Privacy Notice for Entities exchanging information with Enemalta plc
Enemalta plc (“Enemalta” or “We” or “Us” or “Our”) is a Maltese public limited company bearing registration number C 65836 and having its registered address at Triq Belt il-Ħażna, Marsa, MRS 1571, Malta.
This Privacy Notice applies to Enemalta’s processing of personal data relating to entities (natural persons and/or companies) (hereinafter referred to as Entity or Entities) which:
i) May prospectively enter into a contract for the provision of works and/or goods and/or property and/or services and/or lease (hereinafter collectively referred to as ”) to Enemalta;
ii) Have entered into a contract for the provision of deliverables to Enemalta;
iii) May prospectively enter into a contract for the provision of deliverables from Enemalta;
iv) Have entered into a contract for the provision of deliverables from Enemalta;
v) Have damaged Enemalta assets, and for which Enemalta is making a claim for reimbursement; and
vi) Had assets damaged by Enemalta infrastructure/services/operations and are making a claim for reimbursement.
If you are data subjects whose relation to Us is in relation to the provision of electricity service, please refer to the Privacy Notice for Electricity Customers, available at https://www.enemalta.com.mt/uncategorised/privacy-notices/.
References to “you” or “your” shall accordingly be deemed to refer to the Entities’ data subjects, including but not limited the people employed, contracted or otherwise engaged by such Entities.
We are committed to respecting your privacy. If you have questions about Our processing of your personal data, you may contact Enemalta at the address Central Administration Building, Church Wharf, Marsa, MRS 1000, or by email at [email protected] or by telephone on +356 8007 2224.
Enemalta’s Data Protection Officer may also be contacted at Central Administration Building, Church Wharf, Marsa MRS 1000, or by email at [email protected] and +356 22980583.
Please read this Privacy Notice carefully to understand Our practices with respect to your personal data.
1. Updates
We may update this Privacy Notice at Our sole discretion including as a result of a change in applicable law or processing activities. Any such changes will be communicated to you prior to the commencement of the relevant processing activity.
2. What amounts to personal data?
The term “personal data” refers to all information through which you can be personally identified or identifiable, such as name, surname, address and billing information.
3. How do We collect personal data?
We typically collect your data:
• From you (or your employer/person who engaged you) directly as part of the process of entering into a contract with Us such as through forms, contracts, business cards, correspondence and information submitted in tenders and request for quotation; and
• Through information which arises in the course of Our working relationship with the Entity.
We might also collect your data from third parties as part of the process of entering into a commercial contractual relationship with Us or during the duration of Our contractual relationship such as through credit checks or trade references. Information from public sources might also be collected about you.
4. What personal data do We process?
The personal data that We collect and process generally but not only relates to:
• Personal details such as names, surnames, date and place of birth and ID/Passport numbers;
• Personal details of father and mother such as name and surname;
• Contact details such as address, telephone/mobile numbers and email;
• Documentation relating to your identity such as ID/Passport copies;
• Photos and documents illustrating/outlining your assets such as property and vehicles that are required to investigate and process your claims for damages in connection with Our infrastructure, services and operations;
• Work location;
• Work times;
• Car registration numbers;
• Documentation relating to your experience, qualifications and skills such as CVs, warrants and educational certificates;
• Financial information such as bank account details, tax details, dues on Automated Revenue Management Services Limited’s (ARMS’) accounts;
• Personal data that We collect and process as a result of legal obligations imposed on Us;
• Any information which is voluntarily provided to Us by you or by the Entity; and
• Security information when you visit Our premises such as through CCTV, Visitor
Management Systems and number plate recognition system. For more information in this respect, please refer to Our Privacy Notice for Visitors available at https://www.enemalta.com.mt/uncategorised/privacy-notices/.
5. How do We use your personal data?
Irrespective of the manner that We have collected your personal data, We will only process such data for the purposes of the relationship with the Entity or for purposes which are inherently related thereto, including the fulfilment of any legal or regulatory obligations imposed on Us.
Typically, your personal data will be processed for:
• Contacting the Entity to possibly engage in a working business relationship with Us;
• Evaluation of suitability of deliverables prior to entering into a commercial contract with the Entity;
• Management of Our relationship with the Entity including performance of the contract therewith and steps necessary to enter into or amending such contract;
• Billing, invoicing, debtor transaction processing and debt collection (including set-offs for electricity dues with ARMS as Our Processor, where applicable);
• Supporting the relationship with the Entity;
• General administration purposes;
• Compliance and reporting;
• Defending Ourselves in the event of a legal claim or dispute;
• Processing of claims submitted by you in relation to damages sustained on your assets due to Enemalta’ s infrastructure, services or operations;
• The purposes which you or the Entity requested when providing the data to Us;
• The purpose of a legitimate interest pursued by Us or by a third party, provided such interest is not overridden by your interests, fundamental rights and freedoms; and
• Any other purposes imposed or permitted by law which are inherently related to the relationship with the Entity.
6. Legal Basis
We primarily process your personal data for the performance of our contract with the Entity, including any steps which may be necessary to enter into such contract (such as tenders).
We may also process personal data on the following legal basis:
• Compliance with legal obligations imposed on Us – in particular obligations imposed on Us as a result of financial or environmental legislation and health and safety;
• To protect Our or a third party’s legitimate interests – in particular interests which may arise directly or indirectly in relation to the execution of the contract with Enemalta. This can also include any claims for damages to/from third parties for damages to/by Our infrastructure/services/operations. When We process your personal data on the basis of Our legitimate interests, We ensure that the legitimate interests pursued are not overridden by your interests, rights and freedoms;
• For the purposes of establishing, exercising or defending legal proceedings; and
• For the purposes of public interests in providing Our electricity services which is a critical universal service.
Note that special categories of personal data include data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, sexual orientation and data related to your conviction and offences. Processing special categories of your personal data is not envisaged unless We have reason to institute proceedings or investigations with respect to theft of Our services. Should the processing of special categories of personal data become envisaged, We will ensure that We have additional grounds for such processing.
7. Recipients
We may share your personal data with third party recipients who typically are:
• selected individuals within Our companies, on a need-to-know basis;
• any service providers that may require access to your personal data in rendering Us with their services, including legal, accounting, billing, audit, insurance providers, consultants, and IT service providers;
• Banks;
• Local regulatory authorities or agencies such as Regulator for Energy and Water Services;
• Authorised consultative bodies and agencies dealing with financial and accounting matters including the Court of Auditors, Financial Irregularities Panel, Internal Audit Service and AntiFraud Office; and
• third parties, including but not limited to governmental institutions and authorities that may be of an executive, judicial or legislative nature, to whom disclosure may be required as a result of legal obligations imposed on Us.
We are a member (‘Member’) of a registered Credit Referencing Agency (‘CRA’) in Malta. The Member shall process Personal Data found herein according to applicable legislation, particularly, the Regulation [EU] 2016/679 (‘GDPR’) as well as the Data Protection Act, amongst others. If you as our client is in default of Our agreement, the Member has the right to pass on any of your personal information to the CRA as well as to any legally entitled third party.
Where such a disclosure is carried out, the relevant CRA, shall be deemed to be a Data Controller of the personal data it processes within its systems, in pursuance of its legitimate interests, such as promoting responsible lending, amongst others.
We do not share your personal data with any entity located outside of the EU or EEA unless required to do so at law.
8. Automated Decision-Making and Profiling
Your personal data will not be used for any decision solely taken on the basis of automated decision making processes, including profiling.
9. Data Retention
We retain your personal data exclusively for the period in which We may lawfully retain your personal data. Thereafter, your personal data shall be immediately and irrevocably destroyed. Typically, due to the contractual relationship with the Entity, We retain personal data for up to five (5) years from the end of Our contractual relationship with the Entity on the basis of Our legitimate interests to protect Ourselves from civil cases which might institute against Us in relation to such contractual relationship.
As a result of legal obligations imposed on Us, personal data related to accounting, transactions and tax records may be kept for up to ten (10) years.
We may have a legitimate interest to hold your data for longer periods such as when your data is required for exercising or defending legal claims.
10. Your Rights
For as long as We retain your personal data, you may exercise certain rights in relation to your personal data including:
– Right of access – you have the right to ascertain the personal data We hold about you and to receive a copy of such personal data;
– Right to Erasure – in certain circumstances you may request that We delete the personal data that We hold on you, or you withdraw your consent for Us to hold your personal data;
– Right to Object – you have a right to object and request that We cease the processing of your personal data where we rely on Our, or third party’s legitimate interests for processing your personal data or a task carried out in the public interest;
– Right to Portability – you may request that We provide you with certain personal data which you have provided Us in a structured, commonly used and machine-readable format. Where technically feasible, you may also request that We transmit such personal data to a thirdparty controller indicated by you;
– Right to Rectification – you have the right to update or correct any inaccurate personal data which We hold about you;
– Right to Restriction – you have the right to request that We stop using your personal data in certain circumstances including if you believe that We are unlawfully processing your personal data or the personal data that We hold about you is inaccurate; and
– Right to be informed of the source – where the personal data We hold about you was not provided to Us directly by you, you may also have the right to be informed of the source from which your personal data originates.
Your rights in relation to your personal data are not absolute. You will not have to pay a fee to access your personal data (or to exercise any of the other rights specified above). However, We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, We may refuse to comply with your request in these circumstances. We may need to request specific information from you to help Us confirm your identity and ensure the exercise of your rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up Our response.
11. Keeping your data secure
We take pride in keeping your data secure and will take appropriate technical and organisational measures to protect your data against unauthorised or unlawful processing, storage or access, including against accidental loss or destruction. Your personal data will be stored in paper files or electronically on Our technology systems or those of Our IT service providers.
12. Complaints
If you have any complaints regarding Our processing of your personal data, please note that you may contact Us or Our Data Protection Officer at the details indicated above. You also have a right to lodge a complaint with the Office of the Information and Data Protection Commissioner in Malta (www.idpc.gov.mt).
____________________________ _______________________________________
Company Name Name and Surname of Company Representative
____________________________ ____________________________
Signature Date