1. Purpose, Scope and Users
Thomas Smith Group hereinafter referred to as “TS” strives to comply with applicable laws and regulations related to Personal Data protection in countries where TS operates. This Policy sets forth the basic principles by which TS processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business units and employees while processing personal data.
Personal data is used by us and by third parties on our behalf:
- To improve the quality of the services for our users;
- To comply with licensing and regulatory requirements as are applicable to us;
- For anti-money laundering, prevention of terrorist financing and identity verification;
- To detect or suppress fraud;
- For statistical and research purposes;
- For market research, marketing and data analysis purposes;
- To analyse your credit risk (if applicable);
This Policy applies to the entire TS Group and includes the following subsidiaries :
SHIPPING
Thomas Smith and Co. Ltd. ( C- 860 )
T C Smith Agencies Ltd. ( C- 8590 )
T S Container Agencies Ltd. ( C- 47639 )
The above companies registered at Polidano Buildings, Triq Hal Farrug, Luqa LQA 3078 provide :
Freight Forwarding services specialising in all areas of Cargo movement.
Container Liner Agency services as the local representatives of Maersk Line ( AP Moller Group )
Port Agency services catering for Leisure, Business, Naval and Oil & Gas industries
Navigational charts as the official local distributor for the Hydrographic Office of the British Admiralty
INSURANCE
Thomas Smith Insurance Agency Ltd. ( C- 5637 ) registered at Polidano Buildings, Entrance A, Triq Hal Farrug, Luqa LQA 3078, Malta, provides insurance agency services for both Personal and Commercial Lines.
Thomas Smith Insurance Brokers Ltd. ( C- 40721 ) registered at Thomas Smith Insurance Brokers Ltd. Polidano Buildings, Entrance B, Triq Hal Farrug, Luqa LQA 3078, Malta, provides insurance brokerage services to both individuals and businesses.
The users of this document are all employees, permanent or temporary, and all contractors working on behalf of TS.
For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), TS is the ‘controller’ of Data Subject data.
If you have any queries about this Policy, the way in which we process personal data, or about exercising any of your rights, you may contact our Data Protection Officer (or designate) by sending an email to [email protected] or writing to our Data Protection Officer at Triq Hal Farrug, Luqa LQA 3078.
2. Reference Documents
- EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
- CAP 440 – Data Protection Act
- Inventory of Personal Data Processing Activities
- Data Retention Policy
- Data Subject Access Request Procedure
- Incident and Breach Management Procedure
3. Definitions
The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:
Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject“) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR; In Malta this is represented by the Information and Data Protection Commissioner (IDPC).
4. Basic Principles Regarding Personal Data Processing
The data protection principles outline the basic responsibilities for organisations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
4.1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
4.2. Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.3. Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
4.4. Accuracy
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
4.5. Storage Period Limitation
Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
4.6. Integrity and confidentiality
Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, TS must use appropriate technical or organisational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access to, or disclosure.
4.7. Accountability
Data controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
5. Organisation and Responsibilities
The responsibility for ensuring appropriate personal data processing lies with everyone who works for or with TS and has access to personal data processed by the Company.
The key areas of responsibilities for processing personal data lie with the following organisational roles:
The board of directors makes decisions about, and approves the Company’s general strategies on personal data protection.
The Data Protection Officer (DPO) or designate, is responsible to safeguard the protection of personal data of all data subjects and oversee the management of the Data Protection Management System to ensure that this policy is implemented effectively. He/she monitors and analyses personal data laws and changes to regulations, develops compliance requirements, and assists business departments in achieving their Personal data goals.
The IT Manager is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
The Marketing Manager, is responsible for:
- Approving any data protection statements attached to communications such as, but not limited to, emails, letters, and social media pages, namely Thomas Smith Insurance Facebook Page, Thomas Smith Shipping Facebook Page, Thomas Smith Shipping LinkedIn Page, as well as our social media page dedicated to the annual Thomas Smith Christmas Charity Swim.
- Addressing any data protection queries from journalists or media outlets like newspapers.
- Where necessary, working with the Data Protection Officer to ensure marketing initiatives abide by data protection principles.
The Human Resources Manager is responsible for:
- Improving all employees’ awareness of user personal data protection.
- Organising Personal data protection expertise and awareness training for employees working with personal data.
- End-to-end employee personal data protection. It must ensure that employees’ personal data is processed based on the employer’s legitimate business purposes and necessity.
The Departmental Manager is responsible for passing on personal data protection responsibilities to suppliers, and improving suppliers’ awareness levels of personal data protection as well as flow down personal data requirements to any third party supplier they are using. Departmental Managers must also ensure that TS reserves a right to audit suppliers.
6. Building Data Protection in Business Activities
In order to demonstrate compliance with the principles of data protection, TS has built data protection into its business activities.
6.1. Collection
TS strives to collect the least amount of personal data possible. If personal data is collected from a third party, Departmental Managers must ensure that the personal data is collected lawfully. In the event that direct data subjects (e.g. clients, suppliers or employees) disclose the personal data of a third party to us, the data subject warrants to us that he/she shall obtain the consent of such person to the use by us of their personal data in accordance with this policy and the Terms and Conditions.
Thomas Smith does not sell, rent, exchange, or otherwise disclose personal information collected from the normal business processes or from internet platforms such as website or social media. Personal information is collected only with the data subject’s permission. The information collected by Thomas Smith is used to process data subjects’ requests effectively.
6.2. Use, Retention, and Disposal
The purposes, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Notice. TS must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused, or abused, and prevent personal data breaches.
6.3. Disclosure to Third Parties
Whenever TS uses a third-party supplier or business partner to process personal data on its behalf, the Departmental Head must ensure that any third party handling personal data on behalf of TS shall receive ( at the last known address ) the Declaration of GDPR Compliance in order to commit to security measures to safeguard personal data that are appropriate to the associated risks.
Rights of Access by Data Subjects
As a data controller and processor, TS is responsible to provide data subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.
6.4. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, for free. TS is responsible to ensure that such requests are processed within one month, are not excessive and do not affect the rights to personal data of other individuals.
6.5. Right to Rectification
We aim to keep your personal data accurate and complete. We encourage you to contact us using the contact details provided to let us know if any of your personal data is not accurate or has changed, so that we can keep your personal data up-to-date.
6.6. Right to be Forgotten
Upon request, Data Subjects have the right to obtain from TS the erasure of its personal data. This may be done by sending an email request to [email protected] . When TS is acting as a Controller, the DPO or designate must take necessary actions (including technical measures) to inform the third-parties who use or process that data to comply with the request.
7. Fair Processing Guidelines
Personal data must only be processed when explicitly authorised by DPO or designate.
TS decides whether to perform the Data Protection Impact Assessment for each data processing activity.
7.1. Obtaining Consents
Whenever personal data processing is based on the data subject’s consent, or other lawful grounds, the Departmental Manager is responsible for retaining a record of such consent. The Manager is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
When requests are received to correct, amend or destroy personal data records, the Departmental Manager must ensure that these requests are handled within a reasonable time frame. The Manager must also record the requests and keep a log of these.
Personal data must only be processed for the purpose for which they were originally collected. In the event that TS wants to process collected personal data for another purpose, TS must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). The Departmental Manager is responsible for complying with the rules in this paragraph.
The DPO or designate must ensure that collection methods are compliant with relevant law, good practices and industry standards.
8. Response to Personal Data Breach Incidents
When TS learns of a suspected or actual personal data breach, the DPO must perform an internal investigation and take appropriate remedial measures in a timely manner, according to the Data Breach Policy. Where there is any risk to the rights and freedoms of data subjects, TS must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours. This is covered in the Incident and Breach Management Procedure.
9. Audit and Accountability
The DPO or internal audit team is responsible for auditing how well business departments implement this Policy.
Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.
10. Conflicts of Law
This Policy is intended to comply with the laws and regulations in the place of establishment and with the laws and regulations of the countries with which TS transacts. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
11. Managing records
A Data Retention Policy has been designed and implemented to ensure that established retention periods are founded on legitimacy (based on legal, contractual and/or consent).