Table of Contents
1. Foreword 4
2. Personal data 4
3. Processing of personal data 5
4. Maintaining and keeping your data 6
5. Security of your personal data 7
6. Sharing your personal data 7
7. Your data protection rights 8
8. Data Protection Officer 9
Astra Consulting Malta Limited (hereinafter referred to as “ACM”) is committed to protecting our customer privacy and takes its responsibility regarding the security of customer information very seriously.
ACM, having its company registration number C50423 and registered office at 36, Fl3, Abbate Savoia Street, NXR1141, Naxxar, Malta is the entity responsible for the collection and processing of personal data for the purposes set out below:
ACM has adopted the best practices in personal data security and protection.
2. Personal data
Personal data means any information relating to you which allows us to identify you, such as but not limited to, your name, gender, nationality, home address, passport or ID number, bank records and personal references.
Personal data shall be:
• processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
3. Processing of personal data
In our role as an corporate services provider, licensed by the Malta Financial Services Authority (hereinafter referred to “MFSA”), most of the data required and collected will be determined by the rules and regulations imposed by the MFSA and/or the Malta Business Registry (hereinafter referred to “MBR”), pertinent at the time of data collection and the need for ongoing data collection.
Your data may be used for the following purposes:
• Providing the products and services you request. We use the information you give us to perform the services you have asked for in relation to setting up companies, opening bank accounts, running and administrating companies, providing bookkeeping and financial services and communicating with the various financial and legal authorities as detailed under law.
• Invoicing and payment for our services.
• Managing our relationship with you as our customer and to improve our services to you.
• Administrative or legal purposes as directed by the relevant authorities and the MFSA and MBR.
• From time to time we will contact you with information we believe may be of interest to you. You will be given the opportunity on every e-communication that we send you to indicate that you no longer wish to receive our marketing material.
Processing shall be lawful only if and to the extent that at least one of the following applies:
• the data subject has given consent for the processing of his or her personal data for one or more specific purposes;
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which ACM is subject;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in ACM;
• processing is necessary for the purposes of the legitimate interests pursued by ACM or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. In case where the data subject is a child, as additional safeguard the consent for processing of the holders of the parental responsibility is to be obtained.
Where processing is based on consent, ACM shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
4. Maintaining and keeping your data
We will not retain your data for longer than is necessary to fulfil the purpose it is being processed for.
We must also consider periods for which we might need to retain personal data in order to meet our legal obligations under the legal requirements of the MFSA the Financial Services Authority (hereinafter referred to the “FIAU”), and other Maltese regulatory bodies and or to deal with complaints, queries and to protect our legal rights.
We are required to keep your data for a minimum period of 5 years after the end of the business relationship.
When we no longer need your personal data, we will securely delete or destroy it.
Your personal data will be processed and stored in electronic means and paper format. ACM follows strict security procedures in the storage and disclosure of your personal data.
We ensure the security and protection of personal data submitted by adopting the appropriate measures necessary. Namely: (a) password protection, (b) cloud encryption, (c) physical entry restrictions to the premises where the personal data storage servers are located, (d) firewalls, (e) secure communication via https protocol.
These security measures are reviewed and updated as appropriate. If, for any reason, there is a breach of security or violation of personal data, ACM undertakes to notify the relevant authorities without undue delay and to report the violation of personal data to the respective holder of said data in accordance with the applicable legislation.
6. Sharing your personal data
ACM may share your personal data with government authorities, enforcement bodies and regulators where appropriate and required and as directed by law.
In the course of its business, ACM may use third parties to provide certain services (located inside or outside the European Union), which may imply, in some cases, access by said entities to personal data of our clients. Where third parties are not located in countries that have an adequacy decision by the European Union, appropriate technical and organisational measures, based on the Standard Contractual Clauses, will be in place to ensure secure transfer and (sub-)processing of data.
ACM undertakes to take the necessary and appropriate measures to ensure that entities that have access to such personal data are reputed and offer high guarantees in this regard. In any case, ACM remains responsible for the processing of personal data.
ACM may share your personal data if specified in the Customer Service Agreement, sharing will be restricted to Astra Assurance Limited for providing audit services.
7. Your data protection rights
The data subject shall have the right to obtain from ACM, confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
ACM shall provide a copy of the personal data undergoing processing.
For any further copies requested by the data subject, ACM may charge a reasonable fee based on administrative costs.
Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy referred to in the above shall not adversely affect the rights and freedoms of others.
8. Data Protection Officer
ACM has not appointed a Data Protection Officer since the customers of ACM are corporate customers and the operations of ACM do not consist of processing personal information on a large scale.
You have the right to make a complaint at any time to the board of Directors or a supervisory authority.
We open your company in Malta in 2 to 5 working days.
We keep things simple so you understand the process.
We are easy to deal with and always available for you.