THE FOUNDATION FOR THE PROMOTION OF ENTREPRENEURIAL INITIATIVES (FPEI)
PRIVACY NOTICE
1. INTRODUCTION
This Privacy Notice (the “Notice”) is a statement of the practices of the Foundation for the Promotion of Entrepreneurial Initiatives (FPEI) in connection with the processing of personal data and the steps taken to protect personal data and safeguard an individual’s right to privacy.
The FPEI (the “Foundation”, “we”, “us” or “our”) is committed to protecting the privacy and security of your personal data. This Privacy Notice is addressed to our current, former and prospective Members and explains how we process personal data about them (also referred to in this notice as “you”).
This Notice is being provided to you since you are a current or former member of the Foundation or are otherwise in the process of applying to become one. It aims to ensure that you are fully informed on how we, the Foundation, will collect and process your personal data. It informs you about the items of personal data which we will collect about you and describes how we will handle it (regardless of the way you interact with us, whether through our website, by email, phone, or otherwise), and in turn, also tells you about:
(i) our obligations in regard to processing your personal data responsibly;
(ii) your data protection rights as a data subject; and
(iii) how the law protects you.
This Notice does not form part of any contract to provide services. We may update this Notice at any time. It is important that you read this Notice, together with any other privacy notice that we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data.
2. DATA CONTROLLER
The Foundation is the “data controller” of your personal data as a member or applicant. This means that we are responsible for deciding how we hold and use personal data about you. We will process it at all times in an appropriate and lawful manner, in accordance with the Data Protection Act, Cap. 586 of the Laws of Malta and the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
If you have any questions relating to this Notice, including any requests to exercise your legal rights (which are outlined below in this Notice), please contact us, by email or in writing, using the contact details set out below.
Contact details:
a. Full name of Foundation: Foundation for the Promotion of Entrepreneurial Initiatives (FPEI)
b. Email Address: info@fpei.mt
c. Postal address: Dar Guzeppi Zahra, University of Malta, Msida MSD 2080
Please use the words ‘Data Protection Matter’ in the subject line.
3. THE DATA WE COLLECT ABOUT YOU
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data) or information relating to a legal person (such as a company name or registration number or its registered office).
There are also “special categories of personal data” which require a higher level of protection. These include information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life.
As a member or applicant, we may collect, store and use the following categories of personal data about you:
4. CATEGORY OF PERSONAL DATA EXAMPLES
A. Identity Data: your first name, last name, title, date of birth, gender, membership number, job title, position in your organisation.
B. Contact Data: your work address, home address, email address, telephone number, mobile number, place of work.
C. Application Data: your identity card number or other national identifier, relevant educational and professional certificates, C.V., reference letters, and course enrolment information/confirmation.
D. Subscription Data: your date of application and membership, length of membership, renewals and information about any positions held within the Foundation, including on any committees.
E. Profile Data: your username, password, membership of any professional associations or institutes, areas of interest and specialisation, survey responses, records of participation in Foundation events and activities, records of our communication/s with you.
F. Transaction Data: details about your membership subscription payments (including invoices issued, payments made and received, amounts outstanding), bank account details and payment history.
G. Marketing Data: your preferences in receiving marketing from us and our third-party service providers and your communication preferences.
We also collect, use and share Aggregate Data such as statistical or demographic data for any purpose (including to understand the demographics of our members). Aggregate Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.
However, if we combine or connect Aggregate Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Notice.
5. IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we need to collect personal data about you by law, or pursuant to our terms of business, and you fail to provide that data when requested, we may not be able to (i) process or accept your membership application, or (ii) administer and continue your membership (if already commenced).
We will duly inform and notify you if this is the case at the time.
6. SPECIAL CATEGORIES OF PERSONAL DATA
We do not, outside of truly exceptional cases, collect or process special categories of personal data about our members or applicants. However, if (in addition to being a member) you are also enrolled as a student in any of our courses and/or attend or act as a lecturer, tutor or speaker on any of our courses, conferences, seminars or events, then there may be instances where we may need, or you may otherwise wish us, to collect and process certain special categories of personal data about you (such as, for instance, any medical conditions which you may wish us to cater for by making the appropriate adjustments at the venue where the particular course or event is being held).
4. HOW IS YOUR PERSONAL DATA COLLECTED?
The personal data that we process about you, as listed above, is collected and generated from a variety of sources, in accordance with applicable laws and regulations.
We will collect data directly from you (for example from membership forms, through communication with us) and will create some data internally (e.g., if we assign you a member ID).
We will also collect additional personal data throughout the period you remain a member of the Foundation.
We may also collect some data from external sources. For example:
• employers or educational institutions may provide the Foundation with relevant information on where you are employed and/or your professional or academic qualifications (e.g., in reference letters);
• we may obtain data from publicly available resources (e.g., from social media).
5. HOW WE USE YOUR PERSONAL DATA
We process your personal data in order to run and manage the operations of the Foundation and to provide you with the associated benefits of your membership. In particular, we process your personal data to:
- fulfil the mission of the Foundation and to further its objects;
- process your application and manage your membership;
- manage our relationship with you (including renewals);
- manage our relationship with your employer/member firm when and if they pay your membership fees;
- keep membership records;
- process membership fee payments;
- send out surveys, or other information relevant to our functions and obligations;
- establish and maintain communication with you;
- provide content or services you request from us;
- invite you to attend our committees, working groups, seminars and to run such committees, working groups and seminars;
- send you our publications, brochures, newsletters, reports and other materials;
- classify our members (including their areas of expertise);
- invite you to our events, conferences and workshops;
- organise and handle annual meetings, extraordinary annual meetings and coordination group meetings;
- manage complaints and conduct investigations and disciplinary or dispute resolution activities.
We will generally base our processing on the following grounds or lawful bases:
(i) For the performance of a contract with you in terms of art. 6(1)(b), GDPR (the “contract” of membership); and
(ii) Necessary for our legitimate interests in terms of art. 6(1)(f), GDPR.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose, or we are obliged to process your data by applicable laws or court or regulatory orders. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
6. MARKETING
We regularly send marketing communications to our registered members and, to do so, we rely on our legitimate (business) interests and your legitimate expectations. An “unsubscribe” or “opt-out” option is, however, included in each marketing communication that we send, and we regularly review our mailing and marketing lists to ensure that they are current, up to date and do not include any individuals who have unsubscribed.
7. DISCLOSURE OF YOUR PERSONAL DATA
Why might you share my personal data with third parties?
We will share your personal data with third parties where required by law, where it is necessary to administer your membership, or where we have another legitimate interest in doing so.
We may also share your personal data with:
- affiliate associations with whom the Foundation operates;
- your employers where they are paying your membership fees;
- third-party payment processors such as payment service providers and banks;
- our professional and legal advisors and other third parties, such as to investigate complaints and disciplinary matters or to establish, exercise or defend our legal rights;
- third party companies that distribute our publications on our behalf; and
- third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
We may also need to share your personal data with a regulator, law enforcement authorities or to otherwise comply with the law, as applicable.
8. INTERNATIONAL TRANSFERS
We may transfer your personal data outside the European Economic Area (EEA). If we do, we will ensure that at least one of the following safeguards applies or is otherwise implemented:
(i) the European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for your rights and freedoms; or
(ii) appropriate safeguards are in place such as binding corporate rules, standard contractual clauses, an approved code of conduct or a certification mechanism, a copy of which can be obtained from us; or
(iii) you have provided explicit consent to the proposed transfer after being informed of any potential risks; or
(iv) the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and you, for reasons of public interest, to establish, exercise or defend legal claims or to protect your vital interests where you are physically or legally incapable of giving consent and, in some limited cases, for our legitimate interest.
Should this arise, we will update this Notice and/or notify you.
9. DATA SECURITY
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed (that is, to safeguard its integrity and confidentiality). We also regularly review and, where practicable, improve upon these security measures.
We have also put procedures in place to deal with any suspected personal data breach and will notify any applicable regulator of a breach where we are legally required to do so.
10. DATA RETENTION
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint, investigation or disciplinary action or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.
In regard to Members, we will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, i.e., the management of your membership (whilst ongoing), and following its termination:
• to satisfy any legal, accounting, tax or reporting obligations to which we may be subject; and/or
• to the extent that we may also need to retain your personal data in order to be able to assert, exercise or defend possible future legal claims against or otherwise involving you.
By and large though, we generally apply the following retention timeframes:
• a one (1) year period for applicants whose membership applications are not accepted by the Foundation (starting from the date when the non-acceptance of that application is communicated); and
• up to a ten (10) year period for registered members who terminate their membership (starting from the date of expiry/termination of that relationship). This period takes into account applicable prescriptive periods and legal and regulatory obligations to retain accounting and taxation records for set periods (i.e., record-keeping requirements in relation to membership payments).
Note, however, that not all the data will be retained for the full ten (10) years and some of your data will be deleted at an earlier stage (such as your subscription data which, unless there are exceptional or compelling reasons, will only be kept for five (5) years from when the relationship ends).
In some circumstances you can ask us to delete your data. See Request erasure below for further information.
Data Minimisation
Whenever and to the extent possible, we anonymise the data we hold about you when it is no longer necessary to identify you from the data held. In some circumstances, we may even anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Kindly contact us for further details about the retention periods that we apply.
11. YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
No fee is usually charged
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may simply refuse to comply with your request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within a period of one month from the date of receiving your request.
Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
i. REQUEST ACCESS
You have the right to request access to your personal data. This enables you to request information on whether or not your personal data is being processed by us, and to also request a copy of the information that we hold about you (to check, for instance, that we are processing it lawfully).
You may send an email requesting information as to the personal data which we process.
Generally, you shall receive one copy free of charge via email of the personal data which is undergoing processing.
Any further copies of the information processed will typically incur a charge of €10.00.
You are only entitled to request access to personal data that relates to you.
ii. RIGHT TO INFORMATION
You have the right to information when we collect and process personal data about you from publicly accessible or third-party sources. When requested and possible, we will inform you, within a reasonable and practicable timeframe, about the third party or publicly accessible source from which we have collected your personal data.
iii. REQUEST CORRECTION (RECTIFICATION)
You have the right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected and/or updated, though we may need to verify the accuracy of the new data you provide to us.
iv. REQUEST ERASURE
You have the right to request erasure of your personal data.
This enables you to ask us to delete or remove personal information where:
• there is no good reason for us continuing to process it;
• you have successfully exercised your right to object to processing (see below);
• we may have processed your information unlawfully; or
• we are required to erase your personal data to comply with local law.
Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. These may include instances where the retention of your personal data is necessary to:
• comply with a legal or regulatory obligation to which we are subject; or
• establish, exercise or defend a legal claim (including policy claims).
v. OBJECT TO PROCESSING
You have the right to object to processing of your personal data where we are relying on our legitimate interests or those of a third party to do so, and you wish to object to that processing as you feel that it impacts on your fundamental rights and freedoms.
In such cases, we will cease processing your personal data for the ‘objected purposes’, unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms, or the processing is needed for the establishment, exercise or defence of legal claims.
You also have the right to object where we are processing your personal data for direct marketing purposes (as, for instance, described under ‘Marketing’ in Section 6 above – the unsubscribe option).
vi. RESTRICTION OF PROCESSING
You also have the right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
• if you want us to establish the data’s accuracy;
• where our use of the data is unlawful but you do not want us to erase it;
• where you need us to hold onto the data even if we no longer require it, as you need it to establish, exercise or defend legal claims; or
• where you have objected to our use of your personal data, but we need to verify whether we have overriding legitimate grounds to use it.
vii. DATA PORTABILITY
You have the right to request the transfer (data portability) of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
viii. WITHDRAWAL OF CONSENT
You may withdraw your consent at any time where we are relying on consent to process your personal data. This will not however affect the lawfulness of any processing which we carried out before you withdrew your consent.
Any processing activities that are not based on your consent will remain unaffected.
Kindly note that none of these data subject rights are absolute or unreservedly guaranteed, and must generally be weighed against our own legal obligations and legitimate interests. If a decision is taken to override your data subject request, you will be informed of this along with the reasons for our decision.
12. COMPLAINTS
You have the right to lodge a complaint at any time to a competent supervisory authority on data protection matters, such as in particular the supervisory authority in the place of your habitual residence or your place of work. In the case of Malta, this is the Office of the Information and Data Protection Commissioner (the “IDPC”):
• https://idpc.org.mt/en/Pages/Home.aspx
We would, however, appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.
If you have any questions regarding this Notice, or if you would like to send us your comments, please contact us using the Contact Details indicated in this Notice.
Updated 27.02.2024
Last modified: 22/05/2024