Data Protection Policy

Zammit Corporate Limited
Effective Date: 5/12/2025
Version: 1.0


1. Purpose

The purpose of this Data Protection Policy is to ensure that Zammit Corporate Limited (“the Company”) complies with its obligations under:

  • The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679; and
  • The Maltese Data Protection Act (Chapter 586 of the Laws of Malta).

This policy defines principles, responsibilities, and procedures for the lawful, fair, and transparent processing of personal data.


2. Scope

This policy applies to all personal data processed by Zammit Corporate Limited in all formats (electronic, paper, cloud platforms) and applies to:

  • Directors, officers, and employees;
  • Contractors, consultants, and temporary staff;
  • Third-party service providers acting on behalf of the Company.

It covers personal data associated with clients, suppliers, partners, employees, and other identifiable individuals involved in corporate services, advisory, research, and messaging activities. 


3. Definitions

Personal Data: Information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data (collection, storage, retrieval, use, disclosure, destruction).

Controller: Entity that determines the “why” and “how” of processing; Zammit Corporate Limited is the Data Controller.

Processor: Third party that processes data on behalf of the Controller.

Data Subject: Natural person whose data is processed.

Special Category Data: Sensitive data (e.g., health, racial/ethnic origin); the Company does not collect such data unless strictly necessary and with an explicit legal basis.


4. Principles of Data Processing

All personal data processing carried out by the Company shall adhere to the GDPR principles of:

  a) Lawfulness, Fairness, and Transparency
  b) Purpose Limitation
  c) Data Minimisation
  d) Accuracy
  e) Storage Limitation
  f) Integrity and Confidentiality
  g) Accountability

The Company shall be responsible for and demonstrate compliance with these principles.


5. Legal Bases for Processing

Zammit Corporate Limited processes personal data only when a valid legal basis exists:

  • Consent (freely given, informed, and revocable);
  • Performance of a Contract (to fulfil contractual obligations);
  • Legal Obligation (e.g., tax, employment, regulatory compliance);
  • Legitimate Interests of the Company, provided that such interests do not override data subject rights.

For any processing of special category data, the Company shall ensure a specific legal basis as required under Article 9 of GDPR.


6. Categories of Personal Data Collected

The Company may process the following types of personal data in the course of business:

  1. Client and Contact Data
    • Name, title, organisation, contact details (email, telephone)
    • Contractual records and transaction details
  2. Employee and HR Data
    • Name, contact, employment records, payroll information
    • Emergency contact information
  3. Supplier and Partner Data
    • Business contact details, contractual agreements
  4. Website Data
    • Visitor analytics

The Company does not collect CCTV footage or biometric identifiers.


7. Data Collection and Use

Personal data will be collected directly from data subjects or from publicly available/business sources. The Company uses personal data only for lawful purposes, including:

  • Providing corporate advisory, research, messaging, transformation, and commercial law services;
  • Employee administration;
  • Client service and communication;
  • Compliance with legal and regulatory obligations.

No data will be used for purposes incompatible with those originally communicated to the data subject.


8. Data Retention

Personal data will be retained only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Retention periods shall be documented in an internal Data Retention Schedule, reviewed periodically.


9. Data Sharing and International Transfers

Personal data may be shared with:

  • Affiliates and partners under contractual data protection safeguards;
  • Service providers (e.g., payroll, IT services) bound by Data Processing Agreements;
  • Government and regulatory authorities if required by law.

Data transfers outside the European Economic Area (EEA) are permitted only where an adequate level of data protection is ensured (e.g., adequacy decisions, Standard Contractual Clauses).


10. Security Measures

The Company implements appropriate technical and organisational safeguards, including:

  • Access Controls and user authentication systems;
  • Encryption and secure data transmission where appropriate;
  • Anti-malware and firewalls for network security;
  • Regular backups and secure data storage;
  • Contractual confidentiality obligations for third parties;
  • Employee training on data protection and security.


11. Data Subject Rights

Zammit Corporate Limited recognises and facilitates the rights of data subjects under GDPR:

  1. Right to be Informed
  2. Right of Access
  3. Right to Rectification
  4. Right to Erasure
  5. Right to Restrict Processing
  6. Right to Data Portability
  7. Right to Object
  8. Rights related to Automated Decision Making

Requests shall be acknowledged and responded to within one month; this period may be extended by two months where the complexity of the request justifies it.


12. Cookies and Online Tracking

Zammit Corporate Ltd uses cookies solely for basic website analytics through MonsterInsights, which operates on top of Google Analytics. These cookies are used only to track non-identifiable, aggregate visit data such as page views and session duration. No personally identifiable information is collected, stored, or associated with individual users. The cookies remain active only for the duration of the user’s session and expire automatically thereafter. This limited use of cookies is implemented strictly for performance monitoring and service improvement, in full alignment with GDPR principles of data minimisation and privacy-by-design.


13. Data Breach Management

In the event of a personal data breach:

  1. The incident shall be promptly reported to the Data Protection Officer;
  2. A breach assessment is conducted;
  3. The Maltese Information and Data Protection Commissioner (IDPC) is notified within 72 hours where required;
  4. Data subjects are informed where there is a high risk to their rights and freedoms.

An internal breach response plan shall govern roles and procedures.


14. Data Protection Officer

Contact: dpo@zammitcorporate.com

The DPO is responsible for monitoring compliance, advising staff, and acting as the primary contact for data protection matters.


15. Training and Awareness

All personnel handling personal data must:

  • Complete mandatory GDPR and data protection training;
  • Follow internal procedures for data handling and reporting incidents;
  • Attend annual refresher programmes.


16. Data Protection Impact Assessments (DPIAs)

DPIAs are required for processing likely to result in high risk to data subjects (e.g., large data sets, sensitive data). DPIAs shall be documented, with mitigation measures implemented and reviewed.


17. Policy Review

This policy shall be reviewed at least annually or upon significant changes to data practices, technologies, or applicable law.


18. Regulatory Contact

For further information or to exercise rights, data subjects may also contact the Maltese regulator:

Office of the Information and Data Protection Commissioner (IDPC)
Level 2, Airways House, High Street, Sliema, Malta
Email: idpc.info@idpc.org.mt