Data Protection Policy. Malta Gaming Authority


Data Protection Policy Malta Gaming Authority

Contents

1 Purpose and Scope
2 Data Protection Officer
3 Principles for Processing Personal Data
3.1 Lawfulness, Fairness and Transparency
3.2 Data Minimisation
3.3 Accuracy
3.4 Storage Limitation
3.5 Integrity and Confidentiality
3.6 Accountability
4 Lawfulness of Processing
4.1 Data related to Licensees
4.1.1 Processing of Data Collected at Application Stage
4.1.2 Processing of Data Collected or Created at any Stage During the Duration of the Licence
4.1.3 Processing of Data for the purpose of Audits
4.1.4 Processing of Licensees' Data for Regulatory and Enforcement Purposes
4.1.5 Sharing Licensee's Data with Other Entities, Bodies or Authorities
4.2 Player Data
4.2.1 Processing of Player Data provided through Player Complaints
4.2.2 Processing of Player Data gathered via Land-Based Inspections
4.2.3 Processing of Player Data collected via the Self-Exclusion System
4.2.4 Processing of Player Data for the Purposes of any Investigation
4.3 Data included within Generic Complaints
5 Processing of Special Categories of Personal Data
6 Transmission of Personal Data to a non-EU country
7 Rights of the Data Subject
7.1 Right of Access
7.2 Right to Restriction of Processing
7.3 Right to Rectification
7.4 Right to Erasure
7.5 Right to Object
8 Processing Security

Public

1 Purpose and Scope

The purpose of this policy is to ensure that everyone handling personal information at the Malta Gaming Authority is fully aware of the requirements emanating from the General Data Protection Regulation (Regulation (EU) 2016/679) and complies with appropriate data protection procedures.

This Data Protection Policy ensures that the Malta Gaming Authority:
- Protects the data and the rights of customers, employees and other persons;
- Ensures that responsibilities to protect personal data are defined, communicated, and effectively complied with; and
- Manages the risks associated with handling of personal data and of potential breaches.

This policy applies to all of MGA's employees, contractors and interns.

2 Data Protection Officer

The Authority's Data Protection Officer (DPO) can be reached on dpo.mga@mga.org.mt. Alternatively, you may direct any correspondence to:

Data Protection Officer
Malta Gaming Authority
Level 4, Building SCM03-04
Smart City Malta, Kalkara
Malta. SCM1001

3 Principles for Processing Personal Data

3.1 Lawfulness, Fairness and Transparency

The GDPR requires that the MGA, as the data controller, provides data subjects with information about the processing of their personal data in a concise, transparent and intelligible manner, which is easily accessible, distinct from other undertakings between the controller and the data subject, using clear and plain language.

3.2 Data Minimisation

The MGA, as the data controller, ensures that only personal data which is necessary for each specific purpose is processed. The GDPR stipulates that any personal data processed shall be adequate, relevant and limited to what is necessary. This principle shall apply in terms of the amount of personal data collected, the extent of the processing, the period of storage and accessibility.

3.3 Accuracy

The MGA also ensures that personal data in its possession is accurate and, where necessary, kept up-to-date. The Authority takes every reasonable step to comply with this principle. Periodic exercises are carried out by the Authority to ensure data accuracy and to rectify any inaccurate data in its possession.

3.4 Storage Limitation

The MGA ensures that when the need to keep any of the personal data in its possession ceases to exist, such personal data is deleted or anonymised. The MGA has a detailed Data Archiving and Retention Policy which details the way in which the Authority abides by this storage limitation principle. Retention periods are generally determined on the basis of the periods mandated by applicable laws.

3.5 Integrity and Confidentiality

The GDPR requires personal data to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The MGA abides by this principle by ensuring that only those employees who are required to process certain personal data are in fact given access to such personal data. Furthermore, the MGA has information security measures in place to ensure that risks to any of the personal data in its possession are adequately mitigated. The MGA constantly abides by its Information Security Policies detailing the information security measures that are in place at the Authority.

3.6 Accountability

The MGA, as the data controller, is able to demonstrate compliance with the GDPR and with all the principles for processing personal data that are hereby stipulated. This data protection policy outlines the organisational measures that are in place at the Malta Gaming Authority and that aim at ensuring compliance with the GDPR.

4 Lawfulness of Processing

While fulfilling its role as the regulatory body responsible for the governance and supervision of all gaming activities in and from Malta, the MGA processes certain personal data relating to licensees, players, and complainants.

The MGA ensures that it only processes personal data if at least one of the following applies:
a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) The processing is necessary for compliance with a legal obligation (i.e. European or Maltese law) to which the MGA is subject;
d) The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the MGA by European or Maltese law;
f) The processing is necessary for the purposes of the legitimate interests pursued by the MGA, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

4.1 Data related to Licensees

In most cases, the processing of personal data relating to data subjects that have a role within entities licensed by the MGA is either based on the fact that such processing is necessary for complying with a legal obligation to which the MGA is subject or on the fact that such processing is necessary for the performance of a task in the public interest or in exercise of official authority that is vested in the MGA by virtue of Maltese or European law.

4.1.1 Processing of Data Collected at Application Stage

The MGA routinely processes personal data pertaining to licensees and some of their members, including but not limited to their shareholders, ultimate beneficial owners, and any employees performing key roles as determined by the Authority. This data, supplied to the Authority by the licensee's legal representative(s) or by the persons concerned or by any relevant third parties or bodies, is systematically provided at application stage, but may also be requested by the Authority at any other stage throughout the licensing relationship.

The Lotteries and Other Games Act (CAP.438 of the Laws of Malta) [1] assigns to the MGA the power and responsibility to request any data it deems necessary to carry out its functions as prescribed by law. The MGA ensures that the type and extent of any such data processing is necessary for the legally authorised data processing activity, and that it complies with all applicable requirements. Hence, the above-detailed data processing is carried out on the basis of the MGA's legal obligation to regulate gaming services offered to and from Malta.

[1] To be superseded by the Gaming Act (Chapter 583 of the Laws of Malta)

4.1.2 Processing of Data Collected or Created at any Stage During the Duration of the Licence

Throughout the duration of a valid licence, the Authority may deem it necessary to collect further data from the licensees, or from third parties or bodies, in its capacity as the regulatory body responsible for the governance and supervision of all gaming activities to and from Malta. The Authority will also gather data on the basis of a licensee's activities. Furthermore, amongst other services, the Authority's Licensee Relationship Management Portal also allows people to apply for additional licences, amend profiles and settings, access certain documents, and submit documentation and financial records. This information is processed for regulatory purposes in order for the MGA to fulfil its legal and regulatory functions.

The MGA is assigned the responsibility and official authority to ensure that Malta's gaming regime is based on fair, responsible, safe and secure provision of gaming services and it seeks to ensure that the three main pillars of gaming, namely (i) the fairness of games, (ii) the protection of minors and vulnerable persons and (iii) the prevention of crime, fraud and money laundering, are safeguarded as much as possible. It is therefore the duty and responsibility of the Authority to process all the data and information as may be required to effectively safeguard the public interest with regards to gaming activities in and from Malta.

4.1.3 Processing of Data for the purpose of Audits

The MGA may forward all data, including any personal data, to the approved Auditor appointed by the licensee in accordance with the relevant procedures, in order for the said Auditor to carry out the respective audit. This processing is carried out on the basis of a contractual obligation included within the applicable issued licences.

4.1.4 Processing of Licensees' Data for Regulatory and Enforcement Purposes

The law also empowers the MGA to investigate and assess compliance of licensees and individuals performing key functions with the law, and to take any enforcement action it may deem necessary, in accordance with the law. Personal data provided to the Authority will be used in the course of conducting investigations into the activities of all authorised and interested persons. The MGA may also publish any regulatory and enforcement action taken, at its discretion.

4.1.5 Sharing Licensee's Data with Other Entities, Bodies or Authorities

There may be instances when the MGA will share a licensee's data, including any personal data, with any third parties fulfilling a service on the MGA's behalf, and under the express and specific instructions of the MGA. Occasionally, the MGA may also share such data with another body or authority where the law requires or permits it to do so. This may include any relevant public authorities, local or overseas, gaming regulators, and law enforcement agencies. The primary purpose for such transfer of data is for the Authority to perform its functions as mandated within the law.

Where the law does not require or specifically permit the MGA to transfer any data, the MGA may seek to share this data on the basis of a contractual obligation, where this is applicable. In all cases, the data shall be shared in a fair, transparent and encrypted manner.

4.2 Player Data

Most personal data pertaining to players that is processed by the Authority is supplied directly by the player to the Authority's Player Support Department when seeking assistance with general and technical queries as well as when asking for help in resolving disputes with land-based or remote gaming operators. The Authority also collects certain personal data pertaining to players when carrying out inspections at land-based operators' premises aimed at enforcing requirements relating to the protection of minors and of vulnerable persons (such as self-barred persons and pathological gamblers).

4.2.1 Processing of Player Data provided through Player Complaints

The MGA processes personal data relating to players that has been supplied by the players themselves when this is necessary to provide assistance to the player with any general or technical query and when this is necessary to mediate any disputes arising between players and licensees. The MGA ensures that such data is processed exclusively for the purpose for which it has been collected and that it is processed in accordance with the applicable policies and procedures.

In every instance the MGA's Player Support Unit (PSU) will log the details of the complainant, and the details of any other individuals named by the complainant. Most often, the MGA will have to share the complainant's identity with the licensee in order to be able to resolve the situation. If a complainant would not like to be identified to an operator, it is recommended that they inform us of that wish as soon as possible, and the MGA will try to respect that. However, if it is determined that there is an overarching public interest to proceed with the investigation of a complaint and this can only be done by disclosing the complainant's identity, the MGA may decide to do so.

A complaint may also lead to enforcement action taken by the MGA, or by the Police, and in this case, the complainant's data will be included within this investigation. The MGA processes this data on the basis of the requirements laid down within the law.

4.2.2 Processing of Player Data gathered via Land-Based Inspections

As part of its functions as the regulatory body entrusted by law to enforce the measures aimed at protecting minors and vulnerable persons, the MGA carries out inspections at the premises of land-based operators. During such inspections, a sample of players is asked to provide their personal information so as to allow the Authority's inspectors to confirm that the players are not in the database of self-barred persons or on the list of pathological gamblers or below the age required by law to enter into such gaming premises.

The MGA ensures that such personal data pertaining to players is only used for the purposes for which it is collected; that is, to ensure that the land-based gaming operator is abiding by the legal requirements related to the protection of minors and vulnerable persons that are applicable to that operator. This data is processed on the basis of the MGA's legal obligation to regulate the provision of gaming services offered to and from Malta.

4.2.3 Processing of Player Data collected via the Self-Exclusion System

Players, or potential players, may approach the MGA and ask to be barred from entering a gaming premises for a specified time period or for an indefinite period of time. An individual may do so by requesting such exclusion from the gaming outlet itself, from the MGA's offices, or from the offices of the Responsible Gaming Foundation. The individual's details are thereby logged into a database administered by the MGA whereby the individual's data is continually processed to ensure that such individuals do not enter into a gaming outlet from which they have requested to be self-excluded. The MGA processes this data on the basis of a legal obligation to protect players and to ensure the enforcement of a self-exclusion system.

4.2.4 Processing of Player Data for the Purposes of any Investigation

In the event of any suspicion of any specified crimes, including but not limited to money laundering, funding of terrorism, and manipulation of sports competitions, licensees may forward specific player data to the MGA, as well as to other supervisory authorities. The MGA is legally bound to process this data in the course of its investigations into these crimes, and may transfer such data to another body or authority where the law requires or permits it to do so. This may include any relevant public authorities, local or overseas, gaming regulators, sports integrity bodies, sports governing bodies, and law enforcement agencies. The primary purpose for such transfer of data is for the Authority to perform its functions as mandated within the law.

4.3 Data included within Generic Complaints

The MGA may also receive other general complaints relating to, for example, any gaming activity, gaming advertisement or data protection issue. In this case, similarly to the above, the relevant department, individual or committee within the MGA will log the complainant's details and proceed with its investigation. Here too, a complaint may also lead to enforcement action taken by the MGA, or by the Police, and in this case, the complainant's data will be included within this investigation.

5 Processing of Special Categories of Personal Data

Special categories of personal data as defined by the GDPR include:
- personal data revealing racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union memberships;
- genetic and biometric data processed for the purpose of uniquely identifying a natural person;
- data concerning health;
- data concerning a natural person's sex life or sexual orientation.

The MGA ensures that any processing of special categories of personal data is only carried out when one of the following applies:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the MGA or of the data subject in the field of employment and social security and social protection law;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims;
- processing is necessary for reasons of substantial public interest, on the basis of European or Maltese law;
- processing is necessary for the assessment of the working capacity of the employee.

In all cases, the MGA is committed to ensuring that any processing is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

6 Transmission of Personal Data to a non-EU country

Unless required by a legal obligation applying to the MGA, before transmitting any personal data to a recipient that is external to the MGA and that is situated in a non-EU country:
- The MGA ascertains that the relevant non-EU country has agreed to maintain a data protection level equivalent to this Data Protection Policy; and
- Authorisation from the Office of the Information and Data Protection Commissioner will be sought and obtained.

If personal data is transferred from the MGA to a company with its registered office outside of the European Economic Area, the company importing the data is obliged to:
- cooperate with any inquiries made by the relevant supervisory authority of the MGA; and
- comply with any observations made by the relevant supervisory authority with regard to the processing of the transmitted data.

When personal data is transmitted by a third party to the MGA, it must be ensured that such data can be, and is, only used for the intended purpose.

7 Rights of the Data Subject

Every individual who is the subject of personal data processed by the MGA has the following rights:
- Right of Access;
- Right to Restriction of Processing;
- Right to Rectification;
- Right to Erasure; and
- Right to Object.

Any data subject may contact the MGA to exercise any of the above-mentioned rights. A data subject request shall be made by sending an email to the Authority's Data Protection Officer (DPO) at the following email address: dpo.mga@mga.org.mt. The email shall contain the data subject's full name, address, and a description of the information the data subject wishes to view, correct or delete.

The Authority's DPO may request further information from the data subject making the request should any clarifications be required. Furthermore, to ensure confidentiality and to verify the identity of the person making the data subject request, the DPO may request a photo to be taken of the subject person holding a photo identification document clearly showing name, identification number and facial photo on document.

It is important to note that the rights of data subjects are tied with certain conditions and limitations that are stipulated within the GDPR itself. The Authority reserves the right to charge a reasonable fee for repetitive requests, requests for further copies of the same data, and/or requests which are deemed to be manifestly unfounded or excessive. We may also refuse to act upon requests that are deemed to be manifestly unfounded or excessive.

7.1 Right of Access

The data subject has the right to obtain from the MGA a confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, a copy of the personal data undergoing processing.

7.2 Right to Restriction of Processing

The data subject has the right to obtain from the MGA restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the MGA no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where, in accordance with the above, processing has been restricted, such personal data shall, with the exception of storage, only be processed:
- with the data subject's consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another natural or legal person; or
- for reasons of important public interest.

7.3 Right to Rectification

In cases where any of the personal data processed by the MGA is incorrect or incomplete, the data subject can demand that such personal data is corrected or supplemented.

7.4 Right to Erasure

The data subject has the right to obtain from the MGA the erasure of personal data concerning him or her without undue delay and the MGA has the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

The Authority would like to draw your attention to the fact that this right to erasure does not apply if the processing of the data is necessary for any of the following:
- for compliance with a legal obligation to which the MGA is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the MGA;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.

7.5 Right to Object

Where the data subject has the legal right to object to any data processing, the MGA shall no longer process such personal data unless:
- it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; or
- it needs to process such data for the establishment, exercise or defence of legal claims.

8 Processing Security

The MGA understands the importance of safeguarding personal data from unauthorised access and unlawful processing or disclosure, as well as from accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form.

Before introducing new methods of data processing, particularly new IT systems, the MGA defines and implements technical and organisational measures to protect personal data. These measures, which are part of the MGA's Information Security management, are based on the state of the art and take into account the risks of processing.