1.1 Prime Care Ltd, bearer of company registration number C-69123 having its registered address at 106, Vjal il-Ħaddiem, Rabat, Għawdex;
To ensure that we fulfil all our legal obligations towards you, we need to process certain types of personal data. These personal data must be processed appropriately irrespective of the medium on which they are held or stored, whether in paper or electronic format. Hence, we have created this policy for you to know the what, how, when and why of our data processing.
2.1. This document is the Data Protection Policy, which is also referred to commonly as the privacy policy. For the purposes of this Data Protection Policy (hereinafter “the Policy”) the definitions contained in Article 4 of the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (hereinafter “GDPR”) shall apply. More specifically, the following words shall have the following meanings:-
“the Controller” refers to any of the companies listed in Article 1 of this Policy and the words “we”, “ours” and “us” shall refer to the Controller.
“you” shall refer to all the data subjects of the Controller, including but not limited to prospective residents, residents, visitors of any of the establishments of the Controller and any other individuals who provide their Personal Data to the Controller, medical professionals, service providers, past residents and all other natural persons who provide (or may have provided) the Controller with their own Personal Data for any reason whatsoever in relation to the services provided by the Controller and “you” and “your” shall refer to all said natural persons and “your” and “yours” shall be construed accordingly.
“Personal Data” shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Controller may be contacted as follows:-
Postal Address: Farrugia Group
Telephone Number: +356 2799 2797
Email address: [email protected]
Your Personal Data are acquired by us whenever you fill any form, you visit our residential care homes, you send us an email, you request any quotation or somehow contact us in writing, whenever your images are captured on our closed circuit television system, whenever you sign an agreement with us, you provide a service to us. In this case, we collect your Personal Data directly from you.
We also receive your Personal Data if you’re a resident with us and you’re referred to us by a third party such as a public health institution, a relative or any other party which is not you. In this case, we collect your Personal Data from such third party.
We process your Personal Data in the following methods:- collection, storage, access, printing, storing in paper format, storing on servers locally and within the European Union and destruction. We also store your Personal Data insofar as necessary within all our legal obligations, as shall be explained in this Policy.
We also collect your Personal Data whenever you access any of our websites.
We process the following information:-
If you’re an employee:- All the personal data necessary for us to be able to put the employment agreement in force. Essentially these include your name, address, telephone number, mobile number, email address, date of birth, social security number, any health conditions impinging on your employment, IBAN number, bank details and next of kin information, your image and your marital status.
If you are a visitor to our care homes:- Your name, name of the person you are visiting, your signature, your image on our CCTV system.
If you are a resident:- your name, image, bank details, identity card number, health information, health history, next of kin information, date of admission, date of birth and date of departure from the home (when applicable); your signature (if applicable).
Any other data subjects (such as sub processors and visitors to the website):- name, address, financial information, duties performed and, in the case of visitors to the website, any of the following:-
When you access or use our website, we automatically collect information about you including:-
(a) Log information about your use of this site including the type of browser you use, access times, pages viewed, your IP address and the page you visited before navigating to our site;
(b) Information about the device you are using:- whether it is a personal computer or a mobile device, including the hardware model, operating system and version, unique device identifiers and mobile network information (if applicable);
(c) Information collected by Cookies and other tracking technologies. We use cookies and web beacons. Cookies are very small data files which are stored on the device memory (including a hard drive) that help us improve the way we serve you and how you experience our site. We also see which areas of our site or our services are most popular and we count visits to our website. Web beacons are also used – these are electronic images which may be used in our emails or services and help deliver cookies and also count visits and understand usage and any campaign effectiveness. Please see our cookie policy. You may choose to accept cookies or personalise your cookie experience by clicking here.
(d) the Personal Data you provide to us when you are filling out the form and emailing us through our website.
The above lists are not exhaustive.
The purposes of processing by the Controller (hereinafter “the Purposes”) shall be the following:-
a. Residents:- Contract - You becoming a resident in our care homes and for us to be able to give you the sterling care you are entitled to receive from us;
b. Employees:- Contract - You becoming our employee and working with us and our being able to live up to our legal obligations (such as paying you, contacting your next of kin in case of issues, contacting medical help if you have any medical issues on the job and so on);
c. Website Visitors:- Consent – by logging onto our websites, you’re giving us the consent to process your data.
d. Other data subjects such as personal data processors – to process Personal Data on behalf of the Controller for a particular Purpose and the basis is contractual.
e. Particularly, we retain your personal information to comply with all our legal obligations, prevent and detect fraud, collect any money owed to us, resolve any disputes which you may have with us, troubleshoot any problems and/or issues, enforce our contractual rights with you and honour our legal obligations to you, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, and take other actions as permitted by law, and, more specifically, the GDPR and the Data Protection Act, 2018 (Chapter 586 of the Revised Edition of the Laws of Malta).
3.1. We hereby declare and undertake that we process personal data in terms of and in full observance of the following principles:-
(i) lawfully, fairly and in a transparent manner in relation to you;
(ii) we collect personal data only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with the Purposes. Hence, the Controller processes the data only for the Purposes;
(iii) the Personal Data collected are adequate, relevant and limited to what is necessary in relation to the Purposes (‘data minimisation’); to this end, you shall only be required to provide all the Personal Data which are strictly necessary for the Purposes.
(iv) You shall ensure that all Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(v) You shall keep the Personal Data in a form which permits identification of yours for no longer than is necessary for the Purposes
(vi) All Personal Data shall be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of you (‘storage limitation’);
(vii) processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
These principles essentially mean that:-
1. We shall not use the Personal Data in any manner which is not in line with the Purposes;
2. We shall not sell or use the Personal Data for any commercial purposes, other than any of the Purposes;
3. We shall not retain Personal Data for longer than necessary;
4. We shall not destroy Personal Data unless we’re authorised to do so in accordance with the law.
5. We shall not ignore any requests by you for restriction of processing or objection to processing of your Personal Data.
6. We shall accede to all requests made by you in exercise of your rights within and to the extent as permitted by Law.
4.1. The Controller undertakes that all processing of Personal Data shall be lawful and the processing shall only be executed and performed:-
(i) wherever you have given consent to the processing of your Personal Data for the Purposes; and/or
(ii) processing is necessary for the performance of a contract to which you and we are parties and/or in order to take steps at the request of you prior to entering into a contract;
(iii) processing is necessary for compliance with a legal obligation to which we are subject.
5.1. We hereby declare that you shall have the following rights with respect to your personal data and, further, undertake to protect and promote same:-
(a) Transparency: the present Data Protection Policy is aimed at providing you with all the relative information necessary for you to have all information in relation to how your Personal Data is being processed and all the rights available to you.
(b) The right to access your own Personal Data and the right to request that you be provided with a copy of your data free of any charges, unless such requests become repetitive, frivolous or vexatious, in which case a charge shall be levied.
(c) The right to rectify your Personal Data, should there be any incomplete or out-dated data or data which is, somehow, inaccurate.
(d) The right to erasure of your Personal Data unless there are legal rights and/or policy obligations which impose on us any retention periods. You hereby declare that, in any case, no Personal Data shall be retained for longer than is necessary. With this declaration we confirm that we shall not be retaining any Personal Data for longer than is strictly necessary in terms of the law. This essentially means that as soon as the prescriptive period for the exercise of a potential action elapses, then we shall destroy the Personal Data. It is also to be noted that no Personal Data shall be deleted and/or destroyed during the validity of a warranty period.
(e) The right to restriction of processing in either of the following cases:-
(i) the accuracy of the Personal Data is contested by you for a period enabling the Controller to verify the accuracy of the Personal Data; or
(ii) the processing is unlawful and you oppose the erasure of the Personal Data and request the restriction of their use instead;
(iii) we no longer need the Personal Data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims;
(iv) you have objected to processing pursuant to Article 21(1) of the General Data Protection Regulation pending the verification whether the legitimate grounds of the controller override those of you.
(f) The right to have data portability in a machine-readable format. This essentially means that you have the right to receive the Personal Data concerning you in a structured, commonly used and machine-readable format, and that you have the right to transmit those data to another controller without hindrance from us. Furthermore, you shall have the right to have the Personal Data transmitted directly by us to any other controller indicated by you in writing, from one controller to another, where technically feasible.
(g) The right to object to processing, should processing be no longer justified on the basis given in Clause 5.1. of this Policy.
(h) The right not to be subjected to automated decision making. The Controller declares that there is no automated decision making which is being carried out on the Personal Data.
In order to exercise any of the rights listed in Clause 6A, you shall send an email to Ms Michelle Mercieca and request the right and/or rights which you would want to exercise. We shall endeavour to accede to the request as soon as it is technically possible.
6.1. Should you suspect a Personal Data breach likely to result in a high risk to your rights and freedoms, you shall lodge a report to the Data Protection Officer on: [email protected]
6.2. We shall investigate such report and take all the necessary measures in terms of the General Data Protection Regulation and the Data Protection Act, 2018 to ensure that your rights and freedoms and your Personal Data are fully protected, including but not limited to, all the measures in the General Data Protection Regulation. Should the circumstances so warrant in terms of the General Data Protection Regulation, the Controller shall report the breach to the Data Protection Commissioner in terms of the General Data Protection Regulation. Simply put, if a breach is confirmed and there is a risk for you, the data protection officer informs the Information and Data Protection Commissioner within 72 hours of becoming aware of the breach.
Immediate actions are to be taken to contain the breach and minimize further damage. Following this, measures are recommended and implemented to minimize the risk of the data breach recurring.
The Controller hereby declares that it does not transfer any Personal Data to any processor and/or controller who do not offer the same levels of protection to Personal Data as that obtaining in terms of the General Data Protection Regulation.
However, we may need third party processors to have access to your Personal Data. Auditors, financial institutions (in case of payment gateways), medical professionals, IT support persons and all other persons we need to rely on to provide our services are data processors and we always ensure that such processors are fully cognizant of their legal obligations arising out of the fact that they are engaged by us and they have access to your Personal Data. Processing activities by such processors shall always be made exclusively in pursuance of the Purposes. Consequently, we may share your Personal Data:-
(i) With and among our employees and any hired sub-contractors such as our delivery team members, outsourced workers, temporary agency workers and such like;
(ii) In response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law, regulation or legal process;
(iii) To any other company which may be wholly owned by the Controller and/or in which the Controller has the sole controlling interest.
We take reasonable precautions to protect your personal information from unauthorized access, use or disclosure, hacking and misuse. We are aware of our responsibilities to protect the security, confidentiality and integrity of your Personal Data. We cannot guarantee that the physical and security systems we employ are impenetrable, cannot fail and are foolproof. However, we will do all that is feasible and possible to ensure that all the Personal Data you provide us with shall remain private, secure and safe.
The Personal Data is yours. It is not ours and it will never be ours. It is only yours. Consequently, we will only process the Personal Data if and up till the extent necessary to ensure that all our legal obligations and rights are observed and satisfied and only to the extent explained in this Policy.
With respect to cookies, please note that most web browsers have the default setting of accepting cookies. If you prefer, you can usually choose to set your browser to remove or reject browser cookies by configuring your browser’s settings. Please be aware, however, that if you choose to disable cookies entirely, a portion of this site or specific functions of this site may not function properly.
We shall not make use of Personal Data for marketing purposes unless we have first obtained your prior written consent.
Should our legal relationship with you terminate, we retain Personal Data as follows:-
In the case of Employees:- Personal Data is processed for a period of five years following termination of employment. In this case, records are kept for 5 years on the grounds that most records include residents’ personal records which might be required for legal purposes. Online usage activity of employees and exceptions are not monitored and stored. However, security events are logged and recorded. The system keeps up to 50,000 entries as dictated by the Microsoft standard rationale for retention.
Visitors:- Two years from date of visit; and
Residents/clients/Subprocessors: - Five years from termination of residence/provision of service.
Website Visitors:- you can withdraw your consent at any time and you can delete any cookies from your website at any point. If we just receive an email from you and no legal relationship is entered into, those emails are deleted at the end of the calendar year during which they were received.
We reserve the right to modify or amend this Data Protection Policy at any time by making the amended Policy publicly available. All amended terms take effect upon such making available. Each time you use this site, the current version of the Data Protection Policy will govern your use. Accordingly, when you use this site, you should check the date of this Data Protection Policy (which appears at the top) and review any changes since the last version.
We welcome your comments regarding this Data Protection Policy. If you believe that we have not adhered to this Data Protection Policy, please contact us on +356 2799 2797. This will not affect your statutory rights.
We shall observe the General Data Protection Regulation in its entirety. In case of any inconsistencies between the provisions of this Policy and the General Data Protection Regulation, the latter shall prevail.