Data and privacy
Please take the time to read it carefully. You have a number of rights in relation to your information including the right to object to processing of your personal information where that processing is carried out for our legitimate interests.
In this statement when we use the terms “we” and “our”, we refer to both Mazars Malta and Mazars Consulting Limited.
1. Who we are and how to contact us
Mazars is a professional services firm specialising in audit & assurance, tax, corporate finance, consultancy and outsourcing services. We are registered to carry on audit work by the Accountancy Board in Malta. We are also supervised by the Malta Financial Services Authority.
We have a Data Protection Officer who is responsible for overseeing questions in relation to this privacy statement and our approach to privacy. If you have any questions about this privacy statement, including any request to exercise your personal rights, please contact the Data Protection Officer using the details set out below:
Data Protection Officer - Mazars Malta - The Watercourse, Level 2, Zone 2, Central Business District, Birkirkara, CBD2010 - Malta
2. The purpose and professional basis for processing your information
We collect your information for a number of purposes and rely on a number of different professional bases to use your personal information.
a) To enter into and perform a contract with you
When we are engaged to carry out professional services it is necessary to collect personal information from you in order to seek and receive your instructions in relation to those professional services and to carry out those professional services.
b) To comply with our professional obligations
We are required to process your personal information to comply with certain professional obligations to which we are subject, including:
- Providing information to the Commissioner of Revenue, the Malta Financial Services Authority and other enforcement agencies under various pieces of legislation which apply to us;
- To verify your personal information provided to us and to meet our professional and compliance obligations, including detecting and preventing money laundering, tax avoidance and financing of terrorism.
c) For our legitimate business interests
Where we process your information for our legitimate interests, we ensure that there is a fair balance between our legitimate interest and your fundamental rights and freedoms.
We may use your personal information to manage our everyday business needs including accounting, internal reporting needs, market research, to progress and respond to professional queries, to ensure appropriate IT security and to prevent fraud, in our legitimate interest. Our legitimate interest is the effective management of our business.
We may use your personal information to update you on professional developments, firm developments or to invite you to events that we feel may interest you in our legitimate interest. Our legitimate interest is to connect with our clients and to update our clients on the services that we provide.
d) For the establishment, exercise or defence of legal claims
We sometimes process your personal information, including sensitive personal information, such as information concerning health, trade union membership and criminal convictions/offences where it is necessary for the establishment, exercise or defence of legal claims.
We will, in certain circumstances, rely on your explicit consent to process your personal data, including, sensitive personal data. This consent can be withdrawn at any time by using the contact details of the Data Protection Officer set out above.
3. Consequences of failing to provide information
Where we need to collect personal data by law, or under the terms of a contract with you and you fail to provide that data when requested we may not be able to perform the contract we have or are trying to enter in to with you. For example, we may require certain information from you in order to fulfil our requirements under both Maltese and European Anti-Money Laundering Legislation before carrying out certain professional services. As such we may not be able to carry out those professional services absent that information but we will notify you of this at the time if this is the case.
4. Categories of data subjects
Personal data we process for our own purpose and on your behalf may include but may not be limited to your client and prospect data, your staff data, your contractor data, your supplier data and data of children. Categories of data subjects will, where we act as data processor, be determined by you and as contemplated by our engagement terms and provision of our professional services.
5. Types of information we collect and some examples of how we use it
We may collect, use, store and transfer different kinds of personal information about you as follows and use it for a variety of different purposes and across various professional services we provide to you.
6. Your information and third-party service providers
Third Party Service Providers: We may share your personal information with or provide access to your personal data to third party service providers that they perform services and functions at our direction and on our behalf such as lawyers, IT service providers, printers, shredding companies, marketing companies who carry out marketing campaigns on our behalf and providers of security and administrative services.
Malta Police Force, Government bodies, or other Government officials: we may share your personal information with the Malta Police Force or other government bodies or agencies including but not limited to the Commissioner for Revenue, where required to do so by law.
Regulatory Authorities: we may share your personal information with our supervisory bodies, such as the Accountancy Board and the Malta Financial Services Authority where required to do so by law.
Third Parties: We may provide your information to third parties to facilitate your instructions to us, such as lawyers, parties to any professional claim, parties with whom you have a professional issue or complaint and third parties who you instruct us to communicate with on your behalf.
Mazars Group: We may share your information to other Mazars group or Praxity firms in performance of our professional services as instructed.
7. Duration of processing
We will process personal data on your behalf for so long as you instruct us to do so. At the cessation of our processing activities on your behalf it is your choice as to what happens to the personal data you have provided to us. We will work with you to carry out your reasonable instructions unless we are required to retain it to comply with legal obligations.
8. Use of sub-processors
As part of our service delivery, it is necessary for us to use sub-processors.
Our IT support is provided by parties external to Mazars. Some solutions we utilise are cloud-based and our need to rely upon those systems varies depending upon the services we deliver to you.
All sub-processors are bound by Mazars to provide at least the same level of protection for your data as we do.
9. Data transfers
Mazars and our subsidiaries and affiliated companies utilise a number of suppliers to provide us with IT and other associated services for the delivery of our business and services to you. In many cases, the suppliers we use will be granted access to the data we are processing in order to provide us with technical assistance. Such processing activities are not directly related to our principal services to you and are considered ancillary to our own internal activities.
As an International firm, our people need to be able to work from anywhere in the world using our IT services. Data may be stored on Mazars encrypted devices and transported with individuals as necessary for the delivery of our services in accordance with the terms and conditions we have agreed with you. We have put in place appropriate technical measures to ensure data remain secure irrespective of where our people deliver our services.
We may process your personal data through any of our other Group member firms worldwide. In the event, this is necessary we will ensure appropriate controls exist in the form of EU standard contractual clauses to protect your data and data subject rights and freedoms.
10. Transfers outside the European Economic Area
We may transfer your personal data outside the European Economic Area. These countries do not always afford an equivalent level of privacy protection and in such circumstances, we take specific steps, in accordance with data protection law to protect your personal information. In particular, for transfers of personal data, outside the EEA where there is no adequacy decision by the European Commission we may rely on contractual protection approved by the European Commission or the applicable safeguards under data protection law.
11. Data security
Mazars has put technological and organisational controls, including policies and procedures, in place to protect your personal data from loss, misuse, alteration or unintentional destruction. Our personnel who have access to the data have been trained to maintain the confidentiality of such information. Conditions to protect data to at least the same standard as we do are cascaded to all our contractors, sub-processors and suppliers.
We carry out regular monitoring and testing of our security defences to ensure they continue to be effective against the latest threats.
Data transferred over the internet by us and through our website are protected using encryption technologies to ensure they remain secure.
Please note that no communications over the internet can be guaranteed as secure. Whilst we take appropriate steps to protect your data we cannot guarantee that it will remain secure in transit. Once data reaches your network it is your responsibility to ensure it remains secure.
12. Your rights
You have several rights under data protection law in relation to how we use your personal information. You have the right free of charge to:
- Request a copy of the personal information we hold about you
- Rectify any inaccurate personal data we hold about you
- Erase personal information we hold about you
- Restrict processing of your personal information
- Object our use of your personal information for our legitimate interests
- Receive your personal information in a structured commonly used and machine-readable format
- To have that data transmitted to another data controller.
These rights are in some circumstances limited by data protection legislation. If you wish to exercise any of these rights please contact us using the contact details contained in this statement. We will endeavour to respond to your request within a month. If we are unable to deal with your request within a month we may extend this period by a further period of two months and we will explain why.
Mazars hopes that it can resolve any query or concern you may raise about the use of your data. However, if you believe that we have not complied with your data protection rights, you have the right to lodge a complaint to the Office of the Information and Data Protection Commissioner, Floor 2, Airways House, Triq il-Kbira, Sliema SLM 1549 – email@example.com.
13. Contacting you
From time to time we may use the contact details you and your representatives have provided to us to send invitations, marketing materials, updates and other publications and information about our services which we feel may be of interest to you. Should any individual not wish to receive such communications please contact the Data Protection Officer at the details set out at Para 1 above.
14. Changes & updates to this statement
We recommend you check this statement on a regular basis to ensure you remain in agreement with the activities we carry out in respect of processing personal data.
Should we make significant changes to the way we process data, we will draw your attention to the relevant part(s) of this statement through email and or other appropriate communications as part of our engagement activities with you.
For any enquiries, please contact: firstname.lastname@example.org