DATA PROTECTION POLICY
Pick Mister Ltd (hereinafter referred to as the “Company”) shall endeavour to comply with the applicable laws related to the General Data Protection Regulation (GDPR 2016/679) in the countries where the Company operates.
This Policy sets forth the basic principles by which the Company collects, retains, transfers, discloses and disposes the Personal Data of consumers, customers, suppliers, business partners, employees, users, visitors to the website and other individuals (hereinafter referred to as the “Data Subjects”), and indicates the responsibilities of its business departments and employees while processing personal data.
This Policy applies to the Company and its subsidiary companies whether directly or indirectly controlled within the European Economic Area (EEA) or processing Personal Data of Data Subjects within the EEA.
The Company ensures that, for any Personal Data of Data Subjects transferred outside of the EU and EEA countries or to an international organisation, the legal regime is deemed to provide an “adequate” level of Personal Data protection as stipulated by the European Commission.
The Company warrants that all Personal Data of the users of its services and visitors of the website Pickmister.com is processed under the applicable regulations governing the protection of Personal Data (GDPR 2016/679).
Personal Data is processed only when there is a legal basis for such an act: legal obligation, contractual relationship, user consent, protection of key user interests, or legitimate interest of the Company.
- Why this Policy exists
This data protection policy ensures Pick Mister Ltd:
- Complies with data protection law and follows good practice.
- Protects the rights of staff, customers and partners.
- Is open about how it stores and processes individuals’ data.
- Protects itself from the risk of a data breach.
The following terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing Activity/ies”, “Pseudonymisation”, “Cross-Border processing of Personal Data”, “Supervisory Authority” used in this document shall have the same meaning as in the GDPR.
- Basic Principles Regarding Personal Data Processing
The Company shall adhere to Article 5(2) of the GDPR which stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Personal Data must:
1. Be processed fairly and lawfully;
2. Be obtained only for specific, lawful purposes;
3. Be adequate, relevant and not excessive;
4. Be accurate and kept up to date;
5. Not be held for any longer than necessary;
6. Be protected in appropriate ways;
And the Company must:
7. Be accountable;
8. Disclose information;
9. Not transfer Personal Data outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection;
10. Process Data in accordance with the rights of Data Subjects;
- Lawfulness, Fairness and Transparency
The Company shall ensure that the Personal Data in relation to Data Subjects is processed lawfully, fairly and in a transparent manner.
- Purpose Limitation
The Company shall collect Personal Data for specified, explicit and legitimate purposes such as the prevention of money laundering and the funding of terrorist activity and will not further process Personal Data in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be deemed incompatible with the initial purposes.
- Data Minimisation
The Company shall keep Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. The Company shall apply anonymisation or pseudonymisation to Personal Data where possible to reduce the risks to the Data Subjects.
- Accuracy of Personal Data
The Company strives to keep Personal Data accurate and, where necessary, up to date. The Company shall take reasonable steps to ensure that Personal Data is accurate, having regard to the purposes for which it is processed, and any inaccurate Personal Data shall be erased or rectified without undue delay.
- Personal Data Retention
The Company warrants that the Personal Data will not be kept for longer than is necessary and only kept for the purposes for which it is processed.
Taking into account the state of technology and other available security measures, the implementation cost, and the likelihood and severity of Personal Data risks, the Company endeavours to use appropriate technical or organisational measures to process Personal Data in a manner that ensures appropriate security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorised access, or disclosure.
The Company shall be responsible for and be able to demonstrate compliance with the principles outlined above.
- Disclosure of Information
In the event that the Company uses a third-party supplier or business partner to process Personal Data on its behalf, the Company shall ensure that this processor will provide security measures to safeguard Personal Data that is appropriate to the associated risks.
The Company shall endeavour to ensure that the supplier or business partner provides the same level of data protection. The Company shall ensure that the supplier or business partner processes Personal Data only to carry out its contractual obligations towards the Company or upon the instructions of the Company, and not for any other purposes.
When the Company processes Personal Data jointly with an independent third party, the Company will explicitly specify the respective responsibilities of the Company and the third party in the relevant contract or any other legally binding document, such as the Supplier Data Processing Agreement.
- Cross-border Transfer of Personal Data
The Company shall ensure that, before transferring Personal Data out of the European Economic Area (EEA), adequate safeguards are used, including but not limited to the signing of a Data Transfer Agreement/Addendum, as required by the European Union. Authorisation may be obtained from the relevant Data Protection Authority where required. Furthermore, the entity receiving the Personal Data shall comply with the principles of Personal Data processing set forth in the Cross-Border Data Transfer Procedure.
- Rights of Access by Data Subjects
The Company, acting as Data Controller, shall provide Data Subjects with a reasonable access mechanism to enable them to access their Personal Data. The Data Subject shall be allowed to update, rectify, erase, or transmit their Personal Data, if appropriate or as required by law.
i. Notices to Data Subjects
At the time of collection or before collecting Personal Data for any kind of Processing Activities including but not limited to selling products, services, or marketing activities, the Company shall inform the Data Subjects of the following:
- the types of Personal Data collected;
- the purposes of the processing and the processing methods;
- the Data Subjects’ rights with respect to their Personal Data;
- the retention period including any potential international data transfers;
- if data will be shared with third parties; and
- the Company’s security measures to protect Personal Data.
This information shall be provided through a Privacy Notice. All Data Subjects, regardless of the type and legal basis of processing, may file a complaint against Personal Data processing at this email address: firstname.lastname@example.org
Where Personal Data is being transferred to a third country, the Privacy Notice should reflect this and clearly state to where, and to which entity Personal Data is being transferred.
ii. Data Subject’s Consent
The Company shall ensure that, whenever Personal Data is processed, such processing is carried out based on the Data Subject’s consent or other lawful grounds. The Company shall retain a record of such consent.
The Company shall provide Data Subjects with different options to provide their consent, and must inform Data Subjects that, and ensure that, their consent (apart from whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
iii. Fair Processing Guidelines
Personal Data will only be processed when explicitly authorised by the Company.
It is in the Company’s remit to decide whether to perform the Data Protection Impact Assessment (DPIA) for each data processing activity following the Data Protection Impact Assessment Guidelines.
iv. Right to be forgotten
Upon request, Data Subjects have the right to have their Personal Data erased by the Company. The Company, acting as a Controller, will take all necessary actions (including technical measures) to inform third-party Data Processors so that they comply with the request.
v. Data Portability
Data Subjects have the right to receive, upon request, a copy of the Personal Data they provided to the Company in a structured, commonly used and machine-readable format, and to transmit such Data to another Controller, free of charge. The Company shall endeavour to ensure that such requests are processed within one month, provided that the request is not excessive and does not affect the rights of other individuals in respect of their Personal Data.
vi. Disposal of Personal Data
When the Company receives requests from Data Subjects to dispose of Personal Data records, the Company shall ensure that these requests are handled within a reasonable time frame. The Company shall keep a record, including a log, of these requests.
The Company shall also strive to obtain adequate disposal mechanisms to ensure no Personal Data is leaked outside of the organisation.
The Company shall maintain the accuracy, confidentiality and relevance of Personal Data based on the processing purpose. The Company shall ensure that adequate security mechanisms designed to protect Personal Data will be used to prevent Personal Data from being stolen, misused or abused, and to prevent Personal Data breaches.
The Company shall be responsible for the requirements in this section and for ensuring that any present and future collection, retention, transfer, disclosure and disposal methods are compliant with relevant law, good practices and industry standards.
- The Company’s Responsibilities
The Company shall ensure appropriate Personal Data processing from all its employees and all those who have access and process data on behalf of the Company. Everyone who works for or with the Company has some responsibility for ensuring that Personal Data is collected, stored and handled appropriately. Each team that handles Personal Data must ensure that it is handled and processed in line with this Policy and data protection principles.
However, these people have key areas of responsibility:
- The board of directors is ultimately responsible for ensuring that the Company meets its legal obligations.
- The Data Protection Officer or person in charge, Michael M., is responsible for:
- Keeping the board updated about data protection responsibilities, risks and issues;
- Reviewing all data protection training and advice for the people covered by this Policy;
- Arranging data protection training and advice for the people covered by this Policy;
- Handling data protection questions from staff and anyone else covered by this Policy;
- Dealing with requests from individuals to see the data the Company holds about them (also called ‘subject access requests’ [SAR]);
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- The IT Manager is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards;
- Performing regular checks and scans to ensure security hardware and software is functioning properly;
- Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.
- The Marketing Manager is responsible for:
- Approving any data protection statements attached to communications such as emails and letters;
- Addressing any data protection queries from journalists or media outlets like newspapers;
- Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
- Personal Data collected
Use of Web Page: Pickmister.com and Elmister.com
The Company collects information from the visitors and users of the website in order to better understand the needs of users and to improve its products and services.
The following data is collected for the above stated purposes:
- Time and date of the page visit
- Visited pages
- Type and version of the Internet browser
- Visitor’s IP address.
- Data Subject’s Registration
While registering a user, the Company shall collect the following information:
We may collect personal identification information from Data Subjects in a variety of ways, including, but not limited to, when Data Subjects visit our site, register on the site, place an order, subscribe to the newsletter, respond to a survey, fill out a form, and in connection with other activities, services, features or resources we make available on our site. Data Subjects may be asked for, as appropriate, name, email address, mailing address, phone number, credit card information, and social security number. Data Subjects may, however, visit our site anonymously. We will collect personal identification information from Data Subjects only if they voluntarily submit such information to us. Data Subjects can always refuse to supply personal identification information, except that it may prevent them from engaging in certain site-related activities.
- Data Subject’s Support
The Company shall provide its users with user support by email with an agent. A username and email address shall be necessary to sign up for online chat. The data collected in this manner shall be processed exclusively for the purpose of providing user support.
The Company, in compliance with the given consent, may periodically notify Data Subjects of the new benefits of the Company. The Data Subject may always decide to decline to receive the above notifications and may cancel the service by sending an e-mail to email@example.com
- Personal Data Users
Personal Data is also passed on to trusted partners and/or third parties (Data Processors/Sub-Processors) for the purpose of providing user support, information system maintenance or similar needs. The Company shall keep the Data Subjects informed and ensure that these trusted partners and/or third parties abide by the mandatory data protection measures.
Prior to any Personal Data transmission, the Company shall ensure that the legal regime is deemed to provide an “adequate” level of Personal Data protection as stipulated by the European Commission.
During such data transmission the Company shall take all appropriate organisational, technical and legal protection measures.
- Response to Personal Data Breach Incidents
When the Company learns of a suspected or actual Personal Data breach, the Company shall perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of Data Subjects, the Company will notify the relevant Supervisory Authorities without undue delay and, when possible, within 72 hours from when it learns of such breach.
- Audit and Accountability
The administration department or other relevant department is responsible for auditing how well business departments implement this Policy.
Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.
- Governing Law
This Policy is intended to comply with the laws and regulations in the place of establishment and of the country in which the Company operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
- Personal Data Protection Contact
Requests, complaints or inquiries relating to the processing and protection of Personal Data can be sent to the e-mail address: firstname.lastname@example.org
In accordance with the applicable legal regulations governing the protection of Personal Data, each request/inquiry will be resolved without undue delay and at the latest within 30 days of receipt.
When you contact us with such requests, we will invest reasonable efforts to confirm your identity and to prevent unauthorised Personal Data processing.
- Changes to this Policy
As the Company evolves, there may be a need to update this Policy to keep pace with changes to the website, software, services, business and Applicable Laws. The Company will, however, always maintain its commitment to respect the Data Subject’s privacy. The Company ensures that it will notify the Data Subjects of any material changes under this Policy by email (to the most recent email address provided by the Data Subject) or post any other revisions to this Policy, along with their effective date, in an easy-to-find area of the website.
This document was updated on March 27, 2019 and is effective from that date.
Contact: Data Protection Officer
Company Address: 23, Office 2, Triq Giuseppe Calleja, Swatar, Malta