu/content_business_registers_at_european_level-105–maximize-en.do (S.L 386.18 S.L. 16.17 and S.L. 16.18)
SHARING OF PERSONAL DATA WITH OTHER CATEGORIES OF RECIPIENTS
Relevant data will also be disclosed or shared as appropriate (and in all cases in line with the Data Protection Laws) to/with staff/employees and/or officials of MBR, and/or to/with entities within the Maltese Central Government and/or to/with other Government agencies, departments, or similar entities (including such entities of other EU Member States) and/or other entities considered as competent authorities in terms of PMLFTR including but not limited to the Financial Intelligence Analysis Unit, the Malta Police Force, the Malta Financial Services Authority, Asset Recovery Bureau and also entities such as credit reference agencies and/or sub-contractors established within the European Union if pertinent to any of the purposes listed in this Privacy Policy (including to/with Our service providers who facilitate the functionality of the Site and/or any service You may require). Personal information will only be shared by Us to provide the services You request from Us or for any other lawful reason (including authorised disclosures not requiring Your consent) such as Our legal obligation to make available electronic copies of the documents which We are required to retain and register in terms of the Companies Act and S.L. 16.17 and S.L. 16.18 and through the system of interconnection of EU Business Registers at: https://e-justice.europa.eu/content_business_registers_at_european_level-105--maximize- en.do).
Any such authorised disclosures will be done in accordance with the Data Protection laws (for example all Our processors are contractually bound by the requirements in the said Data Protection Laws, including a strict obligation to keep any information they receive confidential and to ensure that their employees/personnel are also bound by similar obligations). The said service providers (Our processors) are also bound by a number of other obligations (in particular, Article 28 of the GDPR).
In certain cases, the recipients of Your Personal Data with whom We share Personal Data will not be acting on Our behalf but will be acting in their own capacity as entities/data controllers separate and independent from Us (e.g. Government agencies, Malta Financial Services Authority, Financial Intelligence Analysis Unit etc.). We are not responsible for whatever these entities may do with Your Personal Data and encourage You to read through their respective privacy policies to find out more about how they handle Your Personal Data.
YOUR PERSONAL DATA WILL NEVER BE SHARED WITH THIRD PARTIES FOR THEIR MARKETING PURPOSES.
The third parties who We may disclose to and/or share Your Personal Data with are, at the date of this Privacy Policy, the following:
Category of Recipient | Purpose of Processing |
Cloud Service Providers | Hosting of data under state-of-the-art security protocols and our exclusive control |
IT Service Providers | Maintenance and support of our IT systems/Website(s) – with restricted access and under our strict controls` |
Auditors | Compliance with our auditing obligations – with access granted only to essential Personal Data |
Legal Advisors | Compliance with our legal obligations or when necessary for the establishment, exercise or defence of legal claims. |
Other EU Member State Business Registers under the Business Registers Interconnection System (Directive 2017/1132/EU) and Regulation 2015/884) | Compliance with Our legal obligations |
Other Government agencies, departments or entities (including the Malta Financial Services Authority and the National Statistics Office) Credit Reference Agencies (e.g. Malta Association of Credit Management or CreditInfo, The Malta Police Force) | Compliance with legal obligations, in the public interest and/or Our exercise of official authority as necessary in the public interest
|
Website platform / hosting provider | Wix.com Ltd. (and its affiliated companies), which processes data of visitors/Users of the Site on Our behalf in order to provide and operate the website and related services. |
Payment service provider | Stripe (including Stripe Payments Europe, Limited and/or Stripe, LLC, and their affiliates/sub-processors) for the processing of online payments and related payment operations. |
Professional accreditation bodies (CPE/CPD) (where applicable) | Where an event is accredited for CPE/CPD purposes, We may share the minimum necessary attendee information with the relevant professional accreditation body solely to verify attendance and facilitate the issuance/recording of accreditation. Such bodies will process that information as separate controllers in accordance with their own privacy notices. |
SECURITY MEASURES
The personal information which We may hold (and/or transfer to any affiliates/partners/subcontractors as the case may be) will be held securely in accordance with Our internal security policy and the law.
We use reasonable efforts to safeguard the confidentiality of any and/or all Personal Data that We may process relating to You and regularly review and enhance Our technical, physical and managerial procedures so as to ensure that Your Personal Data is protected from:
Unauthorised access
Improper use of disclosure
Unauthorised modification
Unlawful destruction or accidental loss
To this end We have implemented security policies, rules and technical and organisational measures to protect the Personal Data that We may have under Our control. All Our members, staff and data processors (including specific subcontractors, such as cloud service providers established within the European Union), who may have access to and are associated with the processing of Personal Data, are further obliged (under contract) to respect the confidentiality of Our Users’ or recipients’ Personal Data as well as other obligations as imposed by the Data Protection Laws.
Despite all the above, We cannot guarantee that a data transmission or a storage system can ever be 100% secure. For more information about Our security measures please contact Us in the manner described below.
Authorised third parties, and external/third party service providers acting as Our data processors, with permitted access to Your information (as explained in this Privacy Policy) are specifically required to apply appropriate technical and organisational security measures that may be necessary to safeguard the Personal Data being processed from unauthorised or accidental disclosure, loss or destruction and from any unlawful forms of processing.
As stated above, the said service providers (Our data processors) are also bound by a number of other obligations in line with the Data Protection Laws (particularly, Article 28 of the GDPR).
RETENTION PERIODS
We will retain Your Personal Data only for as long as is necessary (taking into consideration the purpose for which they were originally obtained). The criteria We use to determine what is ‘necessary’ depends on the particular Personal Data in question and the specific relationship We have with You (including its duration).
Our normal practice is to determine whether there is/are any specific EU and/or Maltese law(s) permitting or even obliging Us to keep certain Personal Data for a certain period of time (in which case We will keep the Personal Data for the maximum period indicated by any such law). For example, S.L 386.19, S.L. 16.17 and S.L. 16.18 obliges Us to retain Personal Data relating to beneficial owners until the lapse of five (5) years after the name of the concerned commercial partnership (including companies) and other legal entities has been struck off the register and in the case of a private foundation for ten (10) years.
Incorporation/Declaration Data (as defined above will be kept for as long as the legal entity is active. Once the legal entity is struck off, only minimal information will be kept publicly accessible and this, in line with the principle of data minimisation.
We would also have to determine whether there are any laws and/or contractual provisions that may be invoked against Us by You and/or third parties and if so, what the prescriptive periods for such actions are. In this case, We will keep any relevant Personal Data that We may need to defend Ourselves against any claim(s), challenge(s) or other such action(s) by You and/or third parties for such time as is necessary.
Where Your Personal Data are no longer required by Us (in line with all applicable laws), We will either securely delete or anonymise the Personal Data in question.
Please note that certain laws oblige Us to disclose some Personal Data to other Government entities (for example, the Malta Financial Services Authority and National Statistics Office) or to other EU Member State Central Registries as part of the Central Registers Interconnection System in which case, such entities (as separate controllers) would then determine their own retention policies (which in such cases may be much longer than those described above).
PROCESSING FOR RESEARCH AND STATISTICAL REASONS
Research and statistics using User or recipient information is only carried out so that We may understand Our Users’ and/or recipients’ needs, to develop and improve Our services/activities and/or for tasks carried out in the public interest or under the exercise of official authority representative of MBR’s purpose. In any case, where applicable, We will always ensure to obtain any consent We may legally require from You beforehand. As in all other cases, We will also ensure to implement all appropriate safeguards as may be necessary.
LINKS TO THIRD PARTY SOURCES
Links that We provide to third-party sources (such as websites) are clearly marked and We are not in any way whatsoever responsible for (nor can We be deemed to endorse in any way) the content of such sources (including any applicable privacy policies or data processing operations of any kind). We suggest that You should read the privacy policies of any such third-party sources (including the websites and respective policies or data processing operations of any kind).
COOKIES
When You visit Our Site, We collect certain categories of Personal Data automatically using cookies and similar technologies.
For more detailed information including what cookies are and how and why We process such data in this manner (including the difference between essential and non-essential cookies) please read Our detailed but easy-to-read Cookie Policy.
MINORS
The Site and Our online services (entering into contracts with MBR) are not intended to be used by any persons under the age of eighteen (18) and therefore We will never intentionally collect any Personal Data from such persons unless under a specific legal exemption. If You are under the age of consent, please consult and get Your parent’s or legal guardian’s permission to use the Site and to use Our services.
We shall consider that any Personal Data of persons under the age of eighteen (18) received by Us, shall be sent with the proper authority and that the sender can demonstrate such authority at any time, upon Our request. Provided that persons who have attained the age of sixteen (16) are eligible to be appointed as administrators of voluntary organisations enrolled with the office of voluntary organisations in terms of article 16B(3) of the Voluntary Organisations Act (CAP 492) and hence, are not required to submit authorisation.
With respect to Personal Data of minors that We process as part of Our legal obligations (for example, where a minor or minors appear as shareholder(s) and/or ultimate beneficial owner(s)), such Personal Data will be processed by Us with additional layers of protection as required by law. For example, when members of the public enquire about the beneficial owner of a commercial partnerships (including companies) or other legal entities, should this owner be a minor, We are not obliged to disclose the said information save as otherwise stated above. On the contrary We will examine the facts of the case very carefully before making any disclosure (in whole or in part) and in any case, the general principles of the GDPR will be adhered to at all times.
AUTOMATED DECISION-MAKING
We do not rely on any decisions taken solely by automated means (in other words, without significant human intervention) – including any profiling. Should this position change in the future (and only as We may be legally permitted to do), You will be notified accordingly.
YOUR RIGHTS UNDER THE DATA PROTECTION LAWS
Before addressing any request you make with Us, We may first need to verify Your identity. In all cases We will try to act on Your requests as soon as reasonably possible.
As explained in the Retention Periods section above, We may need to keep certain Personal Data for compliance with Our legal retention obligations but also to complete transactions that You requested prior to the change or deletion that You requested. Your various rights at law include:
Your Right of Access: [RG1]
You may, at any time request Us to confirm whether or not We are processing Personal Data that concerns You and, if We are, You shall have the right to access that Personal Data and to the following information:
What Personal Data We have,
Why We Process Them,
Who We disclose them to,
How long We intend on keeping them for (where possible),
Whether We transfer them abroad and the safeguards We take to Protect them,
What Your Rights are,
How You can make a complaint,
Where We got Your Personal Data from,
Whether We have carried out any automated decision-making (including profiling) as well as related information.
Upon request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.
Your Right to Rectification:
You have the right to ask Us to rectify inaccurate Personal Data and to complete incomplete Personal Data concerning You. We may seek to verify the accuracy of the data before rectifying it.
Your Right to Erasure (The Right to be Forgotten):
You have the right to ask Us to delete Your Personal Data and We shall comply without undue delay but only where:
The Personal Data are no longer necessary for the purposes for which they were collected; or
You have withdrawn Your consent (in those rare instances where We process on the basis of Your consent) and We have no other legal ground to process Your Personal Data; or
You shall have successfully exercised Your right to object (as explained below); or
Your Personal Data has been processed unlawfully; or
There exists a legal obligation to which We are subject; or
Special circumstances exist in connection with certain children’s rights.
In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your Personal Data is necessary:
for compliance with a legal obligation to which We are subject (including but not limited to Our duty to retain an accurate database of commercial partnerships (including companies) and other legal entities records and Our data retention obligations);
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as Your exercise of this right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing;
for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling Us to refuse erasure requests although the three instances above are the most likely grounds that may be invoked by Us to deny such requests.
Your Right to Data Restriction:
You have the right to inform Us to restrict (that is, store but not further process) Your Personal Data but only where:
The accuracy of Your Personal Data is contested (see the right to data rectification above), for a period enabling Us to verify the accuracy of the Personal Data; or
The processing is unlawful, and You oppose the erasure of Your Personal Data; or
We no longer need the Personal Data for the purposes for which they were collected but You need the Personal Data for the establishment, exercise or defence of legal claims; or
You exercised Your right to object and verification of Our legitimate grounds to override Your objection is pending.
Following Your request for restriction, except for storing Your Personal Data, We may only process Your Personal Data:
Where We have Your consent (if any exists); or
For the establishment, exercise or defence of legal claims; or
For the protection of the rights of another natural or legal person; or
For reasons of important public interest.
Your Right to Data Portability:
You have the right to ask Us to provide Your Personal Data (that You shall have provided to Us) to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it ‘ported’ directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall apply in relation to where:
the legal basis is consent or contract and
the processing is carried out by automated means.
(Portability is separate from the rights below. It does not apply to all processing—only the above scenarios.)
Your Right to Withdraw Consent (when We rely on consent) In the rare instances where We may have relied on Your consent to process Your Personal Data (which, in any case, We would have obtained in the manner required by the GDPR), You may withdraw any such consent at any time in a manner that is as easy as when You first provided the said consent to Us.
Your Right to Object to Certain Processing
In those cases where We only process Your Personal Data when this is;
1.) necessary for the performance of a task carried out in the public interest or in the exercise of Our official authority, OR
2.) when processing is necessary for the purposes of the legitimate interests pursued by a third party,
You shall have the right to object to processing of Your Personal Data by Us. Where an objection is entered, the processing of data shall cease, unless We as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections You may have raised.
For the avoidance of all doubt, when We process Your Personal Data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which We are subject or when processing is necessary to protect Your vital interests or those of another natural person, this general right to object shall not subsist.
Your Right to Lodge a Complaint
You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner ‘’IDPC’’).
We kindly ask that You please attempt to resolve any issues You may have with Us first even though, as stated above, you have a right to contact the competent authority at any time.
WHAT WE MAY REQUIRE FROM YOU
As one of the security measures We implement, before being in the position to help You exercise Your rights as described above, We may need to verify Your identity to ensure that We do not disclose to or share any Personal Data with any unauthorized individuals.
TIME LIMIT FOR A RESPONSE
We try to reply to all legitimate requests within one month from receiving them. In some particular cases (for example, if the matter is particularly complex or if You send Us multiple requests), it may take Us longer than a month. In such cases, We will notify You accordingly and keep You updated.
MBR DETAILS
The Malta Business Registry is a Government Agency registered in Malta whose address is Malta Business Registry, AM Business Centre, Triq il-Labour, Zejtun ZTN 2405, Malta and is the data controller responsible for processing Your Personal Data that takes place via the Site or in the manner explained above (or in one of Our condensed privacy policies or notices that directed you here).
If you have any questions/ comments about privacy or should you wish to exercise any of your individual rights, please contact Us at: info.mbr.@mbr.mt or by writing to Malta Business Registry, AM Business Centre, Triq il-Labour, Zejtun ZTN 2405 or by phoning Us using telephone number (+356) 2258 2300 (during normal office hours Monday – Thursday: 09:00 – 12:00 & 13:00 – 14:30 and Friday: 09:00-13:00) or by contacting Our Data Protection Officer directly at dpo.mbr@mbr.mt
UPDATES
We reserve the right, at Our complete discretion, to change, modify, add and/or remove portions of this Privacy Policy at any time. If you are an existing natural person with whom We have a contractual relationship you shall be informed by Us of any changes made to this Privacy Policy (as well as other terms and conditions relevant to the Site). We shall also archive and store previous versions of the Privacy Policy for Your review.
As a User of the Site with which We have no contractual relationship or even a lawful way of tracing, it is in your interest to regularly check for any updates to this Privacy Policy (which are usually deemed to be effective on the date they are published on the Site), in the event that Our attempts to notify you of of such updates do not reach you.