Privacy Policy

Background

Equity Wealth Solutions Limited (hereinafter being referred to as “EWSL” “we” “us” “our” or ‘the Company”) is an institution licensed by the Malta Financial Services Authority (MFSA) in terms of the Trusts and Trustees Act (Chapter 331 of the Laws of Malta) and is authorised to act as:

  • Trustee or co-trustee;
  • Administrator of private foundations;
  • Fiduciary (holding assets on behalf of another person);
  • Qualifying Person (QP).

In terms of the Prevention of Money Laundering Act (Chapter 373 of the Laws of Malta), the Company is also considered as being a subject person.
Aims of Policy

In its course of business, the Company needs to gather certain information about individuals. Some of this information is statutorily required.

The information covers customers, business contacts and business partners. This Data Protection Policy (“the Policy”) describes how personal data may be collected, managed, stored to meet the Company’s policy data protection standards. The purpose of the Policy is to set out the basis on which your personal data is processed by the Company, to inform you how your personal data will be handled and to inform you about the Company’s obligations in regard to processing your personal data responsibly. It also provides information as to your rights as a data subject and the manner in which you can exercise these rights.

We process your data in an appropriate and lawful manner, in accordance with The Data Protection Act (Chapter 440 of the Laws of Malta) (the “Act”) and the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) when it comes into force on 25th May 2018.

Please read this Policy carefully together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.

Data Controller

For the purposes of this Policy, the Data Controller is Equity Wealth Solutions Limited, Company registration number C 31987, having its registered address at 176, Old Bakery Street, Valletta.
The Company forms part of a larger group of companies, herein “Ganado Group” which is made up of different legal entities including:

  • Ganado Services Limited, Company registration number C 10785, having its registered address at 171, Old Bakery Street, Valletta, Malta;
  • Ganado Trustees and Fiduciaries Limited, Company Registration number C 7880, having its registered office at 171, Old Bakery Street, Valletta;
  • Ganado Finance Limited Company Registration number C 77161, having its registered office at 171, Old Bakery Street Valletta;
  • GANADO Advocates, a legal firm having its registered office at 171, Old Bakery Street Valletta;

For more information about our data protection practices, you can contact us at dpo@ganadoadvocates.com.

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you;
  • Where we need to comply with a legal or regulatory obligation;
  • In limited cases where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

The data which we collect is generally necessary to perform the terms of the contract with you or else is necessary in order to comply with legal obligations. If you fail to provide your personal data when requested, we may not be able to enter into a business relationship with you, enter into a contract with you (or take steps to do so) or otherwise provide the services you request.
Should we require your consent in order to be able to process your personal data for a purpose other than those indicated in this Policy, we shall provide you with a separate consent form requesting your consent and specifying the purpose for which we will use your personal data.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To perform the services which you request (a) Contact information including name, surname, email, telephone number and affiliated entity.

(b) Copies of identity card documents, copies of utility bills, other identifying documentation, bank reference letters source of funds information as well as any documentation which is necessary or which we consider to be necessary for us to comply with applicable Anti-Money Laundering and Counter-Terrorism Financing laws and regulations (“AML Documentation”)

(a) Performance of a contract with you
(b) Compliance with our legal obligations as a subject person to perform due diligence.
To generate and issue invoices (a) Contact information
(b) Financial information including VAT number (where applicable) and bank details
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or privacy policy(b) Notifying you of any updates such as communications from regulators.(c) Requesting updated AML documentation
(a) Contact information (a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
To generate and issue invoices (a) Contact information
(b) Financial information including VAT number (where applicable) and bank details
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or privacy policy(b) Notifying you of any updates such as communications from regulators.(c) Requesting updated AML documentation
(a) Contact information (a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
To send you information relating to upcoming Company events in which you may be interested (a) Contact information (a) Necessary for our legitimate interest to further our business relationship with you. Please note that you will be given the option to unsubscribe to such communications and you can exercise this right to stop receiving such communications at any time by contacting dpo@ganadoadvocates.com.
To administer and protect our business (a) Contact information
(b) AML Documentation
(a) Necessary for our legitimate interests (for running our business, to prevent fraud and ensure that our documentation is accurate and complete)
(b) Necessary to comply with a legal obligation
To send you information relating to upcoming Company events in which you may be interested (a) Contact information (a) Necessary for our legitimate interest to further our business relationship with you. Please note that you will be given the option to unsubscribe to such communications and you can exercise this right to stop receiving such communications at any time by contacting dpo@ganadoadvocates.com.
To administer and protect our business (a) Contact information
(b) AML Documentation
(a) Necessary for our legitimate interests (for running our business, to prevent fraud and ensure that our documentation is accurate and complete)
(b) Necessary to comply with a legal obligation
To ensure health and safety at the workplace (a) In cases where you physically visit our premises, we may collect visual information through the use of CCTV camera recordings as well as information as to your location at a particular point in time (a) Necessary in our legitimate interest to protect the safety of our employees as well as the security of our premises.
(a) To ensure that we receive your instructions properly and can carry out your instructions accurately
(b) to ensure that we have information necessary to be able to lodge or defend against legal claims
(a) Recordings of any telephone conversations which you may have with us or any of our employees, consultants or other personnel (a) To perform the contract with you in the best possible manner.

(b) To protect our legitimate interest to be able to lodge a legal claim or defend ourselves adequately in case of a dispute

Where we obtain your personal data

Generally, we shall only process the personal data which you provide to us through correspondence, including direct interactions, through email or telephone correspondence or when filling in your details on any documents which we may provide.

As part of our compliance with our obligations as subject persons, we may also obtain information about you through publicly available sources, primarily through Internet searches as well as through searches in compliance databases. This information is necessary for us to be able to compile accurate and complete customer due diligence exercises and ensure compliance with our legal obligations.

Security Measures

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

In particular we undertake the following responsibilities:

  • Ensuring all systems, services and equipment used for storage data meet acceptable security standards
  • Performing regular checks and scans to ensure security hardware and software is functioning properly
  • Evaluating any third party services the Company is considering using to store or process data
  • Ensuring that Company undertakes all necessary measures to install adequate security  devices and procedures  to protect itself from malicious hacking attempts  or from any other illicit  attempt to retrieve data

The Company makes use of electronic communications with data subjects and the Company’s mail server is configured to send and receive its emails with TLS encryption subject to the receiving end having their mail server configured correctly to communication with TLS encryption.  It is the responsibility of the receiver of the emails to configure its mail server to be able to receive emails in the said encrypted format.

Data Subject Rights

You are entitled to exercise the following rights:

  • Right to Access Information: You have the right to request information as to whether or not your personal data is being processed by us as well as information as to how and why it is processed. If we receive such a request, this information shall be provided in writing, or by other means, including, where appropriate, by electronic means you may send an email to dpo@ganadoadvocates.com requesting information as the personal data which we process. You shall receive one copy free of charge via email of the personal data which is undergoing processing. Any further copies of the information processed may incur a minimal administrative charge not exceeding €5. 

In accordance with your data subject rights, we shall provide the information you request within one month. If we are unable to do so within this time-frame we shall notify you of our need to extend this period to respond and the reasons behind such an extension.

  • Right to object: You may ask us not to process your personal data for marketing purposes and your data will no longer be processed for such purposes.
  • Right to withdraw consent: You have the right to withdraw your consent to any data processing activity which relies upon your consent, at any time by sending an email to dpo@ganadoadvoactes.com. This will not however affect the lawfulness of processing which we carried out on the basis of such consent before its withdrawal.
  • Right to rectification: You have the right to obtain rectification of any inaccurate personal data about you that we have processed, update any data which is out-of-date and the right to have incomplete personal data completed, including by means of a supplementary statement.
  • Right to erasure: You have the right to obtain the erasure of personal data we have concerning you when your personal data is no longer required and there is no legal obligation or legitimate interest for us to keep this data in cases where:
  • You withdraw your consent to us processing your personal data;
  • Your personal data no longer needs to be processed;
  • Your personal data has been unlawfully processed;
  • Right to Restriction of Processing: You have the right to restrict our processing activities where:
  • you contest the accuracy of this personal data, for a period enabling the us to verify the accuracy of the same personal data;
  • Our processing is deemed unlawful, and you oppose the erasure of your personal data and request restriction of its use instead;
  • We no longer need your personal data for the purposes stated in this Policy, but you require it for the establishment, exercise or defence of legal claims;
  • You have objected to our processing pending the verification whether the legitimate grounds of our processing activities overrode those pertaining to you;
  • Right of Data Portability: As from 25th May 2018, you shall have the right to receive your personal data in a structured and machine-readable format and transmit this data to another Controller.

Disclosures

According to law the Company may be required from time to time to disclose client’s information to Government bodies and agencies, regulatory authorities, law enforcement, public or judicial bodies which may have jurisdiction over the Company. In such cases the Company will only do so under proper authority.

The Company may also share information on data subjects with any one of its service providers who may be engaged by the Company from time to time. These may include our professional advisors such as accounting firms, insurers, lawyers and bankers and other professional advisors whose services may be required as well as out IT systems and support services suppliers.

The Company undertakes that before engaging any service provider which may have access to your personal data, it will ensure its suitability and invariably will enter into a written agreement which will include a clause that all information that may be obtained by the service provider is to be retained secret and cannot be disclosed to third parties and require such service provider to ensure compliance with data protection laws.

The Company may also transfer your personal data to another entity within Ganado Group in furtherance of its legitimate interest to ensure business continuity and efficient internal administration.

Transfers of your personal data outside the European Union

Your personal data is stored and processed only within the European Union (EU). This notwithstanding, we may transfer any personal data we hold to a country outside the EU provided that:

  • The transfer is necessary for the performance of your contract with us;
  • The transfer is necessary for the performance of a contract concluded in your interests between us and another person;
  • The transfer is necessary for important reasons of public interest; or
  • The transfer is necessary for the filing or defence of legal claims;

Data retention

We shall only keep your personal data for as long as is strictly necessary.

Generally, your contact information shall be kept for a period of five years after the end of your business relationship with us in order to take into account the prescriptive period for contractual claims.

In order to comply with our legal obligations, we may need to retain your personal data for longer periods. In particular, we may retain AML documentation and customer due diligence information for a period of five years after the end of our business relationship and any financial information and any information relating to transactions which may have been effected shall be retained for a period of ten years to take into account applicable prescriptive periods under income tax reporting, taxation and accounting laws.

Other Matters

The Company may record telephone conversations and also install video cameras in its offices with the aim of offering additional security or resolve complaints.

Upon engagement all staff is required to sign a confidentiality clause as part of their work contract. They are bound to retain all information as confidential even after the termination of their engagement with the Company.

This policy may be reviewed at the discretion of the Company. We shall notify you of any changes to this Policy.

Complaints

Should you have any queries or concerns regarding our data protection practices, you can contact us at any time on dpo@ganadoadvocates.com

Should we be unable to deal with any data protection issue to your satisfaction, you have the right to complain to the national supervisory authority, namely the Information and Data Protection Commissioner.