Introduction

This privacy policy (the “Policy”) sets out information about how Grant Thornton (hereinafter referred to as the “Firm”, “We” or “Our”) processes and uses your Personal Information. We are firmly committed to respecting your privacy and the confidentiality of your Personal Information. All Personal Data will be processed in accordance with the Data Protection Act (Chapter 586 of the Laws of Malta) and subsidiary legislations thereunder (the “Act”) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”).

Contact Us

This Policy outlines Our internal practices to ensure that Personal Data collected in relation to Data Subjects is protected. Furthermore, it also provides that Our operations are subject to continuous review to maintain alignment with GDPR. We must emphasize that We will only be using and/or disclosing any Personal Data collected from Data Subjects in accordance with the manner set out in this Policy.

Should you require further information regarding Our privacy practices, kindly contact us via e-mail at gdpr@mt.gt.com.

Key Definitions

“Controller” or “Data Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data subject” refers to any living person (natural person) whose personal data is being collected, held or processed.

“Online Forum” refers to an online medium through which discussions will take place and be made available to the registered attendees.

“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

“Processor” or “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

‘Processing’ means any operation/s which is/are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

NB: Information in relation to legal persons (e.g. company, other legal entities) does not constitute personal data in terms of both the Act and the GDPR. Nonetheless, the aforesaid information will still be handled in a confidential manner, in accordance with Our standard internal practices and professional secrecy obligations.

Data controller
When processing Personal Data of Data Subjects for the purposes indicated in this Policy, the Firm is generally qualified as a Data Controller.

Purposes for Processing Personal Data

The Firm requires the collection and use of certain Personal Data on Data Subjects primarily to facilitate the participation in the Online Forum, including communication in relation to the system access and the communication of any possible matters that were not addressed throughout the conference which will be sent after the conference. Furthermore, Personal Data shall be collected and used for the following purposes:

• to process actions to determine any troubleshoot problems that may arise;
• to subscribe to the Firm’s newsletter;
• to subscribe to the Firm’s marketing communications;
• to send out communication related to the Online Forum;
• for statistical use;
• as is required by law; and
• should the Firm determine to be necessary to ensure the safety of the users, clients, employees, third parties and the public.

The collected Personal Data shall only be processed for the purposes outlined to the Data Subject or any ancillary purposes.

We shall inform data subjects accordingly in cases where we are required to process Personal Data for any other purpose.

Collection of personal data

Specific data is collected directly from Data Subjects. This consists of the general data information provided directly by the Data Subject upon registration to the Online Forum. Personal Data will include:

• full name;
• year of birth; and
• email address.

However, upon registration, Data Subjects may opt to provide additional information which will not be required in order to access the Online Forum. Information which would be processed include:

• company name;
• LinkedIn profile;
• zip code;
• information as to how the Data Subject got to know about the event; and
• information about the conference theme that interests the Data Subject.

The above information, should it be provided, will be processed specifically for statistical purposes. Furthermore, the provision of the LinkedIn profile will be used solely for networking purposes by cross-linking the Data Subject’s profile.

Once the Data Subject creates a profile upon registration, the information in relation to the username will be retained for profile personalization. It is important to note that said information will be publicly available to other users. Additionally, the Online Forum registration allows you to participate and interact with other users as well as being able to share content and information through chat messaging which will be made available to all users.

Data Subjects may opt to receive the Firm’s monthly newsletter as well as other marketing material. In such instances, Personal Information provided by the Data Subject will be processed to send out same.

Collection of data of minors

We recognize the interest that may arise in relation to the topics and speakers that are presented throughout the Online Forum. Hence, as a means of providing the best possible experience to all those interested, including minors, participation may take place from 16 years of age or older.

Personal Data collected from minors (i.e. Data Subjects who are less than 18 years of age) requires further protection. As a result, the Firm will process such Personal Data as a result of their consent. Consequently, the Firm has the right to process the data for the purpose of the Online Forum and for marketing purposes should the minor provide consent.

In the event that We become aware of any Personal Data collected from a minor who is under 16 years of age, without parental consent, the necessary steps will be taken to ensure that the information is removed expeditiously and efficiently. Should the public be aware or believe that We may be holding any information collected with regards to a minor (a person who did not attain 16 years of age), kindly inform us as soon as possible on gdpr@mt.gt.com

Lawfulness of Processing

Personal Data will be processed on the basis of the following legal grounds:

• when the Data Subject has given consent to the processing of his/her personal data for one or more specific purposes;
• when We have a legitimate interest to process the data, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Kindly note that special categories of data, which include information about the data subject’s racial or ethnic original, political views, religious or political beliefs, trade union membership, genetic, biometric or health data, sexual orientation and data related to the Data Subject’s conviction and offences will not be processed by the Firm.

Sharing Personal Data

In order to ensure that Data Subjects are provided with the best possible experience throughout the Online Forum, the collected Personal Data will be accessed by the organizing committee. Personal Data will also be shared with the Economic Research team as a survey(s) is (are) being prepared as a means to support the proposed discussions as well as by way of follow up to same. The members of the organizing committee as well as the Economic Research team are employees and personnel of the Firm.

It is important to note that due to the technological requirements of the Online Forum, Personal Data may be shared with the Firm’s IT team to help resolve any technical issues that may arise as a result of the Online Forum.

Moreover, should consent have been obtained in relation to marketing purposes, your data shall be utilised by the Firm’s marketing team in order to provide you with our monthly newsletter, industry news, services marketing and other information.

The Firm shall not transfer personal data to any third party without the prior consent of the Data Subject, except where We are required to do so by operation of law.

Personal data shall not be transferred to third parties located outside the EU or European Economic Area (EEA) unless specifically instructed to do so in writing by the Data Subject or mandated by provision of law or ordered by a duly empowered competent body.

Data Retention

Personal Information provided solely for the participation within the Online Forum without the provision of any other optional information or consent for marketing purposes provided upon registration will be retained for a period not exceeding one year from the participation in the Online Forum. Such Personal Information includes the full name, email address and year of birth.

Personal data collected and processed on the basis of the Data Subject’s consent shall be retained until the Data Subject withdraws his/her consent.

Moreover, the Data Subject’s LinkedIn profile shall be retained by the Firm for the purpose of networking until the Data Subject withdraws his/her consent.

The indicated time periods may be further extended when We have a legitimate interest related to exercising or defending legal claims or in case of inspections by relevant authorities or where empowered by law or regulation.

Data Subject’s legal rights

Data Subjects have various rights vis-à-vis their Personal Data:

• the right to be informed: the Data Subject has the right to be given clear information regarding how his/her Personal Data is processed. We do this by means of this Policy which will be duly revised from time to time and by means of and any future communications directly with the Data Subject on a case by case basis.
• the right to access Personal Data: the Data Subject may send Us a request to access all Personal Data that the Firm holds in his/her respect. To avail of this right, kindly send an email to gdpr@mt.gt.com. We will do Our best to attend to the Data Dubject’s request within one (1) month. In case of more complex requests, the timeframe will be extended by a further one (1) month. Should the Data Subject disagree with Our judgement, s/he can complain to the Information and Data Protection Commissioner (hereinafter referred to as the “IDPC”) on https://idpc.org.mt/en/Pages/contact/complaints.aspx
• the right to rectification: the Data Subject can also request that any inaccurate or incomplete Personal Data held by the Firm is corrected accordingly. In such instances, kindly send an email to gdpr@mt.gt.com.
• the right to erasure: there are certain instances where Data Subjects may also request the deletion of his/her Personal Data. On a general note, We will comply with the Data Subject’s request in this regard. However, We may have the necessity not to comply with the request if retention of the data is required for us to be compliant with a legal obligation and/or such data would be required by Us to exercise or defend any legal claims.
• the right to stop direct marketing messages.
• the right to object: the Data Subject may object regarding his/her Personal Data being processed including when such processing is based on legitimate interest.
• the right to data portability: the Data Subject has the right to put forward a request asking Us to provide him/her with certain personal data which s/he had provided the Firm in a structured, commonly used and machine-readable format. When technically feasible, the Data Subject may also request that his/her personal data be transferred to a third-party controller of his/her choice.
• the right to withdraw consent: the Data Subject can also withdraw any consent given at any time.
• the right to lodge a complaint: the Data Subject has the right to lodge a complaint against any Personal Data breach by communicating such breach to the IDPC. The IDPC may be notified by filling in the complaint form available at https://idpc.org.mt/en/Pages/contact/complaints.aspx

Security of Personal Data

Keeping the Data Subject’s Personal Data secure is of utmost importance to Us. We undertake to put in Our best efforts to keep any disclosed Personal Information secure by implementing the appropriate technical and organizational measures with the aim of protecting such Personal Data against unauthorized or unlawful processing, encompassing also accidental losses, destruction, storage or access.

Notwithstanding Our efforts to protect personal data, no system can guarantee that the aforementioned scenarios will not occur.

Accuracy of information

The Firm undertakes to hold accurate and where necessary up-to-date Personal Information. In view of this, Data Subjects are asked to keep Us informed of any changes that might occur to Personal Data throughout the previously stipulated data retention timeframes.