Privacy Notice
for Third Parties

Introduction

This privacy notice (referred to as the “Notice”) outlines how Challenge Group, with central oƯices located at SkyParks Business Centre, Level 5, Malta International Airport, Luqa LQA 4000 – Malta, and all its subsidiaries, operating aƯiliates and branch oƯices from time to time (referred to as the “Group”, “Company” “Organisation”, “we” or “us”) collect and process personal data relating to our partners, suppliers and service providers. This may include individuals, such as self-employed persons, as well as representatives, employees, or contact persons of legal entities.

We take privacy seriously and we are committed to processing personal data in compliance with the General Data Protection Regulation EU 2016/679 (“GDPR”, “Regulation”) and any other applicable data protection laws which may be amended from time to time. 

Controller Details

The Data Controller of your personal data is the relevant entity in Challenge Group you have a business relation with. Updated contact details and other information on the Group can be found at https://www.challenge-group.com/

The Organization has appointed a Group Data Protection OƯicer (“DPO”). If you have any queries relating to this Notice, including any requests to exercise your rights, please contact the DPO at dpo@challenge-group.com.

Definitions

The definition of “Personal Data”, “Automated Decision”, “Data Controller”, “Profiling”, “Processing”, and “Special Category of Data” have the same meaning of GDPR.

Personal Data collected and purpose of the processing

We obtain personal information relating to you, either directly from you or indirectly through the partner, supplier or service provider for whom you work. We may collect various types of Personal Data about you, including:

  • Your name, surname, job title, email address, telephone number, residential address, passport/ID;
  • Information about your employer (e.g., name of your company and your title, position).

Additionally, in respect of those partners, suppliers and service providers who are individuals (such as self-employed persons), we may also collect social security number, financial data including bank account and VAT number, gender, medical data for insurance purposes, as and if required.

Please note that failure to provide Personal Data impedes the Company from being able to enter into the contract, thereby aƯecting the establishment of a business relationship and/or the continuation of the existing relationship.

We process Personal Data for the following purposes:

  • Performance of contractual obligations, including pre-contractual communications and negotiations preceding the establishment of a commercial agreement with you.
  • Management of the relationship with our partners, suppliers and service providers.
  • Billing, invoicing, debtor transaction processing and debt collection.
  • General administration purposes, archiving and record keeping.
  • Compliance and reporting.
  • Defending ourselves in the event of a legal claim or dispute.
  • Insurance purposes.
  • Other purposes which may be imposed by applicable law and authorities.

Legal Basis

The Group’s legal basis for processing Personal Data are the following:

  1. Art. 6 (1) (b) of GDPR. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  2. Art. 6 (1) (c) of GDPR. Processing is necessary for compliance with legal and regulatory obligations emanating from applicable laws and regulations, legal processes or enforceable governmental requests to which the Group/Company is subject.
  3. Art. 6 (1) (f) of GDPR. Processing is necessary for our legitimate interests in conducting an existing or new business relationship, performing our business activities and to establish, exercise or defend legal claims and to pursue any remedies available (including debt recovery).
  4. We might process special category of data (health data) for insurance purposes. In this case, your data will be processed on the basis of the appropriate legal grounds, as
    provided under art. 9 of GDPR.
  5. Any other legal basis that may apply according to the law of the jurisdiction where the entity is located.

Sharing of data

We may share Personal Data as follows:

  1. To the extent necessary, with any Court, Tribunal, Authority, or Governmental Entity and Law Enforcement Bodies where such disclosures are permitted or required pursuant to applicable law.
  2. Other entities/subsidiaries/aƯiliates within the Challenge Group.
  3. Trusted service providers and suppliers we are using to run our business, including systems, cloud and database providers.
  4. Professional advisers and any service providers that may require access to your Personal Data in rendering us with their services including lawyers, bankers, auditors and insurers.
  5. In the event that we are acquired by or merged with a third-party entity, or in the event of bankruptcy or a comparable event, or in the event of restructuring of the business, we reserve the right to transfer, or assign Personal Data in connection with the foregoing events, when allowed or imposed by applicable law and in compliance with legal and regulatory requirements.

Automated Decision-Making and Profiling

We do not rely on any decisions taken solely by automated means (in other words, without significant human intervention) – including profiling. Should this position change in the future (and only if legally permitted to do so), you will be notified accordingly.

Transfer of data to third countries

We may transfer your data outside the European Economic Area (“EEA”) when we share your data with our third parties or with the entities, subsidiaries and aƯiliates forming part of the Group. Where the recipient and/or third party is situated in a jurisdiction outside of the EU that has not received an adequacy decision issued by the European Commission (Art. 45 GDPR), the transmission of data shall be subject to appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 which might include the Standard Contractual Clauses (SCCs). You can obtain a copy of the Standard Contractual Clauses (SCCs) by contacting us at dpo@challenge-group.com.

Security

The Group has put in place appropriate security measures to prevent Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to Personal Data to authorised personnel on a need-to-know basis. They will only process Personal Data on the Organization’s strict instructions or where the task or job at hand demands such access in order to be able to carry out a certain function or perform a certain job.

Data Retention

We will only retain Personal Data relating to you for as long as is necessary (taking into consideration the purpose for which it was originally obtained). We establish the retention period taking into account several factors and criteria, which includes but is not limited to any retention period set out by legal or regulatory requirements. We also take into consideration the time periods established by law, regulations and directives to exercise legal actions, to defend rights, to carry out procedural actions when determining the relevant data retention periods. Thereafter, Personal Data shall be immediately and irrevocably erased.

Different retention periods may apply according to the law of the country where the entity with whom you established the business relationship is located. For further details on data retention periods, please contact us at dpo@challenge-group.com.

We might retain your data for a longer period of time based on our legitimate interest to comply with our legal obligation, in case of a legal proceeding/audit or inspection form Authorities.

Data Subject Rights

Under GDPR you have the following rights:

A. Request access to your personal information. This enables You to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
B. Request rectification of Personal Data that we hold about you.
C. Request erasure of Personal Data relating to you (where applicable). This enables you to ask the Company to delete or remove personal information where there is no good reason for us continuing to process it.
D. Object to the processing of your Personal Data (where applicable) where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
E. Request that we provide you with any Personal Data that you may have provided us, in a structured, commonly used and machine-readable format;
F. Request the restriction of processing of your personal information.
G. Request that we transmit your Personal Data directly to you or to another controller indicated by you.
H. Right to be informed of the source – where the Personal Data we hold about you was not provided to us directly by you, you may also have the right to be informed of the source from which your Personal Data originates.

Please note that the rights indicated above are not absolute and can be subject to specific legal requirements or exemptions and therefore may not always be applicable.

There is no charge for the provision of the information, following your request, except in circumstances where the request is manifestly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. The Organization may withhold certain information which is exempt from the right of Subject Access in accordance with the applicable law.

We may need to request specific information from you to help us confirm your identity and ensure the exercise of your rights. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

To exercise any of your rights, file a complaint relating to your privacy or if you have any other questions about our use of your Personal Data, please email the Data Protection OƯicer (DPO) via dpo@challenge-group.com.

Although all reasonable eƯorts will be made to keep your information updated, you are requested to inform us of any change referring to the Personal Data we hold about you. In any case, if you consider that certain information about you is inaccurate, you may request rectification of such data, as explained above.

Further processing

Where we need to further process your Personal Data for a purpose other than that for which your Personal Data has been collected, we will provide you, prior to the commencement of the further processing, with any relevant information.

Updates

We may update this Privacy Notice at our sole discretion including as a result of a change in applicable law or processing activities. Any such changes will be communicated to you prior to the commencement of the relevant processing activity.

Complaints

The Organization and its Data Protection OƯicer may be contacted on complaints regarding the processing of Personal Data at dpo@challenge-group.com. You have also the right to lodge a complaint with the competent Leading Supervisory Authority, the OƯice of the Information and the Data Protection Commissioner in Malta (IDPC) (www.idpc.gov.mt) and any other competent Supervisory Authority.

Last updated: 9th February 2024