Data Protection Policy Acta Fidelia
1.0 Introduction and Scope
This is the Data Protection Policy (the ‘Policy’) of Acta Fidelia, which includes Acta Fidelia Limited, a company having its registered address at Suite 1, Sterling Building, Enrico Mizzi Street, Ta’ Xbiex, Malta, and Acta Fidelia CH GmbH, a company having its registered address at Gotthardstrasse 26, 6300 Zug, Switzerland (hereinafter collectively the ‘Company’, the ‘Firm’ or ‘Acta Fidelia’). Acta Fidelia may, from time to time, be required to collect, record, store, transfer or discard certain information about individuals. Information may be processed in hard or soft copy and may include all personal data and, in certain circumstances, special category data, data on criminal convictions and financial data.
This Policy applies to the staff members (the ‘Staff Members’) of the Company, whether they are employed by the Company (including temporary staff), are covered by a contract of service with the Company or have some other type of engagement with the Company, and to third parties who have access to the Company’s systems and records and may therefore come into contact with personal data of customers, suppliers, business contacts, employees, students and other individuals with whom the Company has a business relationship. This Policy ensures that the Company and all Staff Members, irrespective of their position within the Company, process information in accordance with the terms of this Policy and with the principles of the General Data Protection Regulation (‘GDPR’).
Data retention policy
Computer use policy - email and internet usage guidelines, internet systems and access
Removable and mobile devices policy - mobile devices, company phones, laptops and other devices and their disposal
Email and internet usage guidelines
User access control policy
Personal data breach procedure - reporting a security breach
Response to data subject requests procedure
Established laws and violations
Consequences of violating the policy
2.0 Objectives
The objectives of this policy are:
To demonstrate the ways in which the Company ensures that data is handled effectively and securely, to meet the Company’s data protection standards and legislative requirements.
To promote best practice during all stages of processing and storing personal information, and to detail the procedures for the retention and disposal of information to ensure that this is carried out consistently and that the actions taken are documented.
To provide guidelines for management, the Board and all remaining staff to understand their responsibilities and obligations in relation to personal data, security and privacy.
To ensure that the Company and its employees protect themselves from the risks of a data breach.
3.0 Definitions, Roles and Responsibilities
i) Definitions
Term | Definition |
Data Controller | Shall mean the natural or legal person, public |
Data Protection Officer | |
Data Protection Laws | |
Data Subjects | Any individual whose personal data is being collected, held or processed by the Company and who may be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. |
Data Retention Policy | The policy of the Company on how long it keeps data. |
GDPR Principles | According to the GDPR, data should be processed in line with the following principles: Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality. |
Personal Data | Means any information through which a Data Subject can be identified directly or indirectly. Examples of personal data may be Personal data that has been rendered anonymous in such a way that the individual is not or no longer identified is not considered personal data. |
Processing | Means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Processor | Means the party which Processes Personal Data on behalf of the Controller. |
Sub-processor | Means any data processor appointed by the Processor to process Personal Data on behalf of the Controller. |
Special Category of Personal Data | Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. |
II) Roles & Responsibilities
Role | Responsibilities |
Board of Directors (BOD) and the Management Team | The BOD and the members of the management team (senior managers and managers) are responsible for ensuring that Acta Fidelia and its Employees adhere to the applicable laws and regulations and internal policies and honour legal and contractual obligations. |
Data Protection Officer (DPO) | The Company currently does not have a DPO. Therefore the following will be assumed by the BOD: |
Employees | Employees should be aware of their responsibilities in relation to the protection of information. |
Staff Members | This includes all employees irrespective of their position within the Company. The responsibilities of the Staff Members include: to immediately report any suspicions of a data breach to the immediate senior manager or DPO, without alerting other colleagues. |
Responsibilities of the Company as a Controller | The company shall ensure that it follows the GDPR in relation to being a data controller and protect the data of data subjects. |
Responsibilities of the Company as a Processor | The company shall ensure that an agreement is in place with the data controller to establish the company’s relationship with the data controller. The company shall protect the data provided through the data controller and ensure compliance with GDPR. Should there be any data breach, the data processor shall inform the data controller immediately through the Data Protection Officer. |
4.0 Data Protection Officer
Due to the size of the operation, a DPO was not considered to be necessary at this point in time. Therefore, there is no DPO appointed. The Board of Directors will assume the role of the DPO. Any reference to the DPO within these policies and procedures shall be assumed by the Board.
5.0 Principles of GDPR
Staff Members must apply the following principles when processing personal data. These apply irrespective of whether personal information on the data subjects is publicly available.
5.1 Lawfulness, Fairness and Transparency
Acta Fidelia, as the data controller, is to process data in a lawful, fair and transparent manner. Members of Staff should clearly explain to data subjects why their data is being processed, in a concise, transparent and intelligible manner which is easily accessible, using clear and plain language. Personal data must be processed for one or more lawful purposes. This means that Staff Members should ensure that at least one of the following applies whenever they process personal data:
Contract - the processing is necessary for a contract the Company has with that individual, or because you would need to take certain steps before entering the contract.
Legal obligation - the processing is necessary for you to comply with the law to which Acta Fidelia is subject (not including contractual obligations).
Vital interests - the processing is necessary to protect someone’s life.
Public interest - the processing is necessary for you to perform a task in the public interest and the task or function has a clear basis in law.
Legitimate interests - the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Consent - if none of the above lawful purposes apply, then the Staff Members should obtain consent from the data subject prior to processing his personal data for one or more specific purposes. Consent must be freely given and informed at the time of collecting the data, and Members of Staff have to make it easy for data subjects to withdraw consent and tell them that they are free to revoke consent by sending an e-mail to info@actafidelia.com. Indeed, in every instance where a Staff Member requires consent from a Data Subject, that Staff Member should inform the data subject that he has the right to revoke the consent given. This right does not apply to data which is not processed on the basis of consent only (and hence is processed on one of the other lawful bases mentioned above). If the Company receives a request for a revocation of consent, then the DPO should be contacted, who will assess whether the request of the data subject is valid. If consent was obtained to process that specific personal data, then the DPO will stop processing that data and inform the Board of Directors and the Management Team to enforce this. Any personal data which was collected at the time the consent was given will not have to be erased, but the Company will no longer process that personal data in the future unless new consent is obtained. If, however, the personal data is not processed on the basis of consent, then the DPO will inform the data subject that the request is invalid and provide the lawful basis for processing that personal data.
5.2 Purpose Limitation
Personal data must be processed only for the relevant purposes which the data subjects are aware of. This means that Staff Members will not process data in other ways than what was communicated to them. In case personal data will be processed for another reason, the data subjects must be informed of the new reason for processing.
5.3 Data Minimisation
Acta Fidelia as the data controller, ensures that only personal data which is necessary for each specific purpose is processed. The GDPR stipulates that any personal data processed shall be adequate, relevant and limited to what is necessary. Staff Members should not request extra personal information “just in case” it will be requested in the future. This principle shall apply in terms of the amount of personal data collected, the extent of the processing, the period of storage and accessibility.
5.4 Accuracy
Acta Fidelia also ensures that personal data held in its possession is accurate and, where necessary, kept up to date. Members of Staff should ensure that data is not outdated or incorrect and, when collecting personal data, should check it against the existing data on systems and files and update or correct any outdated information.
5.5 Storage Limitation
If the purpose of processing data no longer applies, then the data should be erased where allowed and according to its retention period. This means that Acta Fidelia will not keep personal data for longer than needed and information which is not required should not be stored. If there is any doubt on how long a set of data should be kept after consulting the Data Retention Policy, do not erase it. Consult with the DPO or Board before deleting that data.
5.6 Integrity and confidentiality
Acta Fidelia ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Acta Fidelia abides by this GDPR principle by ensuring that only those employees who are required to process certain personal data are in fact given access to it, and has implemented IT measures to ensure that risks to any personal data in its possession are adequately mitigated.
5.7 Accountability
Acta Fidelia shall take responsibility for what it does with personal data and how it complies with the other principles mentioned above. The BOD should be able to provide evidence of compliance with the GDPR, and the DPO is responsible for bringing to the attention of management and the BOD any observed non-compliances. Additionally, any Members of Staff who are directly involved with collecting, handling and storing personal data must bring any non-compliances, or even mere suspicions of non-compliance, to the attention of the DPO.
6.0 Type of Data Processed by the Company
We may collect, store and use the following kinds of personal information:
Personal details as per our ‘Know Your Customer’ (KYC) forms and/or through our centralised INSCOPE system. Details will include your name, surname, address, identification details, date of birth, the service we are providing you, citizenship, nationality and similar information about you.
We will keep a copy of your identification document(s) such as ID card, driving license, residency card, passport or any other identification document available to fulfil our obligations under the 4th and 5th AML Directives.
We will keep a copy of information or documentation proving residency at your address, such as a bank statement, bank reference, utility bill, fixed telephone line bill, lease agreement or similar documentation. This is to fulfil our obligations in line with the 4th and 5th AML Directives.
We will keep a copy of name checks, Google searches and passport checks on you. Such ‘name screening’ is performed to prevent fraud, money laundering, sanctions, funding of terrorism, financial crime or any other type of crime. This is also in line with the 4th and 5th AML Directives and/or the internal risk-based policy of the Group. Such screening is performed when the relationship with the client or prospect is initiated and, applying a risk-based approach, on an ongoing basis.
We will keep a record on whether you are a Politically Exposed Person (PEP), including your confirmation via a declaration, open sources and through our name screening platform.
We shall use your personal data to perform, in a manual or automated manner, a risk classification/profiling which would classify you as ‘low risk’, ‘medium risk’ or ‘high risk’ in order to fulfil our obligations under the 4th and 5th AML Directives. Such classification will affect the level of ongoing monitoring we perform on you and/or the level of documentation we request.
We will keep a copy of your communication with us, such as emails and letters, in line with our legal obligations under the 4th and 5th AML Directives or due to a legitimate interest.
We may also process and hold information about your wealth, such as the value of your assets; details of bank accounts, inheritance information and similar related information to your global net worth. We shall use such information in line with our AML/CFT obligations.
We shall process and hold certain declarations that we may ask you to provide, mostly referred to as ‘Client Onboarding Questionnaire’, in line with our legal obligations. The name of the questionnaire may differ depending on different circumstances and professional positions you may hold in relation to our client.
We may hold and process any other information or documentation we provide to you to complete, whether in physical or digital format, in line with our legal obligations and/or internal risk-based approach policy.
We may also ask for a copy of your employment contract as supporting documentation on your source of wealth or funds, on a risk-sensitive basis. Other employment data may also be processed if it provides any value in terms of ML/FT risk mitigation.
Furthermore, the company may act as a processor when providing outsourcing services, including but not limited to, compliance service, which includes the review of customers of a controller and performing duties in relation to Anti-Money Laundering, such as onboarding, ongoing due diligence, ongoing monitoring and/or name screening.
7.0 Processing of Special Categories of Personal Data
Acta Fidelia does not process special categories of personal data on a large scale per se, but there might be instances in which an identification document collected, such as, for instance, a passport, bears information which is to be considered Special Category Data. We may also use tools which involve biometric data to validate the identity of a customer or UBO.
Special categories of personal data as defined by the GDPR include:
Personal data revealing racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union memberships
Genetic and biometric data processed for the purpose of uniquely identifying a natural person
Data concerning health
Data concerning a natural person’s sex life or sexual orientation
If such Special Category Data happens to be on a passport, for instance, and is not required information, the Staff Member receiving such information from a data subject should ‘black out’ this information, so that when the document is saved or filed in the system the information does not show, is not visible and is not further processed by other Members of Staff.
If blacking out such information is not possible, the Staff Member shall liaise with the Management Team, who shall first ensure that there is a lawful basis for processing the personal data and should then ensure that any processing of special categories of personal data is only carried out when one of the following applies:
The data subject has given explicit consent to the processing of the personal data for one or more specified purposes.
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Acta Fidelia or of the data subject.
Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
Processing relates to personal data which is manifestly made public by the data subject.
Processing is necessary for the establishment, exercise or defence of legal claims for reasons of substantial public interest, or reasons of public interest in the area of public health.
Processing is necessary for reasons of substantial public interest, based on European or Maltese law.
Processing is necessary for the assessment of the working capacity of the employee.
Acta Fidelia is committed to ensuring that any processing is proportionate to the aim pursued, respects the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The Board should be consulted prior to taking any decisions in relation to Special Category Data.
8.0 Data Subject Rights
Every individual who is subject of personal data processed by Acta Fidelia has the following rights. Each of these rights triggers obligations, policies and procedures which must be adhered to by Acta Fidelia and members of the staff.
Right of Access
Right to Restriction of Processing
Right to Rectification
Right to be Forgotten
Right to Object to Processing
Right to be informed
Right to data portability
Rights in relation to automated decision making and profiling
8.1 Right of Access / Right to Portability
The data subject has the right to obtain from Acta Fidelia a confirmation as to whether or not personal data concerning him/her is being processed, and, where that is the case, a copy of the personal data undergoing processing. The data subject has a right to make a Data Subject Access Request (DSAR).
8.2 Right to Restriction of Processing
The data subject has the right to obtain from Acta Fidelia restriction of processing and hence limit the way the Company ‘uses’ their personal data where one of the following applies:
The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
Acta Fidelia no longer requires the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
The data subject has objected to processing pending the verification whether the legitimate grounds of the controller, in this case Acta Fidelia override those of the data subject.
Once the data subject informs the Member of Staff that he wishes to have his personal data rectified, the Member of Staff should communicate this, together with any information available on the case, to the management, who should examine whether any of the above applies and consult the DPO (if applicable) where necessary. If there is a case for the restriction of data, then the Company is allowed to store that personal data but not to use it. For instance, the physical file should be kept separate from the other files so that it is not accessible, and the right to use such personal data should likewise be restricted electronically.
8.3 Right to Rectification
In cases where any of the personal data processed by Acta Fidelia is incorrect or incomplete, the data subject can demand that such personal data is corrected or supplemented. In this case, where the data subject communicates to a Member of Staff that his/her data should be rectified, then the Member of Staff should communicate with management and ensure that electronic information and physical information have been updated in such a way that any Members of Staff who have access to the personal data are aware that the personal data of that particular data subject has been rectified.
8.4 Right to be Forgotten
The data subject has the right to obtain from Acta Fidelia the erasure of personal data concerning him/her without undue delay and Acta Fidelia has the obligation to erase personal data without undue delay where one of the following grounds applies:
The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
The data subject objects to the processing and there are no overriding legitimate grounds for processing.
The personal data has been unlawfully processed.
The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The Members of Staff should be aware that this right to erasure does not apply if the process of the data is necessary for any of the following:
For compliance with a legal obligation to which Acta Fidelia is subject or for the performance of a task carried out in the public interest or in the exercise of official authority.
For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
For the establishment, exercise, or defence of legal claims.
Thus, this means that once a request of this kind is made by a data subject, then the Member of Staff handling this request shall not delete such personal data immediately but shall first seek to identify whether that data ought to be erased in line with the above. Furthermore, the Members of Staff should refer to the Data Retention Policy when a request of this nature is made to them to check whether there is an obligation to retain personal records for some time. If the type of personal data in question is to be retained for some time, then the Member of Staff should inform the data subject (or any individual making the request on behalf of the data subject) that the data has to be kept for a specific time period and the reason for the retention as specified in the Data Retention Policy.
The DPO should be consulted beforehand and Members of Staff should not delete any information without the go ahead of the DPO, as this may cause disruptions in operations, unless the retention period of that data has passed as stipulated in the Data Retention Policy. In the absence of a DPO, the Board should be consulted instead.
8.5 Right to be Informed
The Company will inform the data subject of the use and type of information that is collected directly from him/her or collected from other sources, and of his/her rights under the GDPR and other applicable laws. The Company will abide by this policy by providing a privacy notice to its data subjects.
The management of the Company shall maintain close communication with the DPO to ensure that the privacy notice:
Is kept updated
Uses language that is clear and simple for everyone’s understanding
Is brought to the attention of data subjects at the moment in which they are requested to provide personal data
Has any changes notified to the data subjects.
Data subjects are entitled to a free copy of the privacy notice if this is specifically requested. Should data subjects request more copies, the Staff Members should liaise with the DPO and those data subjects will be charged an administrative fee upon notice of this.
8.6 Right to Withdraw Consent
The Data Subject has the right to withdraw any previous consent given. Any Members of Staff who are requesting some consent from the Data Subjects must at the same time that consent is being provided, explain to the Data Subject that such consent may be withdrawn. However, this right to withdraw consent does not apply to data which is not processed on consent only.
In such cases, the DPO will assess whether the request of the data subject is valid. If it is valid, then the DPO will inform the Members of Staff to stop processing that data and inform the management to enforce this and communicate it to the rest of the team. Personal data which was collected at the time the consent was provided need not be deleted, but the Company will no longer process that personal data in the future unless new consent is obtained. In the event that personal data is not processed on the basis of consent but on another lawful basis, the DPO will inform the Data Subject that the request is invalid and provide the lawful basis for processing that personal data.
8.7 Right to Object to Automated Processing
No automated processing (without human intervention) shall be carried out by Acta Fidelia.
9.0 Transmission of Personal Data to a non-EU country
In principle, Acta Fidelia does not transmit personal data to non-EU countries.
However, if for any reason Acta Fidelia is required to proceed with a cross-border transfer of personal data, then it would first need to determine whether there is an adequacy decision of the EU Commission. Where the third country is not covered by an adequacy decision, Acta Fidelia should consider one of the following alternatives: Standard Contractual Clauses or Binding Corporate Rules (BCRs). In the absence of these transfer mechanisms, there are limited circumstances in which a cross-border transfer of personal data can take place. These are the following:
Explicit consent given by the data subject
The transfer is necessary for the conclusion or performance of the contract
There are important reasons of public interest
It is necessary for the vital interest of data subject or other persons
It involves public register data
Following the Schrems II judgement by the Court of Justice of the European Union, Acta Fidelia shall ensure that when data is transferred to a non-EU country on an ongoing basis with a third party (processor), the processor in the third country shall agree to be tested by Acta Fidelia in relation to data protection. Acta Fidelia may also consider, on a case-by-case basis, using enhanced data protection procedures, such as the pseudonymisation of personal data when it is transferred outside of the EEA. The use of Standard Contractual Clauses and/or Binding Corporate Rules on their own is not enough to adequately protect the data. Acta Fidelia shall also analyse the legal structure of the third country which has no adequacy decision and/or is outside the EEA, to ensure that it is equivalent to that of the EEA when it comes to the protection of data, especially in the area of access to personal data by foreign authorities without a legal basis.
Acta Fidelia shall seek the written approval of the Board before transferring data outside the EEA, unless the data is being transferred to a third country with an adequacy decision by the European Commission.
10.0 Data Subject Access Request (DSAR)
A Data Subject Access Request is a written request made by or on behalf of a data subject whereby the data subject requests the Company to send him/her a copy of such information which the Company holds on him/her or requests that a copy of such information is transferred to a third party in a machine-readable format. The request does not have to be in a particular form other than in writing, nor does it have to include the words ‘subject access’ or make any reference to the GDPR.
When making such request, a data subject is entitled to be:
Given a copy of the personal data which the Company holds about them.
Informed of the personal data which is being processed.
Given a description of the personal data, the reasons it is being processed and whether it will be given to any other entities or individuals.
Given the details of the source of the data (where this is available and provided such information will not infringe the data protection rights of third parties or prejudice the rights of the source of the data).
Certain personal data is exempt from the right of subject access and so cannot be obtained by making a Subject Access Request:
Any information subject to professional privilege should not be disclosed.
Information should not be disclosed where there is a statutory or court restriction on disclosure.
In order to comply with this type of request, the Members of Staff will provide electronic copies of personal data or, in the case of physical forms and files, will scan these and provide them in PDF format. Members of Staff should ensure that the information provided does not include information on other data subjects; any such information on other third parties should be blacked out before the scan is made and the information submitted.
Electronic files may be shared via e-mail with the attachments encrypted or, alternatively, the files will be password protected. In case there are documents which absolutely cannot be sent by email, they will be sent by registered mail to the address which the data subject provides. The Board should be consulted in case of doubt.
Data subjects are entitled to one copy of their personal information free of charge; any other subsequent copies of the same data will be charged an administrative fee which should be determined by the management of the Company.
Management should review the documentation which will be sent to a third party before it is sent.
11.0 Providing personal data directly to a third party
Data is provided to a third party only if this is specifically requested by the data subject and if there would be no risk of a data breach occurring from the transfer of data by the Company.
In the event that the transfer is NOT technically possible between the Company and the third party, or may create a risk of data breach, the Company will:
1) Provide the reason for denying the transfer, which may be as follows:
That the Company will not transfer the personal data as it has identified a risk of data breach during the transfer, or
That the Company will not transfer personal data cross-border outside the EU or the EEA (the Company will not accept any requests for transfers to third parties outside the European Union)
That the Company and the third party do not have a common link to transfer the personal data securely.
2) Inform the data subject that a copy of the personal information will be provided directly to him/her and that she may personally forward it to the third party.
If the transfer is technically possible between the Company and the Third Party, and will not create a risk of data breach, the Company will inform the data subject of the following:
That the Company will not be responsible for the way his/her data will be treated by the other party;
That the Company has no obligation to ensure that the third party will accept the personal data;
Request that the data subject confirms that he/she has understood the above and whether he/she wants to proceed with the transfer; and
Personal data will be transferred using the same security measures mentioned above.
12.0 How to action a Subject Access Request
In order for Acta Fidelia to action a Subject Access Request, the following should take place:
1 Once a data subject makes a Subject Access Request, the Member of Staff receiving such a request shall inform the management about this request, and the management will communicate this to the DPO or the BOD, who shall provide the necessary guidance.
2 The Member of Staff should, after communicating the Subject Access Request to the management, ensure that a proper record is kept of the Data Subject Request. In the event that the request is made verbally by the Data Subject, the Member of Staff should inform the data subject that the request should be made in writing (in a letter or by e-mail; social media is not acceptable). In the event that the request may only be received verbally, a record of the request should be kept on the applicant’s file.
3 The Member of Staff handling the Data Subject Request should collect proof of the identity of the applicant and should have sufficient information to be able to locate the record or information requested.
4 Requests should be dealt with within a maximum of 30 days, subject to the necessity to seek clarification, identification and verification of the data subject. Where the requests are complex in nature, this timeframe may be extended by another 30 days. However, if this is the case, the data subject must be duly informed of the complexity of the case and the reason for the extension.
12.1 Requests made about or on behalf of other individuals such as a legal representative
A representative, such as a lawyer, may make a valid SAR on behalf of an individual. However, in the event that a request is made by the representative of a particular data subject, appropriate and adequate proof of that individual’s consent, or evidence of a legal right to act on behalf of that individual, must be provided by the representative; for instance, a power of attorney.
If the Company has reason to believe that a data subject may not understand what information would be disclosed to a third party who has made a SAR on their behalf, the response may be sent directly to the individual rather than to the third party. In certain circumstances, a representative acting as an advocate can seek access to personal information in so far as it is necessary or relevant to their role, such as a representative appointed by the courts to represent others who lack the capacity to consent.
12.2 Requests in respect of Crime, AML and Taxation
Requests for personal information may be made by law enforcement, AML and tax authorities for the following purposes:
The prevention or detection of crime;
The capture or prosecution of offenders; and
The assessment or collection of tax or duty.
A court order requiring the supply of information about an individual must be complied with.
A formal documented request signed by a senior official from the relevant authority is required before proceeding with the request. This request must make it clear that one of the above purposes is being investigated and that not receiving the information would prejudice the investigation.
These types of requests must be considered by the DPO or the BOD, and the decision on whether or not to share the information must be documented before any action is taken.

