Data Protection Policy
The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586), including the regulations made thereunder, regulate the processing of personal data whether held electronically or in manual form if it forms part of a filing system. The Valletta Cultural Agency set to fully comply with the applicable provisions of the data protection legislation.
Legal Basis and Purposes of Processing
The legal basis and the purposes of processing with regard to the processing operations conducted by Valletta Cultural Agency are the following:
| Processing Operation | Legal Basis for processing | Purposes of Processing
(Note: In the case of legitimate interest for CCTV surveillance, the controller should state that the purpose is for safety and security purposes.) |
| Consent for MailChimp subscribers collected from personal data | Processing shall be lawful only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes, qs per Article 6.1(a) of the GDPR;
|
The purpose of the Processing of the data is for the Agency to carry out its operations listed hereunder in the categories of personal data held by the Agency. These include, but are not limited to, marketing outreach |
| Consent collected for workshop participation, including minors, in which consent is given by legal guardian. | Processing shall be lawful only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes, qs per Article 6.1(a) of the GDPR;
|
The purpose of the Processing of the data is for the Agency to carry out its operations listed hereunder in the categories of personal data held by the Agency. These include, but are not limited to, marketing outreach and social media outreach. |
| Evaluating project proposals and/or submissions from calls, and/or calls for memberships for the Valletta Design Cluster which would contain personal data | Processing all be lawful to evaluate proposals and/or submissions, to communication with the proposers and for internal decision-making on successful proposals or candidates, as per Article 6.1(b) and Article 6.1(f) of the GDPR; | The purpose of the Processing of the data is for the Agency to receive and evaluate project proposals and artist participation, membership at the Valletta Design Cluster. |
| Evaluating prospective candidates for employment in which they send CVs and a covering letter; | Processing all be lawful to evaluate submissions to calls for recruitment, to communication with the prospective candidates and for internal decision-making on successful candidates, as per Article 6.1(b) and Article 6.1(f) of the GDPR; | The purpose of the Processing of the data is for the Agency to carry out its operations in terms of recruitments and employment information |
| Recording CCTV footage of the VCA and VDC Premises for the safety and security of agency staff, as well as those visit the premises. | Processing all be lawful for security reasons as per Article 6.1(f) of the GDPR under the Legitimate Interest The legitimate interest is to ensure the safety and security of individuals, prevent and detect crime, and protect our property; | The purpose of the Processing of the data is for the Agency to carry out its operations for safety and security reasons. |
| Processing personal data tied to financial data and for personal data tied to credit card charging system for payments at the Valletta Design Cluster. | Processing all be lawful for contractual necessity, legal obligation and Legitimate Interests as per Article 6.1(b), Article 6.1(c) and Article 6.1(f) of the GDPR.; | The purpose of the Processing of the data is for the Agency to carry out its operations, specifically for financial recordkeeping, anti-fraud, or tax compliance reasons. |
The categories of personal data and the special categories of personal data that will be processed are as follows:
| Categories of Personal Data | Special Categories of Personal Data | Source/s |
| Personal information of subscribers to the Valletta Cultural Agency (Name, Surname, Email address) | N/A | Data subjects sign up of their own volition to a MailChimp mailing list via the VCA website vca.gov.mt |
| Personal information of project participants (Name, Surname, Email address) | N/A | Personal information of project participants (Name, Surname, Email address etc.) are collected either via direct communication with the artists / artistic directors or else through a call for participants such as in the case of workshops (but not limited to) which is published on the Agency’s website and social media channels.
|
| HR documentation including employee contracts and CVs.
|
N/A | Applicants from open call |
| Unsucessful recruitment candidates’ CVs and Covering Letters
|
N/A | Data subjects submit their data (such as name, surname, ID card number, physical address, E-mail address and phone number )of their own volition via email or post for recruitment purposes |
| Financial information: Yearly Financial Statement
|
N/A | Annual audited financial statements |
| Financial information: Payment Transaction History | N/A | Payment transaction history for payments made at the Valletta Design Cluster |
| Digital Photographs and Videos of Public Events
|
N/A | Photography and videography service providers engaged by the VCA |
| Unsuccessful project proposals including Name, Surname, ID Card Numbers, Email Address and/or Phone Number
|
N/A | Unsuccessful project proposals are always communicated in writing via email to the individual who originally submitted the proposal, received via open call. |
| Personal information of applicants and members of the Valletta Design Cluster including Name, Phone Number, ID number, Primary address, VAT Number. | N/A | Data subjects sign up of their own volition through our online platform powered by Wild Apricot for membership or through online forms powered by Microsoft Forms for residencies and open calls. |
| CCTV Footage of Premises
|
N/A | Collected from CCTV cameras installed at the VCA offices and VDC premises |
Recipients of Personal Data
Personal Data will be disclosed to employees and service providers who are assigned to carry out the functions of the Agency, access the information that is being processed. Personal data will be disclosed to the personnel of the Valletta Cultural Agency so that activities, events and initiatives organized by the entity may be promoted and implemented.. Disclosure can also be made to third parties but only as authorised by law.
Your rights
Your rights as data subjects in connection with the processing of your personal data are:
- The right to receive a copy of your personal data undergoing processing, including information in relation to the processing activities.
- The right to request us to rectify personal data you think is inaccurate. You also have the right to ask us to complete personal data you think is incomplete.
- The right to request the erasure of your personal data in certain circumstances.
- The right to request the restriction of your personal data in certain circumstances.
- The right to portability of your personal data in relation to information that you have given us.
- The right to object to the processing of your personal data if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests.
- The right to not be subject to a decision based solely on automated processing including profiling.
- The right to withdraw your consent at any time, where applicable.
Requests to exercise your rights are free of charge and should preferably be made in writing and sent to the Data Protection Officer of the Valletta Cultural Agency. Your identification details such as ID number, name and surname must be submitted with the request for the purpose of verifying your identity. In case the controller has reasonable doubts concerning your identity, you may be requested to provide additional information necessary to confirm it.
The Valletta Cultural Agency aims to comply as quickly as possible with the request and is obliged to respond without undue delay and at the latest within one (1) month from receipt of request.
The right exercised by the data subject may be limited or restricted, where necessary, pursuant to the applicable law.
Retention Policy
The following schedule outlines the retention requirements for the various categories of documentation within the Valletta Cultural Agency
| Category of Document | Retention Period | Justification |
| Personal information of subscribers to the Valletta Cultural Agency (Name, Surname, Email address) | For the duration of subscription | Until consent is revoked by the data subject. Consent can be revoked by contacting the DPO below. |
| Personal information of project participants (Name, Surname, Email address and Mobile Number) | For the duration of the project until presentation of final outcome
|
This will allow for the participants to be consulted for their contribution to the presentation of the final outcome. |
| HR documentation including CVs and employee information.
|
Ten years from termination of employment | This is in line with Government’s HR Corporate procedures. |
| Unsucessful recruitment candidates including CVs and covering letters
|
Two years from conclusion of Recruitment Procedure | This is in line with Government’s HR Corporate procedures. |
| Financial information: Yearly Financial Statement
|
Ten years from the end of the Financial Year | This is in line with Government’s Companies Act. |
| Financial information: Payment Transaction History | Five years from Transaction Made | This is in line with PMLA (Prevention of Money Laundering Act) – Malta, EU Anti-Money Laundering Directive (AMLD), Payment Services Directive 2 (PSD2) – EU Directive 2015/2366, Income Tax Management Act & VAT Act – Malta, and Card Scheme Rules. |
| Digital Photographs and Videos of Public Events
|
For the duration of the Agency’s operations. This applies to non-identifiable data subjects. For identifiable subjects, a retention period of one year shall apply. | The VCA will apply safeguards in the capture of images during such event to respect the right to privacy of data subjects. Requests for erasure will still apply in the event that these images contain personal data. |
| Unsuccessful project proposals
|
Six months from selection of projects
|
This period will allow for the submission of complaints in relation to this process.
|
| CCTV Footage of Premises
|
Not longer than 7 days. | This is for safety and security purposes as outlined in the CCTV Policy. |
Data that needs to be deleted after the established timeframes will be destructed in a secure manner to ensure that such information is no longer processed within the Valletta Cultural Agency.
The Data Protection Officer
The Data Protection Officer may be contacted on:
Vallletta Cultural Agency, Exchange Buildings, Republic Street, Valletta, VLT 1117
Telephone: 2124208
Email: dataprotection.vca@vca.gov.mt
The Data Controller
The Valletta Cultural Agency Data Controller may be contacted at:
Vallletta Cultural Agency, Exchange Buildings, Republic Street, Valletta, VLT 1117
Telephone: 2124208
Email: datacontroller@vca.gov.mt
The Information and Data Protection Commissioner
You have the right to lodge a complaint with the supervisory authority, which could be reached at the following contact details:
The Information and Data Protection Commissioner
Airways House,
Triq il-Kbira
Tas-Sliema SLM 1549
Telephone: +356 2328 7100
Email: idpc.info@idpc.org.mt
Website: www.idpc.org.mt
