|The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the case of this Policy, the term Data Controller shall refer to Zampa Debattista (Civil Partnership Registration Number: AB/2/14/04) and/or ZD Assurance Limited (Company Registration Number C-66286) having their registered office situated at 230, 230 Second Floor Triq Il-Kungress Ewkaristiku Mosta MST 9039 Malta.
References to “us”, “our” and “we” shall refer to Zampa Debattista and/or ZD Assurance Limited in our capacity as joint controllers, and, unless the context requires otherwise, any one of our directors, partners, officers, employees, associates, contractors, trainees or interns.
|Data Subject||Any natural person being one of our past, present or potential customers, including students at “ZD Academy” (being a trade name of ZD), as well as any visitors to our Website.
Reference to “you” or “your” shall refer to the Data Subject.
|DPO||Our Data Protection Officer, as indicated in Section 3 of this Policy.|
|GDPR||Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.|
|Website||Our website, zampadebattista.com, including any page or sub-page, and if the context so requires may include any of our social media pages.|
|ZD||Zampa Debattista (Civil Partnership Registration Number: AB/2/14/04) of 230, 230 Second Floor Triq Il-Kungress Ewkaristiku Mosta MST 9039 Malta.|
|ZDA||ZD Assurance Limited (Company Registration Number C-66286) of 230, 230 Second Floor Triq Il-Kungress Ewkaristiku Mosta MST 9039 Malta.|
|ZDG||ZD and/or ZDA and/or any group entity that is associated with ZD or ZDA.|
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
- Who we are and how to contact us
230, 230 Second Floor
Triq Il-Kungress Ewkaristiku
Mosta MST 9039, Malta
- What personal data do we process?
We always process personal data lawfully, fairly and in a transparent manner and we only collect personal data which is adequate, relevant and limited to what is necessary in relation to the purposes listed in Section 6 of this Policy.
The personal data that we process depends on our relationship to the Data Subject in question, but may include the following:
- Name and surname
- Residential and/or office/business/work address
- Place of birth
- Date of birth
- Social security and tax identification number
- Marital status
- Bank / payment account details, such as IBAN and account numbers
- Copies of identification documentation, such as national identity cards and/or passports
- IP Address
- Qualifications, employment history and any other information listed on a resume or CV
- Personal data relating to criminal convictions and offences
- Contact details
- Details of your income and businesses
- Tax residency information
- When do we collect your personal data?
We collect personal data from you in a number of ways, such as:
- when you request that we provide you with services
- when you apply to join any programme or course offered by ZD Academy
- when you contact us via email, social media, or other means of communication
- when you sign up to receive emails or other communications from us
- when you access and interact with our Website (through cookies or online forms)
In order to fulfil our duties in the public interest, protect our employees and assets, improve our service and/or comply with legal obligations, such as anti-money laundering, bribery and corruption laws and other regulatory requirements, we may carry out checks on existing or potential clients both prior to the establishment of a business relationship and post-establishment of such relationship on an ongoing basis.
We may verify the background of individuals and we may check the information you provided against:
- publicly available information about your company or business activities
- any government’s issued sanctions lists
- media sources – including social media
- Why do we process personal data?
The reason why we process personal data largely depends on our relationship to the Data Subject, but this purpose is limited generally to:
- providing you with services;
- complying with our legal obligations;
- complying with or enforcing a contract to which we are a party;
- for litigation and defence of legal claims;
- financial management, account management, customer service, implementation of controls, management reporting, analysis;
- registering you for events and courses that we may organise from time to time;
- for accepting payments from you;
- internal audits and investigations
- complying with law or regulation or direction from any enforcement agency, court of law or regulatory body;
- promotion of the security and protection of staff, the public, our offices, systems and assets;
- monitoring of compliance with contractual agreements, internal policies and procedures;
- in pursuit of our legitimate interest in seeking to detect fraud, harassment or the commission of a criminal offence (such as theft, the destruction of private or public property, etc);
- in the administration of our relationship with you;
- investigating or responding to incidents and complaints;
- to provide information requested by you;
- to promote our services, including sending updates, publications and details of courses or events.
Should we need to process your personal data for any other reason we will request your consent in writing. You may withdraw such consent at any time, provided that the withdrawal of consent shall not affect the lawfulness of processing before such withdrawal.
- Do we share your personal data with third parties?
There are certain instances when we may need to transfer your personal data to third parties. This would typically take place in the following circumstances.
- With a firm within the ZD network
We may share your data with any firm or entity within the ZD network or any associated entity.
- Sharing of personal data with our suppliers
We may, for example, engage a supplier to carry out professional, administrative and/or operational work in support of our relationship with you or to comply with our legal obligations. The supplier(s) will be subject to contractual and other legal obligations to preserve the confidentiality of your data and to respect your privacy, and will only have access to the data they need to perform their functions. These suppliers are typically lawyers, consultants, accountants, auditors, software providers, IT suppliers (who host or support our IT systems, including information about you), premises management service providers (who look after physical security at our offices and, therefore, may need to know about you to allow you access) and back-office finance and accounting staff (who might need to handle details of a Data Subject in order to process salaries).
- Sharing of personal data with government, police, regulators, courts or tribunals, or law enforcement agencies
We will share your data with government, police, regulators or law enforcement agencies if, at our sole discretion, we consider that we are legally obliged or authorised to do so or it would be prudent to do so.
- Sharing of personal data in the case of a business transaction or restructuring activity
We may need to disclose your data to the prospective seller or buyer and their advisers as part of the due diligence process for a proposed merger, acquisition, restructuring or other business transaction.
We do not sell, rent or otherwise make personal data commercially available to any third party, except with your prior permission.
- Your rights with respect to your personal data
8.1. Correcting and completing of personal data
We take every reasonable step to ensure that the personal data we have in our possession is accurate and kept up to date. However, it is still possible for certain personal data to be incorrect or incomplete. Should you, therefore, wish to correct or complete any inaccurate or incomplete personal data that we hold, you may do so by sending us an email, highlighting the data that requires correction or completion, as the case may be, and we will update our records without undue delay and inform you once this has been done.
8.2. The right of access and the right to be forgotten
As a data subject, you have the right to access your personal data and, in certain situations, the right to request that we erase your personal data without undue delay. Should you like to access your personal data that we hold on you or should you wish that we erase your personal data, you are kindly requested to contact us by email. It should be noted that we will erase your personal data as soon as possible, provided that such personal data are no longer necessary in relation to the purposes (as specified in Section 6 of this Policy) for which they were collected or processed. Should you request that we erase your personal data, we may have no other option but to terminate our relationship with you. Please note that even after you have chosen to withdraw your consent we may be able to continue to process your personal data to the extent required or otherwise permitted by law, in particular in connection with exercising and defending our legal rights or meeting our legal and regulatory obligations.
8.3. Data portability
You may also request a copy of your personal data, which will be supplied in any machine-readable format selected by us. This will be released either to yourself or, if technically feasible, to a controller designated by yourself.
8.4. Restriction of processing
You may also request that we restrict the processing of your personal data in the following situations. Should we agree to restrict the processing of your personal data pursuant to any of the grounds listed below, we shall inform you in writing before the restriction of processing is lifted.
- the accuracy of the personal data is contested, for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.
8.5. Opting out
Where personal data are processed for direct marketing purposes, you have the right to object at any time to such processing. You can do this by (i) asking us to stop sending marketing communications (unsubscribe) by clicking on the “unsubscribe” hyperlink included in all marketing communications sent to you; or (ii) requesting that we cease the processing of personal data for direct marketing purposes by sending an email to the Data Protection Officer at MZ@zampadebattista.com with the subject set as “UNSUBSCRIBE”.
- Can we transfer your personal data outside the EEA?
There may be instances where we need to transfer your personal information to locations outside the jurisdiction in which you provide it or where you are viewing our Website for the purposes set out in this Policy. This may entail a transfer of your information from a location within the European Economic Area (the “EEA”) to outside the EEA (i.e., a third country), or from a third country to a location within the EEA.
In cases where we transfer your personal data to third countries we shall ensure that such transfer is performed in compliance with the provisions of the GDPR governing third country data transfers. This means that we may transfer your personal data to third countries:-
- if such third country has been declared to offer an adequate level of protection through a European Commission decision (‘Adequacy Decision’), meaning that data can be transferred with another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions;
- in the absence of an Adequacy Decision, a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals, for example through contractual arrangements with the recipient of the personal data, using the standard contractual clauses approved by the European Commission; or
- if a transfer of personal data is envisaged to a third country that isn’t the subject of an Adequacy Decision and if appropriate safeguards are absent, a transfer can be made based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.
- How long do we keep your personal data?
We make every effort to ensure that personal data are kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed. However, we are also subject to legislation that prescribes time-frames for retention of certain data relating to classes of our Data Subjects such as customers, employees and suppliers. We typically erase the personal data we have on record within ten (10) years from last interaction we have with Data Subject in question. For a customer, this could be 10 years from the end our business relationship.
- How will we notify you of changes to this Policy?
Certain provisions in this Policy may be amended from time to time. The latest version of this Policy shall always be available on our website. Data Subjects should therefore ensure that they have the latest version of this Policy by visiting www.zampadebattista.com/privacy-policy
- How can I complain?
If you are a Data Subject and you feel that your rights under the GDPR have been violated by us, you have the right to lodge a complaint with the relevant supervisory authority for data protection. In Malta, this is the Data Protection Commissioner (https://idpc.org.mt). We would also welcome the opportunity and make every effort to satisfactorily deal with your complaint amicably before you approach any such supervisory authority.