Data Subject Rights
Privacy Notice

Processing of personal data for the purpose of handling data subject rights

Introduction

Challenge Group, with central offices located at SkyParks Business Centre, Level 5, Malta International Airport, Luqa LQA 4000 – Malta, and all its subsidiaries, operating affiliates and branch offices from time to time (referred to as the “Group”, “Company”, “Organisation”, “we” or “us”), is committed to processing and protecting personal data in accordance with the General Data Protection Regulation EU 2016/679 (“GDPR”, “Regulation”) and any other applicable data protection and privacy Laws which may be amended from time to time. This privacy notice (referred to as the “Notice”) sets out how the Organisation collects and processes personal data in connection with the exercise of your data subject rights, according to GDPR.

Controller details

The Data Controller of personal data collected for the purpose of handling any data subject rights requests is the relevant entity in Challenge Group to whom your query is addressed, and/or any other entity within the Group that can satisfy your need based on your request.

The contact details and other information on the Group can be found at https://www.challenge-group.com/.

The Organization has appointed a Group Data Protection Officer (“DPO”). If you have any queries relating to this Notice, including any requests to exercise your rights, please contact the DPO at dpo@challenge-group.com.

What personal data do we collect?

In order to grant data subjects their rights, the following personal data are processed:

  • Any personal data e.g. name, surname, email address or phone number provided by the data subject in the context of their request;
  • Any personal data relating to the data subject that is being processed by the controller, if any;
  • Additional elements that may be needed to confirm the identity of the data subject requesting the information (e.g. answers to security questions or a copy of the data subject ID card or other identification document, subject to specific safeguards and in consideration of the principles of necessity and proportionality);
  • Any personal data contained in the written authorisation and/or proof of legal authority when a third party (including relatives, siblings etc.) is submitting a request on behalf of the data subject.

What are the purposes of the processing and the legal basis?

The processing of personal data is necessary for the purpose of addressing requests in connection with the exercise of data subject rights by, and received from, data subjects in accordance with the GDPR.

The lawfulness of this processing is therefore based on article 6(1)(c), as the processing is necessary for compliance with GDPR requirements and legal obligations arising from articles 15 to 21 of the GDPR, to which the Organisation is subject. Furthermore, we may process your data based on article 6(1)(f), when we have a legitimate interest of complying with requests from authorities, to establish, exercise and defend a legal claim.

Whenever we process your personal data based on our legitimate interests, we ensure that our legitimate interest does not override your interests or fundamental rights and freedoms.

Where do we collect the information from?

Data subjects or any third party acting on behalf of the data subject can submit a Data Subject Rights Request via email, by post, by hand (if physically delivered), by phone, in person or any other means of communication. A Data Subject Access Rights Request can also be submitted and received using the Data Subject Access Request (DSAR) Form available.

The initial request for any Data Subject Rights Request is generally followed by email exchanges between the Organisation and the interested party. Furthermore, the data subject is provided with a reply in electronic, standardized format, unless otherwise requested by the data subject.

When it comes to handling different requests, an assessment of different technical tools and databases is made, to ensure that the request can be fully complied with.

With whom do we share personal data?

We may share your personal data as follows:

  • With Our Data Protection Officer, in order to handle the
  • In accordance with the General Data Protection Regulation (EU) 2016/679 and in compliance with the principle of accountability, we may be required to provide your personal data in response to queries or investigations from authorities and for audit purposes.
  • With Data processors who are involved and authorised to process personal data of data subjects on our behalf to assist us in handling of such requests, where necessary.
  • With other entities forming part of the Organization.
  • With professional advisers and any service providers that may require access to your personal data in order to provide their services to us.
  • In the event that we are acquired by or merged with a third-party entity, or in the event of bankruptcy or restructuring of the business, we reserve the right to transfer or assign personal data in connection with these events, as permitted or required by applicable law and in compliance with legal and regulatory requirements.

How do we protect your personal information?

The Organisation has put in place reasonable security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to authorised personnel on a need-to-know basis. They will only process your personal data on the Organisation’s instructions or where the task or job at hand demands such access in order to be able to carry out a certain function or perform a certain job. We also provide education and training to relevant staff to ensure they are aware of our privacy obligations when handling personal data.

The individual making the request will be required to provide elements that allow the Organisation to adequately confirm their identity subject to the means available and based on the relationship between the Organisation and the data subject. This is to ensure the identity of the person making the request and to avoid security and personal data breaches.

How long do we retain your information for?

We establish the retention period taking into account several factors and criteria, which include but are not limited to any retention period set out by legal or regulatory requirements. We also take into consideration the time periods established by law, regulations and directives to exercise legal actions, to defend rights, and to carry out procedural actions. Thereafter, personal data shall be immediately and irrevocably erased. Different retention periods may apply according to the law of the country where the entity with whom you established the business relationship is located. For further details on data retention periods, please contact us at dpo@challenge-group.com.

We might retain your data for a longer period of time based on our legitimate interest to comply with our legal obligation, in case of a legal proceeding/audit or inspection from Authorities.

What are your rights?

You have the right to request from the Organisation access to, rectification or erasure of your personal data, restriction of processing concerning your personal data, or, where applicable, the right to data portability.

Please note that these rights are not absolute and may be subject to specific legal requirements or exemptions, and therefore may not always be applicable.

You can object to the processing of your personal data on grounds relating to your particular situation by stating these grounds in an email sent to the Controller. If the Organisation is unable to demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, the Organisation will remove the categories of personal data pertaining to such a request.

Although all reasonable efforts will be made to keep your information updated, you are kindly requested to inform us of any changes to the personal data we hold about you. If you consider certain information about you to be inaccurate, you may request rectification of such data as explained above.

There is no charge for the provision of this information, except in circumstances where the request is manifestly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

If it transpires that complying with a Data Subject Rights Request would reveal personal data about a third party, we may either seek that individual’s consent before responding to your request if this is possible or redact the third party’s personal data before responding. If we are unable to provide you with access to your personal data because disclosure would violate the rights and freedoms of third parties, we will notify you of this decision.

To exercise any of your rights, please email the Data Protection Officer (DPO) via dpo@challenge-group.com.

What is the time limit for addressing your Data Subject Rights’ Requests?

We endeavour to respond to a Data Subject Rights Request without undue delay and within one (1) calendar month from the date we receive your request. If the Organisation needs more information to verify your identity or clarify your request, there may be a suspension in time, which shall resume once the necessary details are provided. Efforts will be made to address the request regardless of whether the additional information to clarify your request is received. If no further information is expected from the data subject or interested party, the Organisation will proceed to process the request within the one (1) calendar month period.

This period may be extended by two further months where necessary, taking into account the complexity and the number of the requests. In those cases, the Organisation will inform you of the extension within one month of receipt of the request and will provide reasons for the delay.

Transfer of personal data outside the EU

We may need to transfer, store or process your Personal Data outside the EU/EEA. If your personal data are transferred to a jurisdiction outside of the EU that has not received an adequacy decision issued by the European Commission (Art. 45 GDPR), the transmission of data shall be subject to appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 which might include the Standard Contractual Clauses (SCCs). You can obtain a copy of the Standard Contractual Clauses (SCCs) by contacting us at dpo@challenge-group.com.

Complaints

If you are unsatisfied with the way we have handled your Personal Data or any privacy query or request that you have raised with us, you also have the right to lodge a complaint with the competent Supervisory Authority. The Maltese Data Protection Commissioner (IDPC) is the competent Leading Supervisory Authority (www.idpc.gov.mt).

Updates to this Privacy Notice

We may update this Privacy Notice at our sole discretion including as a result of a change in applicable law or processing activities. To let you know when we make changes to this Notice, we will amend the revision date of this page. The amended Notice will apply from that revision date. Therefore, we encourage you to periodically review this Notice to be informed about how we are processing your information.

Last updated: 29th August 2024

Data Subject Access Request Form

Article 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) grants you the right to access your personal data including the right to obtain confirmation that we process your personal data, to receive certain information about the processing of your personal data, and to obtain a copy of the personal data we process. You can submit an access request by completing this form.

This Form is intended to facilitate the processing of your request. It is not mandatory, and you may submit a request for data subject access in other formats.

There is NO fee for Data Subject Access requests except in exceptional circumstances.
A. Information on the Data Subject*


C. Act on behalf of a data subject
Note: a written authorisation together with proof of legal authority to act on behalf of the data subject shall be included with this request.
*Allowed file types: Microsoft Word (doc, docx), PDF, JPG, PNG. Files are limited to 4MB.