PERSONAL DATA PROCESSING POLICY
Valid from July 27, 2019.
1.1. This personal data processing policy is drawn up in accordance with the requirements of the Federal Law of July 27, 2006. No. 152 Federal Law “On Personal Data” and Regulation (EU) 2016/679 (GDRP) (please carefully read the information below in English) and determines the procedure for processing personal data and measures to ensure the security of personal data in the commercial project Natalia Coleiro registered at 126, FATIMA APTS,Fl 1 Triq San Pawl, Zurrieq ZRQ 1632 Malta (hereinafter referred to as the Operator).
1.2. The operator sets as his most important goal and condition for the implementation of his activities the observance of the rights and freedoms of man and citizen when processing his personal data, including protecting the rights to privacy, personal and family secrets.
1.3. This Operator policy regarding the processing of personal data (hereinafter referred to as the Policy) applies to all information that the Operator can receive about visitors to the website https://maltatravelguide.pl/
1.4. By this Regulation, the recipient of the Operator’s services or the visitor of the Site as the subject of personal data is notified and gives his consent about the objective need arising in the process of the operation of the Site and the receipt of the Operator’s services to allow access to your personal data or third party data in whose interests the visitor of the Site acts as the recipient of the Operator’s services , for the software of the Operator and third parties (partners or service providers of the Operator). This access is provided solely for the purposes defined by this Regulation.In case of disagreement of the subject of personal data in whole or in part with the terms of this Regulation – the use of the Site and its services should be immediately stopped.
1.5. The main concepts used in the Policy:
- Automated processing of personal data – processing of personal data using computer technology;
- Blocking of personal data – temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);
- Website – a set of graphic and information materials, as well as computer programs and databases, ensuring their availability on the Internet at the network address https://maltatravelguide.pl/
- Personal data information system – a set of personal data contained in databases, and ensuring their processing of information technologies and technical means;
- Anonymization of personal data – actions, as a result of which it is impossible to determine without the use of additional information the ownership of personal data to a specific User or other personal data subject;
- Personal data processing – any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;Operator – a legal entity or an individual, independently or jointly with other persons, organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
- Personal data – any information relating directly or indirectly to a specific or determined User of the website https://maltatravelguide.pl/ or to the recipient of the Operator’s services;
- User, subject of personal data – any visitor to the website https://maltatravelguide.pl/ who provides his personal data, including when receiving the services of the Operator;
- Provision of personal data – actions aimed at disclosing personal data to a specific person or a certain circle of persons;
- Dissemination of personal data – any actions aimed at disclosing personal data to an undefined circle of persons (transfer of personal data) or familiarizing oneself with personal data of an unlimited circle of persons, including disclosing personal data in the media, posting on information and telecommunication networks or providing access personal data in any other way;Cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state, to a foreign state authority, to a foreign individual or foreign legal entity;
- Destruction of personal data – any actions as a result of which personal data is irrevocably destroyed with the inability to further restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.
2. Composition of personal data
2.1. The Operator may process the following personal data of the User
- Surname, first name, patronymic (last name and first name);
- Phone number;
- E-mail address;
- data of a foreign passport and permits for visiting the respective country of residence in the form of a scanned copy (photocopy) of the relevant documents of both the User and minors, whose interests he represents as the legal guardian.
The above data are further incorporated in the text of the Policy by the general concept of Personal Data.
2.2. The Operator does not intentionally process the personal data of minors, unless it is necessary to obtain such information in order to properly fulfill obligations to the User who purchased the corresponding Project service in the interests of minors, of which they are legal representatives.
The provision referred to in this paragraph equally means that:
a) any decisions regarding the processing of personal data of minor children by the Operator are made only by the relevant decision (consent) of their legal representative.
b) the responsibility for the actions of minor children, including their purchase of services on the Site, lies with the legal representatives of minors. All visitors under the age of 18 are required to obtain permission from their legal representatives before providing the Operator with any personal information about themselves.
c) if the Operator becomes aware that he has received personal information about a minor without the consent of legal representatives, such information will be deleted as soon as possible. In this case, the Operator is not responsible for the failure to provide (improper provision) of services in favor of the minor User, for which the consent of his legal representatives was not obtained in the prescribed manner.
2.3. The collection and processing of any special categories of personal data, such as information about nationality, religious or philosophical beliefs, sexuality, sexual orientation, political beliefs, information about health and genetic and biometric data, information about criminal sentences and crimes, the Operator does not carried out.
The personal data subject may at any time change the settings of his browser so that all cookies are blocked or notification of their sending is carried out. In this case, the subject must understand that some of the functions and services of the Project will not be able to work properly.
3. Purpose of processing personal data
3.1. The processing of personal data is carried out for the following purposes:
a) for the proper execution of the contract for the provision of services (another contract) concluded between the Operator and the User;
b) to identify the subject of personal data;
c) to improve and personalize the services of the Operator;
d) for the provision of advertising and marketing materials of the Operator, including via email and sms mailing to email and phone numbers indicated by the relevant subject of personal data when filling out subscription forms (service orders) on the Operator’s website;
e) to detect, prevent, mitigate the consequences and investigate fraudulent or illegal actions against the Operator, including with the aim of protecting the legal rights and interests of the Operator.
3.2. Only those personal data that meet the purposes of their processing are subject to processing (clause 3.1.). Personal data cannot be used for the purpose of causing property and moral harm to the subjects of personal data.
4. Legal grounds for the processing of personal data
4.1. All personal data is provided (collected) directly from the subject of personal data or their legal representatives. The subject independently makes a decision on the provision of personal data and agrees to their processing by the Project freely, by his will and in his interest.
4.2. The consent specified in clause 4.1 of these Regulations also means the consent of the subject to transfer to third parties, to the order to process his personal data by third parties, the consent of the subject to cross-border data transfer via the Internet (when such transfer is necessary for the effective provision of services by the Project or is necessary for achievement of other goals established by this Regulation), as well as to receive email and sms mailings within the framework of a service agreement concluded with the Operator.
At the same time, under the cross-border data transfer, the Parties understand the transfer of data to third parties both in countries with an adequate level of data protection, and not related to such countries. The necessary level of protection of personal data in any case is provided by the Operator by observing the conditions specified in this Regulation.
4.3. Consent to the processing of personal data is provided when filling out special subscription forms on the Operator’s website, when filling out an application for the conclusion of an appropriate contract for the provision of services (accepting a public offer) or directly when paying for services under this contract (accepting a public offer) by ticking a special box “Checkbox” “I agree to the processing of my personal data” or by indicating a different notice similar in meaning. However, separate written consent is not required.
4.4. For the convenience of using the Site or receiving the Operator’s services, personal data can be obtained automatically using special software, including from third parties (for example, social networks) with notification of the personal data subject before sending a request for their receipt in this way and for what goals.
4.5. Consent to the processing of personal data can be revoked by the subject of personal data at any time by contacting the project support service email@example.com
In this case, in case of withdrawal of consent to the processing of personal data:
- The project does not guarantee that in the event of such an appeal, the services of the Project that had not yet been provided at the time of receipt of the said review will be provided properly.
- Remote data can be stored in third-party systems: in the cache, search engines, interconnected proxy servers, etc.
5. Duration of processing personal data
5.1. The time period for processing personal data is determined by the purposes of their receipt and processing and, as a general rule, is unlimited.
5.2. For certain categories of data necessary for the execution of a contract for the provision of services for a fee or another contract between the Operator and the User, such as data of a foreign passport and visa to visit the respective country of residence in the form of a scan copy (photocopy) of the relevant documents, the processing time for this information is limited by the term fulfillment of obligations under the relevant Agreement.
6. Rights and obligations of the parties in the processing of personal data
6.1. Personal data subjects are obliged to provide the Operator with only reliable personal data and notify in a timely manner of a change in their personal data. At the same time, the Operator does not verify the accuracy of personal data, and does not monitor the legal capacity of subjects of personal data, and assumes that the subject provides reliable and sufficient personal information on issues proposed in the application form (subscription) on the Site, and maintains this information in current status.
The risk of providing inaccurate personal data in this case lies with the subject of personal data.
6.2. Each personal data subject has the right to:
- to receive full information about their personal data and to free free access to their personal data, with the exception of cases provided for by applicable law, when such access to information violates the rights of third parties;
- to receive information regarding the processing of his personal data (which third parties gained access to personal information, in which databases, using which information systems they are processed, etc.);
- require the Operator to clarify its personal data, block it or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and also take measures prescribed by law to protect their rights;
- other rights provided by applicable law.
6.3. The personal data subject has the right to make the necessary changes to the personal data specified during registration on the Site by sending a corresponding application to the project support service firstname.lastname@example.org or independently in a personal account in a closed section of the Site (corresponding service) used by the Operator to process data.
6.4. The project is obliged to provide free of charge to the subject of personal data the opportunity to familiarize himself with personal data related to this subject, as well as to make necessary changes to them when the subject provides personal data with information confirming that the personal data is incomplete, outdated, inaccurate or illegally obtained. The Operator is obliged to notify the subject or his representative about the changes and measures taken and take reasonable measures to notify third parties to whom the personal data of this subject were transferred.
6.5. The Operator has the right to establish a reasonable fee if the User’s request regarding the processing of his personal data is repeated or excessive. Otherwise, the Operator has the right to refuse to satisfy the request in the presence of circumstances.
6.6. Consideration of the subject’s request regarding his personal data is carried out by the Operator within 30 (thirty) calendar days from the date of such appeal, unless otherwise specified by this Regulation.
At the same time, all correspondence on such requests is carried out through the Project support service by sending messages to the email address of the personal data subject indicated upon contact.
7. Transfer of personal data
7.1. In order to efficiently and properly process personal data and fulfill obligations under an agreement with the User, the Operator has the right to entrust the processing of personal data to other legal or physical persons on the basis of an agreement (hereinafter referred to as the Project order), including through cross-border data transmission via the Internet. In this case, the separate consent of the subject of personal data for such a transfer is not required.
7.2. A person who processes personal data on behalf of the Project is required to comply with the principles and rules for the processing of personal data provided for by the legislation on personal data and is responsible for violation of the confidentiality of such data that occurred through his fault.
7.3. The transfer of personal data of the entities with which the Operator interacts is carried out only for the proper fulfillment of obligations under the concluded agreements (agreements) within which the Operator and these entities interact, or for the fulfillment of other obligations by the free email newsletter to which the User has subscribed.
7.4. When transmitting the personal data of the subject, the Operator warns persons receiving personal data of the subjects that these data can only be used for the purposes for which they were communicated, and require these persons to ensure the confidentiality of the received personal data.
8. Storage of personal data
8.1. The storage of personal data is carried out in electronic form in the relevant personal data information systems placed in databases on the territory of the European Union.
8.2. The storage of personal data is carried out in a form that allows you to determine the subject of personal data in terms that ensure compliance with and achievement of the personal data processing goals established by this Regulation.
8.3. Storage of personal data is carried out with restriction of access, including by creating appropriate access levels.
8.4. Personal data contained in various electronic databases and the processing of which is carried out for various purposes are stored separately.
9. Termination of processing and destruction of personal data
9.1. In the event that inaccurate personal data is detected during the application of the personal data subject, the Project is obliged to block personal data related to this personal data subject immediately from the moment of such request for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
9.2. In case of confirmation of the inaccuracy of personal data, the Operator, on the basis of information provided by the subject of personal data, is obliged to clarify personal data within 7 (seven) business days from the date of submission of such information and to remove the blocking of personal data.
9.3. In the event that unlawful processing of personal data by the Project is detected, the latter must stop the unlawful processing of personal data within a period not exceeding 3 (three) business days from the date of this identification.
If it is impossible to ensure the legitimacy of the processing of personal data, the Project must destroy such personal data within a period not exceeding 10 (ten) business days from the date of detection of illegal processing of personal data. The project is obliged to notify the subject of personal data about the elimination of violations or the destruction of personal data.
9.4. In the event that the subject of personal data withdraws consent to their processing, the Project is obliged to stop processing it and if personal data is no longer required for the processing of personal data, destroy personal data within a period not exceeding 30 (thirty) business days from the date of receipt feedback.
9.5. The operator sends a notification about the results of the consideration of requests of personal data subjects specified in this section through the support service email@example.com by sending messages to the email address of the personal data subject specified in the request.
10. Protection of personal data
10.1. When processing personal data, the project takes the necessary legal, organizational and technical measures from unlawful or accidental access to them, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.
10.2. Ensuring the security of personal data is achieved, in particular:
- assessment of the effectiveness of measures to ensure the security of personal data before using such measures;
- detection of facts of unauthorized access to personal data and taking measures to eliminate them and prevent repetition;
- restoration of personal data modified or destroyed due to unauthorized access to them;
- the establishment of rules for access to personal data processed in the personal data information system, as well as the registration and recording of all actions performed with personal data in the personal data information system;
- verification of the availability in the contracts concluded in the Project, and the inclusion, if necessary, in the clauses of clauses on ensuring the confidentiality of personal data;
- monitoring of measures taken to ensure the security of personal data and the level of security of personal data information systems.
10.3. The following measures are used as technical measures for protecting personal data in the Project: anti-virus protection, firewalls, specialized means of protecting information from unauthorized access, provided by the relevant services and software used by the Operator in the provision of its services.
10.4. Third parties who have access to personal data on behalf of the Operator undertake to take the necessary organizational and technical measures to ensure the confidentiality of such information on their personal device from which they process personal data.
10.5. In the event that a violation of the confidentiality of personal data is discovered, the Operator shall notify the User of this within 48 hours from the moment of detection of such a violation, and also inform about the measures taken to eliminate the consequences of such violation – within 10 (ten) business days from the date of elimination.
Notification of a breach of confidentiality is not required if one of the following conditions exists:
- necessary organizational and technical measures have been taken to eliminate such a violation, as a result of which the use of data whose privacy has been violated cannot be used, for example, in the form of encryption;
- follow-up measures have been taken to ensure that the high risk for repeated violation of the confidentiality of personal data will no longer be realized;
- such notification would require a disproportionate effort. In this case, instead, the Project carries out a public message through the Site, in accordance with which the data subjects will be informed equally effectively.
11. Responsibility for the disclosure of confidential information containing personal data.
11.1. The Supervisory Authority for the Operator is the Office of the Information and Data Protection Commissioner (IDPC), the Malta Data Protection Supervisory Authority (https://idpc.org.mt/).
However, the Operator undertakes to make every effort to resolve the emerging comments on the part of the User in order to resolve the problems without having to contact IDPC.
11.2. Third parties who have gained access to the personal data of the subjects of personal data of the Project and are guilty of violating their confidentiality are liable in the manner prescribed by the legislation of the Russian Federation, including in accordance with agreements concluded with the Operator under which such access was granted.
11.3. The operator is not responsible for the possible misuse of personal data and causing any damage to the subject of personal data resulting from:
- technical malfunctions in software and in hardware and networks that are beyond the control of the Operator;
- in connection with the intentional or unintentional use of the Operator’s Website not for their intended purpose by third parties;
- failure to ensure the confidentiality of access passwords or the intentional transfer of access passwords, other information from the Site by the subject of personal data upon receipt of the Operator’s services (using the Site) to other persons who do not have access to this information;
- unlawful actions of third parties to access the Site data, including personal data.
11.4. The Operator is not responsible for the processing of personal data of third parties that the recipient of the Operator’s services has reported as his own. In this case, the risk of holding liable is borne by the recipient of the Operator’s services, who provided inaccurate data.
11.5. The Operator does not control and is not responsible for the processing of information by third-party websites, to which the personal data subject can click on the links available on the Operator’s Website.
12. Settlement of disputes
12.1. Before applying to the court with a claim for disputes arising from the relationship between the personal data subject and the Operator, it is mandatory to submit a claim (a written proposal for the voluntary settlement of the dispute).
12.2 The recipient of the claim, within 30 (thirty) calendar days from the date of receipt of the claim, shall notify the claimant in writing of the results of the consideration of the claim.
12.3. If an agreement is not reached, the dispute will be referred to the judicial authority at the place of registration of the Operator.